This configuration parameter specifies the message displayed if both user name and user ID conflicts are detected during login; that is, there are two local account conflicts. For example, a local user (user2) and the Active Directory user (user1) have the same UID (10001) but different user names, and another local account has the same user name (user1) as the Active Directory user but has a different UID value (10002):
user1 10001 #AD User
user1 10002 #local user
user2 10001 #local user
When the message is displayed, the %s token in the message string is replaced with the name of the first conflicting local account, and the %d token is replaced with the UID of the second conflicting local account. The message string you define must contain exactly one %s token and exactly one %d token, in that order, and no other string replacement (%) characters.
pam.account.conflict.both.mesg: \ Accounts with conflicting name (%s) and UID (%d) exist locally
For more information about displaying a warning when local conflicts are detected, see pam.uid.conflict.