diff --git a/SOURCES/0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch b/SOURCES/0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch
new file mode 100644
index 0000000..cbfdcb1
--- /dev/null
+++ b/SOURCES/0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch
@@ -0,0 +1,80 @@
+From dfdd2fe5c177d70a0c5db383820f237ebc7e722f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 24 Nov 2016 18:07:56 +0100
+Subject: [PATCH 157/157] SSH: Use default_domain_suffix for users' authorized
+ keys
+
+In commit eeecc48d22a28bb69da56f6ffd8824163fc9bf00 we disabled
+default_domain_suffix for the SSH responder, but in a wrong way -- we
+disabled the functionality completely, also for users, not only for
+computers. This might have been correct at the time, since SSH keys in ID
+overrides are a relatively new feature, but it's definitely not correct
+in general.
+
+Instead, this patch restores the use of default_domain_suffix, but only
+for looking up public keys of users, not of computers.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3259
+
+Reviewed-by: Petr Cech <pcech@redhat.com>
+(cherry picked from commit ed71fba97dfcf5b3f0f1834c06660c481b9ab3ce)
+(cherry picked from commit 2949fe58ac344c44d756ca309d4b2b7f3590cee3)
+---
+ src/responder/ssh/sshsrv_cmd.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
+index ab721d66e5299ba6810a599a15a10094d5792092..2e64893dfc2018727e6fc5fb80b47bd7eb1fac58 100644
+--- a/src/responder/ssh/sshsrv_cmd.c
++++ b/src/responder/ssh/sshsrv_cmd.c
+@@ -36,7 +36,8 @@
+ #include "responder/ssh/sshsrv_private.h"
+
+ static errno_t
+-ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx);
++ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx,
++ char *default_domain);
+
+ static errno_t
+ ssh_user_pubkeys_search(struct ssh_cmd_ctx *cmd_ctx);
+@@ -57,7 +58,7 @@ sss_ssh_cmd_get_user_pubkeys(struct cli_ctx *cctx)
+ cmd_ctx->cctx = cctx;
+ cmd_ctx->is_user = true;
+
+- ret = ssh_cmd_parse_request(cmd_ctx);
++ ret = ssh_cmd_parse_request(cmd_ctx, cctx->rctx->default_domain);
+ if (ret != EOK) {
+ goto done;
+ }
+@@ -107,7 +108,7 @@ sss_ssh_cmd_get_host_pubkeys(struct cli_ctx *cctx)
+ cmd_ctx->cctx = cctx;
+ cmd_ctx->is_user = false;
+
+- ret = ssh_cmd_parse_request(cmd_ctx);
++ ret = ssh_cmd_parse_request(cmd_ctx, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+@@ -681,7 +682,8 @@ done:
+ }
+
+ static errno_t
+-ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
++ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx,
++ char *default_domain)
+ {
+ struct cli_protocol *pctx;
+ struct ssh_ctx *ssh_ctx;
+@@ -754,6 +756,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
+ return EINVAL;
+ }
+ c += domain_len;
++ } else {
++ domain = default_domain;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+--
+2.9.3
+
diff --git a/SOURCES/0158-SERVER-Set-the-process-group-during-server_setup.patch b/SOURCES/0158-SERVER-Set-the-process-group-during-server_setup.patch
new file mode 100644
index 0000000..7fc6190
--- /dev/null
+++ b/SOURCES/0158-SERVER-Set-the-process-group-during-server_setup.patch
@@ -0,0 +1,92 @@
+From 7e0a61d1c10f30e694f5f536b374c72f774b50a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Sun, 8 Jan 2017 23:27:57 +0100
+Subject: [PATCH 158/160] SERVER: Set the process group during server_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+By calling setpgid() in server_setup() we are able to kill the process
+in the watchdog by simply doing kill(-getpid(), SIGTERM).
+
+However, in order to have it working properly the SELinux policy for
+SSSD has to be updated and unless SSSD is ran with SELinux on permissive
+mode, each of the responders and the monitor will trigger a similar
+message:
+
+ Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc: denied
+ { setpgid } for pid=11630 comm="sssd_pac"
+ scontext=system_u:system_r:sssd_t:s0
+ tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0
+
+It's important to say that till SELinux policy is fixed, we might end up
+leaking some processes.
