diff --git a/ad-auth/tasks/pam.yml b/ad-auth/tasks/pam.yml
index b0032143fd9e8f44f1c813418b7504eedf0f0b5d..b61382359bf1991ad6ce0ce6d17c6ce6f88061e2 100644
--- a/ad-auth/tasks/pam.yml
+++ b/ad-auth/tasks/pam.yml
@@ -14,9 +14,15 @@
 
 - name: check that overwritten pam configs were not updated
   fail:
-    msg: "The original PAM configs (unix/sss) that we overwrite have changed."
-  when: (pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
-      or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
+    msg: "The original PAM configs (sss) that we overwrite have changed."
+  when: pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d'
+
+- name: check that overwritten pam configs were not updated
+  fail:
+    msg: "The original PAM configs (unix) that we overwrite have changed."
+  when:
+    - pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
+    - pamunix.stat.checksum != 'f3703a58a041745d6b70b9ebb179736653d32ef4'
 
 - name: ensure pam applies customized configs
   copy:
diff --git a/ad-auth/templates/sssd.conf.j2 b/ad-auth/templates/sssd.conf.j2
index 79bb05054500deff59ab83adc3d6278da3c91de7..f204293949bbdb4166384db75f057e05e7026cb1 100644
--- a/ad-auth/templates/sssd.conf.j2
+++ b/ad-auth/templates/sssd.conf.j2
@@ -1,7 +1,9 @@
 [sssd]
 domains = {{ domain }}
 config_file_version = 2
+{% if ansible_distribution_major_version|int(default=99) < 11 %}
 services = nss, pam
+{% endif %}
 
 [pam]
 offline_credentials_expiration = 1