??with-smartcard
auth        required                                     pam_env.so
?with-faillock:
auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200
auth        sufficient                                   pam_sss.so allow_missing_name
?with-faillock:
auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200
auth        required                                     pam_deny.so

?with-faillock:
account     required                                     pam_faillock.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session     optional                                    pam_systemd.so
?with-mkhomedir:
session     optional                                     pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
