diff --git a/.gitignore b/.gitignore
index f74e090..a743af2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.7.3.tar.gz
+SOURCES/sssd-2.8.2.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 6132eb6..6575e58 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-0e0df66226d7e0bfdff7315a0e5e08458c822c8d SOURCES/sssd-2.7.3.tar.gz
+4101c2869e8f952fccab841cd2e46fd18f10465d SOURCES/sssd-2.8.2.tar.gz
diff --git a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch b/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
deleted file mode 100644
index 271a5d8..0000000
--- a/SOURCES/0001-Makefile-remove-unneeded-dependency.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 4e9e83210601043abab6098f2bda67ae6704fe3e Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 21 Jul 2022 20:16:32 +0200
-Subject: [PATCH] Makefile: remove unneeded dependency
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)
----
- Makefile.am | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 669a0fc56..92d046888 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1766,12 +1766,10 @@ sssd_kcm_CFLAGS = \
- $(KRB5_CFLAGS) \
- $(UUID_CFLAGS) \
- $(CURL_CFLAGS) \
-- $(JANSSON_CFLAGS) \
- $(NULL)
- sssd_kcm_LDADD = \
- $(LIBADD_DL) \
- $(KRB5_LIBS) \
-- $(JANSSON_LIBS) \
- $(SSSD_LIBS) \
- $(UUID_LIBS) \
- $(SYSTEMD_DAEMON_LIBS) \
-@@ -3792,7 +3790,6 @@ test_kcm_marshalling_CFLAGS = \
- $(UUID_CFLAGS) \
- $(NULL)
- test_kcm_marshalling_LDADD = \
-- $(JANSSON_LIBS) \
- $(UUID_LIBS) \
- $(KRB5_LIBS) \
- $(CMOCKA_LIBS) \
-@@ -3855,7 +3852,6 @@ test_kcm_renewals_LDFLAGS = \
- test_kcm_renewals_LDADD = \
- $(LIBADD_DL) \
- $(UUID_LIBS) \
-- $(JANSSON_LIBS) \
- $(KRB5_LIBS) \
- $(CARES_LIBS) \
- $(CMOCKA_LIBS) \
---
-2.37.1
-
diff --git a/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
new file mode 100644
index 0000000..60feece
--- /dev/null
+++ b/SOURCES/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
@@ -0,0 +1,158 @@
+From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 8 Dec 2022 15:14:05 +0100
+Subject: [PATCH] ldap: update shadow last change in sysdb as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise pam can use the changed information whe id chaching is
+enabled, so next authentication that fits into the id timeout
+(5 seconds by default) will still sees the password as expired.
+
+Resolves: https://github.com/SSSD/sssd/issues/6477
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
+---
+ src/db/sysdb.h | 4 ++++
+ src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
+ src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
+ 3 files changed, 52 insertions(+), 5 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index 7c666f5c4..06b44f5ba 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
+ struct sysdb_attrs *attrs,
+ int mod_op);
+
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++ const char *name,
++ const char *attrname);
++
+ /* Replace group attrs */
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+ const char *name,
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 0d6f2d5cd..ed0df9872 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -1485,6 +1485,38 @@ done:
+ return ret;
+ }
+
++errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
++ const char *name,
++ const char *attrname)
++{
++ struct sysdb_attrs *attrs;
++ char *value;
++ errno_t ret;
++
++ attrs = sysdb_new_attrs(NULL);
++ if (attrs == NULL) {
++ return ENOMEM;
++ }
++
++ /* The attribute contains number of days since the epoch */
++ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
++ if (value == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ ret = sysdb_attrs_add_string(attrs, attrname, value);
++ if (ret != EOK) {
++ goto done;
++ }
++
++ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
++
++done:
++ talloc_free(attrs);
++ return ret;
++}
++
+ /* =Replace-Attributes-On-Group=========================================== */
+
+ int sysdb_set_group_attr(struct sss_domain_info *domain,
+diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
+index 6404a9d3a..96b9d6df4 100644
+--- a/src/providers/ldap/ldap_auth.c
++++ b/src/providers/ldap/ldap_auth.c
+@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
+ struct pam_data *pd;
+ struct sdap_handle *sh;
+ char *dn;
++ enum pwexpire pw_expire_type;
+ };
+
+ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
+@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ {
+ struct sdap_pam_chpass_handler_state *state;
+ struct tevent_req *req;
+- enum pwexpire pw_expire_type;
+ void *pw_expire_data;
+ size_t msg_len;
+ uint8_t *msg;
+@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
+
+ ret = auth_recv(subreq, state, &state->sh, &state->dn,
+- &pw_expire_type, &pw_expire_data);
++ &state->pw_expire_type, &pw_expire_data);
+ talloc_free(subreq);
+
+ if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
+@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ }
+
+ if (ret == EOK) {
+- switch (pw_expire_type) {
++ switch (state->pw_expire_type) {
+ case PWEXPIRE_SHADOW:
+ ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
+ break;
+@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+- "Unknown password expiration type %d.\n", pw_expire_type);
++ "Unknown password expiration type %d.\n",
++ state->pw_expire_type);
