diff --git a/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch b/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch
new file mode 100644
index 0000000..ec12f9a
--- /dev/null
+++ b/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch
@@ -0,0 +1,105 @@
+From 02b0d44892a7c6953cfb70034dbfc1b77a2371fc Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Feb 2021 10:06:25 +0200
+Subject: [PATCH] ipa-kdb: fix compiler warnings
+
+There are few fields in KDB structures that have 'conflicting' types but
+need to be compared. They come from MIT Kerberos and we have no choice
+here.
+
+In the same way, SID structures have own requirements.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 4 ++--
+ daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+index 77748a75d6b16ee4d080a5f53213cc58c81660dc..a5ffe29334509e23fe0f0b9973432166c254b484 100644
+--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
++++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
+ }
+
+ if (client->last_failed + ied->pol->lockout_duration > authtime &&
+- (client->fail_auth_count >= ied->pol->max_fail &&
++ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
+ ied->pol->max_fail != 0)) {
+ /* client already locked, nothing more to do */
+ break;
+ }
+ if (ied->pol->max_fail == 0 ||
+- client->fail_auth_count < ied->pol->max_fail) {
++ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
+ /* let's increase the fail counter */
+ client->fail_auth_count++;
+ client->mask |= KMASK_FAIL_AUTH_COUNT;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 74cbb77cccb45188f7bd8a1a33085f8ef964930f..9f95d0dc407df4566467f2b4a960086a7d940bcc 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -158,9 +158,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
+
+ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
+ {
+- size_t c;
++ int8_t c;
+ size_t len;
+- int ofs;
++ size_t ofs;
+ uint32_t ia;
+ char *buf;
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 259a0d2563f4b9c038b041781b2580fe72d7ed7e..3b78970b118cb6d8bd97da82a79226d20ea784e1 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -498,7 +498,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
+ l = len;
+ for (i = 0; i < count; i++) {
+ ret = snprintf(ap, l, "%s ", authinds[i]);
+- if (ret <= 0 || ret > l) {
++ if (ret <= 0 || ret > (int) l) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+@@ -1867,7 +1867,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
+ char *s = NULL;
+ size_t ai_size = 0;
+ int cnt = 0;
+- int i = 0;
++ size_t i = 0;
+
+ ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
+ if (ret) {
+@@ -2248,7 +2248,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
+ {
+ krb5_error_code kerr;
+ LDAPMod *m = NULL;
+- int i;
++ size_t i;
+
+ kerr = ipadb_mods_new(imods, &m);
+ if (kerr) {
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 10f128700bfd01d6ed6b5dd224ea9226b6f0dd2e..a3be116f93458e7b1a50bbbc6bda916d0e11a47a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
+ }
+
+ if (ied->pol->max_fail == 0 ||
+- client->fail_auth_count < ied->pol->max_fail) {
++ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
+ /* still within allowed failures range */
+ return 0;
+ }
+--
+2.26.3
+
diff --git a/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch b/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch
new file mode 100644
index 0000000..a997b67
--- /dev/null
+++ b/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch
@@ -0,0 +1,88 @@
+From 0c9f411efb7fb7bd7df5f07f2225af3f75bdf342 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:51:40 +0200
+Subject: [PATCH] ipa-kdb: add missing prototypes
+
+On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
+about function prototypes missing. If -Werror is specified, this breaks
+compilation.
