For Linux and Shell scripting.

Authentication Token Manipulation Error when Changing User Passwords in Linux


You may get an error, such as Authentication Token Manipulation Error, while trying to change passwords for a user. For example:

#passwd user
Authentication Token Manipulation Error

This error is being produced because you are using shadowed password files and the shadow doesn’t have entry for this user. i.e, /etc/passwd has an entry for this user, but /etc/shadow doesn’t.

In order to resolve this, you can either add the entry manually or recreate the shadow file. You can use pwconv to recreate the shadow file. See the manpage for more details on this.

39 thoughts on “Authentication Token Manipulation Error when Changing User Passwords in Linux

  1. Here is another situation where I noticed this error. I was using PAM and the command “chage -d 0 username” to force the user “username” to change his/her password at his first log on. Actually, what I am going to mention here is *not* an error, but a mistake from my side.

    When you use PAM and the above command it will ask for the present password twice. First one as usual, and second time when you are being forced for the password change. When I entered the first one correctly and the second one wrongly, I got this error.

    [abdurahiman@239 ~]$ ssh test1@
    test1@‘s password:
    You are required to change your password immediately (root enforced)
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user test1.
    Changing password for test1
    (current) UNIX password:
    passwd: Authentication token manipulation error
    Connection to closed.
    [abdurahiman@239 ~]$

    You won’t get this error if you enter the password carefully ;).


  2. hi, i am sujit,
    plz check the /etc/pam.d/system-auth there
    only check password lines and that line alos write main word

    “remember=5” this write after md5 shadow word
    then you can change the password of root or any normal user

  3. Thank you!!! solved my exact problem.

  4. Pingback: Matthieu/ergosteur's new blog » Blog Archive » Freeing the PBX - SOS! Ask me!

    • how to use pwconv ??

      • cd /etc/

        it will make /etc/shadow file

        • hi sorry to bother you i got a problem and stummbled on you post hoping you may be abe to help me
          i bought a laptop off someone onebay (bad idea ) its running ubuntu 11.10 the problem is this
          he bought it from someone that had a password to use it and guy i bought it from doesnt have password i have been going on sites and got directions to reset it i got down to enter new password entered it curser dosent move but i hit enter and then retype password ht enter and i get this passwd authentication token maniplation error passwd unchanged so did more checking which led me here to you today ( this is a big proble becouse i cant install or even change the time on the clock with out a password)
          i have seen all the different things on this page now if i wanted to try any of them foexample this one cd /etc/
          pwconv(just as an example ) is all this done in the drop to root shell prompt or do i have to go to a nother site unfortitly i reall dont know much about this system only heard about it when i turned this laptop on aslo is there a way i can just get rid of the password all to gether in other word laptop boots up an i am on whhich would bee so much less work any way thanks for time hope to hear from you if not sorry to have bothered you with my problem thanks ed

          • can you logon to the system with as any user (root or normal user)? If yes, check if the / filesystem is at 100% (you can use df command). Then check if /etc/passwd and /etc/shadow files exist. If any of them doesn’t exist, you can use pwconv or pwunconv (check manpage for more details)

            If your problem is that you don’t have the ROOT password, you can logon to the system in single user mode (which doesn’t ask for root password), and then reset the root password.

            If you need more help, please let me know the correct situation. I couldn’t get it from your last comment.

            • Hi
              i have created user in domain and some days it was ok that i was able to login by any user on the system.
              But currently i am not able to login by any user on the system

        • Thankx worked for me!!!!!!

  5. Works like a charm. thank you sir!!

    Shane Miller

  6. Saved my day. Thank you.

  7. Hi, I think my problem is different. And I’m not able to solve it as you describe.
    I have followed a how-to in ubuntu karmic 9.10 to authenticate users with openldap and after this everything related with ldap+samba works great but I cannot change normal users passwords nor create new ones and set their password.

    If you have a tip for this, let me know please.

    Pablo Alonso

  8. Sometimes work with update libpam-runtime package

    Thanks for you help.


  9. Thanks – solved my problem!!

  10. Ok…. after searching for over an hour and trying different solutions, including what is listed in this nice blog entry… here is what worked for me.

    The important thing to realize is that the error reporting mechanism is buggy: lots of different situations lead to this error message, each with their own reasons. This is why there are so many replies on the net saying “Here’s what to do…”.

