diff --git a/ad-auth/files/pam/sss-custom b/ad-auth/files/pam/sss-custom
new file mode 100644
index 0000000000000000000000000000000000000000..fc1f9c8926bad3bb3ab24a489a054678bf64ac7e
--- /dev/null
+++ b/ad-auth/files/pam/sss-custom
@@ -0,0 +1,23 @@
+Name: SSS authentication
+Default: yes
+Conflicts: sss
+Priority: 301
+
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_sss.so ignore_unknown_user forward_pass
+Auth-Initial:
+	[success=end default=ignore]	pam_sss.so ignore_unknown_user forward_pass
+Account-Type: Additional
+Account:
+	sufficient			pam_localuser.so
+	[default=bad success=ok user_unknown=ignore]	pam_sss.so
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	optional			pam_sss.so
+Password-Type: Primary
+Password:
+	sufficient			pam_sss.so use_authtok
+Password-Initial:
+	sufficient			pam_sss.so
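Review bot: The non-initial `Auth:` line carries `forward_pass` where the stock `sss` profile this replaces (`Conflicts: sss`) uses `use_first_pass`; without `use_first_pass`, pam_sss prompts for a password again instead of taking the one a preceding primary module already collected, so a user would be asked twice whenever this profile is not the first primary. With `Priority: 301` outranking the unix profile it is presumably always first today and only `Auth-Initial` is exercised, so the defect is latent, but the line should read `[success=end default=ignore]	pam_sss.so ignore_unknown_user use_first_pass` so a later priority change does not surface it. The profile also inverts the order a stock Debian install uses (unix ahead of sss) and adds `ignore_unknown_user`; since this file format carries no comments, the role's README or the installing task should record which lines differ from stock and why, so the next person re-deriving it after a package upgrade knows what to preserve.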
diff --git a/ad-auth/files/pam/unix-custom b/ad-auth/files/pam/unix-custom
new file mode 100644
index 0000000000000000000000000000000000000000..17aee25ed554c3063ca2c27e5292d9eef4bb9c9f
--- /dev/null
+++ b/ad-auth/files/pam/unix-custom
@@ -0,0 +1,24 @@
+Name: Unix authentication
+Default: yes
+Conflicts: unix
+Priority: 300
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure sha512
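Review bot: `use_first_pass` on the `Auth-Initial:` line is wrong for the first primary module: there is no stacked password at that point, so pam_unix returns an error without prompting and, with `default=ignore`, the stack falls through to a denial. This profile currently works only because sss-custom (Priority 301) always runs first and puts the password on the stack with `forward_pass`; if that profile is disabled or sssd is removed, local console login breaks with no prompt at all. The stock `unix` profile uses no `use_first_pass` on `Auth-Initial` and `try_first_pass` on `Auth`; the initial line should be `[success=end default=ignore]	pam_unix.so nullok_secure`. Separately, `nullok_secure` permits accounts with an empty password to log in on ttys listed in the securetty file; if the hosts this role targets are not meant to have such accounts, drop it from both lines, and note that this Debian-specific option is not accepted by every pam_unix version the role may meet (to be confirmed against the target release).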
diff --git a/ad-auth/tasks/pam.yml b/ad-auth/tasks/pam.yml
index 43973a66df3ded959eb1fcdfb3b28a66bf9dbdf6..b0032143fd9e8f44f1c813418b7504eedf0f0b5d 100644
--- a/ad-auth/tasks/pam.yml
+++ b/ad-auth/tasks/pam.yml
@@ -1,14 +1,35 @@
 ---
-# file: roles/ad-auth/tasks/pam.yml
 
-- name: ensure pam applies a general umask
+- name: retrieve data of overwritten pam configs (unix)
+  stat:
+    path: "/usr/share/pam-configs/unix"
+    checksum_algorithm: "sha1"
+  register: "pamunix"
+
+- name: retrieve data of overwritten pam configs (sss)
+  stat:
+    path: "/usr/share/pam-configs/sss"
+    checksum_algorithm: "sha1"
+  register: "pamsss"
+
+- name: check that overwritten pam configs were not updated
+  fail:
+    msg: "The original PAM configs (unix/sss) that we overwrite have changed."
+  when: (pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
+      or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
+
+- name: ensure pam applies customized configs
   copy:
-    src: pam/umask
-    dest: /usr/share/pam-configs/umask
+    src: "pam/{{ item }}"
+    dest: "/usr/share/pam-configs/{{ item }}"
     owner: root
     group: root
     mode: '0644'
   notify:
     - regenerate pam config
+  with_items:
+    - umask
+    - sss-custom
+    - unix-custom
   tags:
     - pam
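Review bot: The guard in "check that overwritten pam configs were not updated" dereferences `pamunix.stat.checksum` and `pamsss.stat.checksum`, which the `stat` module does not return when the path does not exist (only `stat.exists: false`), so on a host where the sss profile is missing the play aborts with an undefined-attribute error instead of the intended message. Make the condition explicit about existence, e.g. `when: not (pamunix.stat.exists and pamsss.stat.exists) or pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10' or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d'`. The pinned SHA-1 values are a change detector, not an integrity control, and they will trip on every package upgrade of the stock profiles; a comment above the `fail` task such as `# Pinned to the stock profiles the *-custom files were derived from; re-diff and update both when these change.` tells the operator what to do when it fires. The task names and message also say the stock files are "overwritten", but the copy installs `sss-custom`/`unix-custom` alongside them and shadows them via `Conflicts:`, so "shadowed" would describe the mechanism accurately.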