How Do I Fix the "Authentication token manipulation error" When I Reset the Password Using passwd on a Linux ECS?
Symptom
When user root tries to change the password of an administrator or a common user, the system displays "passwd:Authentication token manipulation error."
Possible Causes
This problem is usually caused by wrong attributes of password files or a full root directory.
Run the following command to check the attributes of the files /etc/passwd and /etc/shadow that store user names and passwords:
# lsattr /etc/passwd /etc/shadow
As shown in the preceding figure, the /etc/passwd and /etc/shadow files have the i attribute. A file with the i attribute is immutable. It cannot be deleted or renamed, no link can be created to this file, and no data can be written to the file. Only the administrator can set or clear this attribute.
Files with the a attribute can only be open in append mode for writing. Only the administrator can set or clear this attribute.
The CAP_LINUX_IMMUTABLE capability can be used to set or clear this attribute.
For information about other file attributes, run the following command to view the chattr user manual:
# man chattr
2. If the lsattr command output does not contain any attributes that restrict file modification, the problem may be caused by insufficient root partition space. In this case, run the following command to check the root partition usage:
# df -h
Delete unnecessary files from the root partition.
Solution
- Use chattr to revoke the i or a attribute and then change the password.
- For files with the i attribute, run the following command:
# chattr -i /etc/passwd /etc/shadow
- For files with the a attribute, run the following command:
# chattr -a /etc/passwd /etc/shadow
- For files with the i attribute, run the following command:
- (Optional) Change the file attributes back to i or a to meet the security requirements.
- To set the i attribute for the files, run the following command:
# chattr +i /etc/passwd /etc/shadow
- To set the a attribute for the files, run the following command:
# chattr +a /etc/passwd /etc/shadow
Run the following command to check the file attributes again:
# lsattr /etc/passwd /etc/shadow
- To set the i attribute for the files, run the following command:
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.