I am seeing an issue when I try to change a local user's password when SSSD (1.9.2-82.el6) is not running. I have two sets of users: users stored in LDAP and users stored locally on my RHEL 6.4 machine. When able, I want to log in as the LDAP users and only fall back to the local users when I can't contact the LDAP server. This is why I have PAM configured like this:

password    requisite     pam_cracklib.so retry=3 minlen=10
password    sufficient    pam_sss.so forward_pass use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

When SSSD is running, I can change the password of local users and ldap users. However, when I try to change the password of a local user when SSSD is not running, I see this error:

Changing password for user.
passwd: Authentication token manipulation error.

I then added 'audit' and 'debug' options to the pam_unix module and saw this output in /var/log/secure:

Apr 25 16:01:21 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:21 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): password - new password not obtained
Apr 25 16:01:28 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered 

I know that I can comment out the password line in /etc/pam.d/system-auth-ac that references pam_sss, and the password change will work correctly. Also, I know that I can log in using a local account when SSSD is stopped. Here is the auth section of my system-auth-ac:

auth        required      pam_env.so
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

Am I misconfigured somehow? Does pam_sss support forwarding passwords when SSSD is stopped?

Thanks,

Kevin