diff --git a/SOURCES/0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch b/SOURCES/0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch
new file mode 100644
index 0000000..54279f3
--- /dev/null
+++ b/SOURCES/0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch
@@ -0,0 +1,211 @@
+From 5c159808818fcea77822815b5f1131809c0e673c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 11 Jul 2017 12:41:57 +0200
+Subject: [PATCH 191/191] sudo: add a threshold option to reduce size of rules
+ refresh filter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a large number of rules is expired at one time the ldap filter may
+become too large to be processed by server. This commits adds a new
+option "sudo_threshold" to sudo responder. If the threshold is
+exceeded a full refreshed is done instead of rules refresh.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3478
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+(cherry picked from commit a5f300adf19ec9c3087c62bd93a5175db799687a)
+---
+ src/confdb/confdb.h | 2 ++
+ src/config/SSSDConfig/__init__.py.in | 1 +
+ src/config/cfg_rules.ini | 1 +
+ src/config/etc/sssd.api.conf | 1 +
+ src/man/sssd.conf.5.xml | 19 +++++++++++++++++++
+ src/responder/sudo/sudosrv.c | 11 +++++++++++
+ src/responder/sudo/sudosrv_get_sudorules.c | 25 ++++++++++++++++++++-----
+ src/responder/sudo/sudosrv_private.h | 1 +
+ 8 files changed, 56 insertions(+), 5 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 2ba1bc47ee11f699726cefaf7c3335d2a8afee49..884b5bd1a493ca9a71654536524125eb8c7c4533 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -139,6 +139,8 @@
+ #define CONFDB_DEFAULT_SUDO_TIMED false
+ #define CONFDB_SUDO_INVERSE_ORDER "sudo_inverse_order"
+ #define CONFDB_DEFAULT_SUDO_INVERSE_ORDER false
++#define CONFDB_SUDO_THRESHOLD "sudo_threshold"
++#define CONFDB_DEFAULT_SUDO_THRESHOLD 50
+
+ /* autofs */
+ #define CONFDB_AUTOFS_CONF_ENTRY "config/autofs"
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 75515ab5c68822538728900482296b9159e1547e..137a8fa4d526cb10f3136c62f3c7104d9ecb7599 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -107,6 +107,7 @@ option_strings = {
+ # [sudo]
+ 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
+ 'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
++ 'sudo_threshold' : _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed.'),
+
+ # [autofs]
+ 'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index d6506b7c3cee13f7c5400a546deb787e755abc8b..0bdcfdfbefd6cb24e0c01cb9746dbb98c63a31d2 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -144,6 +144,7 @@ option = cache_first
+ # sudo service
+ option = sudo_timed
+ option = sudo_inverse_order
++option = sudo_threshold
+
+ [rule/allowed_autofs_options]
+ validator = ini_allowed_options
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index f86589ecefa0b9e046aba781ded107f8e94395d6..9d5eaaaa23c4c5395b155563de1cdf7752aa3dde 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -79,6 +79,7 @@ pam_app_services = str, None, false
+ # sudo service
+ sudo_timed = bool, None, false
+ sudo_inverse_order = bool, None, false
++sudo_threshold = int, None, false
+
+ [autofs]
+ # autofs service
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 89729575c724622af817f1c05a94d4ae8f1ece2d..d508df82d1d99af7835079c928839dc3cc7c28cb 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -1376,6 +1376,25 @@ pam_account_locked_message = Account locked, please contact help desk.
+ </listitem>
+ </varlistentry>
+ </variablelist>
++ <variablelist>
++ <varlistentry>
++ <term>sudo_threshold (integer)</term>
++ <listitem>
++ <para>
++ Maximum number of expired rules that can be
++ refreshed at once. If number of expired rules
++ is below threshold, those rules are refreshed
++ with <quote>rules refresh</quote> mechanism. If
++ the threshold is exceeded a
++ <quote>full refresh</quote> of sudo rules is
++ triggered instead.
