diff --git a/.gitignore b/.gitignore
@@ -21,11 +21,14 @@ doc/
 # Vim
 *.swp
 
+# Eclipse
+.project
+
 # OS X
 .DS_Store
 
 # Puppet
 coverage/
-spec/fixtures/modules/*
 spec/fixtures/manifests/*
+spec/fixtures/modules/*
 Gemfile.lock
diff --git a/.travis.yml b/.travis.yml
@@ -26,11 +26,14 @@ env:
     - PUPPET_GEM_VERSION="~> 4.4.0"
     - PUPPET_GEM_VERSION="~> 4.5.0"
     - PUPPET_GEM_VERSION="~> 4.6.0"
+    - PUPPET_GEM_VERSION="~> 4.7.0"
+    - PUPPET_GEM_VERSION="~> 4.8.0"
+    - PUPPET_GEM_VERSION="~> 4.9.0"
     - PUPPET_GEM_VERSION="~> 4"
 
 sudo: false
 
-script: 'bundle exec rake validate && bundle exec rake lint && SPEC_OPTS="--format documentation" bundle exec rake spec'
+script: 'SPEC_OPTS="--format documentation" bundle exec rake validate lint spec'
 
 matrix:
   fast_finish: true
@@ -60,6 +63,20 @@ matrix:
     - rvm: 1.8.7
       env: PUPPET_GEM_VERSION="~> 4.6.0"
     - rvm: 1.8.7
+      env: PUPPET_GEM_VERSION="~> 4.7.0"
+    - rvm: 1.8.7
+      env: PUPPET_GEM_VERSION="~> 4.8.0"
+    - rvm: 1.8.7
+      env: PUPPET_GEM_VERSION="~> 4.9.0"
+    - rvm: 1.9.3
+      env: PUPPET_GEM_VERSION="~> 4.9.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 4.9.0"
+    - rvm: 1.8.7
+      env: PUPPET_GEM_VERSION="~> 4"
+    - rvm: 1.9.3
+      env: PUPPET_GEM_VERSION="~> 4"
+    - rvm: 2.0.0
       env: PUPPET_GEM_VERSION="~> 4"
     - rvm: 2.3.1
       env: PUPPET_GEM_VERSION="~> 3.1.0"

diff --git a/Gemfile b/Gemfile
@@ -6,7 +6,6 @@ else
   gem 'puppet', :require => false
 end
 
-gem 'metadata-json-lint'
 gem 'puppetlabs_spec_helper', '>= 1.2.0'
 gem 'facter', '>= 1.7.0'
 gem 'rspec-puppet'
@@ -27,3 +26,5 @@ gem 'rspec',     '~> 2.0'   if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
 gem 'rake',      '~> 10.0'  if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
 gem 'json',      '<= 1.8'   if RUBY_VERSION < '2.0.0'
 gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
+gem 'metadata-json-lint', '0.0.11'   if RUBY_VERSION < '1.9'
+gem 'metadata-json-lint'             if RUBY_VERSION >= '1.9'
diff --git a/README.md b/README.md
@@ -463,6 +463,12 @@ Boolean to purge the limits.d directory.
 
 - *Default*: false
 
+manage_nsswitch
+------------------
+Boolean to manage the inclusion of the nsswitch class.
+
+- *Default*: true
+
 ===
 
 # pam::limits::fragment define

diff --git a/Rakefile b/Rakefile
@@ -1,6 +1,5 @@
 require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-lint/tasks/puppet-lint'
-
 PuppetLint.configuration.send('disable_80chars')
 PuppetLint.configuration.send('disable_140chars')
 PuppetLint.configuration.relative = true

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -54,9 +54,18 @@
   $system_auth_ac_password_lines       = undef,
   $system_auth_ac_session_lines        = undef,
   $vas_major_version                   = '4',
+  $manage_nsswitch                     = true,
 ) {
 
-  include ::nsswitch
+  if is_string($manage_nsswitch) == true {
+    $manage_nsswitch_real = str2bool($manage_nsswitch)
+  } else {
+    $manage_nsswitch_real = $manage_nsswitch
+  }
+
+  if $manage_nsswitch_real == true {
+    include ::nsswitch
+  }
 
   case $::osfamily {
     'RedHat': {
@@ -830,7 +839,45 @@
               $default_package_name         = 'libpam0g'
 
