diff --git a/SOURCES/0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch b/SOURCES/0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
new file mode 100644
index 0000000..3b4dcbc
--- /dev/null
+++ b/SOURCES/0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
@@ -0,0 +1,65 @@
+From 9ace3a7899e6b3753ef428088303e0a646db4096 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Sun, 22 Nov 2020 17:44:07 +0100
+Subject: [PATCH] SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in
+ msgs[]
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL
+ptrs in results of sysdb_search_with_ts_attr()
+
+Resolves: https://github.com/SSSD/sssd/issues/5412
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit ff24d1538af88f83d0a3cc2817952cf70e7ca580)
+---
+ src/db/sysdb_search.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index 6c89b4c98..7939944ba 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -221,6 +221,7 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
+ const char *attrs[])
+ {
+ errno_t ret;
++ size_t ts_cache_res_count = 0;
+ struct ldb_result *ts_cache_res = NULL;
+
+ if (ts_res == NULL || ctx->ldb_ts == NULL) {
+@@ -231,7 +232,6 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
+ if (ts_cache_res == NULL) {
+ return ENOMEM;
+ }
+- ts_cache_res->count = ts_res->count;
+ ts_cache_res->msgs = talloc_zero_array(ts_cache_res,
+ struct ldb_message *,
+ ts_res->count);
+@@ -244,15 +244,18 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
+ ret = merge_msg_sysdb_attrs(ts_cache_res->msgs,
+ ctx,
+ ts_res->msgs[c],
+- &ts_cache_res->msgs[c], attrs);
+- if (ret != EOK) {
++ &ts_cache_res->msgs[ts_cache_res_count],
++ attrs);
++ if ((ret != EOK) || (ts_cache_res->msgs[ts_cache_res_count] == NULL)) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot merge sysdb cache values for %s\n",
+ ldb_dn_get_linearized(ts_res->msgs[c]->dn));
+- /* non-fatal, we just get only the non-timestamp attrs */
++ /* non-fatal, just skip */
+ continue;
+ }
++ ts_cache_res_count += 1;
+ }
++ ts_cache_res->count = ts_cache_res_count;
+
+ *_ts_cache_res = ts_cache_res;
+ return EOK;
+--
+2.21.3
+
diff --git a/SOURCES/0045-DEBUG-journal_send-was-made-static.patch b/SOURCES/0045-DEBUG-journal_send-was-made-static.patch
new file mode 100644
index 0000000..5525677
--- /dev/null
+++ b/SOURCES/0045-DEBUG-journal_send-was-made-static.patch
@@ -0,0 +1,30 @@
+From 208372c7f6ad7d1d1d4b5cad57aaa08affaa0fac Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 21 Oct 2020 18:47:32 +0200
+Subject: [PATCH 45/46] DEBUG: journal_send() was made static
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 833034f5332d2492d413a9c97fded1480b58bf14)
+---
+ src/util/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/debug.c b/src/util/debug.c
+index e2a76a414..e9633fb8c 100644
+--- a/src/util/debug.c
++++ b/src/util/debug.c
+@@ -201,7 +201,7 @@ static void debug_printf(const char *format, ...)
+ }
+
+ #ifdef WITH_JOURNALD
+-errno_t journal_send(const char *file,
++static errno_t journal_send(const char *file,
+ long line,
+ const char *function,
+ int level,
+--
+2.21.3
+
diff --git a/SOURCES/0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch b/SOURCES/0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
new file mode 100644
index 0000000..2b684fe
--- /dev/null
+++ b/SOURCES/0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
@@ -0,0 +1,72 @@
+From 647a130b501374c22b63937decdcf97da5c92505 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 21 Oct 2020 19:20:03 +0200
+Subject: [PATCH 46/46] DEBUG: fixes program identifier as seen in syslog
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name`
+to accomodate needs of own SSSD logs, but this affected journal/syslog
+as well.
+
+This patch amends situation:
+ - journal messages gets "umbrella" identifier "sssd[]"
+ - syslog uses default which is program name
+
+Resolves: https://github.com/SSSD/sssd/issues/5384
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 18233532b72e62452eac6886652fa633ba055d8c)
+---
+ src/util/debug.c | 2 +-
+ src/util/sss_log.c | 12 +++---------
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/src/util/debug.c b/src/util/debug.c
+index e9633fb8c..ee5fc12f9 100644
+--- a/src/util/debug.c
++++ b/src/util/debug.c
+@@ -250,7 +250,7 @@ static errno_t journal_send(const char *file,
+ "MESSAGE=%s", message,
+ "PRIORITY=%i", LOG_DEBUG,
+ "SSSD_DOMAIN=%s", domain,
+- "SSSD_PRG_NAME=%s", debug_prg_name,
++ "SSSD_PRG_NAME=sssd[%s]", debug_prg_name,
+ "SSSD_DEBUG_LEVEL=%x", level,
+ NULL);
+ ret = -res;
+diff --git a/src/util/sss_log.c b/src/util/sss_log.c
+index 48e73dbea..c6b7435c6 100644
+--- a/src/util/sss_log.c
++++ b/src/util/sss_log.c
+@@ -107,7 +107,7 @@ static void sss_log_internal(int priority, int facility, const char *format,
+ "SSSD_DOMAIN=%s", domain,
+ "PRIORITY=%i", syslog_priority,
+ "SYSLOG_FACILITY=%i", LOG_FAC(facility),
+- "SYSLOG_IDENTIFIER=%s", debug_prg_name,
++ "SYSLOG_IDENTIFIER=sssd[%s]", debug_prg_name,
+ NULL);
+
+ free(message);
+@@ -118,15 +118,9 @@ static void sss_log_internal(int priority, int facility, const char *format,
+ static void sss_log_internal(int priority, int facility, const char *format,
+ va_list ap)
+ {
+- int syslog_priority;
+-
+- syslog_priority = sss_to_syslog(priority);
+-
+- openlog(debug_prg_name, 0, facility);
+-
+- vsyslog(syslog_priority, format, ap);
++ int syslog_priority = sss_to_syslog(priority);
+
+- closelog();
++ vsyslog(facility|syslog_priority, format, ap);
+ }
+
+ #endif /* WITH_JOURNALD */
+--
+2.21.3
+
diff --git a/SOURCES/0047-ifp-fix-use-after-free.patch b/SOURCES/0047-ifp-fix-use-after-free.patch
new file mode 100644
index 0000000..b36076f
--- /dev/null
+++ b/SOURCES/0047-ifp-fix-use-after-free.patch
@@ -0,0 +1,37 @@
+From 316b8cde698bd4586a70fc5ed50a70dedc4b424f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 3 Nov 2020 10:12:15 +0100
+Subject: [PATCH] ifp: fix use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The variable fqdn is pointing to some data from state->res->msgs[0]. But
+before fqdn is used in the next search state->res and the memory
+hierarchy below is freed. As a result the location where fqdn is pointing
+to might hold the expected data or other data and the search will fail
+intermittently.
