I have a non-root, local account where I have been unable to use 'passwd' as user root to change that password. The system is an AWS instance running Ubuntu 14.04 bound to Active Directory using both kerberos and LDAP. I can become root on the instance.
The account had a UID above 10000. Initially I received the error below from passwd:
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
After reading some posts, I used usermod to change the UID for the account to 601 - a value below the minimum set in /etc/pam.d/common-password.
After the change I am no longer prompted for the Kerberos password, however I still receive an error. The new error message occurs after I have entered the new password and confirmed.
Enter new password:
Retype new password:
passwd: Authentication token manipulation error
passwd: password unchanged
Unfortunately, removing the LDAP or Kerberos packages is not an option. A snippet of the PAM configuration in /etc/pam.d/common-password related to UIDs and unix/krb5/ldap is below.
password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=2 default=ignore] pam_krb5.so minimum_uid=1000
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
I have confirmed that the account only exists locally. It is not present in Active Directory.
Ideally I would prefer not to hack around the problem by generating the password via mkpasswd or similar tool and would prefer /usr/bin/passwd to manipulate the correct account in the correct database.
Suggestions are welcome.
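To see how the bracket controls in that stack route a password change (which modules are consulted, which are skipped by `success=N`, and where `default=die` stops evaluation), here is a small simulator, added as an example and not from the question or any answer; the PAM lines are a copy of those quoted above, and the module outcomes passed to it are constructed for illustration, not a diagnosis of the error.

```python
import re

# Constructed copy of the common-password lines quoted in the question.
STACK = """
password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=2 default=ignore] pam_krb5.so minimum_uid=1000
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
"""

LINE_RE = re.compile(r"^password\s+\[([^\]]+)\]\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(control dict, module, args)] for each 'password' line."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported line: " + line)
        control = dict(kv.split("=", 1) for kv in m.group(1).split())
        entries.append((control, m.group(2), m.group(3).split()))
    return entries


def run_stack(entries, outcomes):
    """One pass over the stack using pam.conf bracket-control semantics.

    outcomes maps module name -> the PAM return value it produces (e.g.
    'success', 'user_unknown', 'authtok_err'); unlisted modules succeed.
    Returns (final stack result, [(module, return value) consulted]).
    Real PAM makes two passes (preliminary check, then update)."""
    consulted, status, i = [], None, 0
    while i < len(entries):
        control, module, _args = entries[i]
        rc = outcomes.get(module, "success")
        consulted.append((module, rc))
        action = control.get(rc, control.get("default", "bad"))
        i += 1
        if action.isdigit():            # N: 'ok' plus skip the next N modules
            action, i = "ok", i + int(action)
        if action in ("ok", "done") and status != "bad":
            status = "ok"               # a later failure still overrides this
        elif action in ("bad", "die"):
            status = "bad"              # first failure decides the stack result
        if action in ("done", "die"):
            break                       # stop evaluating further modules
    # Nothing contributed (every module was 'ignore'd) -> PAM denies the request.
    return (status or "bad"), consulted


def evaluate(outcomes, stack=STACK):
    """Convenience wrapper: parse the stack text and run it once."""
    return run_stack(parse_stack(stack), outcomes)
```

Feeding it constructed outcomes where pam_unix does not succeed and the other two modules report the user as unknown shows all three modules consulted and the stack denied, because every result was mapped to `ignore`.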
pam-auth-update did resolve my problem by swapping the position of the krb5 line and the pam_unix line within common-password. Thank you. I'm curious as to why this resolved the issue? If I recall, I already tried manually swapping the lines as an attempt to resolve but it did not. What did pam-auth-update do which a manual line swap did not? – Marty Combs Nov 17 '17 at 19:21