On Thu, 3 May 2001, Peter Brown wrote:
>
> I'm in the process of migrating a system running HP-UX 10.10 to Red Hat 7.0
> and when I moved the unshadowed HP-UX /etc/passwd file over, I found that
> my users could then log into their new accounts, that the transferred
> passwd file allows them access to the account on the new machine but
> that they cannot change their passwords. They get this message:
>
> passwd:authentication token manipulation error
>
> The PAM-Linux configuration is the Red Hat default (I certainly
> haven't messed with it). Here are the contents of /etc/pam.d/passwd:
>
> #%PAM-1.0
> auth required /lib/security/pam_stack.so debug service=system-auth
> account required /lib/security/pam_stack.so debug service=system-auth
> password required /lib/security/pam_stack.so debug service=system-auth
>
> Here are the contents of /etc/pam.d/system-auth (with debug and audit
> parameters newly introduded by me):
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth sufficient /lib/security/pam_unix.so debug audit likeauth nullok md5 shadow
> auth required /lib/security/pam_deny.so
> account sufficient /lib/security/pam_unix.so debug audit
> account required /lib/security/pam_deny.so
> password required /lib/security/pam_cracklib.so debug retry=3
> password sufficient /lib/security/pam_unix.so debug audit nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so debug audit
>
> Appended are the relevent lines of /var/log/secure after the debug and
> audit parameters were added. Two attempts are logged. The first by the
> user (fjaumott) trying to change her own password, the second one by root
> intending to change it for her. If anyone could help me understand
> what's going and make a recommendation, I'd be grateful. I've been
> reading the PAM documentation but I'm still clueless.
>
> Thanks.
>
> Peter Brown
>
>
Peter,
Does the file /etc/shadow exhist? The default install of Red
Hat uses shadow passwords, and I think what may be happening in that
qhen they try and change the password, there is no entry for the user in
/etc/shadow, so pam has problems. Backup /etc/shadow, and /etc/passwd.
The delete /etc/shadow, and run pwconv to convert your password file to
shadow passwords. If this fixes the problem, you will also want to run
grpconv.
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