++ </para>
++ <para>
++ Default: 50
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
+ </refsect2>
+
+ <refsect2 id='AUTOFS' condition="with_autofs">
+diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
+index b427878d4dbe9090824a01386a7475be88b699c0..dca70ea4afc0e6df6d1b1864338c7b1091a98fee 100644
+--- a/src/responder/sudo/sudosrv.c
++++ b/src/responder/sudo/sudosrv.c
+@@ -148,6 +148,17 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
+ goto fail;
+ }
+
++ /* Get sudo_inverse_order option */
++ ret = confdb_get_int(sudo_ctx->rctx->cdb,
++ CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_THRESHOLD,
++ CONFDB_DEFAULT_SUDO_THRESHOLD,
++ &sudo_ctx->threshold);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n",
++ ret, strerror(ret));
++ goto fail;
++ }
++
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
+index cfdbfc9c9c66d96f774822d6a4d4aaaf1327abe3..3272e634d895acf4854309371779a00cf1525126 100644
+--- a/src/responder/sudo/sudosrv_get_sudorules.c
++++ b/src/responder/sudo/sudosrv_get_sudorules.c
+@@ -479,6 +479,7 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *domain,
++ int threshold,
+ uid_t uid,
+ const char *username,
+ char **groups)
+@@ -520,9 +521,20 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx,
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Refreshing %d expired rules of [%s@%s]\n",
+ num_rules, username, domain->name);
+
+- subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
+- SSS_DP_SUDO_REFRESH_RULES,
+- username, num_rules, rules);
++ if (num_rules > threshold) {
++ DEBUG(SSSDBG_TRACE_INTERNAL,
++ "Rules threshold [%d] is reached, performing full refresh "
++ "instead.\n", threshold);
++
++ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
++ SSS_DP_SUDO_FULL_REFRESH,
++ username, 0, NULL);
++ } else {
++ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false,
++ SSS_DP_SUDO_REFRESH_RULES,
++ username, num_rules, rules);
++ }
++
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+@@ -609,6 +621,7 @@ struct sudosrv_get_rules_state {
+ struct sss_domain_info *domain;
+ char **groups;
+ bool inverse_order;
++ int threshold;
+
+ struct sysdb_attrs **rules;
+ uint32_t num_rules;
+@@ -640,6 +653,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
+ state->type = type;
+ state->uid = uid;
+ state->inverse_order = sudo_ctx->inverse_order;
++ state->threshold = sudo_ctx->threshold;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Running initgroups for [%s]\n", username);
+
+@@ -696,8 +710,9 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
+ }
+
+ subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx,
+- state->domain, state->uid,
+- state->username, state->groups);
++ state->domain, state->threshold,
++ state->uid, state->username,
++ state->groups);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
+index 94f3c4458ab20e64db3e0bfce726d5d30a70a202..c76bdd3955bc29b7ba2cda58c503a4c616d7e63a 100644
+--- a/src/responder/sudo/sudosrv_private.h
++++ b/src/responder/sudo/sudosrv_private.h
+@@ -48,6 +48,7 @@ struct sudo_ctx {
+ */
+ bool timed;
+ bool inverse_order;
++ int threshold;
+ };
+
+ struct sudo_cmd_ctx {
+--
+2.13.5
+
diff --git a/SOURCES/0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch b/SOURCES/0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch
new file mode 100644
index 0000000..c33350b
--- /dev/null
+++ b/SOURCES/0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch
@@ -0,0 +1,57 @@
+From b9a2edea74ea04a09301f91fffb6835df72d8760 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Tue, 22 Aug 2017 13:09:18 +0200
+Subject: [PATCH 192/192] libwbclient: Change return code for
+ wbcAuthenticateUserEx
+
+Samba-4.6 change behaviour of few functions
+New version of code make sure session info for user is stored in cache.
+It is a performance optimisation to prevent contacting KDC for each
+session. More details in samba bug
+https://bugzilla.samba.org/show_bug.cgi?id=11259
+
+Old return code WBC_SSSD_NOT_IMPLEMENTED was translated
+to NT_STATUS_LOGON_FAILURE which caused many failures.