+
+We also default to -Werror=implicit-function-declaration
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
+ daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 9f95d0dc407df4566467f2b4a960086a7d940bcc..b6e7516859ce59232364f6ae93dee3063914ecf4 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -2325,9 +2325,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
+ *mspac = NULL;
+ }
+
+-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+- struct dom_sid **result_sids,
+- int *result_length)
++static krb5_error_code
++ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
++ struct dom_sid **result_sids,
++ int *result_length)
+ {
+ int len, i;
+ char **source;
+@@ -2358,9 +2359,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+ return 0;
+ }
+
+-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+- char **sid_blacklist_incoming,
+- char **sid_blacklist_outgoing)
++static krb5_error_code
++ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
++ char **sid_blacklist_incoming,
++ char **sid_blacklist_outgoing)
+ {
+ krb5_error_code kerr;
+
+@@ -2381,7 +2383,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
+ return 0;
+ }
+
+-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
++static krb5_error_code
++ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+ {
+ char *attrs[] = { NULL };
+ char *filter = "(objectclass=ipaNTTrustedDomain)";
+@@ -2426,7 +2429,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si
+ }
+ }
+
+-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
++static krb5_error_code
++ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ {
+ struct ipadb_adtrusts *t;
+ LDAP *lc = ipactx->lcontext;
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+index 30382d2eefaeddc6d5aff38553fb4668e0173201..82397cc40febfef91f8f58cb643daaa5b9b1d6d9 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+@@ -52,3 +52,7 @@ struct ipadb_adtrusts {
+
+ int string_to_sid(const char *str, struct dom_sid *sid);
+ char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
++krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
++ krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
++void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
++ bool *_with_pac, bool *_with_pad);
+\ No newline at end of file
+--
+2.26.3
+
diff --git a/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch b/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
new file mode 100644
index 0000000..6a1f25d
--- /dev/null
+++ b/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
@@ -0,0 +1,75 @@
+From 592a0eceb7e38fb41c815efa22229574bae177c6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:52:15 +0200
+Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
+
+Add prototype to the exported function
+
+Replace few tabs by spaces and mark static code as static.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
+index 47911aa3ded56efe4d47acb78d94ccdbcdca7339..32d6710edb9f1547d1ffe628a5529357b2f593ab 100644
+--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
++++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
+@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
+ time_t valid_until;
+ };
+
+-void ipa_certmap_debug(void *private,
+- const char *file, long line,
+- const char *function,
+- const char *format, ...)
++krb5_error_code certauth_ipakdb_initvt(krb5_context context,
++ int maj_ver, int min_ver,
++ krb5_plugin_vtable vtable);
++
++static void ipa_certmap_debug(void *private, const char *file, long line,
++ const char *function,
++ const char *format, ...)
+ {
+ va_list ap;
+ char str[255] = { 0 };
+@@ -355,12 +358,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
+ * so there is nothing more to add here. */
+ auth_inds = calloc(2, sizeof(char *));
+ if (auth_inds != NULL) {
+- ret = asprintf(&auth_inds[0], "pkinit");
+- if (ret != -1) {
++ ret = asprintf(&auth_inds[0], "pkinit");
++ if (ret != -1) {
+ auth_inds[1] = NULL;
+ *authinds_out = auth_inds;
+- } else {
+- free(auth_inds);
++ } else {
++ free(auth_inds);
+ }
+ }
+
+@@ -405,12 +408,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
+ size_t i = 0;
+
+ if ((authinds == NULL) || (moddata == NULL)) {
+- return;
++ return;
+ }
+
+ for(i=0; authinds[i]; i++) {
+- free(authinds[i]);
+- authinds[i] = NULL;
++ free(authinds[i]);
++ authinds[i] = NULL;
+ }
+
+ free(authinds);
+--
+2.26.3
+
diff --git a/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch b/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch
new file mode 100644
index 0000000..290e0d0
--- /dev/null
+++ b/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch
@@ -0,0 +1,61 @@
+From 7423bf0192310509ff963d2b67c85409a501d4e3 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 24 Feb 2021 20:55:41 +0200
+Subject: [PATCH] ipa-kdb: mark test functions as static
+
+No need to define missing prototypes to single use test functions.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/tests/ipa_kdb_tests.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+index 7f1ae7f66e233d779433eff4e5f32fe7fafc3f02..1f94afe486fd09c497ee8b8aa16880d1840603d0 100644
+--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
++++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+@@ -164,7 +164,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
+ krb5_data realm,
+ struct PAC_LOGON_INFO_CTR *info);
+
+-void test_filter_logon_info(void **state)
++static void test_filter_logon_info(void **state)
+ {
+ krb5_error_code kerr;
+ krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
+@@ -299,10 +299,7 @@ void test_filter_logon_info(void **state)
+
+ }
+
+-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
+- bool *with_pac, bool *with_pad);
+-
+-void test_get_authz_data_types(void **state)
++static void test_get_authz_data_types(void **state)
+ {
+ bool with_pac;
+ bool with_pad;
+@@ -420,7 +417,7 @@ void test_get_authz_data_types(void **state)
+ krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
+ }
+
+-void test_string_to_sid(void **state)
++static void test_string_to_sid(void **state)
+ {
+ int ret;
+ struct dom_sid sid;
+@@ -452,7 +449,7 @@ void test_string_to_sid(void **state)
+ assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
+ }
+
+-void test_dom_sid_string(void **state)
++static void test_dom_sid_string(void **state)
+ {
+ struct test_ctx *test_ctx;
+ char *str_sid;
+--
+2.26.3
+
diff --git a/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch b/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
new file mode 100644
index 0000000..f8fc36f
--- /dev/null
+++ b/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
@@ -0,0 +1,238 @@
+From 022c2a55ec9578867b331e419fad547092d94192 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 19 Feb 2021 15:37:47 +0200
+Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
+
+Calling to ipadb_get_connection() will remove LDAP context if any error
+happens. This means upper layers must always verify that LDAP context
+exists after such calls.
+
+ipadb_get_user_auth() may re-read global configuration and that may fail
+and cause IPA context to have NULL LDAP context.
+
+Fixes: https://pagure.io/freeipa/issue/8681
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb.c | 1 +
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
+ daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
+ 3 files changed, 37 insertions(+), 22 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 0dcc74263263423da6b1f4d8441ee149bce24c58..eb18a037e41bd778b3f522644acf8d793ddf70e7 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
+ /* ldap free lcontext */
+ if ((*ctx)->lcontext) {
+ ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
++ (*ctx)->lcontext = NULL;
+ }
+ free((*ctx)->supp_encs);
+ free((*ctx)->def_encs);
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index b6e7516859ce59232364f6ae93dee3063914ecf4..b231844250b8c65337bf4e7523d6a800dfe0767d 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -386,7 +386,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ TALLOC_CTX *memctx,
+ struct netr_SamInfo3 *info3)
+ {
+- LDAP *lcontext = ipactx->lcontext;
+ LDAPDerefRes *deref_results = NULL;
+ struct dom_sid sid;
+ gid_t prigid = -1;
+@@ -403,7 +402,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ krb5_principal princ;
+ krb5_data *data;
+
+- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
++ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
+ &objectclasses);
+ if (ret == 0 && objectclasses != NULL) {
+ for (c = 0; objectclasses[c] != NULL; c++) {
+@@ -427,7 +426,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ }
+
+ if (is_host) {
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
+ if (ret) {
+ /* fqdn is mandatory for hosts */
+ return ret;
+@@ -440,7 +439,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ return ENOENT;
+ }
+ } else if (is_service) {
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbPrincipalName", &strres);
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++ "krbCanonicalName", &strres);
+ if (ret) {
+ /* krbPrincipalName is mandatory for services */
+ return ret;
+@@ -489,7 +489,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ return ENOENT;
+ }
+ } else {
