Unable to change Admin Password

• An admin user attempts to make changes to the password for a local administrator user, but the changes are not taking effect. 
• Ms.log (less mp-log ms.log) outputs the following which indicates that the password file is being locked and no further changes can be applied for the admin accounts:

usermod: unable to lock password file
/usr/sbin/pwconv: can't lock passwd file

• Similar logs can also be found in Configd logs (less mp-log configd.log)

useradd: existing lock file /etc/passwd.lock with an invalid PID '#%PAM-'
useradd: cannot lock /etc/passwd; try again later.

• Palo Alto Networks Firewall or Panorama
• Any PAN-OS

This issue is usually caused by an unclean shutdown or sudden power loss to the device.  As a result stale passwd.lock files and shadow.lock are stored on a disk. They were created before unexpected reboot - file locking mechanism is used to coordinate access to a file when multiple processes try to read or write to it simultaneously. If the file is locked and firewall is rebooted in the meantime, the process that created that lock no longer exists so it cannot remove the lock. These stale .lock files have to be removed to resolve the issue.

Starting from PAN-OS image versions 10.1.15, 10.1.16, 10.2.11, 11.0.7, 11.1.4-h6, 11.1.5, 11.2.4, 11.2.5, and later new CLI command has been introduced:

delete authentication system-lock-files

This command can be used to delete stale .lock files stored on a disk, once it's used please try to change admin password again - password should be changed successfully.

If PAN-OS image version installed on the device doesn't include delete authentication system-lock-files command or issue is not resolved after running this command please please open a support case and reference this article to expedite the process. In that scenario stale .lock files will have to be deleted from the root mode.