diff --git a/authconfig-7.0.1-nss-update.patch b/authconfig-7.0.1-nss-update.patch
new file mode 100644
index 0000000..dcf9654
--- /dev/null
+++ b/authconfig-7.0.1-nss-update.patch
@@ -0,0 +1,136 @@
+diff -up authconfig-7.0.1/authinfo.py.nss-update authconfig-7.0.1/authinfo.py
+--- authconfig-7.0.1/authinfo.py.nss-update	2017-05-16 14:55:45.294736031 +0200
++++ authconfig-7.0.1/authinfo.py	2017-07-20 11:34:11.332143359 +0200
+@@ -93,9 +93,7 @@ PATH_SEBOOL = "/usr/sbin/setsebool"
+ PATH_SCEVENTD = "/usr/bin/pkcs11_eventmgr"
+ PATH_SCSETUP = "/usr/bin/pkcs11_setup"
+ 
+-PATH_LIBNSS_LDAP = "/usr" + LIBDIR + "/libnss_ldap.so.2"
+-if not os.path.isfile(PATH_LIBNSS_LDAP):
+-	PATH_LIBNSS_LDAP = LIBDIR + "/libnss_ldap.so.2"
++PATH_LIBNSS_LDAP = LIBDIR + "/libnss_ldap.so.2"
+ PATH_LIBNSS_NIS = LIBDIR + "/libnss_nis.so.2"
+ PATH_LIBNSS_WINBIND = LIBDIR + "/libnss_winbind.so.2"
+ PATH_LIBNSS_SSS = LIBDIR + "/libnss_sss.so.2"
+@@ -107,7 +105,7 @@ PATH_PAM_PKCS11 = AUTH_MODULE_DIR + "/pa
+ PATH_PAM_FPRINTD = AUTH_MODULE_DIR + "/pam_fprintd.so"
+ PATH_PAM_SSS = AUTH_MODULE_DIR + "/pam_sss.so"
+ 
+-PATH_LIBSSS_AUTOFS = "/usr" + LIBDIR + "/sssd/modules/libsss_autofs.so"
++PATH_LIBSSS_AUTOFS = LIBDIR + "/sssd/modules/libsss_autofs.so"
+ 
+ PATH_WINBIND_NET = "/usr/bin/net"
+ 
+@@ -213,10 +211,10 @@ def checkNSS(configuration, candidate):
+ 		start = configuration.find(candidate, start)
+ 		if start < 0:
+ 			return None
+-		if start > 0 and configuration[start-1].isalnum():
++		if start > 0 and not configuration[start-1].isspace():
+ 			start += clen
+ 			continue
+-		if start+clen < len(configuration) and configuration[start+clen].isalnum():
++		if start+clen < len(configuration) and not configuration[start+clen].isspace():
+ 			start += clen
+ 			continue
+ 		return start
+@@ -1293,10 +1291,12 @@ class AuthInfo:
+ 		self.enableMDNS = None
+ 		self.enableMyhostname = None
+ 		self.preferDNSinHosts = None
++		self.preferSSSinNsswitch = True
+ 		self.enableSSSD = None
+-                # This one we don't have a config entry, we just
++                # For these we don't have a config entry, we just
+                 # preserve the entry if we see it.
+ 		self.enableAltfiles = None
++		self.enableSystemd = None
+ 
+ 		# Authentication setup.