+ state->pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+ case ERR_PASSWORD_EXPIRED:
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "user [%s] successfully authenticated.\n", state->dn);
+- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
++ ret = sdap_pam_chpass_handler_change_step(state, req,
++ state->pw_expire_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_pam_chpass_handler_change_step() failed.\n");
+@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
+
+ switch (ret) {
+ case EOK:
++ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
++ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
++ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
++ if (ret != EOK) {
++ state->pd->pam_status = PAM_SYSTEM_ERR;
++ goto done;
++ }
++ }
++
+ state->pd->pam_status = PAM_SUCCESS;
+ break;
+ case ERR_CHPASS_DENIED:
+--
+2.37.3
+
diff --git a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch b/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
deleted file mode 100644
index 6caa8fc..0000000
--- a/SOURCES/0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 03142f8de42faf4f75465d24d3be9a49c2dd86f7 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 29 Jul 2022 14:57:20 +0200
-Subject: [PATCH] CLIENT:MC: store context mutex outside of context as it
- should survive context destruction / re-initialization
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)
----
- src/sss_client/nss_mc.h | 4 ++--
- src/sss_client/nss_mc_common.c | 10 ++++++++--
- src/sss_client/nss_mc_group.c | 5 +++++
- src/sss_client/nss_mc_initgr.c | 5 +++++
- src/sss_client/nss_mc_passwd.c | 5 +++++
- src/sss_client/nss_mc_sid.c | 5 +++++
- 6 files changed, 30 insertions(+), 4 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index b66e8f09f..de1496ccc 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -48,7 +48,7 @@ enum sss_mc_state {
- struct sss_cli_mc_ctx {
- enum sss_mc_state initialized;
- #if HAVE_PTHREAD
-- pthread_mutex_t mutex;
-+ pthread_mutex_t *mutex;
- #endif
- int fd;
-
-@@ -67,7 +67,7 @@ struct sss_cli_mc_ctx {
- };
-
- #if HAVE_PTHREAD
--#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, PTHREAD_MUTEX_INITIALIZER, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #else
- #define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #endif
-diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
-index c73a93a9a..f38a4a85a 100644
---- a/src/sss_client/nss_mc_common.c
-+++ b/src/sss_client/nss_mc_common.c
-@@ -58,14 +58,14 @@ do { \
- static void sss_mt_lock(struct sss_cli_mc_ctx *ctx)
- {
- #if HAVE_PTHREAD
-- pthread_mutex_lock(&ctx->mutex);
-+ pthread_mutex_lock(ctx->mutex);
- #endif
- }
-
- static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx)
- {
- #if HAVE_PTHREAD
-- pthread_mutex_unlock(&ctx->mutex);
-+ pthread_mutex_unlock(ctx->mutex);
- #endif
- }
-
-@@ -131,6 +131,9 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
- static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
- {
- uint32_t active_threads = ctx->active_threads;
-+#if HAVE_PTHREAD
-+ pthread_mutex_t *mutex = ctx->mutex;
-+#endif
-
- if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
- munmap(ctx->mmap_base, ctx->mmap_size);
-@@ -143,6 +146,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
-
- /* restore count of active threads */
- ctx->active_threads = active_threads;
-+#if HAVE_PTHREAD
-+ ctx->mutex = mutex;
-+#endif
- }
-
- static errno_t sss_nss_mc_init_ctx(const char *name,
-diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
-index 2ea40c435..d4f2a82ab 100644
---- a/src/sss_client/nss_mc_group.c
-+++ b/src/sss_client/nss_mc_group.c
-@@ -29,7 +29,12 @@
- #include "nss_mc.h"
- #include "shared/safealign.h"
-
-+#if HAVE_PTHREAD
-+static pthread_mutex_t gr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&gr_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx gr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
-
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
- struct group *result,
-diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c
-index b05946263..bd7282935 100644
---- a/src/sss_client/nss_mc_initgr.c
-+++ b/src/sss_client/nss_mc_initgr.c
-@@ -32,7 +32,12 @@
- #include "nss_mc.h"
- #include "shared/safealign.h"
-
-+#if HAVE_PTHREAD
-+static pthread_mutex_t initgr_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&initgr_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx initgr_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
-
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
- long int *start, long int *size,
-diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
-index 01c6801da..256d48444 100644
---- a/src/sss_client/nss_mc_passwd.c
-+++ b/src/sss_client/nss_mc_passwd.c
-@@ -28,7 +28,12 @@
- #include <time.h>
- #include "nss_mc.h"
-
-+#if HAVE_PTHREAD
-+static pthread_mutex_t pw_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&pw_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx pw_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
-
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
- struct passwd *result,
-diff --git a/src/sss_client/nss_mc_sid.c b/src/sss_client/nss_mc_sid.c
-index af7d7bbd5..52e684da5 100644
---- a/src/sss_client/nss_mc_sid.c
-+++ b/src/sss_client/nss_mc_sid.c
-@@ -30,7 +30,12 @@
- #include "util/mmap_cache.h"
- #include "idmap/sss_nss_idmap.h"
-