+
+ [2017/08/21 11:34:15.044321, 5, pid=27742, effective(0, 0), real(0, 0)]
+ ../libcli/security/security_token.c:53(security_token_debug)
+ Security token: (NULL)
+ [2017/08/21 11:34:15.044330, 5, pid=27742, effective(0, 0), real(0, 0)]
+ ../source3/auth/token_util.c:640(debug_unix_user_token)
+ UNIX token of user 0
+ Primary group is 0 and contains 0 supplementary groups
+ [2017/08/21 11:34:15.044349, 4, pid=27742, effective(0, 0), real(0, 0)]
+ ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
+ pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
+ [2017/08/21 11:34:15.044360, 1, pid=27742, effective(0, 0), real(0, 0)]
+ ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
+ Failed to generate session_info (user and group token) for session
+ setup: NT_STATUS_LOGON_FAILURE
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3461
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 725d04cd21016dc6092a9f03cd363bb83d7c054c)
+(cherry picked from commit aede6a1f4412f133e4b3fd76944f764d76fc4868)
+(cherry picked from commit 260062d946e7cc265e2671f88b1662276431c0bb)
+---
+ src/sss_client/libwbclient/wbc_pam_sssd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sss_client/libwbclient/wbc_pam_sssd.c b/src/sss_client/libwbclient/wbc_pam_sssd.c
+index 174cf1310fad0243036fe591978cc89700903896..77698f523e6e7aeb37d4db50b469d1604d7ee595 100644
+--- a/src/sss_client/libwbclient/wbc_pam_sssd.c
++++ b/src/sss_client/libwbclient/wbc_pam_sssd.c
+@@ -49,7 +49,7 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
+ *error = NULL;
+ }
+
+- WBC_SSSD_NOT_IMPLEMENTED;
++ return WBC_ERR_WINBIND_NOT_AVAILABLE;
+ }
+
+ /* Trigger a verification of the trust credentials of a specific domain */
+--
+2.9.4
+
diff --git a/SOURCES/0193-IPA-fix-handling-of-certmap_ctx.patch b/SOURCES/0193-IPA-fix-handling-of-certmap_ctx.patch
new file mode 100644
index 0000000..47b85fb
--- /dev/null
+++ b/SOURCES/0193-IPA-fix-handling-of-certmap_ctx.patch
@@ -0,0 +1,666 @@
+From 2fca2f1b77c0e9ae82e1a24bbf89fbc3115a5e24 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 6 Sep 2017 16:42:20 +0200
+Subject: [PATCH 193/194] IPA: fix handling of certmap_ctx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes a use-after-free in the AD provider part and
+initializes the certmap_ctx with data from the cache at startup.
+
+Related to https://pagure.io/SSSD/sssd/issue/3508
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit f2e70ec742cd7aab82b74d7e4b424ba3258da7aa)
+---
+ Makefile.am | 20 +++
+ src/providers/ipa/ipa_init.c | 7 +
+ src/providers/ipa/ipa_subdomains.c | 53 +------
+ src/providers/ipa/ipa_subdomains_server.c | 4 +-
+ src/providers/ldap/ldap_common.h | 5 +
+ src/providers/ldap/ldap_id.c | 5 +-
+ src/providers/ldap/sdap.h | 4 +-
+ src/providers/ldap/sdap_certmap.c | 152 +++++++++++++++++++
+ src/tests/cmocka/test_sdap_certmap.c | 244 ++++++++++++++++++++++++++++++
+ 9 files changed, 441 insertions(+), 53 deletions(-)
+ create mode 100644 src/providers/ldap/sdap_certmap.c
+ create mode 100644 src/tests/cmocka/test_sdap_certmap.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 503c8cfd795b503f566431c08a56a56147180322..907c3256a154ebe2aae5a1667744e1dfbe8abaae 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -257,6 +257,7 @@ if HAVE_CMOCKA
+ test_search_bases \
+ test_ldap_auth \
+ test_sdap_access \
++ test_sdap_certmap \
+ sdap-tests \
+ test_sysdb_ts_cache \
+ test_sysdb_views \
+@@ -2662,6 +2663,24 @@ test_sdap_access_LDADD = \
+ libdlopen_test_providers.la \
+ $(NULL)
+
++test_sdap_certmap_SOURCES = \
++ src/tests/cmocka/test_sdap_certmap.c \
