diff --git a/authconfig-6.2.10-cacertdir.patch b/authconfig-6.2.10-cacertdir.patch
new file mode 100644
index 0000000..c6dd030
--- /dev/null
+++ b/authconfig-6.2.10-cacertdir.patch
@@ -0,0 +1,63 @@ +# HG changeset patch +# User Tomas Mraz +# Date 1427468671 -3600 +# Fri Mar 27 16:04:31 2015 +0100 +# Node ID 8dd359bfc32e9473251571486ef0a29d1c4167a4 +# Parent 1686f4a66f7cd306bd827274970de09a892bfd9e +Make the ldapCacertDir follow the openldap default. + +diff -r 1686f4a66f7c -r 8dd359bfc32e authinfo.py +--- a/authinfo.py Tue Mar 03 10:24:52 2015 +0100 ++++ b/authinfo.py Fri Mar 27 16:04:31 2015 +0100 +@@ -116,7 +116,7 @@ + PATH_WINBIND_NET = "/usr/bin/net" + PATH_IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install" + +-PATH_LDAP_CACERTS = "/etc/openldap/cacerts" ++PATH_LDAP_CACERTS = "/etc/openldap/certs" + LDAP_CACERT_DOWNLOADED = "authconfig_downloaded.pem" + + PATH_CONFIG_BACKUPS = "/var/lib/authconfig" +@@ -1627,7 +1627,6 @@ + + # Read LDAP setup from /etc/ldap.conf. + def readLDAP(self, ref): +- self.ldapCacertDir = PATH_LDAP_CACERTS + # Open the file. Bail if it's not there or there's some problem + # reading it. + try: +@@ -1675,10 +1674,16 @@ + if value: + self.setParam("ldapSchema", value, ref) + continue ++ value = matchKey(line, "tls_cacertdir") ++ if value: ++ self.setParam("ldapCacertDir", value, ref) ++ continue + # We'll pull MD5/DES crypt ("pam_password") from the config + # file, or from the pam_unix PAM config lines. 
+ + self.ldapServer = self.ldapHostsToURIs(cleanList(self.ldapServer), False) ++ if not self.ldapCacertDir: ++ self.ldapCacertDir = PATH_LDAP_CACERTS + f.close() + return True + +@@ -4444,7 +4449,7 @@ + self.uninstallIPA() + + def testLDAPCACerts(self): +- if self.enableLDAP or self.enableLDAPAuth: ++ if self.enableLDAP or self.enableLDAPAuth or self.ldapCacertURL: + try: + os.stat(self.ldapCacertDir) + except OSError as err: +@@ -4456,7 +4461,7 @@ + + def rehashLDAPCACerts(self): + if ((self.enableLDAP or self.enableLDAPAuth) and +- (self.enableLDAPS or 'ldaps:' in self.ldapServer)): ++ (self.enableLDAPS or 'ldaps:' in self.ldapServer)) or self.ldapCacertURL: + os.system("/usr/sbin/cacertdir_rehash " + self.ldapCacertDir) + + def downloadLDAPCACert(self): diff --git a/authconfig-6.2.10-sssdprompting.patch b/authconfig-6.2.10-sssdprompting.patch new file mode 100644 index 0000000..335fab6 --- /dev/null +++ b/authconfig-6.2.10-sssdprompting.patch 
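Review bot: `ldapCacertDir` is now taken from the config file's `tls_cacertdir` value (the new `matchKey` branch in readLDAP), yet rehashLDAPCACerts still hands it to a shell unquoted via `os.system("/usr/sbin/cacertdir_rehash " + self.ldapCacertDir)`, so a directory name containing whitespace or shell metacharacters is word-split or interpreted rather than rehashed. Pass it as an argument vector instead, `subprocess.call(["/usr/sbin/cacertdir_rehash", self.ldapCacertDir])`, adding `import subprocess` if the file header, which lies outside this hunk, does not already have it. Separately, the unconditional `self.ldapCacertDir = PATH_LDAP_CACERTS` at the top of readLDAP was replaced by a fallback applied only just before `return True`, so on the early bail-out when the config file cannot be opened the attribute keeps whatever the constructor assigned; if that is None, `os.stat(self.ldapCacertDir)` in testLDAPCACerts and the concatenation above would raise, so either confirm the initial value or apply the fallback on the bail-out path too. The rest of readLDAP's body is outside the inner hunks shown.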
@@ -0,0 +1,70 @@ +# HG changeset patch +# User Tomas Mraz +# Date 1427477516 -3600 +# Fri Mar 27 18:31:56 2015 +0100 +# Node ID 8c4cdeb97a91c7b959234eccc6ad216691529c3d +# Parent 93a10a7118a58f3fe0d8d8f7c4e81fed57f29c15 +Support pam_sss.so prompting for password for non-local users. + +See bug 1195817 + +diff -r 93a10a7118a5 -r 8c4cdeb97a91 authinfo.py +--- a/authinfo.py Fri Mar 27 16:16:53 2015 +0100 ++++ b/authinfo.py Fri Mar 27 18:31:56 2015 +0100 +@@ -136,6 +136,7 @@ + LOGIC_SKIPNEXT = "[success=1 default=ignore]" + LOGIC_SKIPNEXT3 = "[success=3 default=ignore]" + LOGIC_ALWAYS_SKIP = "[default=1]" ++LOGIC_SKIPNEXT_ON_FAILURE = "[default=1 success=ok]" + + # Snip off line terminators and final whitespace from a passed-in string. + def snipString(s): +@@ -464,6 +465,8 @@ + "permit", []], + [False, AUTH, LOGIC_SUFFICIENT, + "fprintd", []], ++ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE, ++ "localuser", []], + [True, AUTH, LOGIC_SUFFICIENT, + "unix", argv_unix_auth], + [False, AUTH, LOGIC_REQUISITE, +@@ -587,6 +590,8 @@ + "env", []], + [False, AUTH, LOGIC_REQUIRED, + "deny", []], ++ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE, ++ "localuser", []], + [True, AUTH, LOGIC_SUFFICIENT, + "unix", argv_unix_auth], + [False, AUTH, LOGIC_REQUISITE, +@@ -3814,6 +3819,10 @@ + argv = module[ARGV][0:] # shallow copy + argv[1] = self.uidMin + args = " ".join(argv) ++ # do not continue to following modules if authentication fails ++ if name == "unix" and stack == "auth" and (self.enableSSSDAuth or ++ self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS): ++ logic = LOGIC_FORCE_PKCS11 # make it or break it logic + # use oddjob_mkhomedir if available + if name == "mkhomedir" and os.access("%s/pam_%s.so" + % (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK): +@@ -3841,6 +3850,8 @@ + args = self.mkhomedirArgs + if name == "systemd": + args = self.systemdArgs ++ if name == "sss" and stack == "auth" and not self.enableNIS: ++ args = "forward_pass" + if not args and module[ARGV]: + 
args = " ".join(module[ARGV]) + if name == "winbind" and self.winbindOffline and stack != "password": +@@ -3945,7 +3956,9 @@ + (self.enablePasswdQC and module[NAME] == "passwdqc") or + (self.enableWinbindAuth and module[NAME] == "winbind") or + ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or +- (self.enableLocAuthorize and module[NAME] == "localuser") or ++ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and ++ (not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or ++ (self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or + (self.enablePAMAccess and module[NAME] == "access") or + (self.enableMkHomeDir and module[NAME] == "mkhomedir") or + (not self.enableSysNetAuth and module[STACK] == AUTH and diff --git a/authconfig.spec b/authconfig.spec index b5f7c22..f94d69b 100644 --- a/authconfig.spec +++ b/authconfig.spec @@ -1,13 +1,15 @@ Summary: Command line tool for setting up authentication from network services Name: authconfig Version: 6.2.10 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ ExclusiveOS: Linux Group: System Environment/Base URL: https://fedorahosted.org/authconfig Source: https://fedorahosted.org/releases/a/u/%{name}/%{name}-%{version}.tar.bz2 Patch1: authconfig-6.2.6-gdm-nolastlog.patch +Patch3: authconfig-6.2.10-cacertdir.patch +Patch4: authconfig-6.2.10-sssdprompting.patch Requires: newt-python, pam >= 0.99.10.0, python, libpwquality > 0.9 Requires: python-sssdconfig Conflicts: pam_krb5 < 1.49, samba-common < 3.0, samba-client < 3.0 @@ -39,6 +41,8 @@ authentication schemes. %prep %setup -q -n %{name}-%{version} %patch1 -p1 -b .nolastlog +%patch3 -p1 -b .cacertdir +%patch4 -p1 -b .sssdprompting %build %configure 
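Review bot: The new prompting scheme only holds together when three edits agree — `localuser` is enabled in the auth stack, `unix` is forced to the make-or-break logic, and `sss` receives `forward_pass` — yet each has its own condition: `(self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS)` is spelled out in the hunks at 3819 and 3956, while the `sss` branch in the hunk at 3850 tests only `not self.enableNIS`. If these drift apart, pam_unix dies for non-local users with no skip in front of it, or pam_sss runs without having collected a password, so compute the predicate once, e.g. `def _sssdPromptsNonLocal(self): return (self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and not self.enableNIS`, and use it in all three places. Reusing `LOGIC_FORCE_PKCS11` for pam_unix with only the comment "make it or break it logic" hides the intent; an alias such as `LOGIC_FORCE_DIE = LOGIC_FORCE_PKCS11  # unix failure must not fall through to sss` would document it. Presumably every template whose auth stack carries `unix` also received the `localuser` entry (only the two at 465 and 590 are in the hunk); any template without it would now terminate non-local users at pam_unix before pam_sss is reached — confirm. The enclosing functions of the hunks at 3819, 3850 and 3956 start and end outside the hunk.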
@@ -121,6 +125,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %{_datadir}/icons/hicolor/256x256/apps/system-config-authentication.* %changelog +* Fri Mar 27 2015 Tomáš Mráz - 6.2.10-4 +- make the cacertdir setup more sane (#1203024) +- support sssd prompting non-local users for password (#1195817) + * Wed Mar 4 2015 Tomáš Mráz - 6.2.10-3 - add newly needed requires python-sssdconfig