How to debug chpasswd "Authentication token manipulation error"

I'm trying to programmatically change a user's password using chpasswd, but I'm getting the following error:

/sbin/chpasswd "
chpasswd: (user 0s22xmgW) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user 0s22xmgW) password not changed
root@phantom:/home/ealfonso#

After trying to enhance pam debug logging by appending "debug" to most lines in /etc/pam.d/common-auth and /etc/pam.d/common-password, and checking /var/auth.log, I see the following logs:

2025-04-23T12:37:33.676089-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: entry (prelim)
2025-04-23T12:37:33.676432-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) attempting authentication as 0s22xmgW@example.com for kadmin/changepw
2025-04-23T12:37:34.701043-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) krb5_get_init_creds_password: Client '0s22xmgW@example.com' not found in Kerberos database
2025-04-23T12:37:34.701246-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: exit (failure)
2025-04-23T12:37:34.701331-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:34.701762-04:00 phantom chpasswd: gkr-pam: invalid option: debug
2025-04-23T12:37:34.701966-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: entry (update)
2025-04-23T12:37:34.702065-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) attempting authentication as 0s22xmgW@MY_REALM for kadmin/changepw
2025-04-23T12:37:35.719315-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): (user 0s22xmgW) krb5_get_init_creds_password: Client not found in Kerberos database
2025-04-23T12:37:35.719842-04:00 phantom chpasswd: pam_krb5(chpasswd:chauthtok): pam_sm_chauthtok: exit (failure)
2025-04-23T12:37:35.719923-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:35.719980-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): password - new password not obtained

I do use kerberos authentication for AFS and I see some kerberos-related logs, but in this case I'm only trying to change the local unix password of the local unix user. The last two lines in the log show that chpasswd was able to obtain the user, but for some unknown reason, not the password:

2025-04-23T12:37:35.719923-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): username [0s22xmgW] obtained
2025-04-23T12:37:35.719980-04:00 phantom chpasswd: pam_unix(chpasswd:chauthtok): password - new password not obtained

How can I get the reason behind the new password not obtained error and further debug this? I did try using strace and I see some kerberos-auth-related DNS and network requests, but again I'm not sure whether those are relevant to the failure to set the local unix password. For detail, below is the strace log : I think I do have the proper permissions on /etc/password and /etc/shadow:

ls -l /etc/shadow /etc/passwd
-rw-r--r-- 1 root root   2474 Apr 23 12:30 /etc/passwd
-rw-r----- 1 root shadow 1371 Apr 23 12:30 /etc/shadow

# grep -i password /etc/pam.d/common*:

# grep -i password /etc/pam.d/common*
/etc/pam.d/common-password:# /etc/pam.d/common-password - password-related modules common to all services
/etc/pam.d/common-password:# used to change user passwords.  The default is pam_unix.
/etc/pam.d/common-password:#hashed passwords using the yescrypt algorithm, introduced in Debian
/etc/pam.d/common-password:#used the option "sha512"; if a shadow password hash will be shared
/etc/pam.d/common-password:password     [success=2 default=ignore]      pam_krb5.so minimum_uid=1000 debug
/etc/pam.d/common-password:password     [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt debug
/etc/pam.d/common-password:password     requisite                       pam_deny.so debug
/etc/pam.d/common-password:password     required                        pam_permit.so debug
/etc/pam.d/common-password:password     optional        pam_gnome_keyring.so debug
/etc/pam.d/common-password:password     optional        pam_ecryptfs.so debug

# cat /etc/nsswitch.conf:

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the glibc-doc-reference' and info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files systemd
gshadow:        files systemd

hosts:          files mdns4_minimal dns [NOTFOUND=return] dns mymachines myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

$ grep -P "pam_unix|pam_krb" -R /etc/pam.d

common-account :17:account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
common-account :25:account	required			pam_krb5.so minimum_uid=1000
common-auth :17:auth	[success=2 default=ignore]	pam_krb5.so minimum_uid=1000 debug
common-auth :18:auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass debug
common-session-noninteractive :24:session	optional			pam_krb5.so minimum_uid=1000
common-session-noninteractive :25:session	required	pam_unix.so 
runuser :5:session		required	pam_unix.so
login :8:# to disable any delay, you should add the nodelay option to pam_unix)
common-password :6:# used to change user passwords.  The default is pam_unix.
common-password :8:# Explanation of pam_unix options:
common-password :15:#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
common-password :25:password	[success=2 default=ignore]	pam_krb5.so minimum_uid=1000 debug
common-password :26:password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt debug
common-session :23:session	optional			pam_krb5.so minimum_uid=1000
common-session :24:session	required	pam_unix.so