diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch
new file mode 100644
index 0000000000..842ec42eeb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch
@@ -0,0 +1,39 @@
+diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in
+--- pambase-20140313.orig/system-auth.in	2014-03-13 07:13:15.000000000 -0700
++++ pambase-20140313/system-auth.in	2016-05-02 12:57:35.437730031 -0700
+@@ -7,7 +7,8 @@
+ #if HAVE_KRB5
+ auth		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
+ #endif
+-auth		required	pam_unix.so try_first_pass LIKEAUTH nullok DEBUG
++auth		sufficient	pam_sss.so use_first_pass
++auth		sufficient	pam_unix.so try_first_pass LIKEAUTH nullok DEBUG
+ /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
+ auth		optional	pam_permit.so
+  
+@@ -16,6 +17,7 @@
+ #endif
+ account		required	pam_unix.so DEBUG
+ /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
++account		[default=bad success=ok user_unknown=ignore]	pam_sss.so
+ account		optional	pam_permit.so
+  
+ #if HAVE_CRACKLIB
+@@ -27,7 +29,8 @@
+ #if HAVE_KRB5
+ password	KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
+ #endif
+-password	required	pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
++password	sufficient	pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
++password	sufficient	pam_sss.so use_authtok
+ /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
+ password	optional	pam_permit.so
+  
+diff -ur pambase-20140313.orig/system-session.inc pambase-20140313/system-session.inc
+--- pambase-20140313.orig/system-session.inc	2014-03-13 07:13:15.000000000 -0700
++++ pambase-20140313/system-session.inc	2016-05-02 12:57:59.723883487 -0700
+@@ -23,3 +23,4 @@
+ #endif
+ 
+ session		optional	pam_permit.so
++session		optional	pam_sss.so
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20101024-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20101024-r2.ebuild
deleted file mode 100644
index ad732d4079..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20101024-r2.ebuild
+++ /dev/null
@@ -1,97 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pambase/pambase-20101024-r2.ebuild,v 1.5 2013/06/28 12:04:39 aballier Exp $
-
-EAPI=4
-
-inherit eutils
-
-DESCRIPTION="PAM base configuration files"
-HOMEPAGE="http://www.gentoo.org/proj/en/base/pam/"
-SRC_URI="http://dev.gentoo.org/~flameeyes/${PN}/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux"
-IUSE="debug cracklib passwdqc consolekit gnome-keyring selinux mktemp pam_ssh +sha512 pam_krb5 minimal"
-RESTRICT="binchecks"
-
-RDEPEND="
-	|| (
-		>=sys-libs/pam-0.99.9.0-r1
-		( sys-auth/openpam
-		  || ( sys-freebsd/freebsd-pam-modules sys-netbsd/netbsd-pam-modules )
-		)
-	)
-	cracklib? ( >=sys-libs/pam-0.99[cracklib] )
-	consolekit? ( >=sys-auth/consolekit-0.3[pam] )
-	gnome-keyring? ( >=gnome-base/gnome-keyring-2.20[pam] )
-	selinux? ( >=sys-libs/pam-0.99[selinux] )
-	passwdqc? ( >=sys-auth/pam_passwdqc-1.0.4 )
-	mktemp? ( sys-auth/pam_mktemp )
-	pam_ssh? ( sys-auth/pam_ssh )
-	sha512? ( >=sys-libs/pam-1.0.1 )
-	pam_krb5? (
-		|| ( >=sys-libs/pam-1.1.0 sys-auth/openpam )
-		>=sys-auth/pam_krb5-4.3
-	)
-	!<sys-freebsd/freebsd-pam-modules-6.2-r1
-	!<sys-libs/pam-0.99.9.0-r1"
-DEPEND="app-portage/portage-utils"
-
-src_compile() {
-	local implementation=
-	local linux_pam_version=
-	if has_version sys-libs/pam; then
-		implementation="linux-pam"
-		local ver_str=$(qatom `best_version sys-libs/pam` | cut -d ' ' -f 3)
-		linux_pam_version=$(printf "0x%02x%02x%02x" ${ver_str//\./ })
-	elif has_version sys-auth/openpam; then
-		implementation="openpam"
-	else
-		die "PAM implementation not identified"
-	fi
-
-	use_var() {
-		local varname=$(echo $1 | tr [a-z] [A-Z])
-		local usename=${2-$(echo $1 | tr [A-Z] [a-z])}
-		local varvalue=$(use $usename && echo yes || echo no)
-		echo "${varname}=${varvalue}"
-	}
-
-	emake \
-		GIT=true \
-		$(use_var debug) \
-		$(use_var cracklib) \
-		$(use_var passwdqc) \
-		$(use_var consolekit) \
-		$(use_var GNOME_KEYRING gnome-keyring) \
-		$(use_var selinux) \
-		$(use_var mktemp) \
-		$(use_var PAM_SSH pam_ssh) \
-		$(use_var sha512) \
-		$(use_var KRB5 pam_krb5) \
-		$(use_var minimal) \
-		IMPLEMENTATION=${implementation} \
-		LINUX_PAM_VERSION=${linux_pam_version}
-}
-
-src_test() { :; }
-
-src_install() {
-	emake GIT=true DESTDIR="${ED}" install
-}
-
-pkg_postinst() {
-	if use sha512; then
-		elog "Starting from version 20080801, pambase optionally enables"
-		elog "SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1"
-		elog "built against sys-libs/glibc-2.7 or later."
