diff --git a/SOURCES/0086-pam_sss-fix-missing-initializer.patch b/SOURCES/0086-pam_sss-fix-missing-initializer.patch
new file mode 100644
index 0000000..3689f82
--- /dev/null
+++ b/SOURCES/0086-pam_sss-fix-missing-initializer.patch
@@ -0,0 +1,43 @@
+From 62af4b5baa54bb4838197969064d3c2b090325cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 18 Jun 2020 15:08:24 +0200
+Subject: [PATCH] pam_sss: fix missing initializer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix the following error introduced by:
+3ed254765fc92e9cc9e4c35335818eaf1256e0d6
+
+```
+/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c: In function ‘prompt_sc_pin’:
+/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:1839:41: error: missing initializer for field ‘next’ of ‘struct cert_auth_info’ [-Werror=missing-field-initializers]
+ NULL, NULL, NULL, NULL, NULL };
+ ^~~~
+/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:132:28: note: ‘next’ declared here
+ struct cert_auth_info *next;
+
+```
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit a08d4741cd5d2ecea44eb590e881baf2071e34d2)
+---
+ src/sss_client/pam_sss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index 38a75e1b6..7084ce953 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -1800,7 +1800,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
+ struct pam_response *resp = NULL;
+ struct cert_auth_info *cai = pi->selected_cert;
+ struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
+- NULL, NULL, NULL, NULL, NULL };
++ NULL, NULL, NULL, NULL, NULL, NULL };
+
+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
+ cai = &empty_cai;
+--
+2.35.3
+
diff --git a/SOURCES/0087-pam-better-SC-fallback-message.patch b/SOURCES/0087-pam-better-SC-fallback-message.patch
new file mode 100644
index 0000000..181a9ee
--- /dev/null
+++ b/SOURCES/0087-pam-better-SC-fallback-message.patch
@@ -0,0 +1,109 @@
+From bcb392e60c1935a98738988c5289585acd89ce82 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 21 Feb 2022 18:02:47 +0100
+Subject: [PATCH 87/88] pam: better SC fallback message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If no suitable certificates were found or if gdm-smartcard was somehow
+activated without a Smartcard present ask to (re)-insert a Smartcard.
+
+Resolves: https://github.com/SSSD/sssd/issues/6022
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 4d2277f8c3065771a8c3bbc7938309a4905640f0)
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/sss_client/pam_sss.c | 47 +++++++++++++++++++++++-----------------
+ 1 file changed, 27 insertions(+), 20 deletions(-)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index 7084ce953..feb4837fb 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -1787,40 +1787,39 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
+ return ret;
+ }
+
++#define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
++
+ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
+ {
+ int ret;
+ char *answer = NULL;
+- char *prompt;
+- size_t size;
++ char *prompt = NULL;
+ size_t needed_size;
+ const struct pam_conv *conv;
+ const struct pam_message *mesg[2] = { NULL, NULL };
+ struct pam_message m[2] = { { 0 }, { 0 } };
+ struct pam_response *resp = NULL;
+ struct cert_auth_info *cai = pi->selected_cert;
+- struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
+- NULL, NULL, NULL, NULL, NULL, NULL };
+
+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
+- cai = &empty_cai;
++ ret = asprintf(&prompt, SC_INSERT_PROMPT);
+ } else if (cai == NULL || cai->token_name == NULL
+ || *cai->token_name == '\0') {
+- return EINVAL;
++ return PAM_SYSTEM_ERR;
++ } else {
++ ret = asprintf(&prompt, SC_PROMPT_FMT, cai->token_name);
+ }
+
+- size = sizeof(SC_PROMPT_FMT) + strlen(cai->token_name);
+- prompt = malloc(size);
+- if (prompt == NULL) {
+- D(("malloc failed."));
+- return ENOMEM;
++ if (ret == -1) {
++ D(("asprintf failed."));
++ return PAM_SYSTEM_ERR;
+ }
+
+- ret = snprintf(prompt, size, SC_PROMPT_FMT, cai->token_name);
+- if (ret < 0 || ret >= size) {
+- D(("snprintf failed."));
+- free(prompt);
+- return EFAULT;
++ if (cai == NULL) {
++ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