+
+Related:
+https://fedorahosted.org/sssd/ticket/3266
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+(cherry picked from commit 087162b85e191af51637904702813969b35eaadc)
+(cherry picked from commit 442985a7af2262fab57f56c7a8cd40af10081610)
+---
+ src/monitor/monitor.c | 6 +++---
+ src/util/server.c | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+index 0f01580e01b6a0a9ab507a54183e5813133be5a9..17e980dbf165634491a05012399945f2d21c2056 100644
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -1606,7 +1606,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
+ "Terminating [%s][%d]\n", svc->name, svc->pid);
+ do {
+ errno = 0;
+- kret = kill(svc->pid, SIGTERM);
++ kret = kill(-svc->pid, SIGTERM);
+ if (kret < 0) {
+ error = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",
+@@ -1627,7 +1627,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
+ "[%d][%s] while waiting for [%s]\n",
+ error, strerror(error), svc->name);
+ /* Forcibly kill this child */
+- kill(svc->pid, SIGKILL);
++ kill(-svc->pid, SIGKILL);
+ break;
+ }
+ } else if (pid != 0) {
+@@ -1642,7 +1642,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Child [%s] did not exit cleanly\n", svc->name);
+ /* Forcibly kill this child */
+- kill(svc->pid, SIGKILL);
++ kill(-svc->pid, SIGKILL);
+ }
+ killed = true;
+ }
+diff --git a/src/util/server.c b/src/util/server.c
+index 013e572e6284b16534910088f7801219251896d8..d333c3c3c771c38005183831fc7a4b004a59a6c3 100644
+--- a/src/util/server.c
++++ b/src/util/server.c
+@@ -460,6 +460,17 @@ int server_setup(const char *name, int flags,
+ struct logrotate_ctx *lctx;
+ char *locale;
+ int watchdog_interval;
++ pid_t my_pid;
++
++ my_pid = getpid();
++ ret = setpgid(my_pid, my_pid);
++ if (ret != EOK) {
++ ret = errno;
++ DEBUG(SSSDBG_MINOR_FAILURE,
++ "Failed setting process group: %s[%d]. "
++ "We might leak processes in case of failure\n",
++ sss_strerror(ret), ret);
++ }
+
+ ret = chown_debug_file(NULL, uid, gid);
+ if (ret != EOK) {
+--
+2.9.3
+
diff --git a/SOURCES/0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch b/SOURCES/0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
new file mode 100644
index 0000000..9e2d757
--- /dev/null
+++ b/SOURCES/0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
@@ -0,0 +1,44 @@
+From 57404a6b7ca0d86ba661e358f3544a32ef4e15bc Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 15 Aug 2016 12:54:20 +0200
+Subject: [PATCH 159/160] WATCHDOG: define and use _MAX_TICKS as 3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of using the number 3 directly, let's introduce and use
+WATCHDOG_MAX_TICKS.
+
+Reviewed-by: Petr Čech <pcech@redhat.com>
+(cherry picked from commit d7075a255a1f28e890539072e06d0140ffe0927c)
+---
+ src/util/util_watchdog.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index 1c27d73f13b3042ecb549a2184e1368e8339d199..c184fbd759bdbca4a9eae379ff0d87e2d1628470 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -22,6 +22,7 @@
+ #include "util/util.h"
+
+ #define WATCHDOG_DEF_INTERVAL 10
++#define WATCHDOG_MAX_TICKS 3
+
+ /* this is intentionally a global variable */
+ struct watchdog_ctx {
+@@ -75,9 +76,8 @@ static void watchdog_handler(int sig)
+ return;
+ }
+
+- /* if 3 ticks passed by kills itself */
+-
+- if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
++ /* if a pre-defined number of ticks passed by kills itself */
++ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Watchdog timer overflow, killing process!\n");
+ orderly_shutdown(1);
+--
+2.9.3
+
diff --git a/SOURCES/0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch b/SOURCES/0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch
new file mode 100644
index 0000000..68c466e
--- /dev/null
+++ b/SOURCES/0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch
@@ -0,0 +1,294 @@
+From 6955a5c2a0abf38adace2553f21ea072416b1f61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Wed, 7 Dec 2016 21:36:56 +0100
+Subject: [PATCH 160/160] WATCHDOG: Avoid non async-signal-safe from the
+ signal_handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While debugging rhbz#1396912 a deadlock on sssd_be was noticed[0] and
+it's been caused by the use of non async-signal-safe functions from the
+signal_handler (please, see man 7 signal for more info about which are
+the async-signal-safe functions that can be used).
+
+In order to work this situation around a pipe has been added to the
+watchdog_ctx structure and, in case of clock screw, a single byte is
+written to this pipe (which is an async-signal-safe operation) and the
+logic currently done by the timer handler to reset the watchdog will be
+done inside the fd handler in a safe way.
+
+With this patch we ended up losing some debug messages as
+orderly_shutdown() has been replaced by kill(-getpgrp(), SIGTERM) (or
+_exit(1) considering the cases where setting up the process group during
+the server_setup() has failed).
+Personally I don't think is worth the trouble to try to log those messages
+properly in this specific case.
+
+It's really worth to mention that a proper fix the clock screw situation
+should be implemented on samba's side, by having tevent using monotonic
+(or boottime) clock.
