diff --git a/manifests/sudo.pp b/manifests/sudo.pp
index 0a2725fa4e2b7d5fbb1461e380d78f5c033e78d3..41ad9656b64054c8eaef953190f90ba3a14abfb7 100644
--- a/manifests/sudo.pp
+++ b/manifests/sudo.pp
@@ -8,6 +8,9 @@
 # $timeout: how long (in minutes) between requiring a new Duo re-auth.
 # Default: 30
 #
+# $debuild: set this true if you need to set up a debuild environment.
+# Default: false
+#
 # Example.
 # To install sudo with no Duo support:
 #
@@ -35,6 +38,7 @@ class base::sudo(
   $duo         = false,
   $duo_sudoers = [],
   $timeout     = 30,
+  $debuild     = false,
 ){
   package { 'sudo':
     ensure => installed
diff --git a/templates/sudo/etc/pam.d/sudo.erb b/templates/sudo/etc/pam.d/sudo.erb
index 45b367da8bbf9e10a5f0a3f71086e630710ca7d1..c0d4bcb04935a39185221545f6e701b0694b87ab 100644
--- a/templates/sudo/etc/pam.d/sudo.erb
+++ b/templates/sudo/etc/pam.d/sudo.erb
@@ -14,3 +14,10 @@ account    include      common-auth
 password   include      common-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
+<%- if (@debuild) then -%>
+# Instead of including the stock common-session-noninteractive we
+# use parts of it, overriding minimum_uid for pam_afs_session
+# so that sudo will be able to get AFS tokens (helps with cowbuilder)
+session    optional     pam_krb5.so minimum_uid=1000
+session    optional     pam_afs_session.so minimum_uid=0
+<%- end -%>