    The way to isolate your particular problem is the following:

    1. Open a terminal window as root, and run “tail -f /var/log/auth.log”. This is absolutely critical, as PAM might give your answer right there.

    2. Try to change the password, or try to login remotely using “ssh -l theuserinquestion localhost”. You should see activity in the logfile that you are watching using tail.

    Now the next step is entirely situation specific: your problem may vary from mine. In my case, I found out that I had greedily downloaded a whole bunch of packages onto my machine (Ubuntu 10.04), and some of those packages related to authentication (LDAP, Kerberos, Winbind). But I only wanted Unix authentication… and there’s the problem. And watching auth.log made it clear: the system was trying to authenticate first off of LDAP and so on.

    For me, the fix was to run a program called “pam-auth-update” which presents a nice single screen asking you “Hey dude, what do you want to use to authenticate?”… just choose Unix and deselect LDAP, Kerberos, and Winbind, and I was set.

    Again, YOUR particular problem might be different – for example, maybe you DO want LDAP, but in your LDAP server you don’t have that user set up properly… so then YOUR solution is different. Hopefully, you get the picture now, and have a general way to solve the problem.

    Mohammed, I don’t have a blog, so I just picked you since your blog was the second hit for the error message on Google, and I’m too lazy to register in the forums.

    As-salaaaaaaaaaaaaaaamu alaikum.

  11. va alaikum salam…

    Thanks for your detailed comment, Ahmed. Of course, it’ll help other visitors to my blog.


  12. Ahmed,

    thanks that helped figure out my issue, turns out I had to add the user with smbpasswd -a


  13. Pingback: » Rooting the PBX

  14. 1. take backup of /etc/shadow
    2. change the readonly /etc/shadow to write for root
    chmod 700 /etc/shadow
    3. Add a dummy line related to that user
    4. save it and change the /etc/shadow write to read only
    chmod 400 /etc/shadow

    this should do that job.

  15. Ahmed,

    Many thanks for your post.

    I had the same niggle on my deverlopment system and was just ignorng it.

    However as i am now deploying it i thought that i better sort it out, and after a quick google, found your post and checked the log (Why didn’t i think of that?) realised the same, my system was trying to LDAP/AD authenticate through likewise.

    A quick ‘pam-auth-update’ disabling likewise and ldap fixed my problem

    Many thanks!


  16. Cheers Ahmed,
    after several days of struggling I came across your post about the “pam-auth-update” program which happened to fix the bugger in zero-point-nothing :^)
    I’m happy again.
    By the way, it seems, that a software called 2xclient caused all of my problems. Upon installation it altered several pam.d files and didn’t even leave the backups behind, although it injected comments into the new configs, that it had done so :^)
    And that software didn’t even work for me lol.

    Cheers again!

  17. my error was:
    100% /
    disk full!
    empty the disk, passwd works

  18. @Ahmed
    For me the fix was also “pam-auth-update” and just selected unix auth option, I disabled the pam-sss section, cause I didn’t really needed it.
    I have also tried before to manually override the configuration file in /etc/pam.d/common-password but with no success.
    So thanks, you just made my day ( it’s 11:58 PM ) :))

    Ubuntu 10.10 32 bit edition

  19. This is not resolve the problem for me. I’m using Kerberos.

  20. Pingback: Passwd: Authentication token manipulation error | chrisspenblog

  21. hello thank for your help.
    i have a same error but i resolved with your help.

  22. pam-auth-update worked for me

  23. “pam-auth-update” it’s the answer!!!!! thanks a lot!

  24. If you got this error;

    Changing password for user
    Kerberos 5 Password: passwd: Authentication token manipulation error

    You are using Kerberos authentication, please use command ‘kpasswd’.
    It works perfectly. Unix native ‘passwd’ command will not work here.

  25. for me was just that someone had deleted the /etc/pam.d/passwd file, just copied it from another server and then could change the passwords of any user, for me the file looks like:

    auth include system-auth
    account include system-auth
    password include system-auth

  26. any individual have any info?

  27. I do not even know how I ended up here, but I thought this submit was once great. I don’t realize who you’re but definitely you’re going to a famous blogger if you happen to are not already. Cheers!

  28. its working and Thanks making my day esay!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s