+ 		self.enableNullOk = True
+@@ -1394,8 +1394,9 @@ class AuthInfo:
+ 		("winbindSeparator", "c"), ("winbindTemplateHomedir", "c"), ("winbindTemplateShell", "c"),
+ 		("winbindUseDefaultDomain", "b"), ("winbindOffline", "b"), ("winbindKrb5", "b")]),
+ 	SaveGroup(self.writeNSS, None, [("enableWinbind", "b"), ("enableNIS", "b"), ("enableNIS3", "b"),
+-		("enableLDAP", "b"), ("enableMDNS", "b"), ("enableMyhostname", "b"),
+-		("enableSSSD", "b"), ("preferDNSinHosts", "b"), ("implicitSSSD", "b")]),
++		("enableLDAP", "b"), ("enableMDNS", "b"), ("enableMyhostname", "b"), ("enableSystemd", "b"),
++		("enableAltfiles", "b"), ("enableSSSD", "b"), ("preferDNSinHosts", "b"), ("implicitSSSD", "b"),
++		("preferSSSinNsswitch", "b")]),
+ 	SaveGroup(self.writePAM, None, [("pwqualityArgs", "c"), ("passwdqcArgs", "c"),
+ 		("faillockArgs", "c"), ("enableFaillock", "b"),
+ 		("localuserArgs", "c"), ("pamAccessArgs", "c"), ("enablePAMAccess", "b"),
+@@ -1984,9 +1985,9 @@ class AuthInfo:
+ 				# some modules can be found in hosts only
+ 				value = matchKey(line, "hosts:")
+ 				if value:
+-					if checkNSS(value, "mdns4_minimal [NOTFOUND=return]"):
++					if checkNSS(value, "mdns4_minimal [NOTFOUND=return]") != None:
+ 						self.setParam("enableMDNS", True, ref)
+-					if checkNSS(value, "myhostname"):
++					if checkNSS(value, "myhostname") != None:
+ 						self.setParam("enableMyhostname", True, ref)
+ 
+ 					nispos = checkNSS(value, "nis")
+@@ -1996,12 +1997,14 @@ class AuthInfo:
+ 
+ 		if nssconfig:
+ 			nssmap = (('LDAP', 'ldap'), ('NIS', 'nis'), ('Altfiles', 'altfiles'),
+-				('NIS3', 'nisplus'), ('Winbind', 'winbind'))
++				('NIS3', 'nisplus'), ('Winbind', 'winbind'), ('Systemd', 'systemd'))
+ 			for attr, nssentry in nssmap:
+-				if checkNSS(nssconfig, nssentry):
++				if checkNSS(nssconfig, nssentry) != None:
+ 					self.setParam('enable' + attr, True, ref)
+-
+-			self.setParam("implicitSSSD", bool(checkNSS(nssconfig, "sss")), ref)
++			ssspos = checkNSS(nssconfig, "sss")
++			self.setParam("implicitSSSD", ssspos != None, ref)
++			if ssspos != None:
++				self.setParam("preferSSSinNsswitch", ssspos == 0, ref)
+ 		f.close()
+ 		return True
+ 
+@@ -3504,8 +3507,12 @@ class AuthInfo:
+ 			if self.enableNIS:
+ 				normal += " nis"
+ 			if self.enableSSSD or self.implicitSSSD:
+-				normal += " sss"
+-				services += " sss"
++				if self.preferSSSinNsswitch:
++					normal = "sss " + normal
++					services = "sss " + services
++				else:
++					normal += " sss"
++					services += " sss"
+ 			if self.enableLDAP and not self.implicitSSSD:
+ 				normal += " ldap"
+ 
+@@ -3516,6 +3523,9 @@ class AuthInfo:
+ 			users = normal
+ 			if self.enableWinbind:
+ 				users += " winbind"
++			shadow = normal
++			if self.enableSystemd:
++				users += " systemd"
+ 
+ 			# Adjust automount from normal.
+ 			automount = normal
+@@ -3558,7 +3568,7 @@ class AuthInfo:
+ 				elif matchLine(ls, "shadow:"):
+ 					if not wroteshadow:
+ 						output += "shadow:    "
+-						output += users
++						output += shadow
+ 						output += "\n"
+ 						wroteshadow = True
+ 				# If it's a 'group' line, insert ours instead.
+@@ -3613,7 +3623,7 @@ class AuthInfo:
+ 				output += "\n"
+ 			if not wroteshadow:
+ 				output += "shadow:    "
+-				output += users
++				output += shadow
+ 				output += "\n"
+ 			if not wrotegroup:
+ 				output += "group:     "
diff --git a/authconfig.spec b/authconfig.spec
index a219c79..995ae43 100644
--- a/authconfig.spec
+++ b/authconfig.spec
@@ -1,13 +1,14 @@
 Summary: Command line tool for setting up authentication from network services
 Name: authconfig
 Version: 7.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 ExclusiveOS: Linux
 Group: System Environment/Base
 URL: https://pagure.io/authconfig
 Source: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.bz2
 Patch1: authconfig-6.2.6-gdm-nolastlog.patch
+Patch2: authconfig-7.0.1-nss-update.patch
 Requires: pam >= 0.99.10.0, python3, libpwquality > 0.9
 Requires: python3-sssdconfig
 Conflicts: pam_krb5 < 1.49, samba-common < 3.0, samba-client < 3.0
@@ -68,6 +69,9 @@ sed -i 's/pam_mkhomedir.so/pam_oddjob_mkhomedir.so/g' /etc/pam.d/*-auth-ac &>/de
 %attr(700,root,root) %dir %{_localstatedir}/lib/%{name}
 
 %changelog
+* Thu Jul 20 2017 Tomáš Mráz <tmraz@redhat.com> - 7.0.1-2
+- update nsswitch.conf handling to cover current Fedora defaults
+
 * Tue May 16 2017 Tomáš Mráz <tmraz@redhat.com> - 7.0.1-1
 - fix CVE-2017-7488 incorrect PAM configuration with SSSD (#1441604)
   (if you use configuration with pam_sss, use authconfig --updateall