-+#if HAVE_PTHREAD
-+static pthread_mutex_t sid_mc_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
-+static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER(&sid_mc_ctx_mutex);
-+#else
- static struct sss_cli_mc_ctx sid_mc_ctx = SSS_CLI_MC_CTX_INITIALIZER;
-+#endif
-
- static errno_t mc_get_sid_by_typed_id(uint32_t id, enum sss_id_type object_type,
- char **sid, uint32_t *type,
---
-2.37.1
-
diff --git a/SOURCES/0002-MAN-mention-attributes-in-see-also.patch b/SOURCES/0002-MAN-mention-attributes-in-see-also.patch
new file mode 100644
index 0000000..c103d64
--- /dev/null
+++ b/SOURCES/0002-MAN-mention-attributes-in-see-also.patch
@@ -0,0 +1,29 @@
+From 897ccf40b2e7ab30c3b8a3fb42584d1d5b8c4bb3 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 13 Jan 2023 18:58:05 +0100
+Subject: [PATCH] MAN: mention `attributes` in 'see also'
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit b631c3174a3f8f5c169e9507969015dd79fdfd80)
+---
+ src/man/include/seealso.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
+index 9999496fa..7f0bbe9df 100644
+--- a/src/man/include/seealso.xml
++++ b/src/man/include/seealso.xml
+@@ -10,6 +10,9 @@
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
++ <citerefentry>
++ <refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum>
++ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+--
+2.37.3
+
diff --git a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch b/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
deleted file mode 100644
index 965ceaa..0000000
--- a/SOURCES/0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 49eb871847a94311bbd2190a315230e4bae1ea2c Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 1 Aug 2022 09:54:51 -0400
-Subject: [PATCH] CACHE_REQ: Fix hybrid lookup log spamming
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
-is NULL for certain NSS request types (e.g. Service by Name).
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)
----
- src/responder/nss/nss_get_object.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
-index 9762d6bfe..5a2e7e9bd 100644
---- a/src/responder/nss/nss_get_object.c
-+++ b/src/responder/nss/nss_get_object.c
-@@ -171,7 +171,9 @@ hybrid_domain_retry_data(TALLOC_CTX *mem_ctx,
- input_name);
- }
-
-- cache_req_data_set_hybrid_lookup(hybrid_data, true);
-+ if (hybrid_data != NULL) {
-+ cache_req_data_set_hybrid_lookup(hybrid_data, true);
-+ }
-
- return hybrid_data;
- }
---
-2.37.1
-
diff --git a/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch b/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
new file mode 100644
index 0000000..df981a7
--- /dev/null
+++ b/SOURCES/0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
@@ -0,0 +1,90 @@
+From 45a5630e0cfe95ab90bf4a7dd1b32f418c4c759e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 23 Dec 2022 16:36:58 +0100
+Subject: [PATCH] SSS_CLIENT: delete key in lib destructor
+
+pthread_key_delete() disables thread at-exit destructors.
+Otherwise an attempt to execute already unloaded `sss_at_thread_exit()`
+would trigger segfault.
+
+This doesn't solve an issue with leaking on `dlclose()` FDs initialized in
+multiple threads, but better than crash.
+
+Resolves: https://github.com/SSSD/sssd/issues/6505
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 08ccd23fb2c831d6ea918a59b777a0073d414858)
+---
+ src/sss_client/common.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index d762dff49..2c888faa9 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -27,6 +27,7 @@
+ #include <nss.h>
+ #include <security/pam_modules.h>
+ #include <errno.h>
++#include <stdatomic.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/un.h>
+@@ -63,7 +64,8 @@
+
+ #ifdef HAVE_PTHREAD_EXT
+ static pthread_key_t sss_sd_key;
+-static pthread_once_t sss_sd_key_initialized = PTHREAD_ONCE_INIT;
++static pthread_once_t sss_sd_key_init = PTHREAD_ONCE_INIT;
++static atomic_bool sss_sd_key_initialized = false;
+ static __thread int sss_cli_sd = -1; /* the sss client socket descriptor */
+ static __thread struct stat sss_cli_sb; /* the sss client stat buffer */
+ #else
+@@ -71,9 +73,6 @@ static int sss_cli_sd = -1; /* the sss client socket descriptor */
+ static struct stat sss_cli_sb; /* the sss client stat buffer */
+ #endif
+
+-#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
+-__attribute__((destructor))
+-#endif
+ void sss_cli_close_socket(void)
+ {
+ if (sss_cli_sd != -1) {
+@@ -91,9 +90,24 @@ static void sss_at_thread_exit(void *v)
+ static void init_sd_key(void)
+ {
+ pthread_key_create(&sss_sd_key, sss_at_thread_exit);
++ sss_sd_key_initialized = true;
++}
++#endif
++
++#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
++__attribute__((destructor)) void sss_at_lib_unload(void)
++{
++#ifdef HAVE_PTHREAD_EXT
++ if (sss_sd_key_initialized) {
++ sss_sd_key_initialized = false;
++ pthread_key_delete(sss_sd_key);
++ }
++#endif
++ sss_cli_close_socket();
+ }
+ #endif
+
++
+ /* Requests:
+ *
+ * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X)
+@@ -572,7 +586,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
+ }
+
+ #ifdef HAVE_PTHREAD_EXT
+- pthread_once(&sss_sd_key_initialized, init_sd_key); /* once for all threads */
++ pthread_once(&sss_sd_key_init, init_sd_key); /* once for all threads */
+
+ /* It actually doesn't matter what value to set for a key.
