passwd fails with "Authentication token manipulation error" for NIS

On centos 7 I have the following pam config: cat /etc/pam.d/passwd #%PAM-1.0 auth include system-auth account include system-auth password substack system-auth -password optional pam_gnome_keyring.so use_authtok password substack postlogin and cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow nis password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so account required pam_slurm.so but when I run "passwd" as a user it asks me for the current passwd, new password and retype and then fails with passwd Changing password for user test. Changing password for test. (current) UNIX password: New password: Retype new password: passwd: Authentication token manipulation error And ideas how to fix or debug this? Note: yppasswd works fine, just passwd fails Update: I tried the same config with a different server and there it works. So I figure the problem is server side, not client. Still no idea how debug this properly.