+
+Resolves: https://github.com/SSSD/sssd/issues/5382
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 81e757b7b1d69893b5725f9c148c55d89c779e7b)
+---
+ src/responder/ifp/ifpsrv_cmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
+index ddb03f6b0..d83600681 100644
+--- a/src/responder/ifp/ifpsrv_cmd.c
++++ b/src/responder/ifp/ifpsrv_cmd.c
+@@ -124,6 +124,7 @@ ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req)
+ if (attr_req->attrs == NULL) {
+ return ENOMEM;
+ }
++ fqdn = talloc_steal(state, fqdn);
+
+ ai = 0;
+ for (i = 0; i < nattrs; i++) {
+--
+2.21.3
+
diff --git a/SOURCES/0048-fp-fix-original-fix-use-after-free-1.16-version.patch b/SOURCES/0048-fp-fix-original-fix-use-after-free-1.16-version.patch
new file mode 100644
index 0000000..9057579
--- /dev/null
+++ b/SOURCES/0048-fp-fix-original-fix-use-after-free-1.16-version.patch
@@ -0,0 +1,44 @@
+From 1b523ba2a6bfba6974c9c909d6180590d16cc6bd Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 23 Nov 2020 13:40:30 +0100
+Subject: [PATCH] fp: fix original fix use-after-free - 1.16 version
+
+This should have been a cherry-pick of
+3b158934cbb8f87cbfaf1650389b8dcd654b92ca but the cherry-pick of the
+original patch was broken and placed the change into a different function.
+
+This patch fixes this by directly placing the change at the right place.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/5382
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+---
+ src/responder/ifp/ifpsrv_cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
+index d83600681..620afe86a 100644
+--- a/src/responder/ifp/ifpsrv_cmd.c
++++ b/src/responder/ifp/ifpsrv_cmd.c
+@@ -124,7 +124,6 @@ ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req)
+ if (attr_req->attrs == NULL) {
+ return ENOMEM;
+ }
+- fqdn = talloc_steal(state, fqdn);
+
+ ai = 0;
+ for (i = 0; i < nattrs; i++) {
+@@ -576,7 +575,8 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
+ }
+
+ if (state->search_type == SSS_DP_USER) {
+- /* throw away the result and perform attr search */
++ /* throw away the result but keep the fqdn and perform attr search */
++ fqdn = talloc_steal(state, fqdn);
+ talloc_zfree(state->res);
+
+ ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
+--
+2.21.3
+
diff --git a/SOURCES/0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch b/SOURCES/0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch
new file mode 100644
index 0000000..e2209a1
--- /dev/null
+++ b/SOURCES/0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch
@@ -0,0 +1,40 @@
+From 277cd1fa71222f3bdf4d8b39d0bce7d07d0df07b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 24 Aug 2020 11:29:23 +0200
+Subject: [PATCH] krb5: only try pkinit with Smartcard credentials
+
+Currently pkinit is tried if a Smartcard is present. But depending on
+the used PAM service and other configurations it might happen that the
+user didn't provide the Smartcard PIN but e.g. the password. Hence,
+before trying pkinit we should check if the right credentials are
+available.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/5290
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit bca413267f58395e22415edc662a7ba89fbe7b30)
+---
+ src/providers/krb5/krb5_child.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 47eb181ba..d293d195d 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -805,7 +805,11 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx,
+ return kerr;
+ }
+ } else if (strcmp(question_list[c],
+- KRB5_RESPONDER_QUESTION_PKINIT) == 0) {
++ KRB5_RESPONDER_QUESTION_PKINIT) == 0
++ && (sss_authtok_get_type(kr->pd->authtok)
++ == SSS_AUTHTOK_TYPE_SC_PIN
++ || sss_authtok_get_type(kr->pd->authtok)
++ == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
+ return answer_pkinit(ctx, kr, rctx);
+ }
+ }
+--
+2.21.3
+
diff --git a/SOURCES/0050-negcache-make-sure-domain-config-does-not-leak-into-.patch b/SOURCES/0050-negcache-make-sure-domain-config-does-not-leak-into-.patch
new file mode 100644
index 0000000..8f36171
--- /dev/null
+++ b/SOURCES/0050-negcache-make-sure-domain-config-does-not-leak-into-.patch
@@ -0,0 +1,37 @@
+From 96bdcbb4441ddf05c065bbafa88e5691300424d1 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 8 Oct 2020 12:18:41 +0200
+Subject: [PATCH 50/53] negcache: make sure domain config does not leak into
+ global
+
+Resolves: https://github.com/SSSD/sssd/issues/5238
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe)
+---
+ src/responder/common/negcache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
+index d9bf1417e..b9586f315 100644
+--- a/src/responder/common/negcache.c
++++ b/src/responder/common/negcache.c
+@@ -1048,6 +1048,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ }
+ }
+
++ talloc_zfree(filter_list);
+ /* Populate non domain-specific negative cache user entries */
+ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_FILTER_USERS, &filter_list);
+@@ -1183,6 +1184,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ }
+ }
+
++ talloc_zfree(filter_list);
+ /* Populate non domain-specific negative cache group entries */
+ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_FILTER_GROUPS, &filter_list);
+--
+2.21.3
+
diff --git a/SOURCES/0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch b/SOURCES/0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
new file mode 100644
index 0000000..d5a0f00
--- /dev/null
+++ b/SOURCES/0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
@@ -0,0 +1,108 @@
+From ea32d0eb61336858aa23697b4e91d420481fc3e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 8 Oct 2020 17:57:29 +0200
+Subject: [PATCH 51/53] utils: add SSS_GND_SUBDOMAINS flag for
+ get_next_domain()
+
+To allow to only iterate over a singel domain an its sub-domains a new
+flag is added to get_next_domain().
+
+Resolves: https://github.com/SSSD/sssd/issues/5238
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 385af99ff4d5a75d0c1edc9ad830da3eb7478295)
+---
+ src/tests/cmocka/test_utils.c | 31 +++++++++++++++++++++++++++++++
+ src/util/domain_info_utils.c | 10 +++++++---
+ src/util/util.h | 4 ++++
+ 3 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
+index aa245f00b..8c0ce83f3 100644
+--- a/src/tests/cmocka/test_utils.c
++++ b/src/tests/cmocka/test_utils.c
+@@ -876,6 +876,37 @@ static void test_get_next_domain_flags(void **state)
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
++
++ /* Descend only to subdomains */
++ gnd_flags = SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED;
++
++ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "sub1a");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_null(dom);
++
++ dom = find_domain_by_name_ex(test_ctx->dom_list, "dom2", true,
++ SSS_GND_ALL_DOMAINS);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "dom2");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "sub2a");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "sub2b");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_null(dom);
++
++ /* Expect NULL if the domain has no sub-domains */
++ test_ctx->dom_list->subdomains = NULL;
++ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
++ assert_null(dom);
+ }
+
+ struct name_init_test_ctx {
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index c56a0611e..71dfcba02 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -39,16 +39,20 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
+ uint32_t gnd_flags)
+ {
+ struct sss_domain_info *dom;
+- bool descend = gnd_flags & SSS_GND_DESCEND;
++ bool descend = gnd_flags & (SSS_GND_DESCEND | SSS_GND_SUBDOMAINS);
+ bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED;
++ bool only_subdomains = gnd_flags & SSS_GND_SUBDOMAINS;
+
+ dom = domain;
+ while (dom) {
+ if (descend && dom->subdomains) {
+ dom = dom->subdomains;
+- } else if (dom->next) {
++ } else if (dom->next && only_subdomains && IS_SUBDOMAIN(dom)) {
+ dom = dom->next;
+- } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) {
++ } else if (dom->next && !only_subdomains) {
++ dom = dom->next;
++ } else if (descend && !only_subdomains && IS_SUBDOMAIN(dom)
++ && dom->parent->next) {
+ dom = dom->parent->next;
+ } else {
+ dom = NULL;
+diff --git a/src/util/util.h b/src/util/util.h
+index d7d2017fa..486394448 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -558,7 +558,11 @@ struct sss_domain_info *get_domains_head(struct sss_domain_info *domain);
+
+ #define SSS_GND_DESCEND 0x01
+ #define SSS_GND_INCLUDE_DISABLED 0x02
++/* Descend to sub-domains of current domain but do not go to next parent */
++#define SSS_GND_SUBDOMAINS 0x04
+ #define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED)
++#define SSS_GND_ALL_SUBDOMAINS (SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED)
++
+ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
+ uint32_t gnd_flags);
+ struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
+--
+2.21.3
+
diff --git a/SOURCES/0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch b/SOURCES/0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch
new file mode 100644
index 0000000..70d3965
--- /dev/null
+++ b/SOURCES/0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch
@@ -0,0 +1,445 @@
+From c3207deee7411456827e69d0b72d7d44e7458853 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 9 Oct 2020 11:56:21 +0200
+Subject: [PATCH 52/53] negcache: make sure short names are added to
+ sub-domains
+
+If short names are used with filter_users or filter_groups in a
+[domain/...] section they should be added to the sub-domains of this
+domain as well.