+
+[0]:
+ [root@dusan ~]# pstack 17922
+ #0 __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95
+ #1 0x00007fe707d04f93 in _L_lock_14932 () from /lib64/libc.so.6
+ #2 0x00007fe707d02013 in __GI___libc_malloc (bytes=140630248638304, bytes@entry=15) at malloc.c:2891
+ #3 0x00007fe707d0888a in __GI___strdup (s=0x7fe707dff4f7 "/etc/localtime") at strdup.c:42
+ #4 0x00007fe707d31b61 in tzset_internal (always=<optimized out>, explicit=explicit@entry=1) at tzset.c:438
+ #5 0x00007fe707d32523 in __tz_convert (timer=timer@entry=0x7ffcd5d2b090, use_localtime=use_localtime@entry=1, tp=tp@entry=0x7fe708041d40 <_tmbuf>) at tzset.c:621
+ #6 0x00007fe707d30521 in __GI_localtime (t=t@entry=0x7ffcd5d2b090) at localtime.c:42
+ #7 0x00007fe70886c7b0 in sss_vdebug_fn (file=<optimized out>, line=<optimized out>, function=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=16, flags=flags@entry=0, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n", ap=ap@entry=0x7ffcd5d2b130) at src/util/debug.c:248
+ #8 0x00007fe70886c995 in sss_debug_fn (file=file@entry=0x7fe70bff263b "src/util/util_watchdog.c", line=line@entry=82, function=function@entry=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=level@entry=16, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n") at src/util/debug.c:284
+ #9 0x00007fe70bfdb409 in watchdog_handler (sig=<optimized out>) at src/util/util_watchdog.c:81
+ #10 <signal handler called>
+ #11 0x00007fe707cff664 in _int_malloc (av=av@entry=0x7fe70803c760 <main_arena>, bytes=bytes@entry=151) at malloc.c:3494
+ #12 0x00007fe707d01fbc in __GI___libc_malloc (bytes=bytes@entry=151) at malloc.c:2893
+ #13 0x00007fe708450749 in __talloc_with_prefix (prefix_len=0, size=55, context=0x7fe718373210) at ../talloc.c:668
+ #14 __talloc (size=55, context=0x7fe718373210) at ../talloc.c:708
+ #15 _talloc_named_const (name=0x7fe70bb7015d "../common/ldb_pack.c:425", size=55, context=0x7fe718373210) at ../talloc.c:865
+ #16 talloc_named_const (context=<optimized out>, size=size@entry=55, name=name@entry=0x7fe70bb7015d "../common/ldb_pack.c:425") at ../talloc.c:1606
+ #17 0x00007fe70bb61803 in ldb_unpack_data_only_attr_list (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=0x7fe7184aa1e0, list=list@entry=0x0, list_size=list_size@entry=0, nb_elements_in_db=nb_elements_in_db@entry=0x0) at ../common/ldb_pack.c:425
+ #18 0x00007fe70bb61a7d in ldb_unpack_data (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=<optimized out>) at ../common/ldb_pack.c:470
+ #19 0x00007fe6fdc29b46 in ltdb_parse_data_unpack (key=..., data=..., private_data=0x7ffcd5d2ba70) at ../ldb_tdb/ldb_search.c:249
+ #20 0x00007fe70a5e0a24 in tdb_parse_data (tdb=tdb@entry=0x7fe70e4eaa10, key=..., offset=15619748, len=414772, parser=parser@entry=0x7fe6fdc29b10 <ltdb_parse_data_unpack>, private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/io.c:637
+ #21 0x00007fe70a5dc1fc in tdb_parse_record (tdb=0x7fe70e4eaa10, key=..., parser=parser@entry=0x7fe6fdc29b10 <ltdb_parse_data_unpack>, private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/tdb.c:253
+ #22 0x00007fe6fdc29e7b in ltdb_search_dn1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, msg=msg@entry=0x7fe7184aa1e0) at ../ldb_tdb/ldb_search.c:287
+ #23 0x00007fe6fdc2acbb in ltdb_dn_list_load (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, list=list@entry=0x7fe7183c3a30) at ../ldb_tdb/ldb_index.c:181
+ #24 0x00007fe6fdc2bbbb in ltdb_index_add1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", v_idx=v_idx@entry=0, el=<optimized out>, el=<optimized out>) at ../ldb_tdb/ldb_index.c:1134
+ #25 0x00007fe6fdc2c62c in ltdb_index_add_el (el=0x7fe7184aa3e0, dn=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", module=0x7fe70e4eab50) at ../ldb_tdb/ldb_index.c:1180
+ #26 ltdb_index_add_element (module=module@entry=0x7fe70e4eab50, dn=<optimized out>, el=el@entry=0x7fe7184aa3e0) at ../ldb_tdb/ldb_index.c:1290
+ #27 0x00007fe6fdc290bb in ltdb_modify_internal (module=module@entry=0x7fe70e4eab50, msg=0x7fe7183bf0c0, req=req@entry=0x7fe7183bdc10) at ../ldb_tdb/ldb_tdb.c:903
+ #28 0x00007fe6fdc2958a in ltdb_modify (ctx=0x7fe7183c2950, ctx=0x7fe7183c2950) at ../ldb_tdb/ldb_tdb.c:998
+ #29 ltdb_callback (ev=<optimized out>, te=<optimized out>, t=..., private_data=<optimized out>) at ../ldb_tdb/ldb_tdb.c:1380
