From 224d2cf76ba09e5ca609d94b926df38f8fc71243 Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Tue, 25 Jun 2024 14:01:38 -0700
Subject: [PATCH] clarify pam configs
---
 docs/el/freeipa.md | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/docs/el/freeipa.md b/docs/el/freeipa.md
index 0610282a..2ba069ba 100644
--- a/docs/el/freeipa.md
+++ b/docs/el/freeipa.md
@@ -691,10 +691,8 @@ be changed.
 % sudo vi /etc/pam.d/authorization
 # authorization: auth account
 # Originally we used default_principal but it was found it can cause issues on
-# Sonoma and newer. As a result, the below file may appear to be close to the
-# default. You may still use default_principal if you wish.
-#auth optional pam_krb5.so use_first_pass use_kcminit default_principal
-auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache
+# Sonoma and newer. If you have issues, remove default_principal.
+auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache default_principal
 auth optional pam_ntlm.so use_first_pass
 auth required pam_opendirectory.so use_first_pass nullok
 account required pam_opendirectory.so
@@ -702,10 +700,8 @@ account required pam_opendirectory.so
 % sudo vi /etc/pam.d/screensaver
 # screensaver: auth account
 # Originally we used default_principal but it was found it can cause issues on
-# Sonoma and newer. As a result, the below file may appear to be close to the
-# default if you wish.
-#auth optional pam_krb5.so use_first_pass use_kcminit default_principal
-auth optional pam_krb5.so use_first_pass use_kcminit
+# Sonoma and newer. If you have issues, remove default_principal
+auth optional pam_krb5.so use_first_pass use_kcminit default_principal
 auth required pam_opendirectory.so use_first_pass nullok
 account required pam_opendirectory.so
 account sufficient pam_self.so
@@ -715,7 +711,7 @@ account required pam_group.so no_warn deny group=admin,wheel ruser fail
 % sudo vi /etc/pam.d/passwd
 # Originally the line below was required. There may be issues with
 # having it on Sonoma and newer. YMMV.
-# password sufficient pam_krb5.so
+password sufficient pam_krb5.so
 auth required pam_permit.so
 account required pam_opendirectory.so
 password required pam_opendirectory.so