diff --git a/ad-auth/files/pam/unix-custom b/ad-auth/files/pam/unix-custom
deleted file mode 100644
index 17aee25ed554c3063ca2c27e5292d9eef4bb9c9f..0000000000000000000000000000000000000000
--- a/ad-auth/files/pam/unix-custom
+++ /dev/null
@@ -1,24 +0,0 @@
-Name: Unix authentication
-Default: yes
-Conflicts: unix
-Priority: 300
-Auth-Type: Primary
-Auth:
-	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
-Auth-Initial:
-	[success=end default=ignore]	pam_unix.so use_first_pass nullok_secure
-Account-Type: Primary
-Account:
-	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
-Account-Initial:
-	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
-Session-Type: Additional
-Session:
-	required	pam_unix.so
-Session-Initial:
-	required	pam_unix.so
-Password-Type: Primary
-Password:
-	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
-Password-Initial:
-	[success=end default=ignore]	pam_unix.so obscure sha512
diff --git a/ad-auth/handlers/main.yml b/ad-auth/handlers/main.yml
index 9e5ae987c0a44971163c27dc568f960dec0f6779..27f2e9ea390094e8202bab9f17bd5a43e6f26b83 100644
--- a/ad-auth/handlers/main.yml
+++ b/ad-auth/handlers/main.yml
@@ -1,9 +1,23 @@
 ---
 
-- name: regenerate pam config
+# I kill that cat
+- name: disable pam-auth-update heuristic
+  file:
+    path: /var/lib/pam/
+    state: "{{ item }}"
+    mode: "0755"
+    owner: root
+    group: root
+  with_items:
+    - absent
+    - directory
+  listen: "regenerate pam config"
+
+- name: update pam
   command: pam-auth-update --force
   environment:
     DEBIAN_FRONTEND: noninteractive
+  listen: "regenerate pam config"
 
 - name: clear sssd cache
   command: sss_cache -E
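Review bot: The comment `# I kill that cat` above `disable pam-auth-update heuristic` does not say what is discarded when `/var/lib/pam/` is removed and recreated, or why that has to happen before `pam-auth-update --force`. That directory presumably holds pam-auth-update's saved state (the profiles it has already seen and its copies of the generated common-* files), so after the reset followed by `--force`, hand edits under /etc/pam.d/common-* are overwritten without warning. If that is the intent, say so in the comment, for example `# Reset pam-auth-update state in /var/lib/pam so --force rebuilds common-* from the selected profiles only; local edits to /etc/pam.d/common-* are discarded`. Since the same state records which profiles have been seen, it is worth confirming on a test host that no unwanted `Default: yes` profile becomes enabled after the reset.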
diff --git a/ad-auth/tasks/pam.yml b/ad-auth/tasks/pam.yml
index b61382359bf1991ad6ce0ce6d17c6ce6f88061e2..ec299edcc578ef2dd3e3693dbf26c5bfd7bebea1 100644
--- a/ad-auth/tasks/pam.yml
+++ b/ad-auth/tasks/pam.yml
@@ -25,17 +25,34 @@
     - pamunix.stat.checksum != 'f3703a58a041745d6b70b9ebb179736653d32ef4'
 
 - name: ensure pam applies customized configs
-  copy:
-    src: "pam/{{ item }}"
+  template:
+    src: "pam/{{ item }}.j2"
     dest: "/usr/share/pam-configs/{{ item }}"
     owner: root
     group: root
     mode: '0644'
   notify:
+    - disable pam-auth-update heuristic
     - regenerate pam config
   with_items:
     - umask
     - sss-custom
     - unix-custom
-  tags:
-    - pam
+
+- name: ensure we readout current debconf
+  debconf:
+    name: libpam-runtime
+  register: debconf_libpam
+
+- name: ensure debconf is updated
+  debconf:
+    name: libpam-runtime
+    question: libpam-runtime/profiles
+    vtype: multiselect
+    value: >-
+      {{ debconf_libpam["current"]["libpam-runtime/profiles"].split(", ") |
+         map("regex_replace", '^(unix|sss)$', '\\1-custom') |
+         join(', ') }}
+  notify:
+    - disable pam-auth-update heuristic
+    - regenerate pam config
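Review bot: The `value` expression in `ensure debconf is updated` indexes `debconf_libpam["current"]["libpam-runtime/profiles"]` without checking that the key exists. On a host where that question has never been answered, the task would presumably fail on an undefined value (the debconf state is not visible here). A guard such as `when: "'libpam-runtime/profiles' in debconf_libpam.current"` limits the rewrite to hosts that have a selection to rewrite, and avoids any temptation to default to an empty profile list, which would leave no authentication profile selected. The hunk also drops `tags: - pam` from the template task, so a run filtered with `--tags pam` no longer deploys the profiles; if that is deliberate it deserves a line in the commit message. Naming `disable pam-auth-update heuristic` in `notify` is redundant, because that handler already listens on `regenerate pam config`.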
diff --git a/ad-auth/files/pam/sss-custom b/ad-auth/templates/pam/sss-custom.j2
similarity index 94%
rename from ad-auth/files/pam/sss-custom
rename to ad-auth/templates/pam/sss-custom.j2
index fc1f9c8926bad3bb3ab24a489a054678bf64ac7e..7d10114ef003d4b12e7dd52aca631fabfa0de264 100644
--- a/ad-auth/files/pam/sss-custom
+++ b/ad-auth/templates/pam/sss-custom.j2
@@ -1,4 +1,4 @@
-Name: SSS authentication
+Name: SSS authentication custom
 Default: yes
 Conflicts: sss
 Priority: 301
diff --git a/ad-auth/files/pam/umask b/ad-auth/templates/pam/umask.j2
similarity index 100%
rename from ad-auth/files/pam/umask
rename to ad-auth/templates/pam/umask.j2
diff --git a/ad-auth/templates/pam/unix-custom.j2 b/ad-auth/templates/pam/unix-custom.j2
new file mode 100644
index 0000000000000000000000000000000000000000..085ea05256fb3b44c58a2e0e103fe98ef950f828
--- /dev/null
+++ b/ad-auth/templates/pam/unix-custom.j2
@@ -0,0 +1,25 @@
+Name: Unix authentication custom
+Default: yes
+Conflicts: unix
+Priority: 300
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }} 
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
+
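Review bot: On releases 11 and later the `Auth` and `Auth-Initial` lines now carry plain `nullok`, which lets pam_unix accept an account with an empty password for every service that includes common-auth, whereas `nullok_secure` limited that to secure ttys. For a role whose purpose is central AD authentication, consider omitting the option on the new branch, `{{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "" }}`, unless empty-password local accounts are a requirement. The test also keys only on `ansible_distribution_major_version`, with `default=99`, so any non-Debian host or unparsable version takes the `nullok`/`yescrypt` branch. On a pam_unix build without yescrypt support the option is presumably not honoured, so it is worth also checking `ansible_distribution == "Debian"` and verifying the resulting hash prefix in /etc/shadow. The same expression is repeated four times and line 7 of the template has trailing whitespace; a single `{% set %}` at the top would keep the branches from drifting apart.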