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
+ if (ret) {
+ /* uid is mandatory */
+ return ret;
+@@ -502,7 +502,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ if (is_host || is_service) {
+ prigid = 515; /* Well known RID for domain computers group */
+ } else {
+- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
++ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
++ "gidNumber", &intres);
+ if (ret) {
+ /* gidNumber is mandatory */
+ return ret;
+@@ -533,7 +534,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ info3->base.kickoff_time = -1;
+ #endif
+
+- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
++ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
+ "krbLastPwdChange", &timeres);
+ switch (ret) {
+ case 0:
+@@ -550,7 +551,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ info3->base.allow_password_change = 0;
+ info3->base.force_password_change = -1;
+
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
+ switch (ret) {
+ case 0:
+ info3->base.full_name.string = talloc_strdup(memctx, strres);
+@@ -563,7 +564,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ return ret;
+ }
+
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "ipaNTLogonScript", &strres);
+ switch (ret) {
+ case 0:
+@@ -577,7 +578,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ return ret;
+ }
+
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "ipaNTProfilePath", &strres);
+ switch (ret) {
+ case 0:
+@@ -591,7 +592,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ return ret;
+ }
+
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "ipaNTHomeDirectory", &strres);
+ switch (ret) {
+ case 0:
+@@ -605,7 +606,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ return ret;
+ }
+
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "ipaNTHomeDirectoryDrive", &strres);
+ switch (ret) {
+ case 0:
+@@ -626,7 +627,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ /* Well know RID of domain controllers group */
+ info3->base.rid = 516;
+ } else {
+- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "ipaNTSecurityIdentifier", &strres);
+ if (ret) {
+ /* SID is mandatory */
+@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ }
+ }
+
+- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
++ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
+ switch (ret) {
+ LDAPDerefRes *dres;
+ LDAPDerefVal *dval;
+@@ -2433,7 +2434,7 @@ static krb5_error_code
+ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ {
+ struct ipadb_adtrusts *t;
+- LDAP *lc = ipactx->lcontext;
++ LDAP *lc = NULL;
+ char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
+ "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
+ "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
+@@ -2467,6 +2468,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+ goto done;
+ }
+
++ lc = ipactx->lcontext;
+ for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
+ dnstr = ldap_get_dn(lc, le);
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 3b78970b118cb6d8bd97da82a79226d20ea784e1..e1e86a6102886051cdafa3d885bf75c2718b8575 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -341,6 +341,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
+ if (gcfg != NULL)
+ gua = gcfg->user_auth;
+
++ /* lcontext == NULL means ipadb_get_global_config() failed to load
++ * global config and cleared the ipactx */
++ if (ipactx->lcontext == NULL)
++ return IPADB_USER_AUTH_NONE;
++
+ /* Get the user's user_auth settings if not disabled. */
+ if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
+ ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
+@@ -555,8 +560,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+ free(entry);
+ return KRB5_KDB_DBNOTINITED;
+ }
+- lcontext = ipactx->lcontext;
+- if (!lcontext) {
++
++ entry->magic = KRB5_KDB_MAGIC_NUMBER;
++ entry->len = KRB5_KDB_V1_BASE_LENGTH;
++
++ /* Get User Auth configuration. */
++ ua = ipadb_get_user_auth(ipactx, lentry);
++
++ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
++ * and that might fail, causing lcontext to become NULL */
++ if (!ipactx->lcontext) {
+ krb5_klog_syslog(LOG_INFO,
+ "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
+ ret = ipadb_get_connection(ipactx);
+@@ -568,11 +581,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+ }
+ }
+
+- entry->magic = KRB5_KDB_MAGIC_NUMBER;
+- entry->len = KRB5_KDB_V1_BASE_LENGTH;
+-
+- /* Get User Auth configuration. */
+- ua = ipadb_get_user_auth(ipactx, lentry);
++ /* If any code below would result in invalidating ipactx->lcontext,
++ * lcontext must be updated with the new ipactx->lcontext value.