++ src/providers/ldap/sdap_certmap.c \
++ $(NULL)
++test_sdap_certmap_CFLAGS = \
++ $(AM_CFLAGS) \
++ $(TALLOC_CFLAGS) \
++ $(POPT_CFLAGS) \
++ $(NULL)
++test_sdap_certmap_LDADD = \
++ $(CMOCKA_LIBS) \
++ $(TALLOC_LIBS) \
++ $(POPT_LIBS) \
++ $(SSSD_INTERNAL_LTLIBS) \
++ libsss_test_common.la \
++ libsss_certmap.la \
++ $(NULL)
++
+ ad_access_filter_tests_SOURCES = \
+ src/tests/cmocka/test_ad_access_filter.c
+ ad_access_filter_tests_LDADD = \
+@@ -3706,6 +3725,7 @@ libsss_ldap_common_la_SOURCES = \
+ src/providers/ldap/sdap_child_helpers.c \
+ src/providers/ldap/sdap_fd_events.c \
+ src/providers/ldap/sdap_id_op.c \
++ src/providers/ldap/sdap_certmap.c \
+ src/providers/ldap/sdap_idmap.c \
+ src/providers/ldap/sdap_idmap.h \
+ src/providers/ldap/sdap_range.c \
+diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
+index 7dec4d1fb8541a48470d4e44f10838e5bea67ad5..2b58b1341463f8947d51dee2076dbe92e3093558 100644
+--- a/src/providers/ipa/ipa_init.c
++++ b/src/providers/ipa/ipa_init.c
+@@ -649,6 +649,13 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx,
+ return ENOMEM;
+ }
+
++ ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to initialized certificate mapping.\n");
++ return ret;
++ }
++
+ return EOK;
+ }
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index ef348adf4a36e870f44387bd700f5c2beea3bfd6..6f0ff50bde234f72d62f43635d9a787316c78430 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -311,25 +311,6 @@ struct priv_sss_debug {
+ int level;
+ };
+
+-void ext_debug(void *private, const char *file, long line, const char *function,
+- const char *format, ...)
+-{
+- va_list ap;
+- struct priv_sss_debug *data = private;
+- int level = SSSDBG_OP_FAILURE;
+-
+- if (data != NULL) {
+- level = data->level;
+- }
+-
+- if (DEBUG_IS_SET(level)) {
+- va_start(ap, format);
+- sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
+- format, ap);
+- va_end(ap);
+- }
+-}
+-
+ static errno_t ipa_certmap_parse_results(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_options *sdap_opts,
+@@ -344,7 +325,6 @@ static errno_t ipa_certmap_parse_results(TALLOC_CTX *mem_ctx,
+ size_t c;
+ size_t lc = 0;
+ int ret;
+- struct sss_certmap_ctx *certmap_ctx = NULL;
+ const char **ocs = NULL;
+ bool user_name_hint = false;
+
+@@ -444,50 +424,29 @@ static errno_t ipa_certmap_parse_results(TALLOC_CTX *mem_ctx,
+
+ certmap_list[lc] = NULL;
+
+- ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &certmap_ctx);
+- if (ret != 0) {
+- DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n");
++ ret = sdap_setup_certmap(sdap_opts->sdap_certmap_ctx, certmap_list);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sdap_setup_certmap failed.\n");
+ goto done;
+ }
+
+- for (c = 0; certmap_list[c] != NULL; c++) {
+- DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n",
+- certmap_list[c]->name,
+- certmap_list[c]->priority,
+- certmap_list[c]->match_rule,
+- certmap_list[c]->map_rule);
+-
+- ret = sss_certmap_add_rule(certmap_ctx, certmap_list[c]->priority,
+- certmap_list[c]->match_rule,
+- certmap_list[c]->map_rule,
+- certmap_list[c]->domains);
+- if (ret != 0) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "sss_certmap_add_rule failed for rule [%s], skipping. "
+- "Please check for typos and if rule syntax is supported.\n",
+- certmap_list[c]->name);
+- goto done;
+- }
+- }
+-
+ ret = sysdb_update_certmap(domain->sysdb, certmap_list, user_name_hint);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed");
+ goto done;
+ }
+
+- sss_certmap_free_ctx(sdap_opts->certmap_ctx);
+- sdap_opts->certmap_ctx = talloc_steal(sdap_opts, certmap_ctx);
