diff --git a/SOURCES/0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch b/SOURCES/0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch
new file mode 100644
index 0000000..e60a668
--- /dev/null
+++ b/SOURCES/0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch
@@ -0,0 +1,62 @@
+From 18cbf559addfeb77ad83b81e23431295a3e5c6ae Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 6 May 2016 15:02:19 +0200
+Subject: [PATCH] IPA: Handle requests for netgroups from trusted domains
+ gracefully
+
+In ipa_account_info_handler we first check if the request is for a user
+from a trusted domain and go that way for all request types. In
+contrast, in the ipa_account_info_done we first check if the requested
+object is a netgroup. If both are true, we first start a subdomain
+lookup send but then call netgroup lookup recv, which results in talloc
+type mismatch and crashes sssd_be.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3007
+---
+ src/providers/ipa/ipa_id.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index 29e22982c415220c931f0422e10cd06dfa1a195b..dff4b23580d8c7502a1fbe9c57d21b8c555883be 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -115,21 +115,27 @@ void ipa_account_info_handler(struct be_req *breq)
+         return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
+     }
+ 
+-    if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
+-        /* if domain names do not match, this is a subdomain case
+-         * subdomain lookups are handled differently on the server
+-         * and the client
+-         */
+-        req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
+-
+-    } else if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
++    if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
+         /* netgroups are handled by a separate request function */
+         if (ar->filter_type != BE_FILTER_NAME) {
+             return sdap_handler_done(breq, DP_ERR_FATAL,
+                                      EINVAL, "Invalid filter type");
+         }
++
++        if ((strcasecmp(ar->domain, be_ctx->domain->name) != 0)) {
++            return sdap_handler_done(breq, DP_ERR_OK, EOK,
++                                     "netgroups in subdomains are "
++                                     "not handled\n");
++        }
++
+         req = ipa_id_get_netgroup_send(breq, be_ctx->ev,
+                                        ipa_ctx, ar->filter_value);
++    } else if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
++        /* if domain names do not match, this is a subdomain case
++         * subdomain lookups are handled differently on the server
++         * and the client
++         */
++        req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
+     } else {
+         /* any account request is handled by sdap,
+          * any invalid request is caught there. */
+-- 
+2.4.11
+
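Review bot: The new early return for a netgroup request from a subdomain passes `"netgroups in subdomains are not handled\n"` to sdap_handler_done(), while the other calls visible in this hunk pass messages without a trailing newline (`"Success"`, `"Invalid filter type"`); dropping the `\n` would keep the reply strings consistent. The branch also reports DP_ERR_OK/EOK, so as far as the hunk shows a caller cannot tell an unsupported lookup from an empty result. That looks deliberate given the subject line, and a comment such as `/* netgroups from trusted domains are not supported; reply with success so the request ends without an error */` would record it. The doubled parentheses around the strcasecmp() comparison can go. ipa_account_info_handler begins and ends outside the hunk.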
diff --git a/SOURCES/0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch b/SOURCES/0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch
new file mode 100644
index 0000000..ac735c0
--- /dev/null
+++ b/SOURCES/0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch
@@ -0,0 +1,44 @@
+From 01598f563378f8cf85e7a7fb0c29e7bf32518c3f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 22 Apr 2016 18:32:26 +0200
+Subject: [PATCH] LDAP: Try also the AD access control for IPA users
+
+Resolves:
+    https://fedorahosted.org/sssd/ticket/2927
+
+If a user from an AD trusted domain is logging in, we should also check
+their AD lockout status. This helps cases where the user might have been
+disabled but is logging in with an SSH public key.
+---
+ src/providers/ldap/sdap_access.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
+index 3ef45b717787058ec61c4d6875cb41bb2e8195fc..14ec34508636c19b288a57cd305d874705bdb842 100644
+--- a/src/providers/ldap/sdap_access.c
++++ b/src/providers/ldap/sdap_access.c
+@@ -741,6 +741,21 @@ static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
+                 DEBUG(SSSDBG_CRIT_FAILURE,
+                       "sdap_account_expired_rhds failed.\n");
+             }
++
++            if (ret == EOK &&
++                    strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0) {
++                DEBUG(SSSDBG_TRACE_FUNC,
++                      "IPA access control succeeded, checking AD "
++                      "access control\n");
++                ret = sdap_account_expired_ad(pd, user_entry);
++                if (ret == ERR_ACCOUNT_EXPIRED || ret == ERR_ACCESS_DENIED) {
++                    DEBUG(SSSDBG_TRACE_FUNC,
++                        "sdap_account_expired_ad: %s.\n", sss_strerror(ret));
++                } else if (ret != EOK) {
++                    DEBUG(SSSDBG_CRIT_FAILURE,
++                          "sdap_account_expired_ad failed.\n");
++                }
++            }
+         } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) {
+             ret = sdap_account_expired_nds(pd, user_entry);
+             if (ret == ERR_ACCESS_DENIED) {
+-- 
+2.4.11
+
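Review bot: The added block runs sdap_account_expired_ad() for every entry evaluated under the LDAP_ACCOUNT_EXPIRE_IPA policy once the preceding check returned EOK; nothing in the hunk restricts it to users from an AD trusted domain, which is the case the commit message describes. This presumably relies on sdap_account_expired_ad() returning EOK for entries that carry no AD account-control attributes, which is not visible here and deserves a comment above the `if`, for example `/* Trusted AD users are evaluated under the IPA policy too; also honour their AD disabled/expired state. Native IPA entries are assumed to pass unchanged. */`. Any other non-EOK result is left in `ret`, so an unexpected failure presumably denies access rather than granting it, which is the safe direction and worth keeping. The `"sdap_account_expired_ad: %s.\n"` continuation line is indented two columns less than the other DEBUG calls, and sdap_account_expired continues outside the hunk.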
diff --git a/SOURCES/0114-NSS-Fix-memory-leak-netgroup.patch b/SOURCES/0114-NSS-Fix-memory-leak-netgroup.patch
new file mode 100644
index 0000000..7b94d48
--- /dev/null
+++ b/SOURCES/0114-NSS-Fix-memory-leak-netgroup.patch
@@ -0,0 +1,106 @@
+From de876c0de1056008786f56aa56f1198479cb58d2 Mon Sep 17 00:00:00 2001
+From: Pavel Reichl <preichl@redhat.com>
+Date: Fri, 27 Nov 2015 07:53:00 -0500
+Subject: [PATCH] NSS: Fix memory leak netgroup
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2865
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 4231a17e66e0809a9c3d42207b45f95429cbb46c)
+---
+ src/responder/nss/nsssrv_netgroup.c | 41 ++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
+index c71043858988bbf6c66aaab1357d24d3701c777f..94fe3776d94a24dec03a5766c4026c3887b448aa 100644
+--- a/src/responder/nss/nsssrv_netgroup.c
++++ b/src/responder/nss/nsssrv_netgroup.c
+@@ -435,14 +435,18 @@ static errno_t create_negcache_netgr(struct setent_step_ctx *step_ctx)
+     errno_t ret;
+     struct getent_ctx *netgr;
+ 
+-    netgr = talloc_zero(step_ctx->nctx, struct getent_ctx);
+-    if (netgr == NULL) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+-        ret = ENOMEM;
+-        goto done;
+-    } else {
+-        netgr->ready = true;
+-        netgr->found = false;
++    /* Is there already netgroup with such name? */
++    ret = get_netgroup_entry(step_ctx->nctx, step_ctx->name,
++                             &netgr);
++    if (ret != EOK || netgr == NULL) {
++
++        netgr = talloc_zero(step_ctx->nctx, struct getent_ctx);
++        if (netgr == NULL) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
++            ret = ENOMEM;
++            goto done;
++        }
++
+         netgr->entries = NULL;
+         netgr->lookup_table = step_ctx->nctx->netgroups;
+         netgr->name = talloc_strdup(netgr, step_ctx->name);
+@@ -457,13 +461,20 @@ static errno_t create_negcache_netgr(struct setent_step_ctx *step_ctx)
+             DEBUG(SSSDBG_CRIT_FAILURE, "set_netgroup_entry failed.\n");
+             goto done;
+         }
+-        set_netgr_lifetime(step_ctx->nctx->neg_timeout, step_ctx, netgr);
+     }
+ 
++    netgr->ready = true;
++    netgr->found = false;
++
++    set_netgr_lifetime(step_ctx->nctx->neg_timeout, step_ctx, netgr);
++
++    ret = EOK;
++
+ done:
+     if (ret != EOK) {
+         talloc_free(netgr);
+     }
++
+     return ret;
+ }
+ 
+@@ -474,6 +485,12 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
+     struct getent_ctx *netgr;
+     char *name = NULL;
+     uint32_t lifetime;
++    TALLOC_CTX *tmp_ctx;
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        return ENOMEM;
++    }
+ 
+     /* Check each domain for this netgroup name */
+     while (dom) {
+@@ -494,8 +511,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
+         /* make sure to update the dctx if we changed domain */
+         step_ctx->dctx->domain = dom;
+ 
+-        talloc_free(name);
+-        name = sss_get_cased_name(step_ctx, step_ctx->name,
++        name = sss_get_cased_name(tmp_ctx, step_ctx->name,
+                                   dom->case_sensitive);
+         if (!name) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "sss_get_cased_name failed\n");
+@@ -623,10 +639,11 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
+               "create_negcache_netgr failed with: %d:[%s], ignored.\n",
+               ret, sss_strerror(ret));
+     }
++
+     ret = ENOENT;
+ 
+ done:
+-    talloc_free(name);
++    talloc_free(tmp_ctx);
+     return ret;
+ }
+ 
+-- 
+2.4.11
+
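Review bot: In create_negcache_netgr, when get_netgroup_entry() returns an existing entry the allocation block is skipped, yet `netgr->ready = true; netgr->found = false;` and set_netgr_lifetime() now run on that reused entry, so its `entries` and any lifetime already set for it are left as they were. Whether a reused entry can still hold results or a pending expiry is not visible in the hunk; if it can, a comment stating that the entry is deliberately turned into a negative one (or a reset of `netgr->entries`) would help. In lookup_netgr_step, `tmp_ctx` comes from `talloc_new(NULL)` and is freed only at `done:`, so any `return` in the parts of the function outside these hunks would leak it; it is worth confirming that every exit after the allocation goes through `done`.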
diff --git a/SOURCES/0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch b/SOURCES/0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch
new file mode 100644
index 0000000..2829467
--- /dev/null
+++ b/SOURCES/0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch
@@ -0,0 +1,69 @@
+From 8233ca6a64e673aad41f2aeb1f6152930fd16f72 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 5 Jan 2016 13:46:55 +0100
+Subject: [PATCH] ipa_s2n_save_objects(): use configured user and group timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves https://fedorahosted.org/sssd/ticket/2899
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+(cherry picked from commit acce97e8d97e81a9e660d46c4e3c00bcb423c035)
+(cherry picked from commit e8b5470df44c9f4eb0a4ccc0c79efe778c9658ba)
+---
+ src/providers/ipa/ipa_s2n_exop.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index bcd11749fbde4cae2a47b9b2182138ae04f2d6bc..d101a437dfaf2829013f9e3e3705a7161c654d78 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1743,7 +1743,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ {
+     int ret;
+     time_t now;
+-    uint64_t timeout = 10*60*60; /* FIXME: find a better timeout ! */
+     struct sss_nss_homedir_ctx homedir_ctx;
+     char *name = NULL;
+     char *realm;
+@@ -1947,7 +1946,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                  * SYSDB_INITGR_EXPIRE will be set.*/
+                 ret = sysdb_attrs_add_time_t(attrs->sysdb_attrs,
+                                              SYSDB_INITGR_EXPIRE,
+-                                             time(NULL) + timeout);
++                                             time(NULL) + dom->user_timeout);
+                 if (ret != EOK) {
+                     DEBUG(SSSDBG_OP_FAILURE,
+                           "sysdb_attrs_add_time_t failed.\n");
+@@ -2006,7 +2005,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                                    gid, attrs->a.user.pw_gecos,
+                                    attrs->a.user.pw_dir, attrs->a.user.pw_shell,
+                                    NULL, attrs->sysdb_attrs, NULL,
+-                                   timeout, now);
++                                   dom->user_timeout, now);
+             if (ret == EEXIST && dom->mpg == true) {
+                 /* This handles the case where getgrgid() was called for
+                  * this user, so a group was created in the cache
+@@ -2034,7 +2033,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                                        attrs->a.user.pw_dir,
+                                        attrs->a.user.pw_shell,
+                                        NULL, attrs->sysdb_attrs, NULL,
+-                                       timeout, now);
++                                       dom->user_timeout, now);
+                 if (ret != EOK) {
+                     DEBUG(SSSDBG_OP_FAILURE,
+                           "sysdb_store_user failed for MPG user [%d]: %s\n",
+@@ -2174,7 +2173,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+             }
+ 
+             ret = sysdb_store_group(dom, name, attrs->a.group.gr_gid,
+-                                    attrs->sysdb_attrs, timeout, now);
++                                    attrs->sysdb_attrs, dom->group_timeout,
++                                    now);
+             if (ret != EOK) {
+                 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_group failed.\n");
+                 goto done;
+-- 
+2.4.11
+
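Review bot: The SYSDB_INITGR_EXPIRE value is still computed as `time(NULL) + dom->user_timeout`, while the sysdb_store_user() and sysdb_store_group() calls in the same function pass the timeout together with `now`. If `now` is already assigned at that point (its assignment is outside the hunks), `now + dom->user_timeout` would keep the initgroups expiry and the entry expiry on the same clock reading. A short comment at the first use, noting that the lifetimes now come from the domain's configured user and group timeouts instead of the former fixed ten-hour value, would also help the next reader. ipa_s2n_save_objects is shown only in fragments here.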
diff --git a/SOURCES/0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch b/SOURCES/0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch
new file mode 100644
index 0000000..164e78d
--- /dev/null
+++ b/SOURCES/0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch
@@ -0,0 +1,29 @@
+From 0a7c43151c362bf8e7276fc1d08c49cb91fdb005 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 17 May 2016 11:54:10 +0200
+Subject: [PATCH] IPA: use forest name when looking up the Global Catalog
+
+Resolves https://fedorahosted.org/sssd/ticket/3015
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 149174acae677d1e72a0da431bf0850d55f2ccb4)
+---
+ src/providers/ipa/ipa_subdomains_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index c561118946e2ba76b2b4076e5057b1b5c0075a41..b75266701904d8bd1723bc277ae96d407f90f30d 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -249,7 +249,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
+         DEBUG(SSSDBG_TRACE_ALL, "No extra attrs set.\n");
+     }
+ 
+-    gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->name);
++    gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->forest);
+     if (gc_service_name == NULL) {
+         talloc_free(ad_options);
+         return ENOMEM;
+-- 
+2.4.11
+
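Review bot: `subdom->forest` is passed straight to the `%s` conversion of talloc_asprintf(), and the hunk shows no check that it is set; a NULL pointer there is undefined by the C standard (glibc prints `(null)`), which would produce a bogus `gc_` service name instead of an error. Whether forest is always populated for a subdomain is not visible here. If it is not guaranteed, guard it before the call, e.g. `if (subdom->forest == NULL) { talloc_free(ad_options); return EINVAL; }`, or fall back to `subdom->name`. ipa_ad_ctx_new begins and ends outside the hunk.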
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index eff8ddf..de6504f 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -25,7 +25,7 @@
 
 Name: sssd
 Version: 1.13.0
-Release: 40%{?dist}.4
+Release: 40%{?dist}.9
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -147,6 +147,11 @@ Patch0108:  0108-LDAP-Use-the-IPA-provider-interface-to-resolve-exter.patch
 Patch0109:  0109-memberof-Don-t-allocate-on-a-NULL-context.patch
 Patch0110:  0110-memberof-Fix-a-memory-leak-when-removing-ghost-users.patch
 Patch0111:  0111-memberof-Don-t-allocate-on-NULL-when-deleting-member.patch
+Patch0112:  0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch
+Patch0113:  0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch
+Patch0114:  0114-NSS-Fix-memory-leak-netgroup.patch
+Patch0115:  0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch
+Patch0116:  0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch
 
 #This patch should not be removed in RHEL-7
 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1079,6 +1084,26 @@ fi
 /usr/bin/rm -f /var/tmp/sssd.upgrade || :
 
 %changelog
+* Tue May 24 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.9
+- Resolves: rhbz#1339509 - sssd tries to resolve global catalog servers
+                           from AD forest sub-domains in AD-IPA trust setup
+
+* Tue May 24 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.8
+- Resolves: rhbz#1339258 - [sssd] Trusted (AD) user's info stays in sssd
+                           cache for much more than expected.
+
+* Tue May 24 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.7
+- Resolves: rhbz#1339207 - sssd_nss memory usage keeps growing when trying
+                           to retrieve non-existing netgroups
+
+* Thu May 19 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.6
+- Resolves: rhbz#1337292 - In IPA-AD trust environment access is granted
+                           to AD user even if the user is disabled on AD.
+
+* Tue May 17 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.5
+- Resolves: rhbz#1336836 - IPA provider crashes if a netgroup from a
+                           trusted domain is requested
+
 * Mon Apr 18 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.13.0-40.4
 - Resolves: rhbz#1324442 - sssd be memory leak in sssd's memberof plugin
 - More patches from upstream related to the memory leak