+ #30 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4d2890) at ../tevent_timed.c:341
+ #31 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4d2890, location=<optimized out>) at ../tevent_epoll.c:911
+ #32 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4d2890, location=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent_standard.c:114
+ #33 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4d2890, location=location@entry=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent.c:533
+ #34 0x00007fe70bb6bc4f in ldb_wait (handle=0x7fe7183c4530, type=<optimized out>) at ../common/ldb.c:631
+ #35 0x00007fe70bb6c793 in ldb_autotransaction_request (ldb=0x7fe70e4d52c0, req=0x7fe7183bdc10) at ../common/ldb.c:573
+ #36 0x00007fe70bb6d263 in ldb_modify (ldb=ldb@entry=0x7fe70e4d52c0, message=<optimized out>) at ../common/ldb.c:1655
+ #37 0x00007fe70bfa2ab5 in sysdb_set_cache_entry_attr (ldb=0x7fe70e4d52c0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bf680, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1159
+ #38 0x00007fe70bfa304d in sysdb_rep_ts_entry_attr (sysdb=0x7fe70e4eadd0, attrs=0x7fe7183bf680, entry_dn=0x7fe7183c4760) at src/db/sysdb_ops.c:1218
+ #39 sysdb_set_ts_entry_attr (sysdb=sysdb@entry=0x7fe70e4eadd0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1248
+ #40 0x00007fe70bfa4aa9 in sysdb_set_entry_attr (sysdb=0x7fe70e4eadd0, entry_dn=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1199
+ #41 0x00007fe70bfa4b5f in sysdb_set_user_attr (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1285
+ #42 0x00007fe70bfa58c3 in sysdb_add_user (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", uid=uid@entry=1415408147, gid=<optimized out>, gid@entry=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:1928
+ #43 0x00007fe70bfab271 in sysdb_store_new_user (now=1481105315, cache_timeout=5400, attrs=0x7fe7183bb840, orig_dn=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", shell=0x0, homedir=0x0, gecos=0x7fe710465d00 "Test User7045", gid=1415400513, uid=1415408147, name=0x7fe7183c01f0 "testuser7045@domain.com", domain=0x7fe70e4d62f0) at src/db/sysdb_ops.c:2549
+ #44 sysdb_store_user (domain=domain@entry=0x7fe70e4d62f0, name=0x7fe7183c01f0 "testuser7045@domain.com", pwd=pwd@entry=0x0, uid=1415408147, gid=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, remove_attrs=0x7fe7183c08a0, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:2499
+ #45 0x00007fe6fba0d9f9 in sdap_save_user (memctx=memctx@entry=0x7fe70e544ee0, opts=opts@entry=0x7fe70e518400, dom=dom@entry=0x7fe70e4d62f0, attrs=<optimized out>, _usn_value=_usn_value@entry=0x7ffcd5d2c260, now=now@entry=1481105315) at src/providers/ldap/sdap_async_users.c:509
+ #46 0x00007fe6fba0df9a in sdap_save_users (memctx=memctx@entry=0x7fe70e544e40, sysdb=0x7fe70e4eadd0, dom=0x7fe70e4d62f0, opts=0x7fe70e518400, users=<optimized out>, num_users=10006, _usn_value=_usn_value@entry=0x7fe70e544e60) at src/providers/ldap/sdap_async_users.c:572
+ #47 0x00007fe6fba0e460 in sdap_get_users_done (subreq=<optimized out>) at src/providers/ldap/sdap_async_users.c:938
+ #48 0x00007fe6fba0c9d5 in sdap_search_user_process (subreq=0x0) at src/providers/ldap/sdap_async_users.c:814
+ #49 0x00007fe6fba07379 in generic_ext_search_handler (subreq=0x0, opts=<optimized out>) at src/providers/ldap/sdap_async.c:1689
+ #50 0x00007fe6fba0991b in sdap_get_generic_op_finished (op=<optimized out>, reply=<optimized out>, error=<optimized out>, pvt=<optimized out>) at src/providers/ldap/sdap_async.c:1621
+ #51 0x00007fe6fba083cd in sdap_process_message (ev=<optimized out>, sh=<optimized out>, msg=0x7fe70e5f9ce0) at src/providers/ldap/sdap_async.c:353
+ #52 sdap_process_result (ev=<optimized out>, pvt=<optimized out>) at src/providers/ldap/sdap_async.c:197
+ #53 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4cbc30) at ../tevent_timed.c:341
+ #54 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4cbc30, location=<optimized out>) at ../tevent_epoll.c:911
+ #55 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:114
+ #56 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4cbc30, location=location@entry=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:533
+ #57 0x00007fe7086605ab in tevent_common_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:637
