diff --git a/data/os/RedHat/8.yaml b/data/os/RedHat/8.yaml
@@ -14,36 +14,58 @@ pam::package_name: pam
 
 # system-auth
 pam::pam_auth_lines:
-  - 'auth        required      pam_env.so'
-  - 'auth        sufficient    pam_unix.so try_first_pass nullok'
-  - 'auth        required      pam_deny.so'
+  - 'auth        required                                     pam_env.so'
+  - 'auth        required                                     pam_faildelay.so delay=2000000'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_localuser.so'
+  - 'auth        sufficient                                   pam_unix.so nullok'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        sufficient                                   pam_sss.so forward_pass'
+  - 'auth        required                                     pam_deny.so'
 pam::pam_account_lines:
-  - 'account     required      pam_unix.so'
+  - 'account     required                                     pam_unix.so'
+  - 'account     sufficient                                   pam_localuser.so'
+  - 'account     sufficient                                   pam_usertype.so issystem'
+  - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
+  - 'account     required                                     pam_permit.so'
 pam::pam_password_lines:
-  - 'password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type='
-  - 'password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
-  - 'password    required      pam_deny.so'
+  - 'password    requisite                                    pam_pwquality.so local_users_only'
+  - 'password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok'
+  - 'password    sufficient                                   pam_sss.so use_authtok'
+  - 'password    required                                     pam_deny.so'
 pam::pam_session_lines:
-  - 'session     optional      pam_keyinit.so revoke'
-  - 'session     required      pam_limits.so'
-  - '-session     optional      pam_systemd.so'
-  - 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
-  - 'session     required      pam_unix.so'
+  - 'session     optional                                     pam_keyinit.so revoke'
+  - 'session     required                                     pam_limits.so'
+  - '-session    optional                                     pam_systemd.so'
+  - 'session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required                                     pam_unix.so'
+  - 'session     optional                                     pam_sss.so'
 