+-
+ if (_certmap_list != NULL) {
+ *_certmap_list = certmap_list;
++ } else {
++ talloc_free(certmap_list);
+ }
++
+ ret = EOK;
+
+ done:
+ talloc_free(ocs);
+ if (ret != EOK) {
+- sss_certmap_free_ctx(certmap_ctx);
+ talloc_free(certmap_list);
+ }
+
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index 443d83824f329b9d8c3d8e820113e1029f832240..56470ac824feaa59eecbd9f442682220237c2412 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -361,8 +361,8 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
+ id_ctx->sdap_id_ctx->opts->idmap_ctx;
+
+ /* Set up the certificate mapping context */
+- ad_id_ctx->sdap_id_ctx->opts->certmap_ctx =
+- id_ctx->sdap_id_ctx->opts->certmap_ctx;
++ ad_id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx =
++ id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx;
+
+ *_ad_id_ctx = ad_id_ctx;
+ return EOK;
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index 1acda4147576503b18f61e0bb56f8efd2263fd44..0510b7d5ab5121bd96f699e8e59520a2a18a604f 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -362,4 +362,9 @@ sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
+ errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx,
+ struct sdap_id_ctx *id_ctx);
+
++errno_t sdap_init_certmap(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx);
++
++errno_t sdap_setup_certmap(struct sdap_certmap_ctx *sdap_certmap_ctx,
++ struct certmap_info **certmap_list);
++struct sss_certmap_ctx *sdap_get_sss_certmap(struct sdap_certmap_ctx *ctx);
+ #endif /* _LDAP_COMMON_H_ */
+diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
+index 557712e8dc2b2bde664b4054fa2f8eb39df84d73..93204d35ea3782c9aa5d622a962c295869472631 100644
+--- a/src/providers/ldap/ldap_id.c
++++ b/src/providers/ldap/ldap_id.c
+@@ -252,9 +252,8 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
+ }
+
+ ret = sss_cert_derb64_to_ldap_filter(state, filter_value, attr_name,
+- ctx->opts->certmap_ctx,
+- state->domain,
+- &user_filter);
++ sdap_get_sss_certmap(ctx->opts->sdap_certmap_ctx),
++ state->domain, &user_filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter failed.\n");
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index afdc01948eefe9dda943c8c7ad01a42dd76a1da8..c85fbe9e78e5eefa7e33ea8055730118b0871a4c 100644
+--- a/src/providers/ldap/sdap.h
++++ b/src/providers/ldap/sdap.h
+@@ -446,6 +446,8 @@ struct sdap_ext_member_ctx {
+ ext_member_recv_fn_t ext_member_resolve_recv;
+ };
+
++struct sdap_certmap_ctx;
++
+ struct sdap_options {
+ struct dp_option *basic;
+ struct sdap_attr_map *gen_map;
+@@ -481,7 +483,7 @@ struct sdap_options {
+ enum dc_functional_level dc_functional_level;
+
+ /* Certificate mapping support */
+- struct sss_certmap_ctx *certmap_ctx;
++ struct sdap_certmap_ctx *sdap_certmap_ctx;
+ };
+
+ struct sdap_server_opts {
+diff --git a/src/providers/ldap/sdap_certmap.c b/src/providers/ldap/sdap_certmap.c
+new file mode 100644
+index 0000000000000000000000000000000000000000..fcf88a9c69482c8668d486cd2ab0ba37c847e46d
+--- /dev/null
++++ b/src/providers/ldap/sdap_certmap.c
+@@ -0,0 +1,152 @@
++
++/*
++ SSSD
++
++ Authors:
++ Sumit Bose <sbose@redhat.com>
++
++ Copyright (C) 2017 Red Hat
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "util/util.h"
++#include "lib/certmap/sss_certmap.h"
++#include "providers/ldap/ldap_common.h"
++
++struct sdap_certmap_ctx {
++ struct sss_certmap_ctx *certmap_ctx;
++};
++
++struct priv_sss_debug {
++ int level;
++};
++
++static void ext_debug(void *private, const char *file, long line,
++ const char *function, const char *format, ...)