+ #58 0x00007fe7086641f7 in std_event_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:140
+ #59 0x00007fe70bfd1993 in server_loop (main_ctx=0x7fe70e4cd080) at src/util/server.c:702
+ #60 0x00007fe70c84cb82 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:587
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3266
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+(cherry picked from commit e6a5f8c58539fc31fd81fac89cfc85703b4250ea)
+(cherry picked from commit 0606a71b698c4acf954ba7284e62acbd0aa5e52d)
+---
+ src/util/util_watchdog.c | 118 ++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 96 insertions(+), 22 deletions(-)
+
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index c184fbd759bdbca4a9eae379ff0d87e2d1628470..0df85b71c0b078dc2dfd23a39df82d1a10bad7d6 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -23,6 +23,7 @@
+
+ #define WATCHDOG_DEF_INTERVAL 10
+ #define WATCHDOG_MAX_TICKS 3
++#define DEFAULT_BUFFER_SIZE 4096
+
+ /* this is intentionally a global variable */
+ struct watchdog_ctx {
+@@ -35,32 +36,27 @@ struct watchdog_ctx {
+ struct tevent_context *ev;
+ int input_interval;
+ time_t timestamp;
++ struct tevent_fd *tfd;
++ int pipefd[2];
+ } watchdog_ctx;
+
+-static bool watchdog_detect_timeshift(void)
++static void watchdog_detect_timeshift(void)
+ {
+ time_t prev_time;
+ time_t cur_time;
+- errno_t ret;
+
+ prev_time = watchdog_ctx.timestamp;
+ cur_time = watchdog_ctx.timestamp = time(NULL);
+ if (cur_time < prev_time) {
+ /* Time shift detected. We need to restart watchdog. */
+- DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, "
+- "restarting watchdog!\n");
+- teardown_watchdog();
+- ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog "
+- "[%d]: %s\n", ret, sss_strerror(ret));
+- orderly_shutdown(1);
++ if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) {
++ if (getpid() == getpgrp()) {
++ kill(-getpgrp(), SIGTERM);
++ } else {
++ _exit(1);
++ }
+ }
+-
+- return true;
+ }
+-
+- return false;
+ }
+
+ /* the watchdog is purposefully *not* handled by the tevent
+@@ -70,17 +66,16 @@ static bool watchdog_detect_timeshift(void)
+ * signals either */
+ static void watchdog_handler(int sig)
+ {
+- /* Do not count ticks if time shift was detected
+- * since watchdog was restarted. */
+- if (watchdog_detect_timeshift()) {
+- return;
+- }
++
++ watchdog_detect_timeshift();
+
+ /* if a pre-defined number of ticks passed by kills itself */
+ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
+- DEBUG(SSSDBG_FATAL_FAILURE,
+- "Watchdog timer overflow, killing process!\n");
+- orderly_shutdown(1);
++ if (getpid() == getpgrp()) {
++ kill(-getpgrp(), SIGTERM);
++ } else {
++ _exit(1);
++ }
+ }
+ }
+
+@@ -109,10 +104,67 @@ static void watchdog_event_handler(struct tevent_context *ev,
+ }
+ }
+
++static errno_t watchdog_fd_recv_data(int fd)
++{
++ ssize_t len;
++ char buffer[DEFAULT_BUFFER_SIZE];
++ errno_t ret;
++
++ errno = 0;
++ len = read(fd, buffer, DEFAULT_BUFFER_SIZE);
++ if (len == -1) {
++ if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) {
++ return EAGAIN;
++ } else {
++ ret = errno;
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "write failed [%d]: %s\n", ret, strerror(ret));
++ return ret;
++ }
++ }
++
++ return EOK;
++}
++
++static void watchdog_fd_read_handler(struct tevent_context *ev,
++ struct tevent_fd *fde,
++ uint16_t flags,
++ void *data)
++{
++ errno_t ret;
++
++ ret = watchdog_fd_recv_data(watchdog_ctx.pipefd[0]);
++ switch(ret) {
++ case EAGAIN:
++ DEBUG(SSSDBG_TRACE_ALL,
++ "Interrupted before any data could be read, retry later.\n");
++ return;
++ case EOK:
++ /* all fine */
++ break;
++ default:
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "Failed to receive data [%d]: %s. "
++ "orderly_shutdown() will be called.\n", ret, strerror(ret));
++ orderly_shutdown(1);
++ }
++
++ DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, "
++ "restarting watchdog!\n");
++ teardown_watchdog();
++ ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog "
++ "[%d]: %s\n", ret, sss_strerror(ret));
++ orderly_shutdown(1);
++ }
++}
++
+ int setup_watchdog(struct tevent_context *ev, int interval)
+ {
+ struct sigevent sev;
+ struct itimerspec its;
++ struct tevent_fd *tfd;
+ int signum = SIGRTMIN;
+ int ret;
+