-# passwort-auth
+# password-auth
 pam::pam_password_auth_lines:
-  - 'auth        required      pam_env.so'
-  - 'auth        sufficient    pam_unix.so try_first_pass nullok'
-  - 'auth        required      pam_deny.so'
+  - 'auth        required                                     pam_env.so'
+  - 'auth        required                                     pam_faildelay.so delay=2000000'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_localuser.so'
+  - 'auth        sufficient                                   pam_unix.so nullok'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        sufficient                                   pam_sss.so forward_pass'
+  - 'auth        required                                     pam_deny.so'
 pam::pam_password_account_lines:
-  - 'account     required      pam_unix.so'
+  - 'account     required                                     pam_unix.so'
+  - 'account     sufficient                                   pam_localuser.so'
+  - 'account     sufficient                                   pam_usertype.so issystem'
+  - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
+  - 'account     required                                     pam_permit.so'
 pam::pam_password_password_lines:
-  - 'password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type='
-  - 'password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
-  - 'password    required      pam_deny.so'
+  - 'password    requisite                                    pam_pwquality.so local_users_only'
+  - 'password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok'
+  - 'password    sufficient                                   pam_sss.so use_authtok'
+  - 'password    required                                     pam_deny.so'
 pam::pam_password_session_lines:
-  - 'session     optional      pam_keyinit.so revoke'
-  - 'session     required      pam_limits.so'
-  - '-session     optional      pam_systemd.so'
-  - 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
-  - 'session     required      pam_unix.so'
+  - 'session     optional                                     pam_keyinit.so revoke'
+  - 'session     required                                     pam_limits.so'
+  - '-session    optional                                     pam_systemd.so'
+  - 'session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required                                     pam_unix.so'
+  - 'session     optional                                     pam_sss.so'
diff --git a/data/os/RedHat/9.yaml b/data/os/RedHat/9.yaml
@@ -0,0 +1,67 @@
+---
+# EL9 does not use pam_access by default
+pam::login_pam_access: absent
+
+pam::common_files_create_links: true
+pam::common_files_suffix: '_ac'
+pam::common_files:
+  - password_auth
+  - system_auth
+
+pam::pam_d_login_template: pam/login.el9.erb
+pam::pam_d_sshd_template: pam/sshd.el9.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth        required                                     pam_env.so'
+  - 'auth        required                                     pam_faildelay.so delay=2000000'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_localuser.so'
+  - 'auth        sufficient                                   pam_unix.so nullok try_first_pass'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        sufficient                                   pam_sss.so forward_pass'
+  - 'auth        required                                     pam_deny.so'
+pam::pam_password_auth_lines:
+  - 'auth        required                                     pam_env.so'
+  - 'auth        required                                     pam_faildelay.so delay=2000000'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_localuser.so'
+  - 'auth        sufficient                                   pam_unix.so nullok try_first_pass'
+  - 'auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular'
+  - 'auth        sufficient                                   pam_sss.so forward_pass'
+  - 'auth        required                                     pam_deny.so'
+pam::pam_account_lines:
+  - 'account     required                                     pam_unix.so'
+  - 'account     sufficient                                   pam_localuser.so'
+  - 'account     sufficient                                   pam_usertype.so issystem'
+  - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
+  - 'account     required                                     pam_permit.so'
+pam::pam_password_lines:
+  - 'password    requisite                                    pam_pwquality.so try_first_pass local_users_only'
+  - 'password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+  - 'password    sufficient                                   pam_sss.so use_authtok'
+  - 'password    required                                     pam_deny.so'
+pam::pam_session_lines:
+  - 'session     optional                                     pam_keyinit.so revoke'
+  - 'session     required                                     pam_limits.so'
+  - '-session    optional                                     pam_systemd.so'
+  - 'session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required                                     pam_unix.so'
+  - 'session     optional                                     pam_sss.so'
+pam::pam_password_account_lines:
+  - 'account     required                                     pam_unix.so'
+  - 'account     sufficient                                   pam_localuser.so'
+  - 'account     sufficient                                   pam_usertype.so issystem'
+  - 'account     [default=bad success=ok user_unknown=ignore] pam_sss.so'
+  - 'account     required                                     pam_permit.so'
+pam::pam_password_password_lines:
+  - 'password    requisite                                    pam_pwquality.so try_first_pass local_users_only'
+  - 'password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+  - 'password    sufficient                                   pam_sss.so use_authtok'
+  - 'password    required                                     pam_deny.so'
+pam::pam_password_session_lines:
+  - 'session     optional                                     pam_keyinit.so revoke'
+  - 'session     required                                     pam_limits.so'
+  - '-session    optional                                     pam_systemd.so'
+  - 'session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required                                     pam_unix.so'
+  - 'session     optional                                     pam_sss.so'
diff --git a/data/os/Suse/15.0.yaml b/data/os/Suse/15.0.yaml
@@ -0,0 +1,26 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix: '_pc'
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+
+pam::pam_d_login_template: pam/login.suse15-old.erb
+pam::pam_d_sshd_template: pam/sshd.suse15-old.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth  required  pam_env.so'
+  - 'auth  required  pam_unix.so try_first_pass'
+pam::pam_account_lines:
+  - 'account  required  pam_unix.so try_first_pass'
+pam::pam_password_lines:
+  - 'password  requisite  pam_cracklib.so'
+  - 'password  required   pam_unix.so use_authtok nullok shadow try_first_pass'
+pam::pam_session_lines:
+  - 'session  optional  pam_systemd.so'
+  - 'session  required  pam_limits.so'
+  - 'session  required  pam_unix.so try_first_pass'
+  - 'session  optional  pam_umask.so'
+  - 'session  optional  pam_env.so'
diff --git a/data/os/Suse/15.1.yaml b/data/os/Suse/15.1.yaml
@@ -0,0 +1,26 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix: '_pc'
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+
+pam::pam_d_login_template: pam/login.suse15-old.erb
+pam::pam_d_sshd_template: pam/sshd.suse15-old.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth  required  pam_env.so'
+  - 'auth  required  pam_unix.so try_first_pass'
+pam::pam_account_lines:
+  - 'account  required  pam_unix.so try_first_pass'
+pam::pam_password_lines:
+  - 'password  requisite  pam_cracklib.so'
+  - 'password  required   pam_unix.so use_authtok nullok shadow try_first_pass'
+pam::pam_session_lines:
+  - 'session  optional  pam_systemd.so'
+  - 'session  required  pam_limits.so'
+  - 'session  required  pam_unix.so try_first_pass'
+  - 'session  optional  pam_umask.so'
+  - 'session  optional  pam_env.so'
diff --git a/data/os/Suse/15.2.yaml b/data/os/Suse/15.2.yaml
@@ -0,0 +1,26 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix: '_pc'
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+
+pam::pam_d_login_template: pam/login.suse15-old.erb
+pam::pam_d_sshd_template: pam/sshd.suse15-old.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth  required  pam_env.so'
+  - 'auth  required  pam_unix.so try_first_pass'
+pam::pam_account_lines:
+  - 'account  required  pam_unix.so try_first_pass'
+pam::pam_password_lines:
+  - 'password  requisite  pam_cracklib.so'
+  - 'password  required   pam_unix.so use_authtok nullok shadow try_first_pass'
+pam::pam_session_lines:
+  - 'session  optional  pam_systemd.so'
+  - 'session  required  pam_limits.so'
+  - 'session  required  pam_unix.so try_first_pass'
+  - 'session  optional  pam_umask.so'
+  - 'session  optional  pam_env.so'
diff --git a/data/os/Suse/15.3.yaml b/data/os/Suse/15.3.yaml
@@ -0,0 +1,26 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix: '_pc'
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+
+pam::pam_d_login_template: pam/login.suse15-old.erb
+pam::pam_d_sshd_template: pam/sshd.suse15-old.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth  required  pam_env.so'
+  - 'auth  required  pam_unix.so try_first_pass'
+pam::pam_account_lines:
+  - 'account  required  pam_unix.so try_first_pass'
+pam::pam_password_lines:
+  - 'password  requisite  pam_cracklib.so'
+  - 'password  required   pam_unix.so use_authtok nullok shadow try_first_pass'
+pam::pam_session_lines:
+  - 'session  optional  pam_systemd.so'
+  - 'session  required  pam_limits.so'
+  - 'session  required  pam_unix.so try_first_pass'
+  - 'session  optional  pam_umask.so'
+  - 'session  optional  pam_env.so'
diff --git a/data/os/Suse/15.yaml b/data/os/Suse/15.yaml
@@ -7,8 +7,8 @@ pam::common_files:
   - common_password
   - common_session
 