+ * The only important thing: key must be non-NULL to ensure
+--
+2.37.3
+
diff --git a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch b/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
deleted file mode 100644
index 7f87ccc..0000000
--- a/SOURCES/0004-Analyzer-Fix-escaping-raw-fstring.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From f90205831c44cc2849c7221e5117b6af808411c3 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Thu, 14 Jul 2022 11:21:04 -0400
-Subject: [PATCH] Analyzer: Fix escaping raw fstring
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
-(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)
----
- src/tools/analyzer/modules/request.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index b8dd9b25c..935e13adc 100644
---- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -243,8 +243,8 @@ class RequestAnalyzer:
- be_results = False
- component = source.Component.NSS
- resp = "nss"
-- pattern = [rf'REQ_TRACE.*\[CID #{cid}\\]']
-- pattern.append(rf"\[CID#{cid}\\]")
-+ pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
-+ pattern.append(rf"\[CID#{cid}\]")
-
- if args.pam:
- component = source.Component.PAM
---
-2.37.1
-
diff --git a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch b/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
deleted file mode 100644
index a820d44..0000000
--- a/SOURCES/0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 0eae0862069e4bbbdd87b809193fc873f3003cff Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Tue, 16 Aug 2022 21:48:43 +0200
-Subject: [PATCH 5/6] CLIENT:MC: -1 is more appropriate initial value for fd
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)
----
- src/sss_client/nss_mc.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index de1496ccc..0f88521e9 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -67,9 +67,9 @@ struct sss_cli_mc_ctx {
- };
-
- #if HAVE_PTHREAD
--#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #else
--#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, 1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
-+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
- #endif
-
- errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
---
-2.37.1
-
diff --git a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch b/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
deleted file mode 100644
index f759975..0000000
--- a/SOURCES/0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From d386e94ef49d95d7305a3e6578e41a2cf61dfc5c Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Tue, 16 Aug 2022 21:51:03 +0200
-Subject: [PATCH 6/6] CLIENT:MC: pointer to the context mutex shouldn't be
- touched
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Even brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
-was creating a possibility for a race.
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)
----
- src/sss_client/nss_mc.h | 4 +++-
- src/sss_client/nss_mc_common.c | 20 ++++++++++----------
- 2 files changed, 13 insertions(+), 11 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index 0f88521e9..9ab2736fa 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -44,7 +44,9 @@ enum sss_mc_state {
- RECYCLED,
- };
-
--/* common stuff */
-+/* In the case this structure is extended, don't forget to update
-+ * `SSS_CLI_MC_CTX_INITIALIZER` and `sss_nss_mc_destroy_ctx()`.
-+ */
- struct sss_cli_mc_ctx {
- enum sss_mc_state initialized;
- #if HAVE_PTHREAD
-diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
-index f38a4a85a..3128861bf 100644
---- a/src/sss_client/nss_mc_common.c
-+++ b/src/sss_client/nss_mc_common.c
-@@ -130,25 +130,25 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
-
- static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
- {
-- uint32_t active_threads = ctx->active_threads;
--#if HAVE_PTHREAD
-- pthread_mutex_t *mutex = ctx->mutex;
--#endif
-
- if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
- munmap(ctx->mmap_base, ctx->mmap_size);
- }
-+ ctx->mmap_base = NULL;
-+ ctx->mmap_size = 0;
-+
- if (ctx->fd != -1) {
- close(ctx->fd);
- }
-- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
- ctx->fd = -1;
-
-- /* restore count of active threads */
-- ctx->active_threads = active_threads;
--#if HAVE_PTHREAD
-- ctx->mutex = mutex;
--#endif
-+ ctx->seed = 0;
-+ ctx->data_table = NULL;
-+ ctx->dt_size = 0;
-+ ctx->hash_table = NULL;
-+ ctx->ht_size = 0;
-+ ctx->initialized = UNINITIALIZED;
-+ /* `mutex` and `active_threads` should be left intact */
- }
-
- static errno_t sss_nss_mc_init_ctx(const char *name,
---
-2.37.1
-
diff --git a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch b/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
deleted file mode 100644
index 0e06c29..0000000
--- a/SOURCES/0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From f8704cc24eafe190e6c78dc21535f6029d51d647 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 15 Aug 2022 16:17:59 -0400
-Subject: [PATCH] SSSCTL: Allow analyzer to work without SSSD setup
-
-Fixes an issue when the sssctl analyzer option is
-used on systems where SSSD is not running or configured. This is
-an expected use case when using --logdir option to analyze external
-log files.