+@@ -142,6 +194,21 @@ int setup_watchdog(struct tevent_context *ev, int interval)
+ watchdog_ctx.input_interval = interval;
+ watchdog_ctx.timestamp = time(NULL);
+
++ ret = pipe(watchdog_ctx.pipefd);
++ if (ret == -1) {
++ ret = errno;
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "pipe failed [%d] [%s].\n", ret, strerror(ret));
++ return ret;
++ }
++
++ sss_fd_nonblocking(watchdog_ctx.pipefd[0]);
++ sss_fd_nonblocking(watchdog_ctx.pipefd[1]);
++
++ tfd = tevent_add_fd(ev, (TALLOC_CTX *)ev, watchdog_ctx.pipefd[0],
++ TEVENT_FD_READ, watchdog_fd_read_handler, NULL);
++ watchdog_ctx.tfd = tfd;
++
+ /* Start the timer */
+ /* we give 1 second head start to the watchdog event */
+ its.it_value.tv_sec = interval + 1;
+@@ -178,6 +245,13 @@ void teardown_watchdog(void)
+ ret, strerror(ret));
+ }
+
++ /* Free the tevent_fd */
++ talloc_zfree(watchdog_ctx.tfd);
++
++ /* Close the pipefds */
++ PIPE_FD_CLOSE(watchdog_ctx.pipefd[0]);
++ PIPE_FD_CLOSE(watchdog_ctx.pipefd[1]);
++
+ /* and kill the watchdog event */
+ talloc_free(watchdog_ctx.te);
+ }
+--
+2.9.3
+
diff --git a/SOURCES/0161-TESTS-Extending-sysdb-sudo-store-tests.patch b/SOURCES/0161-TESTS-Extending-sysdb-sudo-store-tests.patch
new file mode 100644
index 0000000..23939a1
--- /dev/null
+++ b/SOURCES/0161-TESTS-Extending-sysdb-sudo-store-tests.patch
@@ -0,0 +1,225 @@
+From e2f39220bc1cbfc87bbe41e84042ab8be9d046ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
+Date: Thu, 13 Oct 2016 09:31:52 +0200
+Subject: [PATCH 161/162] TESTS: Extending sysdb sudo store tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We covered diference between case sensitive and case insensitive
+domains. If domain is case insensitive we add lowercase form of
+sudoUser to local sysdb cache.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3203
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 23637e2fd2b1fe42bdd2335893a11ac8016f56bc)
+(cherry picked from commit 143b1dcbbe865a139616a22b139e19bd772e46f0)
+---
+ src/tests/cmocka/test_sysdb_sudo.c | 168 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 167 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
+index 889de72371ac724de7c791d889a670cf25a36968..f21ff3655efbdc5b66a1fdbc24a51ec8174c3c8c 100644
+--- a/src/tests/cmocka/test_sysdb_sudo.c
++++ b/src/tests/cmocka/test_sysdb_sudo.c
+@@ -44,7 +44,7 @@ struct test_user {
+ const char *name;
+ uid_t uid;
+ gid_t gid;
+-} users[] = { { "test_user1", 1001, 1001 },
++} users[] = { { "test_USER1", 1001, 1001 },
+ { "test_user2", 1002, 1002 },
+ { "test_user3", 1003, 1003 } };
+
+@@ -104,6 +104,29 @@ static void create_rule_attrs(struct sysdb_attrs *rule, int i)
+ assert_int_equal(ret, EOK);
+ }
+
++static void create_rule_attrs_multiple_sudoUser(struct sysdb_attrs *rule)
++{
++ errno_t ret;
++
++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_CN,
++ rules[0].name);
++ assert_int_equal(ret, EOK);
++
++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_HOST,
++ rules[0].host);
++ assert_int_equal(ret, EOK);
++
++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_RUNASUSER,
++ rules[0].as_user);
++ assert_int_equal(ret, EOK);
++
++ for (int i = 0; i < 3; i++ ) {
++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_USER,
++ users[i].name);
++ assert_int_equal(ret, EOK);
++ }
++}
++
+ static int get_stored_rules_count(struct sysdb_test_ctx *test_ctx)
+ {
+ errno_t ret;
+@@ -217,6 +240,143 @@ void test_store_sudo(void **state)
+ talloc_zfree(msgs);
+ }
+
++void test_store_sudo_case_sensitive(void **state)
++{
++ errno_t ret;
++ char *filter;
++ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST,
++ SYSDB_SUDO_CACHE_AT_RUNASUSER,
++ SYSDB_SUDO_CACHE_AT_USER, NULL };
++ struct ldb_message **msgs = NULL;
++ size_t msgs_count;
++ const char *result;
++ struct ldb_message_element *element;
++ struct sysdb_attrs *rule;
++ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
++ struct sysdb_test_ctx);
++ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name);
++
++ rule = sysdb_new_attrs(test_ctx);
++ assert_non_null(rule);
++ create_rule_attrs_multiple_sudoUser(rule);
++
++ test_ctx->tctx->dom->case_sensitive = true;
++
++ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
++ assert_int_equal(ret, EOK);
++
++ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
++ assert_non_null(filter);
++
++ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
++ attrs, &msgs_count, &msgs);
++ assert_int_equal(ret, EOK);
++
++ assert_int_equal(msgs_count, 1);
++
++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
++ assert_non_null(result);
++ assert_string_equal(result, rules[0].name);
++
++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST,
++ NULL);
++ assert_non_null(result);
++ assert_string_equal(result, rules[0].host);
++
++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER,
++ NULL);
++ assert_non_null(result);
++ assert_string_equal(result, rules[0].as_user);
++
++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
++ users[0].name);
++ assert_int_equal(ret, 1);
++
++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
++ lowered_name);
++ assert_int_equal(ret, 0);
++
++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
++ users[1].name);
++ assert_int_equal(ret, 1);
++
++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
++ users[2].name);
++ assert_int_equal(ret, 1);
++
++ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER);
++ assert_int_equal(element->num_values, 3);
++
++ talloc_zfree(lowered_name);
++ talloc_zfree(rule);
++ talloc_zfree(filter);
++ talloc_zfree(msgs);
++}
++
++void test_store_sudo_case_insensitive(void **state)
++{
++ errno_t ret;
++ char *filter;
++ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST,
++ SYSDB_SUDO_CACHE_AT_RUNASUSER,
++ SYSDB_SUDO_CACHE_AT_USER, NULL };
++ struct ldb_message **msgs = NULL;
++ size_t msgs_count;
++ const char *result;
++ struct ldb_message_element *element;
++ struct sysdb_attrs *rule;
++ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
++ struct sysdb_test_ctx);
++ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name);
++
++ rule = sysdb_new_attrs(test_ctx);
++ assert_non_null(rule);
++ create_rule_attrs_multiple_sudoUser(rule);
++
++ test_ctx->tctx->dom->case_sensitive = false;
++
++ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
++ assert_int_equal(ret, EOK);
++
++ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
++ assert_non_null(filter);
++
++ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
++ attrs, &msgs_count, &msgs);
++ assert_int_equal(ret, EOK);
++
++ assert_int_equal(msgs_count, 1);
++
++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
++ assert_non_null(result);
++ assert_string_equal(result, rules[0].name);
++
++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST,
++ NULL);
++ assert_non_null(result);
++ assert_string_equal(result, rules[0].host);
++
++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER,
++ NULL);
++ assert_non_null(result);
++ assert_string_equal(result, rules[0].as_user);
++
++ for (int i = 0; i < 3; i++) {
++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
++ users[i].name);
++ assert_int_equal(ret, 1);
++ }
++
++ /* test there is no duplication of lowercase forms */
++ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER);
++ assert_int_equal(element->num_values, 4);
++
++ talloc_zfree(lowered_name);
++ talloc_zfree(rule);
++ talloc_zfree(filter);
++ talloc_zfree(msgs);
++}
++
+ void test_sudo_purge_by_filter(void **state)
+ {
+ errno_t ret;
+@@ -648,6 +808,12 @@ int main(int argc, const char *argv[])
+ cmocka_unit_test_setup_teardown(test_store_sudo,
+ test_sysdb_setup,
+ test_sysdb_teardown),
++ cmocka_unit_test_setup_teardown(test_store_sudo_case_sensitive,
++ test_sysdb_setup,
++ test_sysdb_teardown),
++ cmocka_unit_test_setup_teardown(test_store_sudo_case_insensitive,
++ test_sysdb_setup,
++ test_sysdb_teardown),
+
+ /* sysdb_sudo_purge() */
+ cmocka_unit_test_setup_teardown(test_sudo_purge_by_filter,
+--
+2.9.3
+
diff --git a/SOURCES/0162-SUDO-Only-store-lowercased-attribute-value-once.patch b/SOURCES/0162-SUDO-Only-store-lowercased-attribute-value-once.patch
new file mode 100644
index 0000000..7435a9f
--- /dev/null
+++ b/SOURCES/0162-SUDO-Only-store-lowercased-attribute-value-once.patch
@@ -0,0 +1,85 @@
+From 68cf1c69d2a19caca93d838745389f005ad66f5c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Sun, 5 Feb 2017 20:25:23 +0100
+Subject: [PATCH 162/162] SUDO: Only store lowercased attribute value once
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current code doesn't handle the situation where lowercasing the
+sudoUser attribute would yield the same value again.
