diff --git a/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch b/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
new file mode 100644
index 0000000..6593fab
--- /dev/null
+++ b/SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
@@ -0,0 +1,127 @@
+From 81cbee4e3ff2e667946e0d41097b402257608b7e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 6 Nov 2020 14:07:10 +0200
+Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code
+
+When initializing UPN suffixes, we calculate their sizes and didn't use
+the right variable to allocate their size. This affects us if there are
+more than one UPN suffix available for a trust due to memory corruption
+while filling in sizes.
+
+Add unit test for multiple UPN suffixes.
+
+Fixes: https://pagure.io/freeipa/issue/8566
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c       |  2 +-
+ daemons/ipa-kdb/tests/ipa_kdb_tests.c | 50 +++++++++++++++++++++++++++
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index dd29db190..fe5b586b6 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+             for (; t[n].upn_suffixes[len] != NULL; len++);
+ 
+             if (len != 0) {
+-                t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
++                t[n].upn_suffixes_len = calloc(len, sizeof(size_t));
+                 if (t[n].upn_suffixes_len == NULL) {
+                     ret = ENOMEM;
+                     goto done;
+diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+index d3ef5c00d..752b24ea4 100644
+--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
++++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+@@ -71,6 +71,10 @@
+ #define DOM_SID "S-1-5-21-1-2-3"
+ #define DOM_SID_TRUST "S-1-5-21-4-5-6"
+ #define BLACKLIST_SID "S-1-5-1"
++#define NUM_SUFFIXES 10
++#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
++#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
++#define EXTERNAL_REALM "WRONG.DOMAIN"
+ 
+ static int setup(void **state)
+ {
+@@ -92,6 +96,9 @@
+     ipa_ctx = calloc(1, sizeof(struct ipadb_context));
+     assert_non_null(ipa_ctx);
+ 
++    kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
++    assert_int_equal(kerr, 0);
++
+     ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
+     assert_non_null(ipa_ctx->mspac);
+ 
+@@ -126,6 +133,15 @@
+                         &ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
+     assert_int_equal(ret, 0);
+ 
++    ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
++    ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
++    for (size_t i = 0; i < NUM_SUFFIXES; i++) {
++	asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
++        ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
++            strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
++
++    }
++
+     ipa_ctx->kcontext = krb5_ctx;
+     kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
+     assert_int_equal(kerr, 0);
+@@ -478,6 +494,38 @@
+ }
+ 
+ 
++void test_check_trusted_realms(void **state)
++{
++    struct test_ctx *test_ctx;
++    krb5_error_code kerr = 0;
++    char *trusted_realm = NULL;
++
++    test_ctx = (struct test_ctx *) *state;
++
++    for(size_t i = 0; i < NUM_SUFFIXES; i++) {
++        char *test_realm = NULL;
++        asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
++
++        if (test_realm) {
++            kerr = ipadb_is_princ_from_trusted_realm(
++                       test_ctx->krb5_ctx,
++                       test_realm,
++                       strlen(test_realm),
++                       &trusted_realm);
++            assert_int_equal(kerr, 0);
++            free(test_realm);
++            free(trusted_realm);
++        }
++    }
++
++    kerr = ipadb_is_princ_from_trusted_realm(
++               test_ctx->krb5_ctx,
++               EXTERNAL_REALM,
++               strlen(EXTERNAL_REALM),
++               &trusted_realm);
++    assert_int_equal(kerr, KRB5_KDB_NOENTRY);
++}
++
+ int main(int argc, const char *argv[])
+ {
+     const struct CMUnitTest tests[] = {
+@@ -488,6 +536,8 @@
+         cmocka_unit_test(test_string_to_sid),
+         cmocka_unit_test_setup_teardown(test_dom_sid_string,
+                                         setup, teardown),
++        cmocka_unit_test_setup_teardown(test_check_trusted_realms,
++                                        setup, teardown),
+     };
+ 
+     return cmocka_run_group_tests(tests, NULL, NULL);
+-- 
+2.29.2
+
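Review bot: `SUFFIX_TEMPLATE` is defined as `"d%0d" DOMAIN_NAME`, but both `asprintf` calls that use it — the loop in `setup` and the loop in `test_check_trusted_realms` — pass a `size_t` index, so the `%d` conversion receives an argument of the wrong type, which is undefined behaviour under the C format rules. The template should be `#define SUFFIX_TEMPLATE "d%zu" DOMAIN_NAME` (the `0` flag without a width has no effect and can go). The new setup code also differs from the rest of `setup` in not checking allocations: neither `calloc` result nor the `asprintf` return is asserted, so an allocation failure leaves a NULL element that the following `strlen` dereferences — add `assert_non_null(ipa_ctx->mspac->trusts[0].upn_suffixes);` and `assert_non_null(ipa_ctx->mspac->trusts[0].upn_suffixes_len);` and check the `asprintf` return value before using the string. The `asprintf` line is indented with a tab while the surrounding file uses spaces; the inner hunks show only fragments of `setup`, whose remainder is outside this view.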
diff --git a/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch b/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch
new file mode 100644
index 0000000..366fd17
--- /dev/null
+++ b/SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch
@@ -0,0 +1,625 @@
+Adapted version due to missing patches:
+
+  commit 1f1e7dbe6131b3cdc0ba81b454c7729126bfa6ee
+  Author: Slava Aseev <ptrnine@altlinux.org>
+  Date:   Mon Nov 23 18:23:01 2020 +0300
+  
+      ipa-kdb: handle dates up to 2106-02-07 06:28:16
+ 
+  commit 44c222aca9bb0056004f15dfb187d3f249ed0452
+  Author: Alexander Bokovoy <abokovoy@redhat.com>
+  Date:   Thu Dec 17 12:22:47 2020 +0200
+  
+      ipa-kdb: use predefined filters for a wild-card searches
+
+  commit 78a7ab0daf0d5ebd388046aec6e1c9328e0564a8
+  Author: Robbie Harwood <rharwood@redhat.com>
+  Date:   Tue Nov 10 14:07:47 2020 -0500
+  
+      ipa-kdb: implement AS-REQ lifetime jitter
+
+  commit d6a8fc290aa93fc5d53025f4400a9736366175eb
+  Author: Rob Crittenden <rcritten@redhat.com>
+  Date:   Thu Sep 24 22:39:36 2020 -0400
+  
+      Pass the user to the password policy check in the kdb driver
+
+From 701d0fb0415497fe9fe8fbf25fa800041e2a2b40 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Feb 2021 10:06:25 +0200
+Subject: [PATCH] ipa-kdb: fix compiler warnings
+
+There are few fields in KDB structures that have 'conflicting' types but
+need to be compared. They come from MIT Kerberos and we have no choice
+here.
+
+In the same way, SID structures have own requirements.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_audit_as.c   | 4 ++--
+ daemons/ipa-kdb/ipa_kdb_mspac.c      | 6 +++---
+ daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c  | 2 +-
+ 4 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+index ed48ea758..ec2046bfe 100644
+--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
++++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
+         }
+ 
+         if (client->last_failed + ied->pol->lockout_duration > authtime &&
+-            (client->fail_auth_count >= ied->pol->max_fail && 
++            (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
+              ied->pol->max_fail != 0)) {
+             /* client already locked, nothing more to do */
+             break;
+         }
+         if (ied->pol->max_fail == 0 ||
+-            client->fail_auth_count < ied->pol->max_fail) {
++            client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
+             /* let's increase the fail counter */
+             client->fail_auth_count++;
+             client->mask |= KMASK_FAIL_AUTH_COUNT;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index c6ac593ca..050100430 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -147,9 +147,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
+ 
+ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
+ {
+-    size_t c;
++    int8_t c;
+     size_t len;
+-    int ofs;
++    size_t ofs;
+     uint32_t ia;
+     char *buf;
+ 
+@@ -2606,7 +2606,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ 
+         t[n].upn_suffixes_len = NULL;
+         if (t[n].upn_suffixes != NULL) {
+-            size_t len = 0;
++            int len = 0;
+ 
+             for (; t[n].upn_suffixes[len] != NULL; len++);
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index d1fa51578..59337a4ca 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -491,7 +491,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
+     l = len;
+     for (i = 0; i < count; i++) {
+         ret = snprintf(ap, l, "%s ", authinds[i]);
+-        if (ret <= 0 || ret > l) {
++        if (ret <= 0 || ret > (int) l) {
+             ret = ENOMEM;
+             goto cleanup;
+         }
+@@ -2064,7 +2064,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
+     char *s = NULL;
+     size_t ai_size = 0;
+     int cnt = 0;
+-    int i = 0;
++    size_t i = 0;
+ 
+     ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
+     if (ret) {
+@@ -2445,7 +2445,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
+ {
+     krb5_error_code kerr;
+     LDAPMod *m = NULL;
+-    int i;
++    size_t i;
+ 
+     kerr = ipadb_mods_new(imods, &m);
+     if (kerr) {
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 4965e6d7f..6f21ef867 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+     }
+ 
+     if (ied->pol->max_fail == 0 ||
+-        client->fail_auth_count < ied->pol->max_fail) {
++        client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
+         /* still within allowed failures range */
+         return 0;
+     }
+-- 
+2.29.2
+
+From d454ca8f004954f19622fe61ad9e2854359f3784 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:51:40 +0200
+Subject: [PATCH] ipa-kdb: add missing prototypes
+
+On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
+about function prototypes missing. If -Werror is specified, this breaks
+compilation.
+
+We also default to -Werror=implicit-function-declaration
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_kdcpolicy.c     |  4 ++++
+ daemons/ipa-kdb/ipa_kdb_mspac.c         | 20 ++++++++++++--------
+ daemons/ipa-kdb/ipa_kdb_mspac_private.h |  4 ++++
+ 3 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+index 7f03f2f03..6976f9ba9 100644
+--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+@@ -9,6 +9,10 @@
+ #include "ipa_krb5.h"
+ #include "ipa_kdb.h"
+ 
++krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
++                                        int maj_ver, int min_ver,
++                                        krb5_plugin_vtable vtable);
++
+ static krb5_error_code
+ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
+                        const krb5_kdc_req *request,
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 050100430..c05fb717a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -2403,9 +2403,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
+     *mspac = NULL;
+ }
+ 
+-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+-                                                  struct dom_sid **result_sids,
+-                                                  int *result_length)
++static krb5_error_code
++ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
++                                  struct dom_sid **result_sids,
++                                  int *result_length)
+ {
+     int len, i;
+     char **source;
+@@ -2436,9 +2437,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+     return 0;
+ }
+ 
+-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+-                                                   char **sid_blacklist_incoming,
+-                                                   char **sid_blacklist_outgoing)
++static krb5_error_code
++ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
++                                   char **sid_blacklist_incoming,
++                                   char **sid_blacklist_outgoing)
+ {
+     krb5_error_code kerr;
+ 
+@@ -2459,7 +2461,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
+     return 0;
+ }
+ 
+-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
++static krb5_error_code
++ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+ {
+     char *attrs[] = { NULL };
+     char *filter = "(objectclass=ipaNTTrustedDomain)";
+@@ -2504,7 +2507,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si
+     }
+ }
+ 
+-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
++static krb5_error_code
++ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ {
+     struct ipadb_adtrusts *t;
+     LDAP *lc = ipactx->lcontext;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+index b21aa163f..2369e16f8 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
+ 
+ int string_to_sid(const char *str, struct dom_sid *sid);
+ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
++krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
++                                  krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
++void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
++                          bool *_with_pac, bool *_with_pad);
+\ No newline at end of file
+-- 
+2.29.2
+
+From da98a6fcb81ee3ac7df8bb238a0793809c2be3fd Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:52:15 +0200
+Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
+
+Add prototype to the exported function
+
+Replace few tabs by spaces and mark static code as static.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
+index bc6b26578..3a3060c92 100644
+--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
++++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
+@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
+     time_t valid_until;
+ };
+ 
+-void ipa_certmap_debug(void *private,
+-                       const char *file, long line,
+-                       const char *function,
+-                       const char *format, ...)
++krb5_error_code certauth_ipakdb_initvt(krb5_context context,
++                                       int maj_ver, int min_ver,
++                                       krb5_plugin_vtable vtable);
++
++static void ipa_certmap_debug(void *private, const char *file, long line,
++                              const char *function,
++                              const char *format, ...)
+ {
+     va_list ap;
+     char str[255] = { 0 };
+@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
+      * so there is nothing more to add here. */
+     auth_inds = calloc(2, sizeof(char *));
+     if (auth_inds != NULL) {
+-	ret = asprintf(&auth_inds[0], "pkinit");
+-	if (ret != -1) {
++        ret = asprintf(&auth_inds[0], "pkinit");
++        if (ret != -1) {
+             auth_inds[1] = NULL;
+             *authinds_out = auth_inds;
+-	} else {
+-	    free(auth_inds);
++        } else {
++            free(auth_inds);
+         }
+     }
+ 
+@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
+     size_t i = 0;
+ 
+     if ((authinds == NULL) || (moddata == NULL)) {
+-	return;
++        return;
+     }
+ 
+     for(i=0; authinds[i]; i++) {
+-	free(authinds[i]);
+-	authinds[i] = NULL;
++        free(authinds[i]);
++        authinds[i] = NULL;
+     }
+ 
+     free(authinds);
+-- 
+2.29.2
+
+From aa7f99c08ff41f216d60152d6235922c561c2881 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:55:41 +0200
+Subject: [PATCH] ipa-kdb: mark test functions as static
+
+No need to define missing prototypes to single use test functions.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+index 368a2f978..960200b6e 100644
+--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
++++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+@@ -180,7 +180,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
+                                   krb5_data realm,
+                                   struct PAC_LOGON_INFO_CTR *info);
+ 
+-void test_filter_logon_info(void **state)
++static void test_filter_logon_info(void **state)
+ {
+     krb5_error_code kerr;
+     krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
+@@ -315,10 +315,7 @@ void test_filter_logon_info(void **state)
+ 
+ }
+ 
+-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
+-                                 bool *with_pac, bool *with_pad);
+-
+-void test_get_authz_data_types(void **state)
++static void test_get_authz_data_types(void **state)
+ {
+     bool with_pac;
+     bool with_pad;
+@@ -436,7 +433,7 @@ void test_get_authz_data_types(void **state)
+     krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
+ }
+ 
+-void test_string_to_sid(void **state)
++static void test_string_to_sid(void **state)
+ {
+     int ret;
+     struct dom_sid sid;
+@@ -468,7 +465,7 @@ void test_string_to_sid(void **state)
+     assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
+ }
+ 
+-void test_dom_sid_string(void **state)
++static void test_dom_sid_string(void **state)
+ {
+     struct test_ctx *test_ctx;
+     char *str_sid;
+@@ -494,7 +491,7 @@ void test_dom_sid_string(void **state)
+ }
+ 
+ 
+-void test_check_trusted_realms(void **state)
++static void test_check_trusted_realms(void **state)
+ {
+     struct test_ctx *test_ctx;
+     krb5_error_code kerr = 0;
+-- 
+2.29.2
+
+From 79baa0932d1349d46d162e7478fa4e3c8e88dc09 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 19 Feb 2021 15:37:47 +0200
+Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
+
+Calling to ipadb_get_connection() will remove LDAP context if any error
+happens. This means upper layers must always verify that LDAP context
+exists after such calls.
+
+ipadb_get_user_auth() may re-read global configuration and that may fail
+and cause IPA context to have NULL LDAP context.
+
+Fixes: https://pagure.io/freeipa/issue/8681
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb.c            |  1 +
+ daemons/ipa-kdb/ipa_kdb_mspac.c      | 32 +++++++++++++++-------------
+ daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
+ 3 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 33d2a6773..e7b8d7dbf 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
+         /* ldap free lcontext */
+         if ((*ctx)->lcontext) {
+             ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
++            (*ctx)->lcontext = NULL;
+         }
+         free((*ctx)->supp_encs);
+         free((*ctx)->def_encs);
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index c05fb717a..1e59189ed 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -416,7 +416,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+                                         TALLOC_CTX *memctx,
+                                         struct netr_SamInfo3 *info3)
+ {
+-    LDAP *lcontext = ipactx->lcontext;
+     LDAPDerefRes *deref_results = NULL;
+     struct dom_sid sid;
+     gid_t prigid = -1;
+@@ -433,7 +432,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     bool is_idobject = false;
+     krb5_principal princ;
+ 
+-    ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
++    ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
+                                      &objectclasses);
+     if (ret == 0 && objectclasses != NULL) {
+         for (c = 0; objectclasses[c] != NULL; c++) {
+@@ -470,13 +469,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     }
+ 
+     if (is_host) {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
+         if (ret) {
+             /* fqdn is mandatory for hosts */
+             return ret;
+         }
+     } else if (is_service) {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++                                     "krbCanonicalName", &strres);
+         if (ret) {
+             /* krbCanonicalName is mandatory for services */
+             return ret;
+@@ -496,7 +496,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+             return ENOENT;
+         }
+     } else {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
+         if (ret) {
+             /* uid is mandatory */
+             return ret;
+@@ -509,7 +509,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     if (is_host || is_service) {
+         prigid = 515; /* Well known RID for domain computers group */
+     } else {
+-        ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
++        ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
++                                     "gidNumber", &intres);
+         if (ret) {
+             /* gidNumber is mandatory */
+             return ret;
+@@ -540,7 +541,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     info3->base.kickoff_time = -1;
+ #endif
+ 
+-    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
+                                     "krbLastPwdChange", &timeres);
+     switch (ret) {
+     case 0:
+@@ -557,7 +558,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+     info3->base.allow_password_change = 0;
+     info3->base.force_password_change = -1;
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
+     switch (ret) {
+     case 0:
+         info3->base.full_name.string = talloc_strdup(memctx, strres);
+@@ -570,7 +571,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTLogonScript", &strres);
+     switch (ret) {
+     case 0:
+@@ -584,7 +585,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTProfilePath", &strres);
+     switch (ret) {
+     case 0:
+@@ -598,7 +599,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTHomeDirectory", &strres);
+     switch (ret) {
+     case 0:
+@@ -612,7 +613,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         return ret;
+     }
+ 
+-    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                  "ipaNTHomeDirectoryDrive", &strres);
+     switch (ret) {
+     case 0:
+@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+             info3->base.rid = 515;
+         }
+     } else {
+-        ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+                                      "ipaNTSecurityIdentifier", &strres);
+         if (ret) {
+             /* SID is mandatory */
+@@ -660,7 +661,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         }
+     }
+ 
+-    ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
++    ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
+     switch (ret) {
+     LDAPDerefRes *dres;
+     LDAPDerefVal *dval;
+@@ -2511,7 +2512,7 @@ static krb5_error_code
+ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ {
+     struct ipadb_adtrusts *t;
+-    LDAP *lc = ipactx->lcontext;
++    LDAP *lc = NULL;
+     char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
+                       "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
+                       "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
+@@ -2545,6 +2546,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+         goto done;
+     }
+ 
++    lc = ipactx->lcontext;
+     for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
+         dnstr = ldap_get_dn(lc, le);
+ 
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 59337a4ca..0a98ff054 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -335,6 +335,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
+     if (gcfg != NULL)
+         gua = gcfg->user_auth;
+ 
++    /* lcontext == NULL means ipadb_get_global_config() failed to load
++     * global config and cleared the ipactx */
++    if (ipactx->lcontext == NULL)
++        return IPADB_USER_AUTH_NONE;
++
+     /* Get the user's user_auth settings if not disabled. */
+     if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+         ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+@@ -608,8 +613,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+         free(entry);
+         return KRB5_KDB_DBNOTINITED;
+     }
+-    lcontext = ipactx->lcontext;
+-    if (!lcontext) {
++
++    entry->magic = KRB5_KDB_MAGIC_NUMBER;
++    entry->len = KRB5_KDB_V1_BASE_LENGTH;
++
++    /* Get User Auth configuration. */
++    ua = ipadb_get_user_auth(ipactx, lentry);
++
++    /* ipadb_get_user_auth() calls into ipadb_get_global_config()
++     * and that might fail, causing lcontext to become NULL */
++    if (!ipactx->lcontext) {
+         krb5_klog_syslog(LOG_INFO,
+                          "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
+         ret = ipadb_get_connection(ipactx);
+@@ -621,11 +634,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+         }
+     }
+ 
+-    entry->magic = KRB5_KDB_MAGIC_NUMBER;
+-    entry->len = KRB5_KDB_V1_BASE_LENGTH;
+-
+-    /* Get User Auth configuration. */
+-    ua = ipadb_get_user_auth(ipactx, lentry);
++    /* If any code below would result in invalidating ipactx->lcontext,
++     * lcontext must be updated with the new ipactx->lcontext value.
++     * We rely on the fact that none of LDAP-parsing helpers does it. */
++    lcontext = ipactx->lcontext;
+ 
+     /* ignore mask for now */
+ 
+-- 
+2.29.2
+
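Review bot: In the `ipadb_parse_ldap_entry` hunk the value assigned by the relocated `ua = ipadb_get_user_auth(ipactx, lentry);` is kept even when the following `if (!ipactx->lcontext)` branch successfully re-establishes the connection, so on that path the entry is built with the `IPADB_USER_AUTH_NONE` sentinel that `ipadb_get_user_auth` now returns for a cleared context rather than with the user's actual setting. After the retry succeeds, recompute it — `ua = ipadb_get_user_auth(ipactx, lentry);` followed by a second `if (!ipactx->lcontext)` bail-out — before `lcontext = ipactx->lcontext;` is taken. Whether the sentinel means "no restriction" or "deny" is not visible in this hunk, but in either case the parsed entry should reflect the reloaded configuration, not the failure marker; a comment on the early return in `ipadb_get_user_auth` stating that callers must check `ipactx->lcontext` before trusting the result would make the contract explicit. The body of `ipadb_parse_ldap_entry` continues outside the hunk.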
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 999ec31..532c8b2 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -149,7 +149,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        14%{?dist}
+Release:        16%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -191,6 +191,8 @@ Patch0024:      0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910
 Patch0025:      0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch
 Patch0026:      0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch
 Patch0027:      0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch
+Patch0028:      0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
+Patch0029:      0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-4.8.0-Remove-csrgen.patch
 Patch1003:      1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
@@ -868,7 +870,6 @@ export PATH=/usr/bin:/usr/sbin:$PATH
 
 export PYTHON=%{__python3}
 %configure --with-vendor-suffix=-%{release} \
-           --with-ipaplatform=rhel \
            %{enable_server_option} \
            %{with_ipatests_option} \
            %{linter_options}
@@ -1542,6 +1543,14 @@ fi
 
 
 %changelog
+* Tue Mar  9 2021 Thomas Woerner <twoerner@redhat.com> - 4.8.7-16
+- Fix krb5kdc is crashing intermittently on IPA server
+  Resolves: RHBZ#1935146
+
+* Fri Feb 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-15
+- ipa-kdb: fix crash in MS-PAC cache init code
+  Resolves: RHBZ#1930562
+
 * Tue Jan 12 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.8.7-14
 - wgi/plugins.py: ignore empty plugin directories
   Resolves: RHBZ#1895910