#%PAM-1.0

# optional   = [ default=ignore success=ok   new_authtok_reqd=ok   ]
# sufficient = [ default=ignore success=done new_authtok_reqd=done ]
# required   = [ default=bad    success=ok   new_authtok_reqd=ok   ignore=ignore]
# requisite  = [ default=die    success=ok   new_authtok_reqd=ok   ignore=ignore]

auth required				pam_env.so
auth sufficient				pam_unix.so try_first_pass
auth requisite				pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient				pam_krb5.so use_first_pass
auth required				pam_deny.so

account required					pam_unix.so broken_shadow
account sufficient					pam_succeed_if.so uid < 1000 quiet
account required					pam_ldap.so
account [default=bad success=ok user_unknown=ignore]	pam_krb5.so
account required					pam_permit.so

password requisite			pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient			pam_unix.so sha512 shadow try_first_pass use_authtok
password requisite			pam_succeed_if.so uid >= 1000 quiet
password sufficient			pam_krb5.so use_authtok
password required			pam_deny.so

session optional			pam_keyinit.so revoke
session required			pam_limits.so
-session optional			pam_systemd.so
session [success=1 default=ignore]	pam_succeed_if.so service in crond quiet use_uid
session required			pam_unix.so
session optional			pam_ldap.so
session optional			pam_krb5.so