Using `realm join` with custom `authselect` profiles

I'm in the process of updating our hardening-automation to update configuration of `/etc/pam.d` files to leverage `authselect` vice direct-editing of files and am running into issues.

Specifically, one of the security controls I need to implement states that the `pam_lastlog.so` module must be set as `required` (rather than the `optional` that comes in the default `sssd` profile for `authselect`). Neither does `pam_lastlog.so` seem to have an `/etc/security/*.config` file (like `pam_faillock` and `pam_pwhistory` do), nor does `authselect` seem to let me change the `optional` to `required`.

I thought I'd try cloning the default `sssd` profile (and create an `sssd-hardened` profile) and select that custom profile as my active profile. However, when I issue my `realm join …`, it pretty much says, "screw that custom profile you're using, we're going to select the default `sssd` profile as the active profile" ...which (effectively) clobbers the `pam_lastlog` fixes that I'd enabled in my custom `authselect` profile and the changes that I'd used `authselect` to make prior to the running of `realm join`. But, "nope".

Figured I'd ask if anyone's run into this scenario and found a path past it before trying to open up a Bugzilla about it.
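
A post-join check for the control described above, as an added example that is not part of the original post: it parses PAM file content and reports any `pam_lastlog.so` session rule whose control is not `required`, so automation can detect when `realm join` has reset the active profile. The two sample stacks are constructed for illustration, and the file to check is passed as an argument rather than assumed.

```python
import re
import sys

# One PAM rule: optional "-" prefix, type, control (word or [bracketed]), module, args
RULE = re.compile(
    r'^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

def parse_pam(text):
    """Return (type, control, module, args) tuples from pam.d file content."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m:
            rules.append((m.group(2), m.group(3), m.group(4), m.group(5).split()))
    return rules

def lastlog_findings(text, wanted="required"):
    """Report pam_lastlog.so session rules whose control differs from `wanted`.

    A bracketed control is compared literally, so it is always reported
    and needs a manual look.
    """
    hits = [r for r in parse_pam(text)
            if r[0] == "session" and r[2].endswith("pam_lastlog.so")]
    if not hits:
        return ["pam_lastlog.so not present in session stack"]
    return [f"pam_lastlog.so is '{c}', expected '{wanted}'"
            for _, c, _, _ in hits if c != wanted]

# Constructed samples: a stack with the optional rule, and a hardened variant
SAMPLE_DEFAULT = """\
# constructed sample, not copied from a real profile
session     optional      pam_umask.so silent
session     optional      pam_lastlog.so silent noupdate showfailed
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(
    "optional      pam_lastlog.so", "required      pam_lastlog.so")

if __name__ == "__main__":
    # Usage: script.py <pam file>; exits non-zero if the control is not met
    with open(sys.argv[1]) as fh:
        findings = lastlog_findings(fh.read())
    print("\n".join(findings) or "pam_lastlog.so is required")
    sys.exit(1 if findings else 0)
```

Run right after `realm join` in the automation, a non-zero exit signals that the hardened profile needs to be re-selected.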

Responses