"AND Operator" in PAM

Posted by d_inevitable on Ask Ubuntu See other posts from Ask Ubuntu or by d_inevitable
Published on 2012-04-06T19:53:09Z Indexed on 2012/04/07 17:47 UTC

I need to prevent users from authenticating through Kerberos when the encrypted /home/users has not yet been mounted. (This is to avoid corrupting the ecryptfs mountpoint)

Currently I have these lines in /etc/pam.d/common-auth:

auth    required                        pam_group.so use_first_pass
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000 try_first_pass
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass

I am planning to use pam_exec.so to execute a script that will exit 1 if the ecryptfs mounts are not ready yet.

Doing this:

auth    required        pam_exec.so     /etc/security/check_ecryptfs

will lock me out for good if ecryptfs for some reason fails. In such a case I would like to at least be able to login with a local (non-kerberos) user to fix the issue.

Is there some sort of AND-Operator in which I can say that login through kerberos+ldap is only sufficient if both kerberos authentication and the ecryptfs mount have succeeded?
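As an added example that is not part of the original question, one way to build this AND out of PAM's skip syntax is to invert the script's sense: the hypothetical /etc/security/krb5_gate below exits 0 when the user's ecryptfs home is not yet mounted, so a `[success=1 default=ignore]` line placed before pam_krb5.so jumps over Kerberos and leaves the local pam_unix path intact. The script path, the per-user mount point at the home directory, and the sample /proc/mounts contents are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's script): a pam_exec gate that makes
# Kerberos authentication conditional on the user's ecryptfs home being mounted.
# Assumed wiring in /etc/pam.d/common-auth, directly before the pam_krb5 line:
#   auth [success=1 default=ignore] pam_exec.so quiet /etc/security/krb5_gate
#   auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
#   auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
#   auth requisite                  pam_deny.so
#   auth required                   pam_permit.so
# Exit 0 = "home NOT mounted": PAM jumps over pam_krb5, leaving only local
# pam_unix logins. Exit 1 = "mounted": ignored, so the stack falls through to
# pam_krb5 as before. The sense is inverted on purpose: per pam.conf(5) a
# failing return that triggers a jump counts as "ok" and would be recorded as
# a stack failure, which would lock out the local users too.

# Return 0 if DIR ($1) is listed in MOUNTS ($2, a /proc/mounts-style file) as ecryptfs.
is_ecryptfs_mounted() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { f = 1 } END { exit !f }' "$2"
}

# Exit status for pam_exec: 0 = skip pam_krb5, 1 = allow pam_krb5.
krb5_gate() {
    home=$1; mounts=$2
    [ -n "$home" ] || return 0                       # unknown user: no Kerberos
    is_ecryptfs_mounted "$home" "$mounts" && return 1
    return 0
}

# Constructed sample of /proc/mounts: alice's home is mounted, bob's is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,ecryptfs_sig=0123456789abcdef 0 0'

# Evaluate the gate for HOME ($1) against the constructed sample; echoes the decision.
gate_decision() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
    if krb5_gate "$1" "$tmp"; then echo skip-krb5; else echo allow-krb5; fi
    rm -f "$tmp"
}

# Real invocation: pam_exec exports PAM_USER; resolve the home dir via getent.
if [ -n "${PAM_USER:-}" ]; then
    home=$(getent passwd "$PAM_USER" | cut -d: -f6)
    krb5_gate "$home" /proc/mounts
    exit $?
fi
```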