diff -up authconfig-6.2.8/authconfig-gtk.py.services authconfig-6.2.8/authconfig-gtk.py
--- authconfig-6.2.8/authconfig-gtk.py.services	2014-09-29 15:37:19.000000000 +0200
+++ authconfig-6.2.8/authconfig-gtk.py	2014-09-29 15:41:20.478788789 +0200
@@ -257,7 +257,7 @@ class Authconfig:
 				self.info = backup
 			# Save.
 			if (response == 1):
-				self.apply()
+				self.apply(nostart=True)
 				backup = self.info
 		return backup
 
@@ -266,7 +266,10 @@ class Authconfig:
 		if not backup:
 			return
 		self.winbindjoin_launch(button, map, xml, parent)
-		self.info = backup
+		if self.info != backup:
+			self.info = backup
+		else:
+			self.apply()
 
 	def winbindjoin_launch(self, button, map, xml, parent):
 		if not self.info.joinUser:
@@ -285,7 +288,10 @@ class Authconfig:
 		if not backup:
 			return
 		self.ipav2join_launch(button, map, xml, parent)
-		self.info = backup
+		if self.info != backup:
+			self.info = backup
+		else:
+			self.apply()
 
 	def ipav2join_launch(self, button, map, xml, parent):
 		response = self.run_on_button(None, "joinipadomain",
@@ -772,7 +778,7 @@ class Authconfig:
 		return dialog
 
 	# Save changes.
-	def apply(self):
+	def apply(self, nostart = False):
 		self.update_type(self.id_map, self.currid)
 		self.update_type(self.auth_map, self.currauth)
 		self.apply_idsettings()
@@ -788,7 +794,7 @@ class Authconfig:
 		else:
 			self.info.writeChanged(self.pristineinfo)
 
-		self.info.post(False)
+		self.info.post(nostart)
 		if "--firstboot" in sys.argv:
 			for service in firstbootservices:
 				if authinfo.Service.isEnabled(service):
diff -up authconfig-6.2.8/authinfo.py.services authconfig-6.2.8/authinfo.py
--- authconfig-6.2.8/authinfo.py.services	2014-09-29 15:43:38.000000000 +0200
+++ authconfig-6.2.8/authinfo.py	2014-09-29 15:44:28.629036362 +0200
@@ -4395,15 +4395,15 @@ class AuthInfo:
 			"winbind", nostart)
 
 	def toggleSSSDService(self, nostart):
-		
 		explicitenable = ((self.enableSSSD and self.enableSSSDAuth) or
 			(self.enableSSSD and os.path.exists(PATH_SSSD_CONFIG)) or
 			(self.enableSSSDAuth and os.path.exists(PATH_SSSD_CONFIG)))
-		toggleSplatbindService(self.implicitSSSD or self.implicitSSSDAuth or
-			self.enableIPAv2 or explicitenable,
+		enable = (self.implicitSSSD or self.implicitSSSDAuth or
+			self.enableIPAv2 or explicitenable)
+		toggleSplatbindService(enable,
 			PATH_SSSD,
-			"sssd", nostart or not (self.implicitSSSD or self.implicitSSSDAuth
-			or self.enableIPAv2))
+			"sssd", nostart or (enable and not (self.implicitSSSD or
+			self.implicitSSSDAuth or self.enableIPAv2)))
 
 	def toggleOddjobService(self, nostart):
 		if self.enableMkHomeDir and os.access("%s/pam_%s.so"
diff -up authconfig-6.2.8/man/en/authconfig.8.services authconfig-6.2.8/man/en/authconfig.8
--- authconfig-6.2.8/man/en/authconfig.8.services	2013-11-01 16:08:01.000000000 +0100
+++ authconfig-6.2.8/man/en/authconfig.8	2014-09-29 15:40:31.872691485 +0200
@@ -35,7 +35,7 @@ be restored by the \fB--restorelastbacku
 
 If \fB--nostart\fR is specified (which is what the install program does),
 ypbind or other daemons will not be started or stopped immediately following
-program execution, but only enabled to start or stop at boot time. 
+program execution, but only enabled to start or stop at boot time.
 
 The \fB--enablenis\fP, \fB--enableldap\fP, \fB--enablewinbind\fP,
 and \fB--enablehesiod\fP options
@@ -94,6 +94,22 @@ The \fB/usr/bin/authconfig\fR uses the \
 system user before it starts up. If you want to run it directly without the 
 authentication as the system user, run the \fB/usr/sbin/authconfig\fR command.
 
+The SSSD service is enabled and possibly started by authconfig when at least two of
+the following three conditions are met:
+.br
+1) /etc/sssd/sssd.conf file exists (or is configured via the implicit SSSD support)
+.br
+2) SSSD authentication is enabled (pam_sss.so is used in PAM configuration)
+.br
+3) SSSD is enabled for user identity (nsswitch.conf contains sss)
+
+When \fB--update\fR action is used the enablement or disablement and possible restart
+of services happens only in case the changed configuration options affect the
+service to be restarted. This means that if for example the ypbind service is
+enabled with \fBauthconfig --update --nostart --enablenis\fR but not started
+and you run the same command without the \fB--nostart\fR later the ypbind
+service will not be started because no configuration change affecting ypbind
+happened.
 .PD
 .SH "RETURN CODES"
 \fBauthconfig\fR returns 0 on success, 1 on backup operation errors,