-
-Resolves: https://github.com/SSSD/sssd/issues/6298
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/tools/sssctl/sssctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 3816125ad..f18689f9f 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
- SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
- SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
- SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
-- SSS_TOOL_COMMAND("analyze", "Analyze logged data", 0, sssctl_analyze),
-+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
- #ifdef HAVE_LIBINI_CONFIG_V1_3
- SSS_TOOL_DELIMITER("Configuration files tools:"),
- SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
---
-2.37.1
-
diff --git a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch b/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
deleted file mode 100644
index 769e082..0000000
--- a/SOURCES/0008-RESPONDER-Fix-client-ID-tracking.patch
+++ /dev/null
@@ -1,297 +0,0 @@
-From e6d450d4f67c3c639a6ab7e891adccc361d80ecd Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Fri, 19 Aug 2022 09:50:22 -0400
-Subject: [PATCH 8/9] RESPONDER: Fix client ID tracking
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Client ID is not stored properly to match requests
-when parallel requests are made to client SSSD
-
-Resolves: https://github.com/SSSD/sssd/issues/6307
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/responder/common/cache_req/cache_req.c | 5 +++--
- .../plugins/cache_req_autofs_entry_by_name.c | 3 ++-
- .../cache_req/plugins/cache_req_autofs_map_by_name.c | 3 ++-
- .../cache_req/plugins/cache_req_autofs_map_entries.c | 3 ++-
- .../plugins/cache_req_ssh_host_id_by_name.c | 3 ++-
- src/responder/common/responder.h | 2 +-
- src/responder/common/responder_common.c | 12 +++++++-----
- src/responder/common/responder_dp.c | 5 +++--
- src/responder/common/responder_get_domains.c | 3 ++-
- src/responder/pam/pamsrv_cmd.c | 4 ++--
- 10 files changed, 26 insertions(+), 17 deletions(-)
-
-diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
-index 4dd45b038..bc65bae71 100644
---- a/src/responder/common/cache_req/cache_req.c
-+++ b/src/responder/common/cache_req/cache_req.c
-@@ -24,6 +24,7 @@
- #include <errno.h>
-
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "responder/common/responder.h"
- #include "responder/common/cache_req/cache_req_private.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
-@@ -1124,8 +1125,8 @@ struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
- }
- state->first_iteration = true;
-
-- SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%u] '%s'\n",
-- rctx->client_id_num, cr->reqname);
-+ SSS_REQ_TRACE_CID_CR(SSSDBG_TRACE_FUNC, cr, "New request [CID #%lu] '%s'\n",
-+ sss_chain_id_get(), cr->reqname);
-
- ret = cache_req_is_well_known_object(state, cr, &result);
- if (ret == EOK) {
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-index 788b6708c..b2b0a06eb 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
-@@ -24,6 +24,7 @@
- #include "db/sysdb.h"
- #include "db/sysdb_autofs.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
-
-@@ -86,7 +87,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
- be_conn->bus_name, SSS_BUS_PATH,
- 0, data->name.name,
- data->autofs_entry_name,
-- cr->rctx->client_id_num);
-+ sss_chain_id_get());
- }
-
- bool
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-index 5d82641cc..23b11b1cd 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
-@@ -24,6 +24,7 @@
- #include "db/sysdb.h"
- #include "db/sysdb_autofs.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
-
-@@ -82,7 +83,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
- return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
- be_conn->bus_name, SSS_BUS_PATH,
- 0, data->name.name,
-- cr->rctx->client_id_num);
-+ sss_chain_id_get());
- }
-
- bool
-diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-index 29f289723..18c08ca39 100644
---- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
-@@ -24,6 +24,7 @@
- #include "db/sysdb.h"
- #include "db/sysdb_autofs.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
-
-@@ -114,7 +115,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
- return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
- be_conn->bus_name, SSS_BUS_PATH,
- 0, data->name.name,
-- cr->rctx->client_id_num);
-+ sss_chain_id_get());
- }
-
- bool
-diff --git a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
-index a8b8f47a8..29f52f10d 100644
---- a/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_ssh_host_id_by_name.c
-@@ -23,6 +23,7 @@
-
- #include "db/sysdb_ssh.h"
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "providers/data_provider.h"
- #include "responder/common/cache_req/cache_req_plugin.h"
-
-@@ -86,7 +87,7 @@ cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
- return sbus_call_dp_dp_hostHandler_send(mem_ctx, be_conn->conn,
- be_conn->bus_name, SSS_BUS_PATH,
- 0, data->name.name, data->alias,
-- cr->rctx->client_id_num);
-+ sss_chain_id_get());
- }
-
- static bool
-diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
-index 5cb79e3e6..259b3ff13 100644
---- a/src/responder/common/responder.h
-+++ b/src/responder/common/responder.h
-@@ -165,13 +165,13 @@ struct cli_ctx {
-
- struct cli_creds *creds;
- char *cmd_line;
-- uint64_t old_chain_id;
-
- void *protocol_ctx;
- void *state_ctx;
-
- struct tevent_timer *idle;
