diff --git a/profiles/templates/3.5/3_ac_install_live/1-merge/app-admin/sudo/domain b/profiles/templates/3.5/3_ac_install_live/1-merge/app-admin/sudo/domain
new file mode 100644
index 000000000..d9fbd05bc
--- /dev/null
+++ b/profiles/templates/3.5/3_ac_install_live/1-merge/app-admin/sudo/domain
@@ -0,0 +1,7 @@
+# Calculate comment=# chmod=0440 module(client)!=&&client.os_remote_auth!=
+
+#?install.os_install_net_domain!=#
+%sudo-#-install.os_install_net_domain-# ALL=(ALL) ALL
+#install.os_install_net_domain#
+%sudo-#-install.os_install_net_hostname-# ALL=(ALL) ALL
+%sudo ALL=(ALL) ALL
diff --git a/profiles/templates/3.5/3_ac_install_live/1-merge/app-admin/sudo/domain.remove b/profiles/templates/3.5/3_ac_install_live/1-merge/app-admin/sudo/domain.remove
new file mode 100644
index 000000000..19a203fb2
--- /dev/null
+++ b/profiles/templates/3.5/3_ac_install_live/1-merge/app-admin/sudo/domain.remove
@@ -0,0 +1 @@
+# Calculate append=remove name=domain module(client)==||client.os_remote_auth==
diff --git a/profiles/templates/3.5/3_ac_install_live/1-merge/sys-auth/pambase/.calculate_directory b/profiles/templates/3.5/3_ac_install_live/1-merge/sys-auth/pambase/.calculate_directory
new file mode 100644
index 000000000..8e56a4caf
--- /dev/null
+++ b/profiles/templates/3.5/3_ac_install_live/1-merge/sys-auth/pambase/.calculate_directory
@@ -0,0 +1,2 @@
+# Calculate merge()!=&&pkg()!= path=/etc name=pam.d
+
diff --git a/profiles/templates/3.5/3_ac_install_live/1-merge/sys-auth/pambase/su b/profiles/templates/3.5/3_ac_install_live/1-merge/sys-auth/pambase/su
new file mode 100644
index 000000000..08edba97f
--- /dev/null
+++ b/profiles/templates/3.5/3_ac_install_live/1-merge/sys-auth/pambase/su
@@ -0,0 +1,41 @@
+# Calculate comment=#
+#%PAM-1.0
+
+auth       sufficient   pam_rootok.so
+
+# If you want to restrict users begin allowed to su even more,
+# create /etc/security/suauth.allow (or to that matter) that is only
+# writable by root, and add users that are allowed to su to that
+# file, one per line.
+#auth       required     pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
+
+# Uncomment this to allow users in the wheel group to su without
+# entering a passwd.
+#auth       sufficient   pam_wheel.so use_uid trust
+
+# Alternatively to above, you can implement a list of users that do
+# not need to supply a passwd with a list.
+#auth       sufficient   pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
+
+# Comment this to allow any user, even those not in the 'wheel'
+# group to su
+#?module(client)!=&&client.os_remote_auth!=#
+#?install.os_install_net_domain!=#
+auth       [success=3 default=ignore]   pam_wheel.so use_uid group=su-#-install.os_install_net_domain-# trust
+#install.os_install_net_domain#
+auth       [success=2 default=ignore]   pam_wheel.so use_uid group=su-#-install.os_install_net_hostname-# trust
+auth       [success=1 default=ignore]   pam_wheel.so use_uid group=su trust
+#module#
+auth       required     pam_wheel.so use_uid
+
+auth       include      system-auth
+
+account    include      system-auth
+
+password   include      system-auth
+
+session    include      system-auth
+session    required     pam_env.so
+session    optional     pam_xauth.so
+# need for xautologin
+session    optional     pam_ck_connector.so nox11
diff --git a/profiles/templates/3.5/5_ac_client_configure/.calculate_directory b/profiles/templates/3.5/5_ac_client_configure/.calculate_directory
index 4b4c18a04..ded9b74d3 100644
--- a/profiles/templates/3.5/5_ac_client_configure/.calculate_directory
+++ b/profiles/templates/3.5/5_ac_client_configure/.calculate_directory
@@ -1 +1 @@
-# Calculate append=skip module(client)!=&&client.ac_client_configure==on||merge(sys-apps/calculate-utils)!=&&module(client)!=&&ini(merge-calculate.client)==||merge(sys-apps/calculate-utils)!=&&module(client)==&&ini(merge-calculate.client)!= merge=gnome-base/gdm,net-misc/openssh,sys-apps/sysvinit,sys-auth/nss_ldap,sys-libs/glibc,x11-base/xorg-server,x11-misc/lightdm,sys-auth/pambase
+# Calculate append=skip module(client)!=&&client.ac_client_configure==on||merge(sys-apps/calculate-utils)!=&&module(client)!=&&ini(merge-calculate.client)==||merge(sys-apps/calculate-utils)!=&&module(client)==&&ini(merge-calculate.client)!= merge=gnome-base/gdm,net-misc/openssh,sys-apps/sysvinit,sys-auth/nss_ldap,sys-libs/glibc,x11-base/xorg-server,x11-misc/lightdm,sys-auth/pambase,app-admin/sudo
diff --git a/profiles/templates/3.5/6_ac_update_sync/remerge/00-ini b/profiles/templates/3.5/6_ac_update_sync/remerge/00-ini
index 286248301..1f6dec0d8 100644
--- a/profiles/templates/3.5/6_ac_update_sync/remerge/00-ini
+++ b/profiles/templates/3.5/6_ac_update_sync/remerge/00-ini
@@ -2,4 +2,4 @@
 
 [overlay-calculate]
 # Save the latest version, because when switching profile cl-setup-profile 3.2.2 makes a call cl-setup-system
-remerge = 163
+remerge = 164
diff --git a/profiles/templates/3.5/6_ac_update_sync/remerge/101-200/164 b/profiles/templates/3.5/6_ac_update_sync/remerge/101-200/164
new file mode 100644
index 000000000..93d504f07
--- /dev/null
+++ b/profiles/templates/3.5/6_ac_update_sync/remerge/101-200/164
@@ -0,0 +1,4 @@
+# Calculate format=samba path=/etc/calculate name=ini.env merge=sys-auth/pambase,app-admin/sudo ini(overlay-calculate.remerge)<164
+
+[overlay-calculate]
+remerge = 164