++{
++ va_list ap;
++ struct priv_sss_debug *data = private;
++ int level = SSSDBG_OP_FAILURE;
++
++ if (data != NULL) {
++ level = data->level;
++ }
++
++ if (DEBUG_IS_SET(level)) {
++ va_start(ap, format);
++ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
++ format, ap);
++ va_end(ap);
++ }
++}
++
++struct sss_certmap_ctx *sdap_get_sss_certmap(struct sdap_certmap_ctx *ctx)
++{
++ return ctx == NULL ? NULL : ctx->certmap_ctx;
++}
++
++errno_t sdap_setup_certmap(struct sdap_certmap_ctx *sdap_certmap_ctx,
++ struct certmap_info **certmap_list)
++{
++ int ret;
++ struct sss_certmap_ctx *sss_certmap_ctx = NULL;
++ size_t c;
++
++ if (sdap_certmap_ctx == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Missing sdap_certmap_ctx.\n");
++ return EINVAL;
++ }
++
++ if (certmap_list == NULL || *certmap_list == NULL) {
++ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n");
++ ret = EOK;
++ goto done;
++ }
++
++ ret = sss_certmap_init(sdap_certmap_ctx, ext_debug, NULL, &sss_certmap_ctx);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n");
++ goto done;
++ }
++
++ for (c = 0; certmap_list[c] != NULL; c++) {
++ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n",
++ certmap_list[c]->name,
++ certmap_list[c]->priority,
++ certmap_list[c]->match_rule,
++ certmap_list[c]->map_rule);
++
++ ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
++ certmap_list[c]->match_rule,
++ certmap_list[c]->map_rule,
++ certmap_list[c]->domains);
++ if (ret != 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "sss_certmap_add_rule failed for rule [%s] "
++ "with error [%d][%s], skipping. "
++ "Please check for typos and if rule syntax is supported.\n",
++ certmap_list[c]->name, ret, sss_strerror(ret));
++ continue;
++ }
++ }
++
++ ret = EOK;
++
++done:
++ if (ret == EOK) {
++ sss_certmap_free_ctx(sdap_certmap_ctx->certmap_ctx);
++ sdap_certmap_ctx->certmap_ctx = sss_certmap_ctx;
++ } else {
++ sss_certmap_free_ctx(sss_certmap_ctx);
++ }
++
++ return ret;
++}
++
++errno_t sdap_init_certmap(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx)
++{
++ int ret;
++ bool hint;
++ struct certmap_info **certmap_list = NULL;
++
++ if (id_ctx->opts->sdap_certmap_ctx == NULL) {
++ id_ctx->opts->sdap_certmap_ctx = talloc_zero(mem_ctx,
++ struct sdap_certmap_ctx);
++ if (id_ctx->opts->sdap_certmap_ctx == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
++ return ENOMEM;
++ }
++ }
++
++ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb,
++ &certmap_list, &hint);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
++ goto done;
++ }
++
++ ret = sdap_setup_certmap(id_ctx->opts->sdap_certmap_ctx, certmap_list);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "sdap_setup_certmap failed.\n");
++ goto done;
++ }
++
++ ret = EOK;
++
++done:
++ talloc_free(certmap_list);
++
++ return ret;
++}
+diff --git a/src/tests/cmocka/test_sdap_certmap.c b/src/tests/cmocka/test_sdap_certmap.c
+new file mode 100644
+index 0000000000000000000000000000000000000000..9df5666844c8582a3fdb5b086720f1f2819f53f3
+--- /dev/null
++++ b/src/tests/cmocka/test_sdap_certmap.c
+@@ -0,0 +1,244 @@
++/*
++ Authors:
++ Sumit Bose <sbose@redhat.com>
++
++ Copyright (C) 2017 Red Hat
++
++ SSSD tests - sdap certmap
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <stdarg.h>
++#include <stdbool.h>
++#include <setjmp.h>
++#include <unistd.h>
++#include <cmocka.h>
++#include <popt.h>
++
++#include "providers/ldap/ldap_common.h"
++#include "tests/common.h"
++#include "db/sysdb.h"
++
++#define TESTS_PATH "certmap_" BASE_FILE_STEM
++#define TEST_CONF_DB "test_sysdb_certmap.ldb"
++#define TEST_ID_PROVIDER "ldap"
++#define TEST_DOM_NAME "certmap_test"
++
++struct certmap_info map_a = { discard_const("map_a"), 11,
++ NULL, discard_const("(abc=def)"),