-		elog "If you don't have support for this, it will automatically fallback"
-		elog "to MD5-hashed passwords, just like before."
-		elog
-		elog "Please note that the change only affects the newly-changed passwords"
-		elog "and that SHA512-hashed passwords will not work on earlier versions"
-		elog "of glibc or Linux-PAM."
-	fi
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r4.ebuild
similarity index 98%
rename from sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r4.ebuild
index 5eb8ba3fa6..2819751ca8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r4.ebuild
@@ -46,6 +46,9 @@ src_prepare() {
 	epatch "${FILESDIR}"/${P}-systemd.patch
 	epatch "${FILESDIR}"/${P}-lastlog-silent.patch
 	epatch "${FILESDIR}"/${P}-systemd-auth.patch # 485470
+	if ! use arm64; then
+		epatch "${FILESDIR}"/${P}-sssd.patch
+	fi
 }
 
 src_compile() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20140313.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20140313.ebuild
deleted file mode 100644
index 4ab3716501..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20140313.ebuild
+++ /dev/null
@@ -1,106 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pambase/pambase-20140313.ebuild,v 1.1 2014/03/13 14:29:23 ssuominen Exp $
-
-EAPI=5
-inherit eutils
-
-DESCRIPTION="PAM base configuration files"
-HOMEPAGE="http://www.gentoo.org/proj/en/base/pam/"
-SRC_URI="http://dev.gentoo.org/~ssuominen/${P}.tar.bz2"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 -sparc-fbsd -x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux"
-IUSE="consolekit cracklib debug gnome-keyring minimal mktemp pam_krb5 pam_ssh passwdqc selinux +sha512 systemd"
-
-RESTRICT=binchecks
-
-MIN_PAM_REQ=1.1.3
-
-RDEPEND="
-	|| (
-		>=sys-libs/pam-${MIN_PAM_REQ}
-		( sys-auth/openpam || ( sys-freebsd/freebsd-pam-modules sys-netbsd/netbsd-pam-modules ) )
-		)
-	consolekit? ( >=sys-auth/consolekit-0.4.6[pam] )
-	cracklib? ( >=sys-libs/pam-${MIN_PAM_REQ}[cracklib] )
-	gnome-keyring? ( >=gnome-base/gnome-keyring-2.32[pam] )
-	mktemp? ( sys-auth/pam_mktemp )
-	pam_krb5? (
-		|| ( >=sys-libs/pam-${MIN_PAM_REQ} sys-auth/openpam )
-		>=sys-auth/pam_krb5-4.3
-		)
-	pam_ssh? ( sys-auth/pam_ssh )
-	passwdqc? ( >=sys-auth/pam_passwdqc-1.0.4 )
-	selinux? ( >=sys-libs/pam-${MIN_PAM_REQ}[selinux] )
-	sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
-	systemd? ( >=sys-apps/systemd-204[pam] )
-	!<sys-apps/shadow-4.1.5-r1
-	!<sys-freebsd/freebsd-pam-modules-6.2-r1
-	!<sys-libs/pam-0.99.9.0-r1"
-DEPEND="app-portage/portage-utils"
-
-src_compile() {
-	local implementation=
-	local linux_pam_version=
-	if has_version sys-libs/pam; then
-		implementation=linux-pam
-		local ver_str=$(qatom `best_version sys-libs/pam` | cut -d ' ' -f 3)
-		linux_pam_version=$(printf "0x%02x%02x%02x" ${ver_str//\./ })
-	elif has_version sys-auth/openpam; then
-		implementation=openpam
-	else
-		die "PAM implementation not identified"
-	fi
-
-	use_var() {
-		local varname=$(echo $1 | tr [a-z] [A-Z])
-		local usename=${2-$(echo $1 | tr [A-Z] [a-z])}
-		local varvalue=$(usex $usename)
-		echo "${varname}=${varvalue}"
-	}
-
-	emake \
-		GIT=true \
-		$(use_var debug) \
-		$(use_var cracklib) \
-		$(use_var passwdqc) \
-		$(use_var consolekit) \
-		$(use_var systemd) \
-		$(use_var GNOME_KEYRING gnome-keyring) \
-		$(use_var selinux) \
-		$(use_var mktemp) \
-		$(use_var PAM_SSH pam_ssh) \
-		$(use_var sha512) \
-		$(use_var KRB5 pam_krb5) \
-		$(use_var minimal) \
-		IMPLEMENTATION=${implementation} \
-		LINUX_PAM_VERSION=${linux_pam_version}
-}
-
-src_test() { :; }
-
-src_install() {
-	emake GIT=true DESTDIR="${ED}" install
-}
-
-pkg_postinst() {
-	if use sha512; then
-		elog "Starting from version 20080801, pambase optionally enables"
-		elog "SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1"
-		elog "built against sys-libs/glibc-2.7 or later."
-		elog "If you don't have support for this, it will automatically fallback"
-		elog "to MD5-hashed passwords, just like before."
-		elog
-		elog "Please note that the change only affects the newly-changed passwords"
-		elog "and that SHA512-hashed passwords will not work on earlier versions"
-		elog "of glibc or Linux-PAM."
-	fi
-
-	if use systemd && use consolekit; then
-		ewarn "You are enabling 2 session trackers, ConsoleKit and systemd-logind"
-		ewarn "at the same time. This is not recommended setup to have, please"
-		ewarn "consider disabling either USE=\"consolekit\" or USE=\"systemd\."
-	fi
-}