@%@UCRWARNING=# @%@

@!@
if configRegistry.is_true('auth/faillog', False):
    print('account  required          pam_faillock.so')

krb5_minimum_uid = int(configRegistry.get('pam/krb5/minimum_uid', 1000))

print('''
# local unix authentication; deny access if account is expired
account  [success=done new_authtok_reqd=done \\
         acct_expired=bad \\
         default=ignore]   pam_unix.so
''')

print('''
# remote authentication; if a service
# - isn't aware of the user, proceed with the next service
'''.strip())

pam_krb5 = '''
account  [success=1 default=ignore]   pam_succeed_if.so quiet service = samba
account  <action>        pam_krb5.so minimum_uid=%d''' % (krb5_minimum_uid,)
pam_sss = '''
account  <action>        pam_sss.so'''
pam_winbind = '''
account  <action>        pam_winbind.so'''


def pam_section(template, index):
    action = 'required  ' if index <= 1 else 'sufficient'
    return template.replace('<action>', action)


methods = set(configRegistry['auth/methods'].split(' ')) & {'krb5', 'ldap', 'winbind'}
index = len(methods)

if 'krb5' in methods:
    print(pam_section(pam_krb5, index))
    index -= 1
if 'ldap' in methods:
    print(pam_section(pam_sss, index))
    index -= 1
if 'winbind' in methods:
    print(pam_section(pam_winbind, index))
@!@
