OK, so looking at passwdutils source I see that the supported configurations are hardcoded in $SRC/lib/passwdutil/switch_utils:get_ns() and in __set_authtoken_attr().
Not only is there a limit on the number of backends that can appear in passwd, but also which ones as well. This isn't good if we want to eventually open the name service switch SPI. For now we can hardcode 'ad' as a the name of a backend to ignore, and we can update the passwd(1) manpage to indicate that having 'ad' in passwd is supported, though changing AD users' passwords through passwd(1) will not be. A more complete treatment of the problem may have to wait until we're ready to open the name service switch SPI. Nico --