++ NULL };
++struct certmap_info map_b = { discard_const("map_b"), UINT_MAX,
++ NULL, NULL, NULL };
++struct certmap_info *certmap[] = { &map_a, &map_b, NULL };
++
++struct certmap_test_ctx {
++ struct sss_test_ctx *tctx;
++ struct sdap_id_ctx *id_ctx;
++};
++
++static int test_sysdb_setup(void **state)
++{
++ int ret;
++ struct certmap_test_ctx *test_ctx;
++ struct sss_test_conf_param params[] = {
++ { NULL, NULL }, /* Sentinel */
++ };
++
++ assert_true(leak_check_setup());
++
++ test_ctx = talloc_zero(global_talloc_context,
++ struct certmap_test_ctx);
++ assert_non_null(test_ctx);
++ check_leaks_push(test_ctx);
++
++ test_dom_suite_setup(TESTS_PATH);
++
++ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
++ TEST_CONF_DB, TEST_DOM_NAME,
++ TEST_ID_PROVIDER, params);
++ assert_non_null(test_ctx->tctx);
++
++ ret = sysdb_update_certmap(test_ctx->tctx->sysdb, certmap, false);
++ assert_int_equal(ret, EOK);
++
++ test_ctx->id_ctx = talloc_zero(test_ctx->tctx, struct sdap_id_ctx);
++ assert_non_null(test_ctx->id_ctx);
++
++ test_ctx->id_ctx->opts = talloc_zero(test_ctx->tctx, struct sdap_options);
++ assert_non_null(test_ctx->id_ctx->opts);
++
++ test_ctx->id_ctx->be = talloc_zero(test_ctx->tctx, struct be_ctx);
++ assert_non_null(test_ctx->id_ctx->be);
++ test_ctx->id_ctx->be->domain = test_ctx->tctx->dom;
++
++ *state = test_ctx;
++ return 0;
++}
++
++static int test_sysdb_teardown(void **state)
++{
++ struct certmap_test_ctx *test_ctx =
++ talloc_get_type(*state, struct certmap_test_ctx);
++
++ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
++ talloc_free(test_ctx->tctx);
++ assert_true(check_leaks_pop(test_ctx));
++ talloc_free(test_ctx);
++ assert_true(leak_check_teardown());
++ return 0;
++}
++
++static void test_sdap_certmap_init(void **state)
++{
++ int ret;
++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
++ struct certmap_test_ctx);
++
++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
++ assert_int_equal(ret, EOK);
++
++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
++}
++
++static void test_sdap_get_sss_certmap(void **state)
++{
++ int ret;
++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
++ struct certmap_test_ctx);
++ struct sss_certmap_ctx *sss_certmap_ctx;
++
++ sss_certmap_ctx = sdap_get_sss_certmap(NULL);
++ assert_null(sss_certmap_ctx);
++
++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
++ assert_int_equal(ret, EOK);
++
++ sss_certmap_ctx = sdap_get_sss_certmap(
++ test_ctx->id_ctx->opts->sdap_certmap_ctx);
++ assert_non_null(sss_certmap_ctx);
++
++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
++}
++
++static void test_sdap_certmap_init_twice(void **state)
++{
++ int ret;
++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
++ struct certmap_test_ctx);
++ struct sdap_certmap_ctx *sdap_certmap_ref;
++ struct sss_certmap_ctx *sss_certmap_ref;
++
++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
++ assert_int_equal(ret, EOK);
++
++ sdap_certmap_ref = test_ctx->id_ctx->opts->sdap_certmap_ctx;
++ sss_certmap_ref = sdap_get_sss_certmap(sdap_certmap_ref);
++
++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
++ assert_int_equal(ret, EOK);
++
++ assert_ptr_equal(sdap_certmap_ref,
++ test_ctx->id_ctx->opts->sdap_certmap_ctx);
++ assert_ptr_not_equal(sss_certmap_ref,
++ sdap_get_sss_certmap(sdap_certmap_ref));
++
++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
++}
++
++
++static void test_sdap_setup_certmap(void **state)
++{
++ int ret;
++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
++ struct certmap_test_ctx);
++ struct sdap_certmap_ctx *sdap_certmap_ref;
++ struct sss_certmap_ctx *sss_certmap_ref;
++
++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
++ assert_int_equal(ret, EOK);
++