+
+Resolves: https://github.com/SSSD/sssd/issues/5238
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit 0dc81a52e2836010974e9f71b1f3e47c20fd498d)
+---
+ src/responder/common/negcache.c | 105 +++++++------
+ src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++
+ 2 files changed, 312 insertions(+), 47 deletions(-)
+
+diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
+index b9586f315..47fbb2106 100644
+--- a/src/responder/common/negcache.c
++++ b/src/responder/common/negcache.c
+@@ -969,6 +969,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ char *name = NULL;
+ struct sss_domain_info *dom = NULL;
+ struct sss_domain_info *domain_list = rctx->domains;
++ struct sss_domain_info *ddom;
+ char *domainname = NULL;
+ char *conf_path = NULL;
+ TALLOC_CTX *tmpctx = talloc_new(NULL);
+@@ -1011,39 +1012,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ continue;
+ }
+
+- if (domainname && strcmp(domainname, dom->name)) {
+- DEBUG(SSSDBG_TRACE_FUNC,
+- "Mismatch between domain name (%s) and name "
+- "set in FQN (%s), assuming %s is UPN\n",
+- dom->name, domainname, filter_list[i]);
+- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
++ /* Check domain and its sub-domains */
++ for (ddom = dom; ddom != NULL;
++ ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) {
++
++ if (domainname && strcmp(domainname, ddom->name)) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Mismatch between domain name (%s) and name "
++ "set in FQN (%s), assuming %s is UPN\n",
++ ddom->name, domainname, filter_list[i]);
++ ret = sss_ncache_set_upn(ncache, true, ddom, filter_list[i]);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
++ ret, sss_strerror(ret));
++ }
++ continue;
++ }
++
++ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
++ if (fqname == NULL) {
++ continue;
++ }
++
++ ret = sss_ncache_set_upn(ncache, true, ddom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
+ ret, sss_strerror(ret));
+ }
+- continue;
+- }
+-
+- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+- if (fqname == NULL) {
+- continue;
+- }
+-
+- ret = sss_ncache_set_upn(ncache, true, dom, fqname);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE,
+- "sss_ncache_set_upn failed (%d [%s]), ignored\n",
+- ret, sss_strerror(ret));
+- }
+- ret = sss_ncache_set_user(ncache, true, dom, fqname);
+- talloc_zfree(fqname);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Failed to store permanent user filter for [%s]"
+- " (%d [%s])\n", filter_list[i],
+- ret, sss_strerror(ret));
+- continue;
++ ret = sss_ncache_set_user(ncache, true, ddom, fqname);
++ talloc_zfree(fqname);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to store permanent user filter for [%s]"
++ " (%d [%s])\n", filter_list[i],
++ ret, sss_strerror(ret));
++ continue;
++ }
+ }
+ }
+ }
+@@ -1159,27 +1165,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ continue;
+ }
+
+- if (domainname && strcmp(domainname, dom->name)) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Mismatch between domain name (%s) and name "
+- "set in FQN (%s), skipping group %s\n",
+- dom->name, domainname, name);
+- continue;
+- }
++ /* Check domain and its sub-domains */
++ for (ddom = dom;
++ ddom != NULL && (ddom == dom || ddom->parent != NULL);
++ ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) {
++ if (domainname && strcmp(domainname, ddom->name)) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Mismatch between domain name (%s) and name "
++ "set in FQN (%s), skipping group %s\n",
++ ddom->name, domainname, name);
++ continue;
++ }
+
+- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+- if (fqname == NULL) {
+- continue;
+- }
++ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
++ if (fqname == NULL) {
++ continue;
++ }
+
+- ret = sss_ncache_set_group(ncache, true, dom, fqname);
+- talloc_zfree(fqname);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Failed to store permanent group filter for [%s]"
+- " (%d [%s])\n", filter_list[i],
+- ret, strerror(ret));
+- continue;
++ ret = sss_ncache_set_group(ncache, true, ddom, fqname);
++ talloc_zfree(fqname);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to store permanent group filter for [%s]"
++ " (%d [%s])\n", filter_list[i],
++ ret, strerror(ret));
++ continue;
++ }
+ }
+ }
+ }
+diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
+index 0876cfdaf..7a8827685 100644
+--- a/src/tests/cmocka/test_negcache.c
++++ b/src/tests/cmocka/test_negcache.c
+@@ -102,6 +102,8 @@ static int setup(void **state)
+ int ret;
+ struct test_state *ts;
+
++ test_dom_suite_setup(TESTS_PATH);
++
+ ts = talloc(NULL, struct test_state);
+ assert_non_null(ts);
+
+@@ -116,6 +118,7 @@ static int setup(void **state)
+ static int teardown(void **state)
+ {
+ struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
++ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ talloc_free(ts);
+ return 0;
+ }
+@@ -904,6 +907,255 @@ static void test_sss_ncache_reset_prepopulate(void **state)
+ assert_int_equal(ret, EEXIST);
+ }
+
++/* The main purpose of test_sss_ncache_short_name_in_domain is to test that
++ * short names in the filter_users or filter_groups options in a [domain/...]
++ * section are properly added to the related sub-domains as well (if there are
++ * any) and not added to domains from other [domain/...] sections. For
++ * completeness entries with fully-qualified names of the parent and the
++ * sub-domain and the generic UPN are added as well.
++ *
++ * The result should of course be independent of the present domains. To
++ * verify this the domains are added one after the other and the negative
++ * cache is repopulated each time.