               if $ensure_vas == 'present' {
-                fail("/Pam: vas is not supported on Ubuntu ${::lsbdistrelease}/")
+                if $vas_major_version == '3' {
+                  fail("Pam is only supported with vas_major_version 4 on Ubuntu 16.04. Your vas_major_version is <${vas_major_version}>.")
+                }
+
+                $default_pam_auth_lines = [
+                  'auth sufficient pam_vas3.so create_homedir get_nonvas_pass',
+                  'auth requisite  pam_vas3.so echo_return',
+                  'auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass',
+                  'auth requisite  pam_deny.so',
+                  'auth required   pam_permit.so',
+                ]
+
+                $default_pam_account_lines = [
+                  'account sufficient pam_vas3.so',
+                  'account requisite  pam_vas3.so echo_return',
+                  'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so',
+                  'account requisite  pam_deny.so',
+                  'account required   pam_permit.so',
+                ]
+
+                $default_pam_password_lines = [
+                  'password sufficient  pam_vas3.so',
+                  'password  requisite pam_vas3.so echo_return',
+                  'password  [success=1 default=ignore]  pam_unix.so obscure sha512',
+                  'password  requisite pam_deny.so',
+                  'password  required  pam_permit.so',
+                ]
+
+                $default_pam_session_lines = [
+                  'session [default=1] pam_permit.so',
+                  'session requisite pam_deny.so',
+                  'session required  pam_permit.so',
+                  'session optional  pam_umask.so',
+                  'session required  pam_vas3.so create_homedir',
+                  'session requisite pam_vas3.so echo_return',
+                  'session required  pam_unix.so',
+                  'session optional  pam_systemd.so',
+                ]
+
               } else {
 
                 $default_pam_auth_lines = [
@@ -1185,35 +1232,35 @@
     $my_pam_session_lines = $pam_session_lines
   }
 
-if ( $::osfamily == 'RedHat' ) and ( $::operatingsystemmajrelease == '6' or $::operatingsystemmajrelease == '7' ) {
-  if $pam_password_auth_lines == undef {
-    $my_pam_password_auth_lines = $default_pam_password_auth_lines
-  } else {
-    $my_pam_password_auth_lines = $pam_password_auth_lines
-  }
-  validate_array($my_pam_password_auth_lines)
+  if ( $::osfamily == 'RedHat' ) and ( $::operatingsystemmajrelease == '6' or $::operatingsystemmajrelease == '7' ) {
+    if $pam_password_auth_lines == undef {
+      $my_pam_password_auth_lines = $default_pam_password_auth_lines
+    } else {
+      $my_pam_password_auth_lines = $pam_password_auth_lines
+    }
+    validate_array($my_pam_password_auth_lines)
 
-  if $pam_password_account_lines == undef {
-    $my_pam_password_account_lines = $default_pam_password_account_lines
-  } else {
-    $my_pam_password_account_lines = $pam_password_account_lines
-  }
-  validate_array($my_pam_password_account_lines)
+    if $pam_password_account_lines == undef {
+      $my_pam_password_account_lines = $default_pam_password_account_lines
+    } else {
+      $my_pam_password_account_lines = $pam_password_account_lines
+    }
+    validate_array($my_pam_password_account_lines)
 
-  if $pam_password_password_lines == undef {
-    $my_pam_password_password_lines = $default_pam_password_password_lines
-  } else {
-    $my_pam_password_password_lines = $pam_password_password_lines
-  }
-  validate_array($my_pam_password_password_lines)
+    if $pam_password_password_lines == undef {
+      $my_pam_password_password_lines = $default_pam_password_password_lines
+    } else {
+      $my_pam_password_password_lines = $pam_password_password_lines
+    }
+    validate_array($my_pam_password_password_lines)
 
-  if $pam_password_session_lines == undef {
-    $my_pam_password_session_lines = $default_pam_password_session_lines
-  } else {
-    $my_pam_password_session_lines = $pam_password_session_lines
+    if $pam_password_session_lines == undef {
+      $my_pam_password_session_lines = $default_pam_password_session_lines
+    } else {
+      $my_pam_password_session_lines = $pam_password_session_lines
+    }
+    validate_array($my_pam_password_session_lines)
   }
-  validate_array($my_pam_password_session_lines)
-}
 
   if $services != undef {
     create_resources('pam::service',$services)

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "2.30.0",
+  "version": "2.31.0",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "description": "Manages PAM, including specifying users and groups in access.conf, limits.conf, and limits fragments",

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -373,7 +373,7 @@
             next
           end
 
-          if check == 'vas' and v[:osfamily] == 'Debian' and v[:release] == '16.04'
+          if check == 'vas' and v[:osfamily] == 'Debian' and v[:release] == '18.04'
             it 'should fail' do
               expect {
                 should contain_class('pam')
@@ -648,7 +648,15 @@
           it { should_not contain_file('pam_password_auth_ac').with_content(/auth[\s]+sufficient[\s]+pam_vas3.so.*store_creds/) }
         end
 
-        if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu' and v[:release] != '16.04'
+        if v[:osfamily] == 'RedHat' and v[:release] != '5' and v[:release] != '6'
+          it 'should fail' do
+            expect {
+              should contain_class('pam')
+            }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 4 on/)
+          end
+        end
+
+        if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu' and ['12.04', '14.04'].include?(v[:release])
           it { should contain_class('pam::accesslogin') }
           it { should contain_class('pam::limits') }
 
