clarify pam configs

docs/el/freeipa.md

@@ -691,21 +691,17 @@ be changed.
 % sudo vi /etc/pam.d/authorization
 # authorization: auth account
 # Originally we used default_principal but it was found it can cause issues on
-# Sonoma and newer. As a result, the below file may appear to be close to the
-# default. You may still use default_principal if you wish.
-#auth          optional       pam_krb5.so use_first_pass use_kcminit default_principal
-auth          optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
+# Sonoma and newer. If you have issues, remove default_principal.
+auth          optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache default_principal
 auth          optional       pam_ntlm.so use_first_pass
 auth          required       pam_opendirectory.so use_first_pass nullok
 account       required       pam_opendirectory.so
 
 % sudo vi /etc/pam.d/screensaver
 # screensaver: auth account
 # Originally we used default_principal but it was found it can cause issues on
-# Sonoma and newer. As a result, the below file may appear to be close to the
-# default if you wish.
-#auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
-auth       optional       pam_krb5.so use_first_pass use_kcminit
+# Sonoma and newer. If you have issues, remove default_principal
+auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
 auth       required       pam_opendirectory.so use_first_pass nullok
 account    required       pam_opendirectory.so
 account    sufficient     pam_self.so
@@ -715,7 +711,7 @@ account    required       pam_group.so no_warn deny group=admin,wheel ruser fail
 % sudo vi /etc/pam.d/passwd
 # Originally the line below was required. There may be issues with
 # having it on Sonoma and newer. YMMV.
-# password   sufficient     pam_krb5.so
+password   sufficient     pam_krb5.so
 auth       required       pam_permit.so
 account    required       pam_opendirectory.so
 password   required       pam_opendirectory.so