+
+For example:
+ sudoUser: TUSER
+ sudoUser tuser
+would break.
+
+This patch switches to using the utility function
+sysdb_attrs_add_lower_case_string() which already checks for duplicates.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3301
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit a5ecc93abb01cece628fdef04ebad43bba267419)
+(cherry picked from commit d5ddca8b44d00b92d4a70ea90d48247635a4e1ca)
+---
+ src/db/sysdb_sudo.c | 17 +++--------------
+ src/tests/cmocka/test_sysdb_sudo.c | 5 +++++
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
+index f5160f19012028f92723b9012fad85d803aa5137..97a1bee99c0255579f42cc7263d3d755429cd417 100644
+--- a/src/db/sysdb_sudo.c
++++ b/src/db/sysdb_sudo.c
+@@ -857,7 +857,6 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+ {
+ TALLOC_CTX *tmp_ctx;
+ const char **users = NULL;
+- const char *lowered = NULL;
+ errno_t ret;
+
+ if (domain->case_sensitive == true || rule == NULL) {
+@@ -884,19 +883,9 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+ }
+
+ for (int i = 0; users[i] != NULL; i++) {
+- lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+- if (lowered == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+- ret = ENOMEM;
+- goto done;
+- }
+-
+- if (strcmp(users[i], lowered) == 0) {
+- /* It protects us from adding duplicate. */
+- continue;
+- }
+-
+- ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
++ ret = sysdb_attrs_add_lower_case_string(rule, true,
++ SYSDB_SUDO_CACHE_AT_USER,
++ users[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to add %s attribute [%d]: %s\n",
+diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
+index f21ff3655efbdc5b66a1fdbc24a51ec8174c3c8c..34afe120d97e99e3213a85bf7489a5e0f6309e4b 100644
+--- a/src/tests/cmocka/test_sysdb_sudo.c
++++ b/src/tests/cmocka/test_sysdb_sudo.c
+@@ -335,6 +335,11 @@ void test_store_sudo_case_insensitive(void **state)
+
+ test_ctx->tctx->dom->case_sensitive = false;
+
++ ret = sysdb_attrs_add_lower_case_string(rule, false,
++ SYSDB_SUDO_CACHE_AT_USER,
++ users[0].name);
++ assert_int_equal(ret, EOK);
++
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+
+--
+2.9.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 7cc3dc1..6d572df 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -33,7 +33,7 @@
Name: sssd
Version: 1.14.0
-Release: 43%{?dist}.11
+Release: 43%{?dist}.14
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -197,6 +197,12 @@ Patch0153: 0153-SYSDB-Fixing-of-sudorule-without-a-sudoUser.patch
Patch0154: 0154-MONITOR-Do-not-set-up-watchdog-for-monitor.patch
Patch0155: 0155-AUTOFS-Fix-offline-resolution-of-autofs-maps.patch
Patch0156: 0156-Prevent-use-after-free-in-fd_input_available.patch
+Patch0157: 0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch
+Patch0158: 0158-SERVER-Set-the-process-group-during-server_setup.patch
+Patch0159: 0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
+Patch0160: 0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch
+Patch0161: 0161-TESTS-Extending-sysdb-sudo-store-tests.patch
+Patch0162: 0162-SUDO-Only-store-lowercased-attribute-value-once.patch
#This patch should not be removed in RHEL-7
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -288,10 +294,10 @@ Summary: Common files for the SSSD
Group: Applications/System
License: GPLv3+
# Conflicts
-Conflicts: selinux-policy < 3.10.0-46
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
-# Requires
+# Requires
+Requires: selinux-policy >= 3.13.1-102.el7_3.15
Requires: sssd-client%{?_isa} = %{version}-%{release}
Requires: libsss_idmap%{?_isa} = %{version}-%{release}
Requires: libsss_sudo%{?_isa} = %{version}-%{release}
@@ -1191,6 +1197,21 @@ fi
/usr/bin/rm -f /var/tmp/sssd.upgrade || :
%changelog
+* Wed Feb 15 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.14.0-43.14
+- Resolves: rhbz#1422183 - Fails to accept any sudo rules if there are
+ two user entries in an ldap role with the same
+ sudo user.
+
+* Fri Feb 3 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.14.0-43.13
+- Resolves: rhbz#1418943 - If a long-running task (e.g. enumeration) blocks the
+ sssd_be process, sssd_be can deadlock
+- Also Require a new-enough version of selinux-policy so that setpgid() by sssd
+ is allowed
+
+* Wed Jan 11 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.14.0-43.12
+- Resolves: rhbz#1405584 - SSH: default_domain_suffix is not being used
+ for users' authorized keys
+
* Tue Dec 13 2016 Jakub Hrozek <jhrozek@redhat.com> - 1.14.0-43.11
- Resolves: rhbz#1404340 - Use-after free in resolver in case the fd is
writeable and readable at the same time