++ * We rely on the fact that none of LDAP-parsing helpers does it. */
++ lcontext = ipactx->lcontext;
+
+ /* ignore mask for now */
+
+--
+2.26.3
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 76f9908..0cb4f84 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 3cb7e1ad038a798f1fc88d2c1b116607fe04a806 Mon Sep 17 00:00:00 2001
+From cab573c5e2fb5631c9fd77a41ff77103ea51f9b3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 15:48:07 +0000
Subject: [PATCH] Change branding to IPA and Identity Management
@@ -1106,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5
""") + _("""
To enable the binddn run the following command to set the password:
--
-2.26.2
+2.26.3
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index fbe3870..6cc1d21 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 6b729f724be49e4157a213e6b2c09fc3da5fc477 Mon Sep 17 00:00:00 2001
+From 514a42e4ea723e6630ac24ff3ea68a442137ab52 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 16:07:15 +0000
Subject: [PATCH] Package copy-schema-to-ca.py
@@ -40,5 +40,5 @@ index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9
--
-2.26.2
+2.26.3
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index aea1eac..8cea203 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 5043712188408afa67ec062b213b9d6b8b0f10e5 Mon Sep 17 00:00:00 2001
+From 90ffaffce2db5467ac6fd773db53373adfff69b4 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Jun 2016 13:53:46 +0200
Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
--
-2.26.2
+2.26.3
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 68889b5..27f9930 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From d70975a40069c46b9d474de0e971d65606b6e6e3 Mon Sep 17 00:00:00 2001
+From e4ef3eb243d8e4fe26dee86529f90f8aaa8ab00f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 09:44:21 +0000
Subject: [PATCH] Remove csrgen
@@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000
@@ -1 +0,0 @@
-{{ options|join(";") }}
--
-2.26.2
+2.26.3
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 8657ddf..6da2669 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From 3e6b0431e88c39d8c130feaa27f1c9591f774864 Mon Sep 17 00:00:00 2001
+From 17675289caa161c6574d1afbc813bd91efe71064 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
Date: Fri, 10 Aug 2018 13:16:38 +0200
Subject: [PATCH] Removing filesystem encoding check
@@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b
IPA_NOT_CONFIGURED = b'IPA is not configured on this system'
IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
--
-2.26.2
+2.26.3
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index c05a853..b22cd72 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -102,7 +102,7 @@
Name: ipa
Version: %{IPA_VERSION}
-Release: 5%{?dist}.4
+Release: 5%{?dist}.5
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -110,9 +110,9 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source4: product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -136,6 +136,11 @@ Patch0016: 0016-Improve-PKI-subsystem-detection.patch
Patch0017: 0017-ipatests-add-test-for-PKI-subsystem-detection.patch
Patch0018: 0018-ipatest-fix-test_upgrade.py-TestUpgrade-test_kra_det.patch
Patch0019: 0019-Add-more-indices.patch
+Patch0020: 0020-ipa-kdb-fix-compiler-warnings.patch
+Patch0021: 0021-ipa-kdb-add-missing-prototypes.patch
+Patch0022: 0022-ipa-kdb-reformat-ipa_kdb_certauth.patch
+Patch0023: 0023-ipa-kdb-mark-test-functions-as-static.patch
+Patch0024: 0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Package-copy-schema-to-ca.py.patch
Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -396,10 +401,7 @@ Requires: oddjob
Requires: gssproxy >= 0.7.0-2
# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
Requires: system-logos >= 70.7.0
-%endif
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@@ -956,9 +958,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
# with_python3
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -982,8 +984,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
%make_build
@@ -1004,8 +1005,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
popd
%endif
# with_python3
@@ -1092,11 +1092,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
# remove files which are useful only for make uninstall
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-%if 0%{?centos} == 0
# RHEL spec file only: START: Replace login-screen-logo.png with a symlink
ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
# RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
%find_lang %{gettext_domain}
@@ -1753,8 +1751,15 @@ fi
%changelog
-* Tue Mar 16 2021 CentOS Sources <bugs@centos.org> - 4.6.8-5.el7.centos.4
-- Roll in CentOS Branding
+* Tue Apr 6 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.5
+- Resolves: #1931405 krb5kdc crash - Segmentation fault in ldap_first_entry().
+ - ipa-kdb: fix compiler warnings
+ - ipa-kdb: add missing prototypes
+ - ipa-kdb: reformat ipa_kdb_certauth
+ - ipa-kdb: mark test functions as static
+ - ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
+- Resolves: #1835741 krb5kdc crashing on ipa server
+- Resolves: #1929372 krb5kdc is crashing intermittently on IPA server.
* Fri Jan 29 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.4
- Resolves: #1897253 IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing