From b8e091142f1136becc945a0082d233bd0d493241 Mon Sep 17 00:00:00 2001
From: Jim Madge <jmadge@turing.ac.uk>
Date: Fri, 2 Aug 2024 14:07:36 +0100
Subject: [PATCH] Add required PAM rule after pam_systemd.so

---
 .../resources/workspace/ansible/desired_state.yaml         | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/data_safe_haven/resources/workspace/ansible/desired_state.yaml b/data_safe_haven/resources/workspace/ansible/desired_state.yaml
index 3c7f569e92..7d2d6ffa1f 100644
--- a/data_safe_haven/resources/workspace/ansible/desired_state.yaml
+++ b/data_safe_haven/resources/workspace/ansible/desired_state.yaml
@@ -66,9 +66,12 @@
         name: common-session
         type: session
         control: optional
-        module_path: pam_mkhomedir.so
+        module_path: pam_systemd.so
+        new_type: session
+        new_control: optional
+        new_module_path: pam_mkhomedir.so
         module_arguments: 'skel=/etc/skel umask=0022'
-        state: args_present
+        state: after
       notify: Update PAM auth
 
     - name: Don't prompt to change expired passwords via ldap