## PAM configuration for Active Directory authentication
## This file complies with the Gentoo PAM layout; other distributions may
## require different blocks in separate files, so adjust accordingly.
##
## UNIX authentication is attempted first, allowing local users to log in even
## if domain authentication is unavailable. For this to work, 'compat' must be
## listed before 'winbind' in /etc/nsswitch.conf.
##
## Dustin C. Hatch
##
## This file is public domain. I don't care what you do with/to it.

# vim: set ft=pamconf :

# Reading the jump controls: [success=N default=ignore] skips the next N
# modules when the module succeeds and ignores every other result. Each stack
# therefore ends in pam_deny (reached when nothing succeeded) followed by
# pam_permit (reached only by a jump). The jump counts depend on the exact
# number and order of lines, so re-count them whenever a module is inserted
# or removed; an off-by-one can land a failed login on pam_permit.

# --- auth: verify the user's credentials ---
auth required pam_env.so
# UIDs at or above 100000000 skip pam_unix and go straight to pam_winbind.
# NOTE(review): presumably this is the start of the winbind idmap range;
# confirm it matches the idmap settings in smb.conf.
auth [success=1 default=ignore] pam_succeed_if.so uid >= 100000000 quiet
# Local accounts: on success jump over pam_winbind and pam_deny to pam_permit.
# 'nullok' is not set, so accounts with an empty password are not accepted.
auth [success=2 default=ignore] pam_unix.so try_first_pass likeauth
# Domain accounts: reuse the password already entered (try_first_pass), request
# a Kerberos ticket (krb5_auth) and keep it in a file-based credential cache.
# 'cached_login' permits logon from locally cached credentials when no domain
# controller is reachable; an account disabled or re-keyed in AD may still
# authenticate from that cache while the host is offline.
auth [success=1 default=ignore] pam_winbind.so try_first_pass krb5_auth krb5_ccache_type=FILE cached_login
# Reached only if neither pam_unix nor pam_winbind succeeded: fail immediately.
auth requisite pam_deny.so
auth required pam_permit.so

# --- account: decide whether an authenticated user may log in ---
# 'sufficient' ends the stack with success as soon as winbind accepts the
# account, so any module listed below this line is never consulted for domain
# users. No require_membership_of restriction is set on this line; unless one
# is configured elsewhere (e.g. pam_winbind.conf), every domain account that
# winbind accepts may log in.
account sufficient pam_winbind.so
account required pam_unix.so
account optional pam_permit.so

# --- password: change the authentication token ---
# NOTE(review): positive dcredit/ocredit values are *credits* toward minlen,
# not minimum counts. With these settings digits and symbols each count extra
# toward the length of 8, so the real minimum length is shorter than 8
# characters. If the intent was to require two digits and two symbols, the
# values would need to be negative (dcredit=-2 ocredit=-2) - confirm intent.
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
# use_authtok makes the following modules take the new password vetted by
# pam_cracklib instead of prompting again. Local passwords are hashed with
# SHA-512 and written to the shadow file.
password [success=2 default=ignore] pam_unix.so try_first_pass use_authtok sha512 shadow
# Tried when pam_unix did not succeed (presumably because the user is not a
# local account): change the password in the domain.
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so

# --- session: set up the login session ---
# Creates a missing home directory from /etc/skel on login. umask=0022 leaves
# new home directories readable and searchable by every user on the host
# (mode 0755); use umask=0077 if domain users' homes should be private.
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so