auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
auth        required                                     pam_deny.so

account     required                                     pam_access.so                                          {include if "with-pamaccess"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
account     required                                     pam_unix.so broken_shadow
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_winbind.so {if "with-krb5":krb5_auth}