++ *
++ * With the given domains, users and group we have to following expectations:
++ * - the short name entry will be added to the domain and all sub-domains as
++ * name and as upn by expanding it to a fully-qualified name with the
++ * domain name or sub-domain name respectively
++ * - the fully-qualified name from the parent domain is added as name and upn
++ * to the parent domain and as upn to all sub-domains
++ * - the fully-qualified name from the sub-domain is added as name to the
++ * sub-domain and as upn to the parent and all sub-domains
++ * - the generic upn is nowhere added as name and as upn to the parent and all
++ * sub-domains
++ * - none of the names is added to a different parent domain
++ *
++ * The following table should illustrated the expectations:
++ *
++ * user (name):
++ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
++ *-----------------+-----------+-----------------------+--------------------------+------------
++ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING | MISSING
++ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT | MISSING
++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
++ *
++ * user (upn):
++ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
++ *-----------------+-----------+-----------------------+--------------------------+------------
++ * TEST_DOM_NAME | PRESENT | PRESENT | PRESENT | PRESENT
++ * subTEST_DOM_NAME| PRESENT | PRESENT | PRESENT | PRESENT
++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING
++ *
++ *
++ *
++ * groups:
++ * | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME
++ *-----------------+------------+-----------------------+-------------------------
++ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING
++ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT
++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING
++ *
++ *
++ * The following expect_*() implement checks for the expextations:
++ */
++
++static void expect_in_parent(struct sss_nc_ctx *ncache,
++ struct sss_domain_info *dom)
++{
++ int ret;
++
++ ret = check_user_in_ncache(ncache, dom, "shortuser");
++ assert_int_equal(ret, EEXIST);
++ ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, dom, "parentu");
++ assert_int_equal(ret, EEXIST);
++ ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, dom, "subdomu");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, dom, "upn");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_group_in_ncache(ncache, dom, "shortgroup");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_group_in_ncache(ncache, dom, "parentg");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_group_in_ncache(ncache, dom, "subdomg");
++ assert_int_equal(ret, ENOENT);
++}
++
++static void expect_in_subdomain(struct sss_nc_ctx *ncache,
++ struct sss_domain_info *sub_dom)
++{
++ int ret;
++
++ ret = check_user_in_ncache(ncache, sub_dom, "shortuser");
++ assert_int_equal(ret, EEXIST);
++ ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, sub_dom, "subdomu");
++ assert_int_equal(ret, EEXIST);
++ ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, sub_dom, "upn");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, sub_dom, "parentu");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++
++ ret = check_group_in_ncache(ncache, sub_dom, "shortgroup");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_group_in_ncache(ncache, sub_dom, "parentg");
++ assert_int_equal(ret, ENOENT);
++
++ ret = check_group_in_ncache(ncache, sub_dom, "subdomg");
++ assert_int_equal(ret, EEXIST);
++}
++static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
++ struct sss_domain_info *dom2)
++{
++ int ret;
++
++ ret = check_user_in_ncache(ncache, dom2, "shortuser");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME);
++ assert_int_equal(ret, ENOENT);
++
++ ret = check_user_in_ncache(ncache, dom2, "parentu");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME);
++ assert_int_equal(ret, ENOENT);
++
++ ret = check_user_in_ncache(ncache, dom2, "subdomu");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME);
++ assert_int_equal(ret, ENOENT);
++
++ ret = check_user_in_ncache(ncache, dom2, "upn");
++ assert_int_equal(ret, ENOENT);
++ ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom");
++ assert_int_equal(ret, ENOENT);
++
++ ret = check_group_in_ncache(ncache, dom2, "shortgroup");
++ assert_int_equal(ret, ENOENT);
++
++ ret = check_group_in_ncache(ncache, dom2, "parentg");
++ assert_int_equal(ret, ENOENT);
++
++ ret = check_group_in_ncache(ncache, dom2, "subdomg");
++ assert_int_equal(ret, ENOENT);
++}
++
++static void test_sss_ncache_short_name_in_domain(void **state)
++{
++ int ret;
++ struct test_state *ts;
++ struct tevent_context *ev;
++ struct sss_nc_ctx *ncache;
++ struct sss_test_ctx *tc;
++ struct sss_domain_info *dom;
++ struct sss_domain_info *dom2;
++ struct sss_domain_info *sub_dom;
++
++ struct sss_test_conf_param params[] = {
++ { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", "
++ "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" },
++ { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", "
++ "subdomg@sub"TEST_DOM_NAME },
++ { NULL, NULL },
++ };
++
++ const char *nss_filter_users[] = { params[0].value, NULL};
++ const char *nss_filter_groups[] = { params[1].value, NULL};
++
++ ts = talloc_get_type_abort(*state, struct test_state);
++
++ ev = tevent_context_init(ts);
++ assert_non_null(ev);
++
++ dom = talloc_zero(ts, struct sss_domain_info);
++ assert_non_null(dom);
++ dom->name = discard_const_p(char, TEST_DOM_NAME);
++ sss_domain_set_state(dom, DOM_ACTIVE);
++
++ ts->nctx = mock_nctx(ts);
++ assert_non_null(ts->nctx);
++
++ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
++ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
++ assert_non_null(tc);
++
++ ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME,
++ "filter_users", nss_filter_users);
++ assert_int_equal(ret, EOK);
++
++ ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME,
++ "filter_groups", nss_filter_groups);
++ assert_int_equal(ret, EOK);
++
++ ncache = ts->ctx;
++ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
++ assert_non_null(ts->rctx);
++ ts->rctx->cdb = tc->confdb;
++
++ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
++ assert_int_equal(ret, EOK);
++
++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
++ assert_int_equal(ret, EOK);
++
++ /* Add another domain */
++ dom2 = talloc_zero(ts, struct sss_domain_info);
++ assert_non_null(dom2);
++ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
++ sss_domain_set_state(dom2, DOM_ACTIVE);
++ dom->next = dom2;
++ dom2->names = dom->names;
++
++ expect_in_parent(ncache, dom);
++ expect_no_entries_in_dom(ncache, dom2);
++
++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
++ assert_int_equal(ret, EOK);
++
++ expect_in_parent(ncache, dom);
++ expect_no_entries_in_dom(ncache, dom2);
++
++ /* Add a sub domain */
++ sub_dom = talloc_zero(ts, struct sss_domain_info);
++ assert_non_null(sub_dom);
++ sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME);
++ sss_domain_set_state(sub_dom, DOM_ACTIVE);
++ sub_dom->parent = dom;
++ dom->subdomains = sub_dom;
++ sub_dom->names = dom->names;
++
++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
++ assert_int_equal(ret, EOK);
++
++ expect_in_parent(ncache, dom);
++ expect_in_subdomain(ncache, sub_dom);
++ expect_no_entries_in_dom(ncache, dom2);
++}
++
+ static void test_sss_ncache_reset(void **state)
+ {
+ errno_t ret;
+@@ -1066,6 +1318,8 @@ int main(void)
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
+ setup, teardown),
++ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
++ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
+--
+2.21.3
+
diff --git a/SOURCES/0053-negcache-do-not-use-default_domain_suffix.patch b/SOURCES/0053-negcache-do-not-use-default_domain_suffix.patch
new file mode 100644
index 0000000..eb0bcec
--- /dev/null
+++ b/SOURCES/0053-negcache-do-not-use-default_domain_suffix.patch
@@ -0,0 +1,155 @@
+From 56d509ad3001101f04c4af050c3da7472032e4cb Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 9 Oct 2020 15:26:39 +0200
+Subject: [PATCH 53/53] negcache: do not use default_domain_suffix
+
+When splitting the names from the filter_users and filter_groups options
+do not use the default_domain_suffix because it will hide that the
+original name is a short name and should be added everywhere.
+
+Additionally this patch fixes a typo where sss_parse_name() was used
+instead of sss_parse_name_for_domains().