- time_t last_request_time;
-+ uint32_t client_id_num;
- };
-
- struct sss_cmd_table {
-diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
-index 6e3b61ef0..a4ba8ea71 100644
---- a/src/responder/common/responder_common.c
-+++ b/src/responder/common/responder_common.c
-@@ -87,8 +87,6 @@ static void client_close_fn(struct tevent_context *ev,
- "Failed to close fd [%d]: [%s]\n",
- ctx->cfd, strerror(ret));
- }
-- /* Restore the original chain id */
-- sss_chain_id_set(ctx->old_chain_id);
-
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Terminated client [%p][%d]\n",
-@@ -526,7 +524,6 @@ static void accept_fd_handler(struct tevent_context *ev,
- int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd;
-
- rctx->client_id_num++;
--
- if (accept_ctx->is_private) {
- ret = stat(rctx->priv_sock_name, &stat_buf);
- if (ret == -1) {
-@@ -557,6 +554,8 @@ static void accept_fd_handler(struct tevent_context *ev,
-
- talloc_set_destructor(cctx, cli_ctx_destructor);
-
-+ cctx->client_id_num = rctx->client_id_num;
-+
- len = sizeof(cctx->addr);
- cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
- if (cctx->cfd == -1) {
-@@ -645,7 +644,7 @@ static void accept_fd_handler(struct tevent_context *ev,
-
- DEBUG(SSSDBG_TRACE_FUNC,
- "[CID#%u] Client [cmd %s][uid %u][%p][%d] connected%s!\n",
-- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
-+ cctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
- cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : "");
-
- return;
-@@ -1090,6 +1089,7 @@ void sss_client_fd_handler(void *ptr,
- uint16_t flags)
- {
- errno_t ret;
-+ uint64_t old_chain_id;
- struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
-
- /* Always reset the responder idle timer on any activity */
-@@ -1105,7 +1105,7 @@ void sss_client_fd_handler(void *ptr,
- }
-
- /* Set the chain id */
-- cctx->old_chain_id = sss_chain_id_set(cctx->rctx->client_id_num);
-+ old_chain_id = sss_chain_id_set(cctx->client_id_num);
-
- if (flags & TEVENT_FD_READ) {
- recv_fn(cctx);
-@@ -1116,6 +1116,8 @@ void sss_client_fd_handler(void *ptr,
- send_fn(cctx);
- return;
- }
-+ /* Restore the original chain id */
-+ sss_chain_id_set(old_chain_id);
- }
-
- int sss_connection_setup(struct cli_ctx *cctx)
-diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
-index d549e02d3..4b4770da1 100644
---- a/src/responder/common/responder_dp.c
-+++ b/src/responder/common/responder_dp.c
-@@ -23,6 +23,7 @@
- #include <sys/time.h>
- #include <time.h>
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "responder/common/responder_packet.h"
- #include "responder/common/responder.h"
- #include "providers/data_provider.h"
-@@ -276,7 +277,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
- subreq = sbus_call_dp_dp_getAccountInfo_send(state, be_conn->conn,
- be_conn->bus_name, SSS_BUS_PATH, dp_flags,
- entry_type, filter, dom->name, extra,
-- rctx->client_id_num);
-+ sss_chain_id_get());
- if (subreq == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
- ret = ENOMEM;
-@@ -406,7 +407,7 @@ sss_dp_resolver_get_send(TALLOC_CTX *mem_ctx,
- SSS_BUS_PATH,
- dp_flags, entry_type,
- filter_type, filter_value,
-- rctx->client_id_num);
-+ sss_chain_id_get());
- if (subreq == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
- ret = ENOMEM;
-diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
-index 918124756..aeff28d73 100644
---- a/src/responder/common/responder_get_domains.c
-+++ b/src/responder/common/responder_get_domains.c
-@@ -19,6 +19,7 @@
- */
-
- #include "util/util.h"
-+#include "util/sss_chain_id.h"
- #include "responder/common/responder.h"
- #include "providers/data_provider.h"
- #include "db/sysdb.h"
-@@ -751,7 +752,7 @@ sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx,
- be_conn->bus_name,
- SSS_BUS_PATH, dp_flags,
- entry_type, filter,
-- rctx->client_id_num);
-+ sss_chain_id_get());
- if (subreq == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n");
- ret = ENOMEM;
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index cb0e1b82f..1695554fc 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1492,7 +1492,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
- }
- preq->cctx = cctx;
- preq->cert_auth_local = false;
-- preq->client_id_num = pctx->rctx->client_id_num;
-+ preq->client_id_num = cctx->client_id_num;
-
- preq->pd = create_pam_data(preq);
- if (!preq->pd) {
-@@ -1513,7 +1513,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
-
- pd->cmd = pam_cmd;
- pd->priv = cctx->priv;
-- pd->client_id_num = pctx->rctx->client_id_num;
-+ pd->client_id_num = cctx->client_id_num;
-
- ret = pam_forwarder_parse_data(cctx, pd);
- if (ret == EAGAIN) {
---
-2.37.1
-
diff --git a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch b/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch
deleted file mode 100644
index b2c49e1..0000000
--- a/SOURCES/0009-Analyzer-support-parallel-requests-parsing.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From d22ea2df62b6e245eef75d7201b678601bf63e98 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Fri, 19 Aug 2022 14:44:11 -0400
-Subject: [PATCH 9/9] Analyzer: support parallel requests parsing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Analyzer code(primarily the list verbose command) needs
-changes to handle parsing the necessary lines from
-NSS/PAM log files when multiple intermixed/parallel
-client requests are sent to SSSD.
