diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ only), 1.9.3, 2.0.0 and 2.1.0.
  * OpenSuSE 13.1
  * Ubuntu 12.04 LTS
  * Ubuntu 14.04 LTS
+ * Ubuntu 16.04 LTS
  * Debian 8.2
 
 EL no longer requires the `redhat-lsb` package.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -820,8 +820,45 @@
                 ]
               }
             }
+            '16.04': {
+              $default_pam_d_login_template = 'pam/login.ubuntu16.erb'
+              $default_pam_d_sshd_template  = 'pam/sshd.ubuntu16.erb'
+              $default_package_name         = 'libpam0g'
+
+              if $ensure_vas == 'present' {
+                fail("/Pam: vas is not supported on Ubuntu ${::lsbdistrelease}/")
+              } else {
+
+                $default_pam_auth_lines = [
+                  'auth  [success=1 default=ignore]  pam_unix.so nullok_secure',
+                  'auth  requisite     pam_deny.so',
+                  'auth  required      pam_permit.so',
+                ]
+
+                $default_pam_account_lines = [
+                  'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so',
+                  'account requisite     pam_deny.so',
+                  'account required      pam_permit.so',
+                ]
+
+                $default_pam_password_lines = [
+                  'password  [success=1 default=ignore]  pam_unix.so obscure sha512',
+                  'password  requisite     pam_deny.so',
+                  'password  required      pam_permit.so',
+                ]
+
+                $default_pam_session_lines = [
+                  'session [default=1]   pam_permit.so',
+                  'session requisite     pam_deny.so',
+                  'session required      pam_permit.so',
+                  'session optional      pam_umask.so',
+                  'session required      pam_unix.so',
+                  'session optional      pam_systemd.so',
+                ]
+              }
+            }
             default: {
-              fail("Pam is only supported on Ubuntu 12.04 and 14.04. Your lsbdistrelease is identified as <${::lsbdistrelease}>.")
+              fail("Pam is only supported on Ubuntu 12.04, 14.04 and 16.04. Your lsbdistrelease is identified as <${::lsbdistrelease}>.")
             }
           }
         }

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "2.23.0",
+  "version": "2.24.0",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "license": "Apache-2.0",
@@ -92,7 +92,8 @@
       "operatingsystem": "Ubuntu",
       "operatingsystemrelease": [
         "12.04",
-        "14.04"
+        "14.04",
+        "16.04"
       ]
     },
     {

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -151,6 +151,17 @@
             :types          => ['auth', 'account', 'password', 'session', 'noninteractive_session' ],
           }, ],
       },
+    'ubuntu1604'            =>
+      { :osfamily           => 'Debian',
+        :lsbdistid          => 'Ubuntu',
+        :release            => '16.04',
+        :releasetype        => 'lsbdistrelease',
+        :packages           => [ 'libpam0g', ],
+        :files              => [
+          { :prefix         => 'pam_common_',
+            :types          => ['auth', 'account', 'password', 'session', 'noninteractive_session' ],
+          }, ],
+      },
     'debian82'              =>
     { :osfamily             => 'Debian',
       :lsbdistid            => 'Debian',
@@ -313,6 +324,15 @@
             next
           end
 
+          if check == 'vas' and v[:osfamily] == 'Debian' and v[:release] == '16.04'
+            it 'should fail' do
+              expect {
+                should contain_class('pam')
+              }.to raise_error(Puppet::Error,/Pam: vas is not supported on #{v[:lsbdistid]} #{v[:release]}/)
+            end
+            next
+          end
+
           v[:files].each do |file|
             group = file[:group] || 'root'
             dirpath = file[:dirpath] || '/etc/pam.d/'
@@ -579,7 +599,7 @@
           it { should_not contain_file('pam_password_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) }
         end
 
-        if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu'
+        if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu' and v[:release] != '16.04'
           it { should contain_class('pam::accesslogin') }
           it { should contain_class('pam::limits') }
 