+
+Resolves: https://github.com/SSSD/sssd/issues/5238
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+(cherry picked from commit fa4b46e7de7297da3c0e37913eab8cba7f103629)
+---
+ src/responder/common/negcache.c | 29 +++++++++++++++--------------
+ src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++--
+ 2 files changed, 35 insertions(+), 16 deletions(-)
+
+diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
+index 47fbb2106..ff05aaea5 100644
+--- a/src/responder/common/negcache.c
++++ b/src/responder/common/negcache.c
+@@ -998,13 +998,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+ ret = sss_parse_name_for_domains(tmpctx, domain_list,
+- rctx->default_domain,
++ NULL,
+ filter_list[i],
+ &domainname, &name);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+- "cannot add [%s] to negcache because the required or "
+- "default domain are not known yet\n", filter_list[i]);
++ "Can add [%s] only as UPN to negcache because the "
++ "required domain is not known yet\n", filter_list[i]);
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid name in filterUsers list: [%s] (%d)\n",
+@@ -1064,12 +1064,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+ ret = sss_parse_name_for_domains(tmpctx, domain_list,
+- rctx->default_domain, filter_list[i],
++ NULL, filter_list[i],
+ &domainname, &name);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+- "Cannot add [%s] to negcache because the required or "
+- "default domain are not known yet\n", filter_list[i]);
++ "Can add [%s] only as UPN to negcache because the "
++ "required domain is not known yet\n", filter_list[i]);
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid name in filterUsers list: [%s] (%d)\n",
+@@ -1156,9 +1156,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ if (ret != EOK) goto done;
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+- ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
+- &domainname, &name);
++ ret = sss_parse_name_for_domains(tmpctx, domain_list,
++ NULL, filter_list[i],
++ &domainname, &name);
+ if (ret != EOK) {
++ /* Groups do not have UPNs, so domain names, if present,
++ * must be known */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid name in filterGroups list: [%s] (%d)\n",
+ filter_list[i], ret);
+@@ -1205,13 +1208,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+ ret = sss_parse_name_for_domains(tmpctx, domain_list,
+- rctx->default_domain, filter_list[i],
++ NULL, filter_list[i],
+ &domainname, &name);
+- if (ret == EAGAIN) {
+- DEBUG(SSSDBG_MINOR_FAILURE,
+- "Cannot add [%s] to negcache because the required or "
+- "default domain are not known yet\n", filter_list[i]);
+- } else if (ret != EOK) {
++ if (ret != EOK) {
++ /* Groups do not have UPNs, so domain names, if present,
++ * must be known */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid name in filterGroups list: [%s] (%d)\n",
+ filter_list[i], ret);
+diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
+index 7a8827685..f8cbbc1fe 100644
+--- a/src/tests/cmocka/test_negcache.c
++++ b/src/tests/cmocka/test_negcache.c
+@@ -916,7 +916,9 @@ static void test_sss_ncache_reset_prepopulate(void **state)
+ *
+ * The result should of course be independent of the present domains. To
+ * verify this the domains are added one after the other and the negative
+- * cache is repopulated each time.
++ * cache is repopulated each time. The result should be also independent of
++ * the setting of default_domain_suffix option which is tested by
++ * test_sss_ncache_short_name_in_domain_with_prefix.
+ *
+ * With the given domains, users and group we have to following expectations:
+ * - the short name entry will be added to the domain and all sub-domains as
+@@ -1064,7 +1066,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
+ assert_int_equal(ret, ENOENT);
+ }
+
+-static void test_sss_ncache_short_name_in_domain(void **state)
++static void run_sss_ncache_short_name_in_domain(void **state,
++ bool use_default_domain_prefix)
+ {
+ int ret;
+ struct test_state *ts;
+@@ -1114,6 +1117,9 @@ static void test_sss_ncache_short_name_in_domain(void **state)
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
++ if (use_default_domain_prefix) {
++ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
++ }
+ ts->rctx->cdb = tc->confdb;
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+@@ -1156,6 +1162,16 @@ static void test_sss_ncache_short_name_in_domain(void **state)
+ expect_no_entries_in_dom(ncache, dom2);
+ }
+
++static void test_sss_ncache_short_name_in_domain(void **state)
++{
++ run_sss_ncache_short_name_in_domain(state, false);
++}
++
++static void test_sss_ncache_short_name_in_domain_with_prefix(void **state)
++{
++ run_sss_ncache_short_name_in_domain(state, true);
++}
++
+ static void test_sss_ncache_reset(void **state)
+ {
+ errno_t ret;
+@@ -1320,6 +1336,8 @@ int main(void)
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
+ setup, teardown),
++ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix,
++ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
+--
+2.21.3
+
diff --git a/SOURCES/0054-ad-add-ad_allow_remote_domain_local_groups.patch b/SOURCES/0054-ad-add-ad_allow_remote_domain_local_groups.patch
new file mode 100644
index 0000000..a2924cc
--- /dev/null
+++ b/SOURCES/0054-ad-add-ad_allow_remote_domain_local_groups.patch
@@ -0,0 +1,193 @@
+From 6f31f43ee15bcb0933ddca8726b166a93f9371a9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 1 Oct 2019 20:24:09 +0200
+Subject: [PATCH] ad: add ad_allow_remote_domain_local_groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As the option name says if set to true Domain Local groups from remote
+domains won't be filtered out. This option is added to facilitate the
+migration from other solution and should only be used for this purpose.
+
+Resolves: https://github.com/SSSD/sssd/issues/5346
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked with changes from commit 4f65a8d15b8e5f3dd613e789d68f38e60e0addc5)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/config/SSSDConfig/__init__.py.in | 1 +
+ src/config/cfg_rules.ini | 1 +
+ src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
+ src/man/sssd-ad.5.xml | 49 ++++++++++++++++++++++++++
+ src/providers/ad/ad_common.c | 3 ++
+ src/providers/ad/ad_common.h | 1 +
+ src/providers/ad/ad_opts.c | 1 +
+ src/providers/ldap/sdap.h | 1 +
+ src/providers/ldap/sdap_ad_groups.c | 3 +-
+ 9 files changed, 60 insertions(+), 1 deletion(-)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 1aa93f8cf..15ab632aa 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -250,6 +250,7 @@ option_strings = {
+ 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
+ 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
++ 'ad_allow_remote_domain_local_groups' : _('Do not filter domain local groups from other domains'),
+
+ # [provider/krb5]
+ 'krb5_kdcip' : _('Kerberos server address'),
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index e8ea13081..8f8ef30c3 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -459,6 +459,7 @@ option = ad_maximum_machine_account_password_age
+ option = ad_server
+ option = ad_site
+ option = ad_use_ldaps
++option = ad_allow_remote_domain_local_groups
+
+ # IPA provider specific options
+ option = ipa_anchor_uuid
+diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
+index c53c08f37..74599a56d 100644
+--- a/src/config/etc/sssd.api.d/sssd-ad.conf
++++ b/src/config/etc/sssd.api.d/sssd-ad.conf
+@@ -21,6 +21,7 @@ ad_site = str, None, false
+ ad_maximum_machine_account_password_age = int, None, false
+ ad_machine_account_password_renewal_opts = str, None, false
+ ad_use_ldaps = bool, None, false
++ad_allow_remote_domain_local_groups = bool, None, false
+ ldap_uri = str, None, false
+ ldap_backup_uri = str, None, false
+ ldap_search_base = str, None, false
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index 6fc57ca21..839279bad 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -923,6 +923,55 @@ ad_gpo_map_deny = +my_pam_service
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term>ad_allow_remote_domain_local_groups (boolean)</term>
++ <listitem>
++ <para>
++ If this option is set to <quote>true</quote> SSSD
++ will not filter out Domain Local groups from remote
++ domains in the AD forest. By default they are
++ filtered out e.g. when following a nested group
++ hierarchy in remote domains because they are not
++ valid in the local domain. To be compatible with
++ other solutions which make AD users and groups
++ available on Linux client this option was added.