-
-Resolves: https://github.com/SSSD/sssd/issues/6307
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
----
- src/tools/analyzer/modules/request.py | 119 +++++++++++++++-----------
- 1 file changed, 67 insertions(+), 52 deletions(-)
-
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index 935e13adc..b9fe3caf8 100644
---- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -16,7 +16,6 @@ class RequestAnalyzer:
- """
- module_parser = None
- consumed_logs = []
-- done = ""
- list_opts = [
- Option('--verbose', 'Verbose output', bool, '-v'),
- Option('--pam', 'Filter only PAM requests', bool),
-@@ -149,58 +148,74 @@ class RequestAnalyzer:
- print(line)
- return found_results
-
-- def print_formatted(self, line, verbose):
-+ def print_formatted_verbose(self, source, patterns):
-+ """
-+ Parse line and print formatted verbose list_requests output
-+
-+ Args:
-+ source (Reader): source Reader object
-+ patterns (list): List of regex patterns to use for
-+ matching lines
-+ """
-+ # Get CID number, and print the basic line first
-+ for line in self.matched_line(source, patterns):
-+ cid = self.print_formatted(line)
-+
-+ # Loop through each line with this CID number to extract and
-+ # print the verbose data needed
-+ verbose_patterns = ["(cache_req_send|cache_req_process_input|"
-+ "cache_req_search_send)"]
-+ for cidline in self.matched_line(source, verbose_patterns):
-+ plugin = ""
-+ name = ""
-+ id = ""
-+
-+ # skip any lines not pertaining to this CID
-+ if f"CID#{cid}]" not in cidline:
-+ continue
-+ if "refreshed" in cidline:
-+ continue
-+ # CR Plugin name
-+ if re.search("cache_req_send", cidline):
-+ plugin = cidline.split('\'')[1]
-+ # CR Input name
-+ elif re.search("cache_req_process_input", cidline):
-+ name = cidline.rsplit('[')[-1]
-+ # CR Input id
-+ elif re.search("cache_req_search_send", cidline):
-+ id = cidline.rsplit()[-1]
-+
-+ if plugin:
-+ print(" - " + plugin)
-+ if name:
-+ print(" - " + name[:-2])
-+ if (id and ("UID" in cidline or "GID" in cidline)):
-+ print(" - " + id)
-+
-+ def print_formatted(self, line):
- """
- Parse line and print formatted list_requests output
-
- Args:
- line (str): line to parse
-- verbose (bool): If true, enable verbose output
-+ Returns:
-+ Client ID from printed line, 0 otherwise
- """
-- plugin = ""
-- name = ""
-- id = ""
--
- # exclude backtrace logs
- if line.startswith(' * '):
-- return
-- fields = line.split("[")
-- cr_field = fields[3][7:]
-- cr = cr_field.split(":")[0][4:]
-+ return 0
- if "refreshed" in line:
-- return
-- # CR Plugin name
-- if re.search("cache_req_send", line):
-- plugin = line.split('\'')[1]
-- # CR Input name
-- elif re.search("cache_req_process_input", line):
-- name = line.rsplit('[')[-1]
-- # CR Input id
-- elif re.search("cache_req_search_send", line):
-- id = line.rsplit()[-1]
-- # CID and client process name
-- else:
-- ts = line.split(")")[0]
-- ts = ts[1:]
-- fields = line.split("[")
-- cid = fields[3][4:-9]
-- cmd = fields[4][4:-1]
-- uid = fields[5][4:-1]
-- if not uid.isnumeric():
-- uid = fields[6][4:-1]
-- print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
--
-- if verbose:
-- if plugin:
-- print(" - " + plugin)
-- if name:
-- if cr not in self.done:
-- print(" - " + name[:-2])
-- self.done = cr
-- if id:
-- if cr not in self.done:
-- print(" - " + id)
-- self.done = cr
-+ return 0
-+ ts = line.split(")")[0]
-+ ts = ts[1:]
-+ fields = line.split("[")
-+ cid = fields[3][4:-9]
-+ cmd = fields[4][4:-1]
-+ uid = fields[5][4:-1]
-+ if not uid.isnumeric():
-+ uid = fields[6][4:-1]
-+ print(f'{ts}: [uid {uid}] CID #{cid}: {cmd}')
-+ return cid
-
- def list_requests(self, args):
- """
-@@ -215,20 +230,20 @@ class RequestAnalyzer:
- # Log messages matching the following regex patterns contain
- # the useful info we need to produce list output
- patterns = [r'\[cmd']
-- patterns.append("(cache_req_send|cache_req_process_input|"
-- "cache_req_search_send)")
- if args.pam:
- component = source.Component.PAM
- resp = "pam"
-
- logger.info(f"******** Listing {resp} client requests ********")
- source.set_component(component, False)
-- self.done = ""
-- for line in self.matched_line(source, patterns):
-- if isinstance(source, Journald):
-- print(line)
