# Solved: Fedora Core 3: useradd: cannot rewrite password file



## lotuseclat79 (Sep 12, 2003)

Running FC3, and when I try to add a regular user I get:
useradd: cannot rewrite password file

Investigated with Google - no solution found even at fedora.redhat.com.

I am running as root.

In /etc there was a .pwd.lock file dated as of the installation date of FC3. However, when that file is renamed or deleted, running useradd just regenerates the file.

Relevant software versions/releases running are:
PAM version 0.77 Release 66.2
passwd version 0.68 Release 10
shadow-utils version 4.0.3 Release 56

This looks like a bug in FC3 that was never fixed, but if anyone has a clue or fix for this, it will be much appreciated.

Also, curious if anyone knows what the "dashed" files in /etc are:
passwd-
shadow-
as opposed to /etc/passwd and /etc/shadow in /etc? Should they be exact copies of /etc/passwd and /etc/shadow?

Tia,

-- Tom


----------



## zathraszero (Aug 16, 2006)

I'm running Kubuntu but having the same problem. Just fixed it a minute ago.

I had the passwd-, shadow-, group- and gshadow- files in /etc. I did delete them in my attempt to get it going, as well as any *lock files there.

My problem was that the root "/" mount point was out of disk space. Check that and see if that helps you out.


----------



## lotuseclat79 (Sep 12, 2003)

Hi zathraszero,

Glad that it worked for you, but it did not for me. I did as you did by renaming the files with '-' at the end, and I have lots of GBs in the root, '/', partition.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

I read the System Administrator's Guide for PAM (in /usr/share/doc), and created a pam.conf in /etc and renamed the pam.d directory and also created a new other file with the standard unix entries in a newly created pam.d (minimal). A no go for rewriting the passwd file with the changes due to authorization failure.

I looked this AM for the .rpm files installed on the machine and found them under /var/cache/... My next attempt will be to uninstall PAM which I assume is causing the current situation. The passwd file in the pam.d directory referenced the system-auth file and after I renamed the pam.d directory and created one anew, there were still authorization problems that ensued. Hopefully, if uninstalling PAM will make it easier to just edit the passwd file I can create a new user account and then reinstall PAM with the modified passwd file. If that does not work, I may have to uninstall the shadow-utils .rpm package as well and keep experimenting until I find a solution while continuing to learn more about PAM (very interesting stuff, but a big pita).

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

The solution, I am told, is not in PAM, but in SELinux (re: Red Hat FC3).

In the /etc/selinux/config file, the fix is to modify:
= targeted

to

= disabled

Solution has not yet been tried, but will post back results.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

Well, so much for that theory - it did not work. Here's what happened:

After the boot msg: Red Hat nash version 4.1.18 starting, got the msg:
Enforcing mode requested but not policy loaded. Halting now.
Kernel panic - not syncing: Attempted to kill init!

Then it hung at that point.

I went out and purchased O'Reilly's Knoppix Hacks with the 3.4 CD, and the mag Linux Pro (UK) w/Ubuntu 6.0.6. I saved the /etc/selinux/config as config.orig prior to making the above change from =targeted to =disabled, so I am assuming that I can recover the config.orig file to be able to boot from FC3 again by using either Knoppix 3.4 or Ubuntu 6.0.6.

After I contact my source for the fix and figure out what the next step is I'll repost the results when this problem is finally solved. I do currently assume that it is a problem with selinux as the problem was fixed for another customer with that fix, but that remains to be seen in my case.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

For the useradd problem, the advice should have been:
=enforcing to =disabled for SELINUX
instead of
=targeted to =disabled for SELINUXTYPE
in the /etc/selinux/config file.

Then useradd both graphical and command line started to work for FC3.

During the course of trying to make Knoppix v3.4 work from the Knoppix Hacks O'Reilly boot with the CD, it kept getting:
Disk error 10, AX=4280 drive EF or Disk error 10, AX=4200 drive EF

It gets that error even when I type in from the boot prompt (below):
boot: knoppix testcd

Does this mean that the Knoppix v3.4 CD is corrupt or bad?

Since I also got Ubuntu 6.0.6 (Linux Pro magazine - $10 from B&N), that worked like a charm (i.e. no problems). I just had to figure out that I needed to use sudo -i and mkdir /mnt/fc3 to mount the Linux FC3 partition.
Then I just copied the saved config.orig file into the config file in the /etc/selinux directory in order to get past the kernel panic problem. After reboot, I made the changes to the config file to get useradd working (as above).

I plan to put the original config file back in place to help increase the security.

-- Tom


----------
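Added example, not part of any post in this thread: a pre-reboot sanity check for the `SELINUX=` / `SELINUXTYPE=` mix-up described above, which rejects a mode word written into `SELINUXTYPE`. The function names `get_key` and `check_selinux_config` are hypothetical, and the three sample files are constructed from the values quoted in the posts.

```shell
#!/bin/sh
# Added example: check an SELinux config file for the key mix-up
# described in the thread before rebooting on it.

# Print the value assigned to KEY ($2) in FILE ($1); the last
# uncommented assignment wins. "SELINUX" does not match "SELINUXTYPE".
get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 if FILE is consistent, 1 otherwise; findings go to stdout.
check_selinux_config() {
    file=$1
    rc=0
    mode=$(get_key "$file" SELINUX)
    type=$(get_key "$file" SELINUXTYPE)
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX='$mode' is not enforcing, permissive or disabled"
           rc=1 ;;
    esac
    case $type in
        enforcing|permissive|disabled)
            echo "SELINUXTYPE='$type' is a mode word, not a policy name; edit SELINUX= instead"
            rc=1 ;;
        '')
            [ "$mode" = disabled ] || {
                echo "SELINUXTYPE is missing while SELINUX='$mode'"
                rc=1
            } ;;
    esac
    return $rc
}

# Constructed samples: the file as installed, the mis-edit that led to
# the boot failure in the thread, and the edit that was intended.
tmp=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/original"
printf 'SELINUX=enforcing\nSELINUXTYPE=disabled\n' > "$tmp/misedit"
printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/intended"

for f in original misedit intended; do
    if check_selinux_config "$tmp/$f"; then echo "$f: ok"; else echo "$f: REJECTED"; fi
done
```

From a rescue environment the same function can be pointed at the mounted system's file, for example `check_selinux_config /mnt/fc3/etc/selinux/config`.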



## lotuseclat79 (Sep 12, 2003)

Addendum:

The so-called fix above is really a work-around. If you need to maintain SELinux level security, after making the above change to get useradd to work, you then need to:

1) reboot
2) make usermod or useradd changes as root,
3) reconfigure the /etc/selinux/config file back to its original state (with the problem)
4) reboot

This requires the above procedure in order to use the useradd/usermod commands or the graphical user interface for administering accounts as root, and then to maintain the SELinux level of security after 4) above.

Fedora Core 5 is purported not to have the problem, but FC3 users can work around the problem as above. So, this is not really a fix, just a way to get useradd/usermod to work with a temporary configuration change.

-- Tom


----------



## uid1003 (Jan 8, 2008)

I experienced the same problem while using an older version of DSL (damn small linux) but I discovered under the gui menu there's a gui method for adding users.

My fix was to login as root - sudo would probably work as well. Edit that /etc/passwd file, add a new line to the list with the name, uid, gid, etc of the user you wanted to create and then save the file. Next use passwd username to set the password - I am still looking into the actual cause of this glitch.


----------



## lotuseclat79 (Sep 12, 2003)

Hi uid1003,

Welcome to TSG!

Yes, FC3 also has a GUI method, but that also did not work in my case.

Your root edits might have worked for DSL, but would not even begin to make a difference with FC3 due to the presence of SELinux and PAM security (not used in DSL).

Root edits were the first thing I tried in FC3, and when the standard Unix tricks I learned long ago did not work - it took some digging to work around them as documented above.

Have you read what the DSL documentation says about adding users?

-- Tom


----------



## RobLinux (Nov 7, 2007)

That is one tricky problem, shame the LIVE CD didn't work.

How on earth did FC3 not have a documented fix for useradd with SELinux? Presumably most turned the security off once it caused problems. useradd gets used by daemon rpm's providing network services, so it's not an issue that wouldn't be common.


----------



## lotuseclat79 (Sep 12, 2003)

Hi Rob,

I think I found the solution (well, close) in a RH user forum, and the Knoppix Live CD was defective when I tried to open the CD paper container (very tightly packed I might add) with a knife, and by my own hand made it defective by scratching the working surface - the lesson I learned is to make sure when using a knife to be on the non-working side (top) of the CD so that if you scratch it, it will still be able to work on the operational side.

I since have gotten a buddy to send me a more recent Knoppix Live CD, but I am currently living in an Ubuntu Gutsy environment with 1GB RAM, no disks mounted, and a very restrictive iptables firewall. So far, after about 1.5 yrs, no extra AS, AV or other security software expenses and using common sense to stay away from suspect websites keeps my system clean - when I power off, if infected (it's only in RAM), zap!

-- Tom


----------