++ </para>
++ <para>
++ Please note that setting this option to
++ <quote>true</quote> will be against the intention of
++ Domain Local group in Active Directory and
++ <emphasis>SHOULD ONLY BE USED TO FACILITATE
++ MIGRATION FROM OTHER SOLUTIONS</emphasis>. Although
++ the group exists and user can be member of the group
++ the intention is that the group should be only used
++ in the domain it is defined and in no others. Since
++ there is only one type of POSIX groups the only way
++ to achieve this on the Linux side is to ignore those
++ groups. This is also done by Active Directory as can
++ be seen in the PAC of the Kerberos ticket for a
++ local service or in tokenGroups requests where
++ remote Domain Local groups are missing as well.
++ </para>
++ <para>
++ Given the comments above, if this option is set to
++ <quote>true</quote> the tokenGroups request must be
++ disabled by setting
++ <quote>ldap_use_tokengroups</quote> to
++ <quote>false</quote> to get consistent
++ group-memberships of a users. Additionally the
++ Global Catalog lookup should be skipped as well by
++ setting <quote>ad_enable_gc</quote> to
++ <quote>false</quote>. Finally it might be necessary
++ to modify <quote>ldap_group_nesting_level</quote> if
++ the remote Domain Local groups can only be found
++ with a deeper nesting level.
++ </para>
++ <para>
++ Default: False
++ </para>
++ </listitem>
++ </varlistentry>
++
+ <varlistentry>
+ <term>dyndns_update (boolean)</term>
+ <listitem>
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index 4e46da7f2..4e51d08e6 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -1072,6 +1072,9 @@ ad_set_sdap_options(struct ad_options *ad_opts,
+ keytab_path);
+ }
+
++ id_opts->allow_remote_domain_local_groups = dp_opt_get_bool(ad_opts->basic,
++ AD_ALLOW_REMOTE_DOMAIN_LOCAL);
++
+ ret = sdap_set_sasl_options(id_opts,
+ dp_opt_get_string(ad_opts->basic,
+ AD_HOSTNAME),
+diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
+index 753394832..815b41419 100644
+--- a/src/providers/ad/ad_common.h
++++ b/src/providers/ad/ad_common.h
+@@ -69,6 +69,7 @@ enum ad_basic_opt {
+ AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
+ AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
+ AD_USE_LDAPS,
++ AD_ALLOW_REMOTE_DOMAIN_LOCAL,
+
+ AD_OPTS_BASIC /* opts counter */
+ };
+diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
+index f2596a935..950ea51ff 100644
+--- a/src/providers/ad/ad_opts.c
++++ b/src/providers/ad/ad_opts.c
+@@ -55,6 +55,7 @@ struct dp_option ad_basic_opts[] = {
+ { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
+ { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
++ { "ad_allow_remote_domain_local_groups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ DP_OPTION_TERMINATOR
+ };
+
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index 0bf4fe12b..d9eff20ec 100644
+--- a/src/providers/ldap/sdap.h
++++ b/src/providers/ldap/sdap.h
+@@ -511,6 +511,7 @@ struct sdap_options {
+ bool support_matching_rule;
+ enum dc_functional_level dc_functional_level;
+ const char *schema_basedn;
++ bool allow_remote_domain_local_groups;
+
+ /* Certificate mapping support */
+ struct sdap_certmap_ctx *sdap_certmap_ctx;
+diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c
+index 0e36328b9..e8c6280d0 100644
+--- a/src/providers/ldap/sdap_ad_groups.c
++++ b/src/providers/ldap/sdap_ad_groups.c
+@@ -38,7 +38,8 @@ errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
+ errno_t ret = EOK;
+ *_need_filter = false;
+
+- if (opts->schema_type == SDAP_SCHEMA_AD) {
++ if (opts->schema_type == SDAP_SCHEMA_AD
++ && !opts->allow_remote_domain_local_groups) {
+ ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,
+ &ad_group_type);
+ if (ret != EOK) {
+--
+2.21.3
+
diff --git a/SOURCES/0055-man-fix-description-of-dns_resolver_op_timeout.patch b/SOURCES/0055-man-fix-description-of-dns_resolver_op_timeout.patch
new file mode 100644
index 0000000..df5070e
--- /dev/null
+++ b/SOURCES/0055-man-fix-description-of-dns_resolver_op_timeout.patch
@@ -0,0 +1,37 @@
+From f768f73903bf0c3d0d1b4361ebff6b111a918470 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 11 Jun 2019 13:49:13 +0200
+Subject: [PATCH 55/57] man: fix description of dns_resolver_op_timeout
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3217
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 7b4635c8428917ced63954f2c3c70491b45d7870)
+---
+ src/man/include/failover.xml | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
+index cd6fd4d79..11ff86a38 100644
+--- a/src/man/include/failover.xml
++++ b/src/man/include/failover.xml
+@@ -77,7 +77,13 @@
+ </term>
+ <listitem>
+ <para>
+- How long would SSSD talk to a single DNS server.
++ Time in seconds to tell how long would SSSD try
++ to resolve single DNS query (e.g. resolution of a
++ hostname or an SRV record) before trying the next
++ hostname or discovery domain.
++ </para>
++ <para>
++ Default: 6
+ </para>
+ </listitem>
+ </varlistentry>
+--
+2.21.3
+
diff --git a/SOURCES/0056-man-fix-description-of-dns_resolver_timeout.patch b/SOURCES/0056-man-fix-description-of-dns_resolver_timeout.patch
new file mode 100644
index 0000000..e589679
--- /dev/null
+++ b/SOURCES/0056-man-fix-description-of-dns_resolver_timeout.patch
@@ -0,0 +1,32 @@
+From 9b1f6f88b1245bc8737a4b2616299a8427d822e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 11 Jun 2019 13:49:33 +0200
+Subject: [PATCH 56/57] man: fix description of dns_resolver_timeout
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3217
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 3807de1d97fc87cf7c25af264a8b1bbabdef54e2)
+---
+ src/man/include/failover.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
+index 11ff86a38..7b451d831 100644
+--- a/src/man/include/failover.xml
++++ b/src/man/include/failover.xml
+@@ -98,6 +98,9 @@
+ include several steps, such as resolving DNS SRV
+ queries or locating the site.
