From c5c38f0ecec7ffbb2fb5c74fe9cc129bf382e963 Mon Sep 17 00:00:00 2001
From: Louis Abel <tucklesepk@gmail.com>
Date: Tue, 18 Jun 2024 08:28:32 -0700
Subject: [PATCH] adjust pam comments

---
 docs/el/freeipa.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docs/el/freeipa.md b/docs/el/freeipa.md
index 85fd8a06..56473dad 100644
--- a/docs/el/freeipa.md
+++ b/docs/el/freeipa.md
@@ -692,7 +692,8 @@ be changed.
 # authorization: auth account
 # Originally we used default_principal but it was found it can cause issues on
 # Sonoma and newer. As a result, the below file may appear to be close to the
-# default.
+# default. You may still use default_principal if you wish.
+#auth          optional       pam_krb5.so use_first_pass use_kcminit default_principal
 auth          optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
 auth          optional       pam_ntlm.so use_first_pass
 auth          required       pam_opendirectory.so use_first_pass nullok
@@ -702,7 +703,8 @@ account       required       pam_opendirectory.so
 # screensaver: auth account
 # Originally we used default_principal but it was found it can cause issues on
 # Sonoma and newer. As a result, the below file may appear to be close to the
-# default.
+# default if you wish.
+#auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
 auth       optional       pam_krb5.so use_first_pass use_kcminit
 auth       required       pam_opendirectory.so use_first_pass nullok
 account    required       pam_opendirectory.so
@@ -712,7 +714,7 @@ account    required       pam_group.so no_warn deny group=admin,wheel ruser fail
 
 % sudo vi /etc/pam.d/passwd
 # Originally the line below was required. There may be issues with
-# having it on Sonoma and newer.
+# having it on Sonoma and newer. YMMV.
 # password   sufficient     pam_krb5.so
 auth       required       pam_permit.so
 account    required       pam_opendirectory.so