-pam::pam_d_login_template: pam/login.suse15.erb
-pam::pam_d_sshd_template: pam/sshd.suse15.erb
+pam::pam_d_login_template: pam/login.suse15-new.erb
+pam::pam_d_sshd_template: pam/sshd.suse15-new.erb
 pam::package_name: pam
 pam::pam_auth_lines:
   - 'auth  required  pam_env.so'

diff --git a/data/os/Ubuntu/22.04.yaml b/data/os/Ubuntu/22.04.yaml
@@ -0,0 +1,33 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.ubuntu22.erb
+pam::pam_d_sshd_template: pam/sshd.ubuntu22.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth	[success=1 default=ignore]	pam_unix.so nullok'
+  - 'auth	requisite			pam_deny.so'
+  - 'auth	required			pam_permit.so'
+  - 'auth	optional			pam_cap.so '
+pam::pam_account_lines:
+  - 'account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so '
+  - 'account	requisite			pam_deny.so'
+  - 'account	required			pam_permit.so'
+pam::pam_password_lines:
+  - 'password	[success=1 default=ignore]	pam_unix.so obscure yescrypt'
+  - 'password	requisite			pam_deny.so'
+  - 'password	required			pam_permit.so'
+pam::pam_session_lines:
+  - 'session	[default=1]			pam_permit.so'
+  - 'session	requisite			pam_deny.so'
+  - 'session	required			pam_permit.so'
+  - 'session optional			pam_umask.so'
+  - 'session	required	pam_unix.so '
+  - 'session	optional	pam_systemd.so '
diff --git a/hiera.yaml b/hiera.yaml
@@ -7,6 +7,8 @@ hierarchy:
   # Used for Solaris
   - name: "osfamily/kernelrelease"
     path: "os/%{facts.os.family}/%{facts.kernelrelease}.yaml"
+  - name: "osfamily/full_release"
+    path: "os/%{facts.os.family}/%{facts.os.release.full}.yaml"
   - name: "osfamily/major_release"
     path: "os/%{facts.os.family}/%{facts.os.release.major}.yaml"
   # Used to distinguish between Debian and Ubuntu

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -238,8 +238,8 @@
   Optional[String]                                                  $common_files_suffix                = undef,
 ) {
   # Fail on unsupported platforms
-  if $facts['os']['family'] == 'RedHat' and !($facts['os']['release']['major'] in ['5','6','7','8']) {
-    fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 5, 6, 7 or 8")
+  if $facts['os']['family'] == 'RedHat' and !($facts['os']['release']['major'] in ['5','6','7','8', '9']) {
+    fail("osfamily RedHat's os.release.major is <${::facts['os']['release']['major']}> and must be 5, 6, 7, 8 or 9")
   }
 
   if $facts['os']['family'] == 'Solaris' and !($facts['kernelrelease'] in ['5.9','5.10','5.11']) {
@@ -254,8 +254,8 @@
     fail("Debian's os.release.major is <${facts['os']['release']['major']}> and must be 7, 8, 9, 10 or 11")
   }
 
-  if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04']) {
-    fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04 or 20.04")
+  if $facts['os']['name'] == 'Ubuntu' and !($facts['os']['release']['major'] in ['12.04', '14.04', '16.04', '18.04', '20.04', '22.04']) {
+    fail("Ubuntu's os.release.major is <${facts['os']['release']['major']}> and must be 12.04, 14.04, 16.04, 18.04, 20.04 or 22.04")
   }
 
   if $pam_d_sshd_template == 'pam/sshd.custom.erb' {

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-pam",
-  "version": "3.7.1",
+  "version": "3.8.1",
   "author": "ghoneycutt",
   "summary": "Manage PAM",
   "license": "Apache-2.0",
@@ -34,7 +34,8 @@
         "5",
         "6",
         "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {
@@ -43,7 +44,8 @@
         "5",
         "6",
         "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {
@@ -52,7 +54,8 @@
         "5",
         "6",
         "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {
@@ -61,7 +64,8 @@
         "5",
         "6",
         "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {
@@ -99,7 +103,8 @@
         "14.04",
         "16.04",
         "18.04",
-        "20.04"
+        "20.04",
+        "22.04"
       ]
     }
   ],