++ if (ret != PAM_SUCCESS) {
++ D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
++ }
+ }
+
+ if (pi->user_name_hint) {
+@@ -1907,10 +1906,18 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
+ }
+ }
+
+- if (answer == NULL) {
+- pi->pam_authtok = NULL;
+- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+- pi->pam_authtok_size=0;
++ if (cai == NULL) {
++ /* it is expected that the user just replaces the Smartcard which
++ * would trigger gdm to restart the PAM module, so it is not
++ * expected that this part of the code is reached. */
++ ret = PAM_AUTHINFO_UNAVAIL;
++ goto done;
++ }
++
++ if (answer == NULL || *answer == '\0') {
++ D(("Missing PIN."));
++ ret = PAM_CRED_INSUFFICIENT;
++ goto done;
+ } else {
+
+ ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
+--
+2.35.3
+
diff --git a/SOURCES/0088-pam_sss-fix-for-old-GDM-screen-lock.patch b/SOURCES/0088-pam_sss-fix-for-old-GDM-screen-lock.patch
new file mode 100644
index 0000000..eab3575
--- /dev/null
+++ b/SOURCES/0088-pam_sss-fix-for-old-GDM-screen-lock.patch
@@ -0,0 +1,68 @@
+From ddfc7e99e96ee732586c07342900d287d2378802 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 30 May 2022 11:56:24 +0200
+Subject: [PATCH 88/88] pam_sss: fix for old GDM screen lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In contrast to the login screen the lock screen of older GDM versions
+does not restart PAM if a new Smartcard is inserted. So the user must
+press the enter key explicitly restart PAM. This patch uses a dedicated
+prompt in this case and overwrites any other error message shown in
+between.
+
+Resolves: https://github.com/SSSD/sssd/issues/6022
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/sss_client/pam_sss.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index feb4837fb..db41fdb67 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -1788,6 +1788,7 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
+ }
+
+ #define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
++#define SC_INSERT_PROMPT_ENTER _("Please (re)insert (different) Smartcard and press enter")
+
+ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
+ {
+@@ -1802,7 +1803,16 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
+ struct cert_auth_info *cai = pi->selected_cert;
+
+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
+- ret = asprintf(&prompt, SC_INSERT_PROMPT);
++ /* Older versions of the GDM screen lock do not restart PAM if a
++ * Smartcard is removed and inserted again in contrast to the login
++ * screen. The PKCS11_LOGIN_TOKEN_NAME enviroment variable is used to
++ * detect the screen lock mode and the user is prompted to press the
++ * enter key. */
++ if (getenv("PKCS11_LOGIN_TOKEN_NAME") == NULL) {
++ ret = asprintf(&prompt, SC_INSERT_PROMPT);
++ } else {
++ ret = asprintf(&prompt, SC_INSERT_PROMPT_ENTER);
++ }
+ } else if (cai == NULL || cai->token_name == NULL
+ || *cai->token_name == '\0') {
+ return PAM_SYSTEM_ERR;
+@@ -1820,6 +1830,12 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
+ if (ret != PAM_SUCCESS) {
+ D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
+ }
++ } else {
++ /* clear previous messages, if any */
++ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, "", NULL, NULL);
++ if (ret != PAM_SUCCESS) {
++ D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
++ }
+ }
+
+ if (pi->user_name_hint) {
+--
+2.35.3
+
diff --git a/SOURCES/0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch b/SOURCES/0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
new file mode 100644
index 0000000..14d8eb1
--- /dev/null
+++ b/SOURCES/0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
@@ -0,0 +1,176 @@
+From 2b84dddf8c3d3b30bb1919205b4eb53e1ba31714 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 15 Mar 2022 11:36:45 +0100
+Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally ad_domain_info_send() was only called when there was only a
+single domain available and hence only a single sdap_domain struct with
+the search bases in the sdap_domain list. Since ad_domain_info_send() is
+now called at other times as well the right sdap_domain struct must be
+selected so that the right search bases are used.
