@@ -, +, @@ 
---
 pambase.py                   |  7 ++++++-
 templates/system-auth.tpl    | 38 ++++++++++++++++++++++++++++++------
 templates/system-session.tpl |  4 ++++
 3 files changed, 42 insertions(+), 7 deletions(-)
--- a/pambase.py	
+++ a/pambase.py	
@@ -19,6 +19,7 @@ def main():
     parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
     parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
     parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+    parser.add_argument('--sssd', action="store_true", help='enable sssd.so module')
     parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module')
     parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
     parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
@@ -41,7 +42,8 @@ def process_args(args):
         "unix_authtok",
         "unix_extended_encryption",
         "likeauth",
-        "nullok"
+        "nullok",
+        "local_users_only"
     ]
 
     # create a blank dictionary
@@ -62,6 +64,9 @@ def process_args(args):
     if args.krb5:
         output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
 
+    if args.sssd:
+        output["local_users_only"] = "local_users_only"
+
     if args.yescrypt:
         output["unix_extended_encryption"] = "yescrypt shadow"
     elif args.sha512:
--- a/templates/system-auth.tpl	
+++ a/templates/system-auth.tpl	
@@ -7,34 +7,55 @@ auth		sufficient	pam_ssh.so
 auth		[success={{ 4 if homed else 3 }} default=ignore]      pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if sssd %}
+auth		[default=1 ignore=ignore success=ok]	pam_usertype.so isregular
+auth		[default=3 ignore=ignore success=ok]	pam_localuser.so
+{% endif %}
+
 auth		requisite	pam_faillock.so preauth
+
 {% if homed %}
 auth            [success=2 default=ignore]      pam_systemd_home.so
 {% endif %}
+
+{% if sssd %}
+auth            sufficient    pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }}
+{% else %}
 auth            [success=1 default=ignore]      pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% endif %}
 auth		[default=die]	pam_faillock.so authfail
-
+{% if sssd %}
+auth		sufficient	pam_sss.so forward_pass {{ debug|default('', true) }}
+{% endif %}
 {% if caps %}
 auth		optional	pam_cap.so
 {% endif %}
-
+{% if sssd %}
+auth		sufficient	pam_deny.so
+{% endif %}
 {% if krb5 %}
 account		[success=2 default=ignore]	pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 {% if homed %}
-account         [success=1 default=ignore]      pam_systemd_home.so
+account         [success={{ 2 if sssd else 1 }} default=ignore]      pam_systemd_home.so
 {% endif %}
 
 account		required	pam_unix.so {{ debug|default('', true) }}
 account         required        pam_faillock.so
+{% if sssd %}
+account		sufficient	pam_localuser.so
+account		sufficient	pam_usertype.so issystem
+account		[default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }}
+account		required	pam_permit.so
+{% endif %}
 
 {% if passwdqc %}
 password	required	pam_passwdqc.so config=/etc/security/passwdqc.conf
 {% endif %}
 
 {% if pwquality %}
-password        required        pam_pwquality.so
+password        required        pam_pwquality.so {{ local_users_only|default('', true ) }}
 {% endif %}
 
 {% if pwhistory %}
@@ -50,9 +71,14 @@ password        [success=1 default=ignore]      pam_systemd_home.so
 {% endif %}
 
 {% if passwdqc or pwquality %}
-password	required	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password	{{ 'sufficient' if sssd else 'required' }}	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}
-password        required        pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password        {{ 'sufficient' if sssd else 'required' }}        pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+{% endif %}
+
+{% if sssd %}
+password	sufficient	pam_sss.so use_authtok
+password	required	pam_deny.so
 {% endif %}
 
 {% if pam_ssh %}
--- a/templates/system-session.tpl	
+++ a/templates/system-session.tpl	
@@ -13,3 +13,7 @@ session         [success=1 default=ignore]      pam_systemd_home.so
 {% endif %}
 
 session		required	pam_unix.so {{ debug|default('', true) }}
+
+{% if sssd %}
+session		optional	pam_sss.so {{ debug|default('', true) }}
+{% endif %}
--