+ </para>
++ <para>
++ Default: 6
++ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+--
+2.21.3
+
diff --git a/SOURCES/0057-failover-add-dns_resolver_server_timeout-option.patch b/SOURCES/0057-failover-add-dns_resolver_server_timeout-option.patch
new file mode 100644
index 0000000..01fb7da
--- /dev/null
+++ b/SOURCES/0057-failover-add-dns_resolver_server_timeout-option.patch
@@ -0,0 +1,277 @@
+From 2c7c69485883ab0f408cf2f8cdcc4617462d68ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 11 Jun 2019 13:37:23 +0200
+Subject: [PATCH 57/57] failover: add dns_resolver_server_timeout option
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3217
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked with fixes from commit 99e2a107f01c625cb59cb88589db87294176d6c6)
+---
+ src/config/SSSDConfig/__init__.py.in | 1 +
+ src/config/SSSDConfigTest.py | 2 ++
+ src/config/cfg_rules.ini | 1 +
+ src/config/etc/sssd.api.conf | 1 +
+ src/man/include/failover.xml | 17 ++++++++++++++++-
+ src/providers/data_provider.h | 1 +
+ src/providers/data_provider_fo.c | 3 +++
+ src/resolv/async_resolv.c | 10 ++++++----
+ src/resolv/async_resolv.h | 2 +-
+ src/tests/cmocka/test_fo_srv.c | 4 ++--
+ src/tests/cmocka/test_resolv_fake.c | 2 +-
+ src/tests/fail_over-tests.c | 2 +-
+ src/tests/resolv-tests.c | 2 +-
+ 13 files changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index f3c6cfebf..1aa93f8cf 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -170,6 +170,7 @@ option_strings = {
+ 'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
+ 'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
+ 'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
++ 'dns_resolver_server_timeout' : _('How long should SSSD talk to single DNS server before trying next server (miliseconds)'),
+ 'dns_resolver_op_timeout' : _('How long should keep trying to resolve single DNS query (seconds)'),
+ 'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'),
+ 'dns_discovery_domain' : _('The domain part of service discovery DNS query'),
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index 979b1806f..d484e527e 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -608,6 +608,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+ 'refresh_expired_interval',
+ 'lookup_family_order',
+ 'account_cache_expiration',
++ 'dns_resolver_server_timeout',
+ 'dns_resolver_op_timeout',
+ 'dns_resolver_timeout',
+ 'dns_discovery_domain',
+@@ -980,6 +981,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+ 'refresh_expired_interval',
+ 'account_cache_expiration',
+ 'lookup_family_order',
++ 'dns_resolver_server_timeout',
+ 'dns_resolver_op_timeout',
+ 'dns_resolver_timeout',
+ 'dns_discovery_domain',
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 79e366875..e8ea13081 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -367,6 +367,7 @@ option = account_cache_expiration
+ option = pwd_expiration_warning
+ option = filter_users
+ option = filter_groups
++option = dns_resolver_server_timeout
+ option = dns_resolver_op_timeout
+ option = dns_resolver_timeout
+ option = dns_discovery_domain
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index 355c1fc9b..a771a1148 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -170,6 +170,7 @@ account_cache_expiration = int, None, false
+ pwd_expiration_warning = int, None, false
+ filter_users = list, str, false
+ filter_groups = list, str, false
++dns_resolver_server_timeout = int, None, false
+ dns_resolver_op_timeout = int, None, false
+ dns_resolver_timeout = int, None, false
+ dns_discovery_domain = str, None, false
+diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
+index 7b451d831..f2a01b933 100644
+--- a/src/man/include/failover.xml
++++ b/src/man/include/failover.xml
+@@ -71,6 +71,20 @@
+ </citerefentry>,
+ manual page.
+ <variablelist>
++ <varlistentry>
++ <term>
++ dns_resolver_server_timeout
++ </term>
++ <listitem>
++ <para>
++ Time in milliseconds that sets how long would SSSD
++ talk to a single DNS server before trying next one.
++ </para>
++ <para>
++ Default: 2000
++ </para>
++ </listitem>
++ </varlistentry>
+ <varlistentry>
+ <term>
+ dns_resolver_op_timeout
+@@ -111,7 +125,8 @@
+ <quote>ldap_opt_timeout></quote> timeout should be set to
+ a larger value than <quote>dns_resolver_timeout</quote>
+ which in turn should be set to a larger value than
+- <quote>dns_resolver_op_timeout</quote>.
++ <quote>dns_resolver_op_timeout</quote> which should be larger
++ than <quote>dns_resolver_server_timeout</quote>.
+ </para>
+ </refsect2>
+ </refsect1>
+diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
+index d30d81bda..e8568993a 100644
+--- a/src/providers/data_provider.h
++++ b/src/providers/data_provider.h
+@@ -328,6 +328,7 @@ enum dp_res_opts {
+ DP_RES_OPT_FAMILY_ORDER,
+ DP_RES_OPT_RESOLVER_TIMEOUT,
+ DP_RES_OPT_RESOLVER_OP_TIMEOUT,
++ DP_RES_OPT_RESOLVER_SERVER_TIMEOUT,
+ DP_RES_OPT_DNS_DOMAIN,
+
+ DP_RES_OPTS /* attrs counter */
+diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
+index 6e375147d..0cdb97323 100644
+--- a/src/providers/data_provider_fo.c
++++ b/src/providers/data_provider_fo.c
+@@ -835,6 +835,7 @@ static struct dp_option dp_res_default_opts[] = {
+ { "lookup_family_order", DP_OPT_STRING, { "ipv4_first" }, NULL_STRING },
+ { "dns_resolver_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+ { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
++ { "dns_resolver_server_timeout", DP_OPT_NUMBER, { .number = 2000 }, NULL_NUMBER },
+ { "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ DP_OPTION_TERMINATOR
+ };
+@@ -896,6 +897,8 @@ errno_t be_res_init(struct be_ctx *ctx)
+ ret = resolv_init(ctx, ctx->ev,
+ dp_opt_get_int(ctx->be_res->opts,
+ DP_RES_OPT_RESOLVER_OP_TIMEOUT),
++ dp_opt_get_int(ctx->be_res->opts,
++ DP_RES_OPT_RESOLVER_SERVER_TIMEOUT),
+ &ctx->be_res->resolv);
+ if (ret != EOK) {
+ talloc_zfree(ctx->be_res);
+diff --git a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c
+index bb2701154..b833d7211 100644
+--- a/src/resolv/async_resolv.c
++++ b/src/resolv/async_resolv.c
+@@ -60,8 +60,6 @@
+ #define DNS_RR_LEN(r) DNS__16BIT((r) + 8)
+ #define DNS_RR_TTL(r) DNS__32BIT((r) + 4)
+
+-#define RESOLV_TIMEOUTMS 2000
+-
+ enum host_database default_host_dbs[] = { DB_FILES, DB_DNS, DB_SENTINEL };
+
+ struct fd_watch {
+@@ -83,6 +81,9 @@ struct resolv_ctx {
+ /* Time in milliseconds before canceling a DNS request */
+ int timeout;
+
++ /* Time in milliseconds for communication with single DNS server. */
++ int ares_timeout;
++
+ /* The timeout watcher periodically calls ares_process_fd() to check
+ * if our pending requests didn't timeout. */
+ int pending_requests;
+@@ -423,7 +424,7 @@ recreate_ares_channel(struct resolv_ctx *ctx)
+ */
+ options.sock_state_cb = fd_event;
+ options.sock_state_cb_data = ctx;
+- options.timeout = RESOLV_TIMEOUTMS;
++ options.timeout = ctx->ares_timeout;
+ /* Only affects ares_gethostbyname */
+ options.lookups = discard_const("f");
+ options.tries = 1;
+@@ -450,7 +451,7 @@ recreate_ares_channel(struct resolv_ctx *ctx)
+
+ int
+ resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
+- int timeout, struct resolv_ctx **ctxp)
++ int timeout, int ares_timeout, struct resolv_ctx **ctxp)
+ {
+ int ret;
+ struct resolv_ctx *ctx;
+@@ -467,6 +468,7 @@ resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
+
+ ctx->ev_ctx = ev_ctx;
+ ctx->timeout = timeout;
++ ctx->ares_timeout = ares_timeout;
+
+ ret = recreate_ares_channel(ctx);
+ if (ret != EOK) {
+diff --git a/src/resolv/async_resolv.h b/src/resolv/async_resolv.h
+index 90ed03707..d83a7be44 100644
+--- a/src/resolv/async_resolv.h
++++ b/src/resolv/async_resolv.h
+@@ -52,7 +52,7 @@
+ struct resolv_ctx;
+
+ int resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
+- int timeout, struct resolv_ctx **ctxp);
++ int timeout, int ares_timeout, struct resolv_ctx **ctxp);
+
+ void resolv_reread_configuration(struct resolv_ctx *ctx);
+
+diff --git a/src/tests/cmocka/test_fo_srv.c b/src/tests/cmocka/test_fo_srv.c
+index a11ebbb54..c13cf3a69 100644
+--- a/src/tests/cmocka/test_fo_srv.c
++++ b/src/tests/cmocka/test_fo_srv.c
+@@ -49,7 +49,7 @@ struct resolv_ctx {
+
+ /* mock resolver interface. The resolver test is separate */
+ int resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
+- int timeout, struct resolv_ctx **ctxp)
++ int timeout, int ares_timeout, struct resolv_ctx **ctxp)
+ {
+ *ctxp = talloc(mem_ctx, struct resolv_ctx);
+ return EOK;
+@@ -230,7 +230,7 @@ static int test_fo_setup(void **state)
