[SSSD] Trying to get id proxy to work

Hello, I'm trying to set sssd up so that I use a local passwd file for accounts and Kerberos for authentication, until AD is set up with the correct attributes (which will be a while). I have Kerberos working via krb5.conf, and LDAP sort of works via ldap.conf (except the important parts) but I will need to switch to SSSD eventually. I was hoping to get this going now with local accounts to make things easier down the road. This is on RHEL 5 right now. I'm hoping 6 isn't much different. I'm having some trouble (shocker!) so my first question is: is this configuration possible? My sssd.conf is pretty basic so far: [sssd] config_file_version = 2 domains = DEFAULT services = nss, pam [nss] [pam] [domain/DEFAULT] auth_provider = krb5 id_provider = proxy proxy_lib_name = files krb5_server = kerberos.foo.com krb5_realm = IT.FOO.COM These are some of the errors I'm seeing: [sssd[pam]] [sss_dp_get_reply] (4): Got reply (3, 19, Initgroups call not supported) from Data Provider [sssd[pam]] [pam_check_user_dp_callback] (2): Unable to get information from Data Provider [sssd[pam]] [pam_check_user_search] (4): Requesting info for [jce54@DEFAULT] [pam_check_user_search] (2): No matching domain found for [jce54], fail! sshd[6592]: pam_sss(sshd:auth): received for user jce54: 10 (User not known to the underlying authentication module) This suggests to me that it's not talking with NSS somehow... /etc/pam.d/system-auth: auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass #auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so #account sufficient pam_ldap.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so #account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok #password sufficient pam_krb5.so use_authtok minimum_uid=1000 password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_sss.so session required pam_unix.so I read in one of the man pages I think that sssd will append the krb5_realm to the username if there isn't a domain there, and I'm logging in with jce54, so it *should* I think use jce54(a)IT.FOO.COM, but doesn't appear to do anything Kerberos-wise so maybe that's not an issue (yet). Thanks, Josh