+
+Resolves: https://github.com/SSSD/sssd/issues/6063
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 51e92297157562511baf8902777f02a4aa2e70e6)
+---
+ src/providers/ad/ad_domain_info.c | 10 +++++-
+ src/providers/ldap/ldap_common.h | 3 ++
+ src/providers/ldap/sdap_domain.c | 21 ++++++++++++
+ src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++-
+ 4 files changed, 80 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
+index 52b2e2442..f3a82a198 100644
+--- a/src/providers/ad/ad_domain_info.c
++++ b/src/providers/ad/ad_domain_info.c
+@@ -181,6 +181,7 @@ struct ad_domain_info_state {
+ struct sdap_id_op *id_op;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_options *opts;
++ struct sdap_domain *sdom;
+
+ const char *dom_name;
+ int base_iter;
+@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
+ state->id_ctx = conn->id_ctx;
+ state->opts = conn->id_ctx->opts;
+ state->dom_name = dom_name;
++ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
++ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
++ ret = EINVAL;
++ goto immediate;
++ }
++
+
+ ret = ad_domain_info_next(req);
+ if (ret != EOK && ret != EAGAIN) {
+@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req)
+ struct ad_domain_info_state *state =
+ tevent_req_data(req, struct ad_domain_info_state);
+
+- base = state->opts->sdom->search_bases[state->base_iter];
++ base = state->sdom->search_bases[state->base_iter];
+ if (base == NULL) {
+ return EOK;
+ }
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index 19a696a3d..1a122ea03 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -352,6 +352,9 @@ sdap_domain_remove(struct sdap_options *opts,
+ struct sdap_domain *sdap_domain_get(struct sdap_options *opts,
+ struct sss_domain_info *dom);
+
++struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts,
++ const char *dom_name);
++
+ struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts,
+ const char *dn);
+
+diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
+index fa6e9340d..1785dd20d 100644
+--- a/src/providers/ldap/sdap_domain.c
++++ b/src/providers/ldap/sdap_domain.c
+@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts,
+ return sditer;
+ }
+
++struct sdap_domain *
++sdap_domain_get_by_name(struct sdap_options *opts,
++ const char *dom_name)
++{
++ struct sdap_domain *sditer = NULL;
++
++ if (dom_name == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n");
++ return NULL;
++ }
++
++ DLIST_FOR_EACH(sditer, opts->sdom) {
++ if (sditer->dom->name != NULL
++ && strcasecmp(sditer->dom->name, dom_name) == 0) {
++ break;
++ }
++ }
++
++ return sditer;
++}
++
+ struct sdap_domain *
+ sdap_domain_get_by_dn(struct sdap_options *opts,
+ const char *dn)
+diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c
+index 4538eaceb..0d06786ca 100644
+--- a/src/tests/cmocka/test_search_bases.c
++++ b/src/tests/cmocka/test_search_bases.c
+@@ -177,6 +177,51 @@ void test_get_by_dn_fail(void **state)
+ do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS);
+ }
+
++void test_sdap_domain_get_by_name(void **state)
++{
++ struct sdap_options *opts;
++ struct sss_domain_info dom1 = { 0 };
++ dom1.name = discard_const("dom1");
++ struct sss_domain_info dom2 = { 0 };
++ dom2.name = discard_const("dom2");
++ struct sss_domain_info dom3 = { 0 };
++ dom3.name = discard_const("dom3");
++ int ret;
++ struct sdap_domain *sdom;
++
++ opts = talloc_zero(NULL, struct sdap_options);
++ assert_non_null(opts);
++
++ ret = sdap_domain_add(opts, &dom1, NULL);
++ assert_int_equal(ret, EOK);
++
++ ret = sdap_domain_add(opts, &dom2, NULL);
++ assert_int_equal(ret, EOK);
++
++ ret = sdap_domain_add(opts, &dom3, NULL);
++ assert_int_equal(ret, EOK);
++
++ sdom = sdap_domain_get_by_name(opts, NULL);
++ assert_null(sdom);
++
++ sdom = sdap_domain_get_by_name(opts, "abc");
++ assert_null(sdom);
++
++ sdom = sdap_domain_get_by_name(opts, "dom1");
++ assert_non_null(sdom);
++ assert_ptr_equal(sdom->dom, &dom1);
++
++ sdom = sdap_domain_get_by_name(opts, "dom2");
++ assert_non_null(sdom);
++ assert_ptr_equal(sdom->dom, &dom2);
++
++ sdom = sdap_domain_get_by_name(opts, "dom3");
++ assert_non_null(sdom);
++ assert_ptr_equal(sdom->dom, &dom3);
++
++ talloc_free(opts);
++}
++