diff --git a/spec/fixtures/pam_common_account.defaults.ubuntu1604 b/spec/fixtures/pam_common_account.defaults.ubuntu1604
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
+account requisite     pam_deny.so
+account required      pam_permit.so
diff --git a/spec/fixtures/pam_common_account.vas.ubuntu1604 b/spec/fixtures/pam_common_account.vas.ubuntu1604
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+account sufficient  pam_vas3.so
+account requisite   pam_vas3.so echo_return
+account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
+account requisite   pam_deny.so
+account required    pam_permit.so
diff --git a/spec/fixtures/pam_common_auth.defaults.ubuntu1604 b/spec/fixtures/pam_common_auth.defaults.ubuntu1604
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth  [success=1 default=ignore]  pam_unix.so nullok_secure
+auth  requisite     pam_deny.so
+auth  required      pam_permit.so
diff --git a/spec/fixtures/pam_common_auth.vas.ubuntu1604 b/spec/fixtures/pam_common_auth.vas.ubuntu1604
@@ -0,0 +1,6 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+auth        required    pam_env.so
+auth        sufficient  pam_vas3.so show_lockout_msg get_nonvas_pass store_creds
+auth        requisite   pam_vas3.so echo_return
+auth        required    pam_unix.so use_first_pass
diff --git a/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1604 b/spec/fixtures/pam_common_noninteractive_session.defaults.ubuntu1604
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session optional      pam_umask.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1604 b/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1604
@@ -0,0 +1,9 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session  [default=1] pam_permit.so
+session requisite pam_deny.so
+session required  pam_permit.so
+session optional  pam_umask.so
+session required  pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required  pam_unix.so
diff --git a/spec/fixtures/pam_common_password.defaults.ubuntu1604 b/spec/fixtures/pam_common_password.defaults.ubuntu1604
@@ -0,0 +1,5 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password  [success=1 default=ignore]  pam_unix.so obscure sha512
+password  requisite     pam_deny.so
+password  required      pam_permit.so
diff --git a/spec/fixtures/pam_common_password.vas.ubuntu1604 b/spec/fixtures/pam_common_password.vas.ubuntu1604
@@ -0,0 +1,7 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+password sufficient  pam_vas3.so
+password  requisite pam_vas3.so echo_return
+password  [success=1 default=ignore]  pam_unix.so obscure sha512
+password  requisite pam_deny.so
+password  required  pam_permit.so
diff --git a/spec/fixtures/pam_common_session.defaults.ubuntu1604 b/spec/fixtures/pam_common_session.defaults.ubuntu1604
@@ -0,0 +1,8 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session [default=1]   pam_permit.so
+session requisite     pam_deny.so
+session required      pam_permit.so
+session optional      pam_umask.so
+session required      pam_unix.so
+session optional      pam_systemd.so
diff --git a/spec/fixtures/pam_common_session.vas.ubuntu1604 b/spec/fixtures/pam_common_session.vas.ubuntu1604
@@ -0,0 +1,9 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+session  [default=1] pam_permit.so
+session requisite pam_deny.so
+session required  pam_permit.so
+session optional  pam_umask.so
+session required  pam_vas3.so create_homedir
+session requisite pam_vas3.so echo_return
+session required  pam_unix.so
diff --git a/spec/fixtures/pam_d_login.defaults.ubuntu1604 b/spec/fixtures/pam_d_login.defaults.ubuntu1604
@@ -0,0 +1,18 @@
+auth     optional   pam_faildelay.so  delay=3000000
+auth     [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth     requisite  pam_nologin.so
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session  required   pam_env.so readenv=1
+session  required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth     optional   pam_group.so
+session  required   pam_limits.so
+session  optional   pam_lastlog.so
+session  optional   pam_motd.so  motd=/run/motd.dynamic
+session  optional   pam_motd.so noupdate
+session  optional   pam_mail.so standard
+session  required   pam_loginuid.so
+@include common-account
+@include common-session
+@include common-password
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/spec/fixtures/pam_d_sshd.defaults.ubuntu1604 b/spec/fixtures/pam_d_sshd.defaults.ubuntu1604
@@ -0,0 +1,13 @@
+@include common-auth
+account  required     pam_nologin.so
+@include common-account
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session  required     pam_loginuid.so
+session  optional     pam_keyinit.so force revoke
+@include common-session
+session  optional     pam_motd.so  motd=/run/motd.dynamic
+session  optional     pam_motd.so  noupdate
+session  required     pam_limits.so
+session  required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password
diff --git a/templates/login.ubuntu16.erb b/templates/login.ubuntu16.erb
@@ -0,0 +1,18 @@
+auth     optional   pam_faildelay.so  delay=3000000
+auth     [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth     requisite  pam_nologin.so
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session  required   pam_env.so readenv=1
+session  required   pam_env.so readenv=1 envfile=/etc/default/locale
+@include common-auth
+auth     optional   pam_group.so
+session  required   pam_limits.so
+session  optional   pam_lastlog.so
+session  optional   pam_motd.so  motd=/run/motd.dynamic
+session  optional   pam_motd.so noupdate
+session  optional   pam_mail.so standard
+session  required   pam_loginuid.so
+@include common-account
+@include common-session
+@include common-password
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/templates/sshd.ubuntu16.erb b/templates/sshd.ubuntu16.erb
@@ -0,0 +1,13 @@
+@include common-auth
+account  required     pam_nologin.so
+@include common-account
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+session  required     pam_loginuid.so
+session  optional     pam_keyinit.so force revoke
+@include common-session
+session  optional     pam_motd.so  motd=/run/motd.dynamic
+session  optional     pam_motd.so  noupdate
+session  required     pam_limits.so
+session  required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+session  [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+@include common-password