diff -Naur old/authinfo.py new/authinfo.py
--- old/authinfo.py	2017-04-28 12:04:32.204470232 +0200
+++ new/authinfo.py	2017-04-28 12:10:10.534170041 +0200
@@ -1432,6 +1432,7 @@
 		self.sssdConfig = None
 		self.sssdDomain = None
 		self.forceSSSDUpdate = None
+		self.sssdConfigPresent = False
 		if SSSDConfig:
 			try:
 				self.sssdConfig = SSSDConfig.SSSDConfig()
@@ -1915,6 +1916,7 @@
 		self.sssdConfig = SSSDConfig.SSSDConfig()
 		try:
 			self.sssdConfig.import_config(all_configs[CFG_SSSD].origPath)
+			self.sssdConfigPresent = True
 		except (IOError, SSSDConfig.ParsingError):
 			self.sssdConfig = SSSDConfig.SSSDConfig()
 			self.sssdConfig.new_config()
@@ -3321,9 +3323,14 @@
 				domain.remove_provider(subtype)
 			domain.add_provider(newprovider, subtype)
 
-	def writeSSSDPAM(self):
+	def writeSSSDPAM(self, write_config):
 		if not self.sssdConfig:
 			return True
+		
+		if not self.sssdConfigPresent and not self.implicitSSSD:
+			# do not write to sssd.conf since the file does not exist yet and
+			# we are not creating the domain ourselves
+			return True
 
 		try:
 			pam = self.sssdConfig.get_service('pam')
@@ -3339,10 +3346,11 @@
 				pass
 
 		self.sssdConfig.save_service(pam)
-		try:
-			self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
-		except IOError:
-			pass
+		if write_config:
+			try:
+				self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
+			except IOError:
+				pass
 
 		return True
 
@@ -3352,7 +3360,8 @@
 
 		all_configs[CFG_SSSD].backup(self.backupDir)
 		
-		self.writeSSSDPAM()
+		# do not write to the file yet since we will write all changes at ones
+		self.writeSSSDPAM(False)
 
 		if self.enableIPAv2:
 			# just save the backup
@@ -4172,7 +4181,7 @@
 			if self.implicitSSSD or self.implicitSSSDAuth:
 				ret = ret and self.writeSSSD()
 			elif self.enableSSSDAuth:
-				ret = ret and self.writeSSSDPAM()
+				ret = ret and self.writeSSSDPAM(True)
 			ret = ret and self.writeNSS()
 			ret = ret and self.writePAM()
 			ret = ret and self.writeSysconfig()