-- else:
-- self.print_formatted(line, args.verbose)
-+ if args.verbose:
-+ self.print_formatted_verbose(source, patterns)
-+ else:
-+ for line in self.matched_line(source, patterns):
-+ if isinstance(source, Journald):
-+ print(line)
-+ else:
-+ self.print_formatted(line)
-
- def track_request(self, args):
- """
---
-2.37.1
-
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index be99c00..f598498 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -26,23 +26,17 @@
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd
-Version: 2.7.3
-Release: 3%{?dist}
+Version: 2.8.2
+Release: 2%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
-Patch0001: 0001-Makefile-remove-unneeded-dependency.patch
-Patch0002: 0002-CLIENT-MC-store-context-mutex-outside-of-context-as-.patch
-Patch0003: 0003-CACHE_REQ-Fix-hybrid-lookup-log-spamming.patch
-Patch0004: 0004-Analyzer-Fix-escaping-raw-fstring.patch
-Patch0005: 0005-CLIENT-MC-1-is-more-appropriate-initial-value-for-fd.patch
-Patch0006: 0006-CLIENT-MC-pointer-to-the-context-mutex-shouldn-t-be-.patch
-Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
-Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
-Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
+Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+Patch0002: 0002-MAN-mention-attributes-in-see-also.patch
+Patch0003: 0003-SSS_CLIENT-delete-key-in-lib-destructor.patch
### Dependencies ###
@@ -126,6 +120,7 @@ BuildRequires: samba-winbind
BuildRequires: selinux-policy-targeted
# required for p11_child smartcard tests
BuildRequires: softhsm >= 2.1.0
+BuildRequires: bc
BuildRequires: systemd-devel
BuildRequires: systemtap-sdt-devel
BuildRequires: uid_wrapper
@@ -1067,6 +1062,40 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
+* Mon Jan 16 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
+- Resolves: rhbz#2160001 - Reference to 'sssd-ldap-attributes' man page is missing in 'sssd-ldap', etc man pages
+- Resolves: rhbz#2143159 - automount killed by SIGSEGV
+
+* Fri Dec 16 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-1
+- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
+- Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
+- Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
+- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
+- Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
+- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
+- Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
+- Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
+- Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
+
+* Fri Nov 4 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.8.1-1
+- Resolves: rhbz#2127510 - Rebase SSSD for RHEL 9.2
+- Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
+- Resolves: rhbz#1766490 - Use negative cache better and domain checks for lookup by SIDs
+- Resolves: rhbz#1964121 - RFE: Add an option to sssd config to convert home directories to lowercase (or add a new template for the 'override_homedir' option)
+- Resolves: rhbz#2074307 - reduce debug level in case well_known_sid_to_name() fails
+- Resolves: rhbz#2096031 - SSSD: sdap_handle_id_collision_for_incomplete_groups debug message missing a new line
+- Resolves: rhbz#2103325 - Supported AD group types should be explained in the docs
+- Resolves: rhbz#2111388 - authenticating against external IdP services okta (native app) with OAuth client secret failed
+- Resolves: rhbz#2115171 - SSSD: duplicate dns_resolver_* option in man sssd.conf
+- Resolves: rhbz#2127492 - sssd timezone issues sudonotafter
+- Resolves: rhbz#2128840 - [RFE] provide dbus method to find users by attr
+- Resolves: rhbz#2128883 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
+- Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
+- Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
+
+* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
+- Related: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
+
* Tue Aug 23 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-3
- Resolves: rhbz#2116389 - rpc.gssd crash when access a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-2.el9
- Resolves: rhbz#2119373 - sssctl analyze --logdir option requires sssd to be configured