@@ -686,6 +694,14 @@
             it { should contain_file("pam_common_noninteractive_session").that_requires("Package[#{pkg}]") }
           end
         end
+
+        if v[:osfamily] == 'Debian' and v[:lsbdistid] == 'Ubuntu' and v[:release] == '16.04'
+          it 'should fail' do
+            expect {
+              should contain_class('pam')
+            }.to raise_error(Puppet::Error,/Pam is only supported with vas_major_version 4/)
+          end
+        end
       end
     end
   end
@@ -829,6 +845,42 @@
         end
       end
 
+      context "with manage_nsswitch parameter default value" do
+        let :facts do
+          { :osfamily => v[:osfamily],
+            :"#{v[:releasetype]}" => v[:release],
+            :lsbdistid => v[:lsbdistid],
+          }
+        end
+        it { is_expected.to contain_class('nsswitch') }
+      end
+
+      ['true', true, 'y'].each do |value|
+        context "with manage_nsswitch parameter set to #{value}" do
+          let :facts do
+            { :osfamily => v[:osfamily],
+              :"#{v[:releasetype]}" => v[:release],
+              :lsbdistid => v[:lsbdistid],
+            }
+          end
+          let(:params) { {:manage_nsswitch => value} }
+          it { is_expected.to contain_class('nsswitch') }
+        end
+      end
+
+      ['false', false, 'n'].each do |value|
+        context "with manage_nsswitch parameter set to #{value}" do
+          let :facts do
+            { :osfamily => v[:osfamily],
+              :"#{v[:releasetype]}" => v[:release],
+              :lsbdistid => v[:lsbdistid],
+            }
+          end
+          let(:params) { {:manage_nsswitch => value} }
+          it { is_expected.not_to contain_class('nsswitch') }
+        end
+      end
+
       ['true',true,'false',false].each do |value|
         context "with limits_fragments_hiera_merge parameter specified as a valid value: #{value} on #{v[:osfamily]} with #{v[:releasetype]} #{v[:release]}" do
           let :facts do

diff --git a/spec/fixtures/pam_common_account.vas.ubuntu1604 b/spec/fixtures/pam_common_account.vas.ubuntu1604
@@ -1,7 +1,7 @@
 # This file is being maintained by Puppet.
 # DO NOT EDIT
-account sufficient  pam_vas3.so
-account requisite   pam_vas3.so echo_return
+account sufficient pam_vas3.so
+account requisite  pam_vas3.so echo_return
 account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
-account requisite   pam_deny.so
-account required    pam_permit.so
+account requisite  pam_deny.so
+account required   pam_permit.so
diff --git a/spec/fixtures/pam_common_auth.vas.ubuntu1604 b/spec/fixtures/pam_common_auth.vas.ubuntu1604
@@ -1,6 +1,7 @@
 # This file is being maintained by Puppet.
 # DO NOT EDIT
-auth        required    pam_env.so
-auth        sufficient  pam_vas3.so show_lockout_msg get_nonvas_pass store_creds
-auth        requisite   pam_vas3.so echo_return
-auth        required    pam_unix.so use_first_pass
+auth sufficient pam_vas3.so create_homedir get_nonvas_pass
+auth requisite  pam_vas3.so echo_return
+auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
+auth requisite  pam_deny.so
+auth required   pam_permit.so
diff --git a/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1604 b/spec/fixtures/pam_common_noninteractive_session.vas.ubuntu1604
@@ -1,9 +1,10 @@
 # This file is being maintained by Puppet.
 # DO NOT EDIT
-session  [default=1] pam_permit.so
+session [default=1] pam_permit.so
 session requisite pam_deny.so
 session required  pam_permit.so
 session optional  pam_umask.so
 session required  pam_vas3.so create_homedir
 session requisite pam_vas3.so echo_return
 session required  pam_unix.so
+session optional  pam_systemd.so
diff --git a/spec/fixtures/pam_common_session.vas.ubuntu1604 b/spec/fixtures/pam_common_session.vas.ubuntu1604
@@ -1,9 +1,10 @@
 # This file is being maintained by Puppet.
 # DO NOT EDIT
-session  [default=1] pam_permit.so
+session [default=1] pam_permit.so
 session requisite pam_deny.so
 session required  pam_permit.so
 session optional  pam_umask.so
 session required  pam_vas3.so create_homedir
 session requisite pam_vas3.so echo_return
 session required  pam_unix.so
+session optional  pam_systemd.so
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -1 +1,16 @@
 require 'puppetlabs_spec_helper/module_spec_helper'
+
+RSpec.configure do |config|
+  config.hiera_config = 'spec/fixtures/hiera/hiera.yaml'
+  config.before :each do
+    # Ensure that we don't accidentally cache facts and environment between
+    # test cases.  This requires each example group to explicitly load the
+    # facts being exercised with something like
+    # Facter.collection.loader.load(:ipaddress)
+    Facter.clear
+    Facter.clear_messages
+  end
+  config.default_facts = {
+    :environment => 'rp_env',
+  }
+end