diff -Naur old/authinfo.py new/authinfo.py
--- old/authinfo.py 2017-03-28 13:38:56.610467419 +0200
+++ new/authinfo.py 2017-03-28 13:55:43.626505569 +0200
@@ -334,6 +334,10 @@
 "wait_for_card"
 ]
+argv_sssd_missing_name = [
+ "allow_missing_name"
+]
+
 argv_krb5_auth = [
 "use_first_pass"
 ]
@@ -736,6 +740,8 @@
 pam_modules[SMARTCARD] = [
 [True, AUTH, LOGIC_REQUIRED, "env", []],
+ [False, AUTH, LOGIC_SUFFICIENT,
+ "sss", argv_sssd_missing_name],
 [False, AUTH, LOGIC_PKCS11,
 "pkcs11", argv_force_pkcs11_auth],
 [False, AUTH, LOGIC_OPTIONAL,
@@ -1428,7 +1434,7 @@
 ("kerberosAdminServer", "i"), ("kerberosRealmviaDNS", "b"), ("kerberosKDCviaDNS", "b")]),
 SaveGroup(self.writeSSSD, self.toggleSSSDService, [("ldapServer", "i"), ("ldapBaseDN", "c"), ("enableLDAPS", "b"),
- ("ldapSchema", "c"), ("ldapCacertDir", "c"), ("enableCacheCreds", "b"),
+ ("ldapSchema", "c"), ("ldapCacertDir", "c"), ("enableCacheCreds", "b"), ("enableSmartcard", "b"),
 ("kerberosRealm", "c"), ("kerberosKDC", "i"), ("kerberosAdminServer", "i"), ("forceSSSDUpdate", "b"), ("enableLDAP", "b"), ("enableKerberos", "b"), ("enableLDAPAuth", "b"), ("enableIPAv2", "b")]),
@@ -3281,11 +3287,35 @@
 domain.remove_provider(subtype)
 domain.add_provider(newprovider, subtype)
+ def writeSSSDPAM(self):
+ if not self.sssdConfig:
+ return True
+
+ pam = self.sssdConfig.get_service('pam')
+
+ if self.enableSmartcard and self.enableSSSDAuth and self.smartcardModule == "sssd" :
+ pam.set_option('pam_cert_auth', 'True')
+ else:
+ try:
+ pam.remove_option('pam_cert_auth')
+ except SSSDConfig.NoOptionError:
+ pass
+
+ self.sssdConfig.save_service(pam)
+ try:
+ self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
+ except IOError:
+ pass
+
+ return True
+
 def writeSSSD(self):
 if not self.sssdConfig:
 return True
 all_configs[CFG_SSSD].backup(self.backupDir)
+
+ self.writeSSSDPAM()
 if self.enableIPAv2:
 # just save the backup
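Review bot: In writeSSSDPAM the `except IOError: pass` after `self.sssdConfig.write(all_configs[CFG_SSSD].origPath)` swallows a failed sssd.conf write and the method returns True regardless, so neither writeSSSD (which discards the result of `self.writeSSSDPAM()`) nor the `ret = ret and self.writeSSSDPAM()` added in the later `elif self.enableSSSDAuth:` hunk can report it; the PAM stack written elsewhere may then rely on a `pam_cert_auth` that sssd.conf does not carry, or, on the `else` branch, the option stays enabled after smartcard login was switched off. I would change the handler to `except IOError: return False` and call it as `if not self.writeSSSDPAM(): return False` in writeSSSD. The body of writeSSSD runs past the hunk; if it writes sssd.conf again at its end, the write inside writeSSSDPAM is only needed for the direct call path, which is worth confirming and stating in a comment. Minor: drop the stray space in `self.smartcardModule == "sssd" :`.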
@@ -3855,7 +3885,7 @@
 args = self.mkhomedirArgs
 if name == "systemd":
 args = self.systemdArgs
- if name == "sss" and stack == "auth" and not self.enableNIS:
+ if name == "sss" and stack == "auth" and not self.enableNIS and not module[ARGV] == argv_sssd_missing_name:
 args = "forward_pass"
 if not args and module[ARGV]:
 args = " ".join(module[ARGV])
@@ -3935,6 +3965,10 @@
 enableSmartcard = True
 forceSmartcard = True
+ # configure SSSD Smartcard support instead of
+ # pam_pkcs11 if SSSD is used for authentication and no
+ # Smartcard module is set, e.g. if pam_pkcs11 is not installed.
+ use_sssd_smartcard_support = self.enableSSSDAuth and self.smartcardModule == "sssd"
 prevmodule = []
 for module in pam_modules[service]:
 if prevmodule and module[STACK] != prevmodule[STACK]:
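Review bot: `not module[ARGV] == argv_sssd_missing_name` on the changed line is harder to read than the `module[ARGV] != argv_sssd_missing_name` form the writePAMService hunk uses for the same comparison; I would write `if name == "sss" and stack == "auth" and not self.enableNIS and module[ARGV] != argv_sssd_missing_name:`. A short why-comment would also help, since the exclusion is what lets the smartcard entry fall through to `args = " ".join(module[ARGV])` below, e.g. `# keep allow_missing_name on the smartcard sss entry instead of replacing it with forward_pass`. The enclosing function starts and ends outside the hunk.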
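Review bot: The new comment says SSSD smartcard support is chosen when "no Smartcard module is set", but the condition beneath it requires `self.smartcardModule == "sssd"`, i.e. the module is set and its value is sssd, so a reader tracing the smartcard-module setting is misled. Suggest `# use SSSD's own smartcard support instead of pam_pkcs11 when SSSD handles` / `# authentication and the smartcard module is set to "sssd"`; if the module is defaulted to "sssd" somewhere when pam_pkcs11 is absent, that belongs next to the defaulting code rather than here. writePAMService continues on both sides of the hunk.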
@@ -3952,15 +3986,17 @@
 ((module[NAME] == "krb5" and module[ARGV] == argv_krb5_sc_auth) or
 (module[NAME] == "permit" and module[STACK] == AUTH))) or
 ((self.enableLDAPAuth and not self.implicitSSSDAuth) and module[NAME] == "ldap") or
- (enableSmartcard and module[STACK] == AUTH and
+ (enableSmartcard and use_sssd_smartcard_support and module[NAME] == "sss" and module[ARGV] == argv_sssd_missing_name) or
+ (enableSmartcard and not use_sssd_smartcard_support and module[STACK] == AUTH and
 module[NAME] == "succeed_if" and module[LOGIC] == LOGIC_SKIPNEXT) or
- (enableSmartcard and module[NAME] == "pkcs11") or
+ (enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
+ (enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
 (enableSmartcard and forceSmartcard and module[NAME] == "deny") or
 (enableFprintd and module[NAME] == "fprintd") or
 (self.enableOTP and module[NAME] == "otp") or
 (self.enablePasswdQC and module[NAME] == "passwdqc") or
 (self.enableWinbindAuth and module[NAME] == "winbind") or
- ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or
+ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss" and module[ARGV] != argv_sssd_missing_name) or
 ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
 (self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
@@ -4093,6 +4129,8 @@
 ret = ret and self.writeWinbind()
 if self.implicitSSSD or self.implicitSSSDAuth:
 ret = ret and self.writeSSSD()
+ elif self.enableSSSDAuth:
+ ret = ret and self.writeSSSDPAM()
 ret = ret and self.writeNSS()
 ret = ret and self.writePAM()
 ret = ret and self.writeSysconfig()
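Review bot: The added `(enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny")` clause is dead, because the unchanged clause directly after it, `(enableSmartcard and forceSmartcard and module[NAME] == "deny")`, already matches every case the new one matches, whatever use_sssd_smartcard_support is, and the two sit in one `or` chain. Either the old clause was meant to be replaced (so `deny` is only emitted on the pam_pkcs11 path) or the new one is redundant; as written, with SSSD smartcard support and forceSmartcard the stack keeps `deny` after the sufficient `sss allow_missing_name` entry, which looks like the intended smartcard-only behaviour, so I would drop the added clause and leave a comment on the old one saying it applies to both paths. The enclosing condition starts and ends outside the hunk.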
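Review bot: On the new `elif self.enableSSSDAuth:` path writeSSSDPAM rewrites sssd.conf without the `all_configs[CFG_SSSD].backup(self.backupDir)` that writeSSSD performs before it calls the same method, so this branch is the one writer here that changes a config file with nothing saved to the backup directory. I would add the backup in this branch before the call: `elif self.enableSSSDAuth:` / `all_configs[CFG_SSSD].backup(self.backupDir)` / `ret = ret and self.writeSSSDPAM()`, unless writeSSSDPAM is changed to back up itself, in which case the call in writeSSSD would back up twice. The enclosing function starts and ends outside the hunk.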
@@ -4250,7 +4288,8 @@
 print " LDAP server = \"%s\"" % self.ldapServer
 print " LDAP base DN = \"%s\"" % self.ldapBaseDN
 print " LDAP schema = \"%s\"" % (self.ldapSchema or "rfc2307")
- print "pam_pkcs11 is %s" % formatBool(self.enableSmartcard)
+ print "pam_pkcs11 is %s" % formatBool(self.enableSmartcard and not (self.enableSSSDAuth and self.smartcardModule == "sssd"))
+ print "SSSD smartcard support is %s" % formatBool(self.enableSmartcard and (self.enableSSSDAuth and self.smartcardModule == "sssd"))
 print " use only smartcard for login is %s" % formatBool(self.forceSmartcard)
 print " smartcard module = \"%s\"" % self.smartcardModule
 print " smartcard removal action = \"%s\"" % self.smartcardAction
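Review bot: The expression `self.enableSSSDAuth and self.smartcardModule == "sssd"` is now spelled out in writeSSSDPAM, as `use_sssd_smartcard_support` in writePAMService, and twice more on these two print lines, so the four places can drift apart the next time the rule changes. A single method such as `def useSSSDSmartcard(self): return self.enableSSSDAuth and self.smartcardModule == "sssd"` (name constructed here) would let these lines read `formatBool(self.enableSmartcard and not self.useSSSDSmartcard())` and `formatBool(self.enableSmartcard and self.useSSSDSmartcard())`, with the same call replacing the other copies. The enclosing function starts and ends outside the hunk.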