r/system-auth: skip session winbind for local users

If winbind is unable to communicate with any domain controller, the
`pam_winbind.so` module will time out.  In _auth_ and _account_ context,
this was not an issue, at least for local users, because other modules
terminated the stack before `pam_winbind.so` was called.  In _session_
context, though, nothing terminated the stack at all, so
`pam_winbind.so` was called unconditionally.  This prevented even _root_
from logging in on the console.  This made troubleshooting difficult,
especially for the VM hosts, when the domain controllers were down.

roles/system-auth/templates/password-auth.j2

@@ -36,5 +36,6 @@ session     optional      pam_oddjob_mkhomedir.so umask=0077
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 {% if pam_winbind %}
+session     sufficient    pam_localuser.so
 session     optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
 {% endif %}