+ int main(void)
+ {
+ const struct CMUnitTest tests[] = {
+@@ -184,7 +229,8 @@ int main(void)
+ cmocka_unit_test(test_search_bases_success),
+ cmocka_unit_test(test_get_by_dn_fail),
+ cmocka_unit_test(test_get_by_dn),
+- cmocka_unit_test(test_get_by_dn2)
++ cmocka_unit_test(test_get_by_dn2),
++ cmocka_unit_test(test_sdap_domain_get_by_name)
+ };
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+--
+2.35.3
+
diff --git a/SOURCES/0090-ad-add-fallback-in-ad_domain_info_send.patch b/SOURCES/0090-ad-add-fallback-in-ad_domain_info_send.patch
new file mode 100644
index 0000000..766de92
--- /dev/null
+++ b/SOURCES/0090-ad-add-fallback-in-ad_domain_info_send.patch
@@ -0,0 +1,58 @@
+From 410a3faa8cf1e358e53728fae7440a81763ab743 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 23 May 2022 09:05:43 +0200
+Subject: [PATCH] ad: add fallback in ad_domain_info_send()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
+ad_domain_info_send() to handle multiple domains by searching for the
+matching sdap_domain data. Unfortunately it assumed that the configured
+name and the DNS domain name are always matching. This is true for all
+sub-domains discovered at runtime by DNS lookups but might not be true
+for the domain configured in sssd.conf. Since the configured domain is
+the first in the list of sdap_domain data it will be used as a fallback
+in case no data could be found by name.
+
+Resolves: https://github.com/SSSD/sssd/issues/6170
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e)
+---
+ src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
+index f3a82a198..9583c74b9 100644
+--- a/src/providers/ad/ad_domain_info.c
++++ b/src/providers/ad/ad_domain_info.c
+@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
+ state->opts = conn->id_ctx->opts;
+ state->dom_name = dom_name;
+ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
++ /* The first domain in the list is the domain configured in sssd.conf and
++ * here it might be possible that the domain name from the config file and
++ * the DNS domain name do not match. All other sub-domains are discovered
++ * at runtime with the help of DNS lookups so it is expected that the
++ * names matches. Hence it makes sense to fall back to the first entry in
++ * the list if no matching domain was found since it is most probably
++ * related to the configured domain. */
++ if (state->sdom == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], "
++ "falling back to first domain.\n",
++ state->dom_name);
++ state->sdom = state->opts->sdom;
++ }
+ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Missing internal domain data for domain [%s].\n",
++ state->dom_name);
+ ret = EINVAL;
+ goto immediate;
+ }
+--
+2.35.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 6103e53..b8f71fa 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -50,7 +50,7 @@
Name: sssd
Version: 1.16.5
-Release: 10%{?dist}.12
+Release: 10%{?dist}.13
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -144,6 +144,11 @@ Patch0082: 0082-ad-only-send-cldap-ping-to-our-local-domain.patch
Patch0083: 0083-cldap-use-dns_resolver_server_timeout-timeout-for-cl.patch
Patch0084: 0084-sysdb-more-specific-mpg-search-filter.patch
Patch0085: 0085-ad-add-required-cn-attribute-to-subdomain-object.patch
+Patch0086: 0086-pam_sss-fix-missing-initializer.patch
+Patch0087: 0087-pam-better-SC-fallback-message.patch
+Patch0088: 0088-pam_sss-fix-for-old-GDM-screen-lock.patch
+Patch0089: 0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
+Patch0090: 0090-ad-add-fallback-in-ad_domain_info_send.patch
#Those patches should not be removed in RHEL-7
Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1319,6 +1324,10 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
}
%changelog
+* Fri Jun 10 2022 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.13
+- Resolves: rhbz#2079441 - SSSD update prompts for smartcard pin twice - After update to 7.9 [rhel-7.9.z]
+- Resolves: rhbz#2073352 - Use right sdap_domain in ad_domain_info_send [rhel-7.9.z]
+
* Mon Jan 31 2022 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.12
- Resolves: rhbz#2006382 - IPA Intermittence fetching groups
- Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name