+ assert_non_null(test_ctx->ctx);
+
+ ret = resolv_init(test_ctx, test_ctx->ctx->ev,
+- TEST_RESOLV_TIMEOUT, &test_ctx->resolv);
++ TEST_RESOLV_TIMEOUT, 2000, &test_ctx->resolv);
+ assert_non_null(test_ctx->resolv);
+
+ memset(&fopts, 0, sizeof(fopts));
+diff --git a/src/tests/cmocka/test_resolv_fake.c b/src/tests/cmocka/test_resolv_fake.c
+index 4cb3d4027..0f4011a39 100644
+--- a/src/tests/cmocka/test_resolv_fake.c
++++ b/src/tests/cmocka/test_resolv_fake.c
+@@ -240,7 +240,7 @@ static int test_resolv_fake_setup(void **state)
+ assert_non_null(test_ctx->ctx);
+
+ ret = resolv_init(test_ctx, test_ctx->ctx->ev,
+- TEST_DEFAULT_TIMEOUT, &test_ctx->resolv);
++ TEST_DEFAULT_TIMEOUT, 2000, &test_ctx->resolv);
+ assert_int_equal(ret, EOK);
+
+ *state = test_ctx;
+diff --git a/src/tests/fail_over-tests.c b/src/tests/fail_over-tests.c
+index 5312b2772..b2269ef3b 100644
+--- a/src/tests/fail_over-tests.c
++++ b/src/tests/fail_over-tests.c
+@@ -73,7 +73,7 @@ setup_test(void)
+ fail("Could not init tevent context");
+ }
+
+- ret = resolv_init(ctx, ctx->ev, 5, &ctx->resolv);
++ ret = resolv_init(ctx, ctx->ev, 5, 2000, &ctx->resolv);
+ if (ret != EOK) {
+ talloc_free(ctx);
+ fail("Could not init resolv context");
+diff --git a/src/tests/resolv-tests.c b/src/tests/resolv-tests.c
+index 4a2b3b904..bc4cd7cc1 100644
+--- a/src/tests/resolv-tests.c
++++ b/src/tests/resolv-tests.c
+@@ -76,7 +76,7 @@ static int setup_resolv_test(int timeout, struct resolv_test_ctx **ctx)
+ return EFAULT;
+ }
+
+- ret = resolv_init(test_ctx, test_ctx->ev, timeout, &test_ctx->resolv);
++ ret = resolv_init(test_ctx, test_ctx->ev, timeout, 2000, &test_ctx->resolv);
+ if (ret != EOK) {
+ fail("Could not init resolv context");
+ talloc_free(test_ctx);
+--
+2.21.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 5a57ad9..ff965ad 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -50,7 +50,7 @@
Name: sssd
Version: 1.16.5
-Release: 10%{?dist}.5
+Release: 10%{?dist}.6
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -102,6 +102,20 @@ Patch0040: 0040-UTIL-DN-sanitization.patch
Patch0041: 0041-UTIL-Use-sss_sanitize_dn-where-we-deal-with-DN.patch
Patch0042: 0042-UTIL-Use-sss_sanitize_dn-where-we-deal-with-DN-2.patch
Patch0043: 0043-ldap-use-member-DN-to-create-ghost-user-hash-table.patch
+Patch0044: 0044-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch
+Patch0045: 0045-DEBUG-journal_send-was-made-static.patch
+Patch0046: 0046-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch
+Patch0047: 0047-ifp-fix-use-after-free.patch
+Patch0048: 0048-fp-fix-original-fix-use-after-free-1.16-version.patch
+Patch0049: 0049-krb5-only-try-pkinit-with-Smartcard-credentials.patch
+Patch0050: 0050-negcache-make-sure-domain-config-does-not-leak-into-.patch
+Patch0051: 0051-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
+Patch0052: 0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch
+Patch0053: 0053-negcache-do-not-use-default_domain_suffix.patch
+Patch0054: 0054-ad-add-ad_allow_remote_domain_local_groups.patch
+Patch0055: 0055-man-fix-description-of-dns_resolver_op_timeout.patch
+Patch0056: 0056-man-fix-description-of-dns_resolver_timeout.patch
+Patch0057: 0057-failover-add-dns_resolver_server_timeout-option.patch
#Those patches should not be removed in RHEL-7
Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1135,6 +1149,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%pre common
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+rm -f /var/tmp/sssd_is_running
/bin/systemctl is-active --quiet sssd.service && touch /var/tmp/sssd_is_running || :
%post common
@@ -1276,61 +1291,71 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
}
%changelog
-* Fri Aug 28 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-10.5
+* Wed Nov 25 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.6
+- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z]
+- Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z]
+- Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z]
+- Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z]
+- Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z]
+- Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z]
+- Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z]
+- Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]
+
+* Fri Aug 28 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.5
- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]
(Previous attempt to fix this issue was incomplete (again))
- just bumping the version to build for proper target
-* Fri Aug 28 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-10.4
+* Fri Aug 28 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.4
- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]
(Previous attempt to fix this issue was incomplete (again))
-* Wed Aug 19 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-10.3
+* Wed Aug 19 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.3
- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]
(Previous attempt to fix this issue was incomplete)
-* Tue Aug 18 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-10.2
+* Tue Aug 18 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.2
- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z]
- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]
- just bumping the version to build for proper target
-* Tue Aug 18 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-10.1
+* Tue Aug 18 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10.1
- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z]
- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]
-* Fri Jun 05 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-10
+* Fri Jun 05 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-10
- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management
- Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information
- Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card
- Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False
-* Fri May 29 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-9
+* Fri May 29 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-9
- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization
-* Wed May 27 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-8
+* Wed May 27 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-8
- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration.
- Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers.
It is done in two steps (two different nsupdate messages).
-* Thu May 21 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-7
+* Thu May 21 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-7
- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing
- Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.
-* Wed May 20 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-6
+* Wed May 20 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-6
- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading
- Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen
-* Tue May 19 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-5
+* Tue May 19 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-5
- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation
-* Mon May 11 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-4
+* Mon May 11 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-4
- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names
- Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package
-* Thu May 07 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-3
+* Thu May 07 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-3
- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup
-* Thu Apr 23 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-2
+* Thu Apr 23 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-2
- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6
- Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN
- Resolves: rhbz#1781539 - PKINIT with KCM does not work
@@ -1341,7 +1366,7 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
- Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries
- Added missing 'Requires' to resolves some of rpmdiff tool warnings
-* Fri Mar 20 2020 Alexey Tikhonov <Alexey Tikhonov> 1.16.5-1
+* Fri Mar 20 2020 Alexey Tikhonov <atikhono@redhat.com> 1.16.5-1
- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9
* Wed Mar 18 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-38