ad-auth: custom pam configs to prefer sss over unix

ad-auth/files/pam/sss-custom

+Name: SSS authentication
+Default: yes
+Conflicts: sss
+Priority: 301
+
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_sss.so ignore_unknown_user forward_pass
+Auth-Initial:
+	[success=end default=ignore]	pam_sss.so ignore_unknown_user forward_pass
+Account-Type: Additional
+Account:
+	sufficient			pam_localuser.so
+	[default=bad success=ok user_unknown=ignore]	pam_sss.so
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	optional			pam_sss.so
+Password-Type: Primary
+Password:
+	sufficient			pam_sss.so use_authtok
+Password-Initial:
+	sufficient			pam_sss.so

ad-auth/files/pam/unix-custom

+Name: Unix authentication
+Default: yes
+Conflicts: unix
+Priority: 300
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure sha512

ad-auth/tasks/pam.yml

 ---
-# file: roles/ad-auth/tasks/pam.yml
 
-- name: ensure pam applies a general umask
+- name: retrieve data of overwritten pam configs (unix)
+  stat:
+    path: "/usr/share/pam-configs/unix"
+    checksum_algorithm: "sha1"
+  register: "pamunix"
+
+- name: retrieve data of overwritten pam configs (sss)
+  stat:
+    path: "/usr/share/pam-configs/sss"
+    checksum_algorithm: "sha1"
+  register: "pamsss"
+
+- name: check that overwritten pam configs were not updated
+  fail:
+    msg: "The original PAM configs (unix/sss) that we overwrite have changed."
+  when: (pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
+      or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
+
+- name: ensure pam applies customized configs
   copy:
-    src: pam/umask
-    dest: /usr/share/pam-configs/umask
+    src: "pam/{{ item }}"
+    dest: "/usr/share/pam-configs/{{ item }}"
     owner: root
     group: root
     mode: '0644'
   notify:
     - regenerate pam config
+  with_items:
+    - umask
+    - sss-custom
+    - unix-custom
   tags:
     - pam