# If pam-runtime and base-files start to use auth-client-config, the [local]
# profile below can perhaps be uncommented.
#[local]
#nss_passwd=passwd: compat
#nss_group=group: compat
#nss_shadow=shadow: compat
#pam_auth=auth    required        pam_unix.so nullok_secure debug
#pam_account=account required        pam_unix.so
#pam_password=password   required   pam_unix.so nullok obscure min=4 max=8 md5
#pam_session=session required        pam_unix.so
#	session optional        pam_foreground.so

# Profile: local accounts first, then Kerberos (pam_krb5) with pam_ccreds
# cached credentials. The nss_* values are nsswitch.conf lines and the pam_*
# values are PAM stacks; presumably auth-client-config writes them into
# /etc/nsswitch.conf and the /etc/pam.d/common-* files -- confirm against the tool.
# Continuation lines of a value must stay indented; comments are kept at
# column 0 and between keys so they never become part of a value.
[kerberos]
# Lookup order: local files, then the db backend. Shadow data comes from local
# files only.
nss_passwd= passwd: files db
nss_group=group:				files db
nss_shadow=shadow:	 files
# auth stack; the order of entries is significant:
#  - pam_unix: success ends the stack, any other result is ignored.
#  - pam_krb5: success skips one entry (lands on ccreds action=store),
#    authinfo_unavail falls through to ccreds action=validate, any other
#    result skips two entries (lands on ccreds action=update).
#  - ccreds validate/store terminate the stack; update is always counted as
#    a failure (default=bad).
# NOTE(review): nullok_secure accepts accounts with an empty password (on
# Debian/Ubuntu only from ttys listed in /etc/securetty); drop it unless
# passwordless local accounts are intended.
# NOTE(review): "debug" is set on most modules in this profile, which makes
# authentication activity verbose in syslog; usually removed once the setup works.
pam_auth=auth	[success=done default=ignore]        pam_unix.so nullok_secure debug
	auth    [authinfo_unavail=ignore success=1 default=2] pam_krb5.so use_first_pass debug
	auth    [default=done]  pam_ccreds.so action=validate use_first_pass
	auth    [default=done]  pam_ccreds.so action=store
	auth    [default=bad]   pam_ccreds.so action=update
# NOTE(review): both checks are "sufficient" and the stack ends in a required
# pam_permit.so, so a failure from pam_krb5 or pam_unix (for example an expired
# or locked account) is ignored and the account phase still succeeds. The
# [ldap] profile ends this stack with pam_deny.so instead. Confirm that
# failing open here is intended.
pam_account=account sufficient      pam_krb5.so debug
	account sufficient      pam_unix.so debug
	account required        pam_permit.so
# Password change: local pam_unix first, then Kerberos; pam_deny fails closed
# if neither succeeds.
# NOTE(review): md5 selects MD5-crypt for new local hashes, and min=4 max=8
# (presumably the Debian pam_unix length options -- confirm) allow passwords as
# short as 4 characters. Prefer a stronger hash such as sha512 where the
# installed pam_unix supports it, and a longer minimum. nullok also permits
# changing a password that is currently empty.
pam_password=password sufficient     pam_unix.so nullok obscure min=4 max=8 md5 debug
	password sufficient     pam_krb5.so debug try_first_pass
	password required       pam_deny.so
# Session setup: pam_mkhomedir creates a missing home directory from /etc/skel.
# NOTE(review): umask=0022 leaves new home directories readable by other local
# users; use a stricter umask such as 0077 if homes should be private.
pam_session=session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
	session optional        pam_foreground.so
	session optional        pam_krb5.so debug
	session required        pam_unix.so debug

# Profile: local accounts first, then LDAP (nss "ldap" source and pam_ldap).
# The nss_* values are nsswitch.conf lines and the pam_* values are PAM stacks;
# continuation lines of a value must stay indented, and comments are kept at
# column 0 and between keys so they never become part of a value.
[ldap]
# Lookup order: local files, then LDAP.
# NOTE(review): "shadow: files ldap" makes shadow entries resolvable through
# LDAP. pam_ldap below is also in the auth stack, so confirm whether shadow via
# LDAP is needed at all, and check that directory ACLs do not expose password
# hashes to ordinary binds.
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
# auth stack: pam_env sets the environment, then local pam_unix, then pam_ldap
# with the already-entered password (use_first_pass, no second prompt);
# pam_deny fails closed when neither backend accepts the password.
# NOTE(review): nullok accepts local accounts with an empty password; drop it
# unless passwordless accounts are intended.
pam_auth=auth       required     pam_env.so
	auth       sufficient   pam_unix.so likeauth nullok
	auth       sufficient   pam_ldap.so use_first_pass
	auth       required     pam_deny.so
# Account phase: success from either pam_unix or pam_ldap is enough; pam_deny
# fails closed otherwise.
# NOTE(review): because pam_unix is "sufficient" and listed first, pam_ldap is
# not consulted when pam_unix succeeds, so any LDAP-side access restrictions
# may be skipped for such users -- verify with an LDAP-only test account.
pam_account=account    sufficient   pam_unix.so
	account    sufficient   pam_ldap.so
	account    required     pam_deny.so
# Password change: pam_cracklib vets the new password, pam_unix reuses it
# (use_authtok), then pam_ldap; pam_deny fails closed.
# NOTE(review): positive dcredit/ocredit values are credits toward minlen, so
# passwords containing digits or symbols can pass while shorter than 8
# characters; raise minlen or use negative credit values if 8 is meant as a
# hard minimum. difok=2 only requires two changed characters.
# NOTE(review): md5 selects MD5-crypt for new local hashes; prefer a stronger
# hash such as sha512 where the installed pam_unix supports it. nullok also
# permits changing a password that is currently empty.
# NOTE(review): pam_ldap is given use_first_pass rather than use_authtok here;
# verify it takes the password pam_cracklib vetted and does not prompt again.
pam_password=password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
	password   sufficient   pam_unix.so nullok md5 shadow use_authtok
	password   sufficient   pam_ldap.so use_first_pass
	password   required     pam_deny.so
# Session setup: pam_limits and pam_unix are required, pam_ldap is optional so
# its failure does not block a login.
pam_session=session    required     pam_limits.so
	session    required     pam_unix.so
	session    optional     pam_ldap.so

