roles/system-auth: Configure PAM system authentication

The *system-auth* role deploys PAM configuration for system-wide user
authentication. It is specifically focused on Active Directory
authentication using Samba/Winbind.

roles/system-auth/templates/password-auth.j2

@@ -0,0 +1,40 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        required      pam_faildelay.so delay=2000000
+auth        sufficient    pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
+{% if pam_winbind %}
+auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
+{% endif %}
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
+{% if pam_winbind %}
+account     [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
+{% endif %}
+account     required      pam_permit.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+{% if pam_winbind %}
+password    sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
+{% endif %}
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+{% if pam_mkhomedir %}
+{% if pam_oddjob_mkhomedir %}
+session     optional      pam_oddjob_mkhomedir.so umask=0077
+{% endif %}
+{% endif %}
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+{% if pam_winbind %}
+session     optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
+{% endif %}

roles/system-auth/templates/system-auth.j2

@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth		include	password-auth
+account		include	password-auth
+password	include	password-auth
+session		include	password-auth