++ sdap_certmap_ref = test_ctx->id_ctx->opts->sdap_certmap_ctx;
++ sss_certmap_ref = sdap_get_sss_certmap(sdap_certmap_ref);
++
++ ret = sdap_setup_certmap(NULL, NULL);
++ assert_int_equal(ret, EINVAL);
++ assert_ptr_equal(sdap_certmap_ref,
++ test_ctx->id_ctx->opts->sdap_certmap_ctx);
++ assert_ptr_equal(sss_certmap_ref, sdap_get_sss_certmap(sdap_certmap_ref));
++
++ ret = sdap_setup_certmap(NULL, certmap);
++ assert_int_equal(ret, EINVAL);
++ assert_ptr_equal(sdap_certmap_ref,
++ test_ctx->id_ctx->opts->sdap_certmap_ctx);
++ assert_ptr_equal(sss_certmap_ref, sdap_get_sss_certmap(sdap_certmap_ref));
++
++ ret = sdap_setup_certmap(sdap_certmap_ref, certmap);
++ assert_int_equal(ret, EOK);
++ assert_ptr_equal(sdap_certmap_ref,
++ test_ctx->id_ctx->opts->sdap_certmap_ctx);
++ assert_ptr_not_equal(sss_certmap_ref,
++ sdap_get_sss_certmap(sdap_certmap_ref));
++
++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
++}
++
++int main(int argc, const char *argv[])
++{
++ int rv;
++ poptContext pc;
++ int opt;
++ struct poptOption long_options[] = {
++ POPT_AUTOHELP
++ SSSD_DEBUG_OPTS
++ POPT_TABLEEND
++ };
++
++ const struct CMUnitTest tests[] = {
++ cmocka_unit_test_setup_teardown(test_sdap_certmap_init,
++ test_sysdb_setup,
++ test_sysdb_teardown),
++ cmocka_unit_test_setup_teardown(test_sdap_get_sss_certmap,
++ test_sysdb_setup,
++ test_sysdb_teardown),
++ cmocka_unit_test_setup_teardown(test_sdap_certmap_init_twice,
++ test_sysdb_setup,
++ test_sysdb_teardown),
++ cmocka_unit_test_setup_teardown(test_sdap_setup_certmap,
++ test_sysdb_setup,
++ test_sysdb_teardown),
++ };
++
++ /* Set debug level to invalid value so we can deside if -d 0 was used. */
++ debug_level = SSSDBG_INVALID;
++
++ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
++ while((opt = poptGetNextOpt(pc)) != -1) {
++ switch(opt) {
++ default:
++ fprintf(stderr, "\nInvalid option %s: %s\n\n",
++ poptBadOption(pc, 0), poptStrerror(opt));
++ poptPrintUsage(pc, stderr, 0);
++ return 1;
++ }
++ }
++ poptFreeContext(pc);
++
++ DEBUG_CLI_INIT(debug_level);
++
++ tests_set_cwd();
++ rv = cmocka_run_group_tests(tests, NULL, NULL);
++
++ return rv;
++}
+--
+2.13.5
+
diff --git a/SOURCES/0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch b/SOURCES/0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch
new file mode 100644
index 0000000..c2f4d5d
--- /dev/null
+++ b/SOURCES/0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch
@@ -0,0 +1,95 @@
+From 27ef368b4105f19382360fe62f944b36ca74adb7 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 6 Sep 2017 12:20:25 +0200
+Subject: [PATCH 194/194] certmap: make sure eku_oid_list is always allocated
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If there are only OIDs in a <EKU> part of a matching rule a NULL pointer
+dereference might occur.
+
+Related to https://pagure.io/SSSD/sssd/issue/3508
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit f5a8cd60c6f377af1954b58f007d16cf3f6dc846)
+---
+ src/lib/certmap/sss_certmap_krb5_match.c | 21 ++++++++++++---------
+ src/tests/cmocka/test_certmap.c | 17 +++++++++++++++++
+ 2 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/src/lib/certmap/sss_certmap_krb5_match.c b/src/lib/certmap/sss_certmap_krb5_match.c
+index e40f17b8ace46e61087e0a2fa570a362a84cead2..0a77ac225d73f3506e102fdbdc9084faa0f19cf0 100644
+--- a/src/lib/certmap/sss_certmap_krb5_match.c
++++ b/src/lib/certmap/sss_certmap_krb5_match.c
+@@ -179,19 +179,17 @@ static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
++ comp->eku_oid_list = talloc_zero_array(comp, const char *,
++ eku_list_size + 1);
++ if (comp->eku_oid_list == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
+ for (c = 0; eku_list[c] != NULL; c++) {
+ for (k = 0; ext_key_usage[k].name != NULL; k++) {
+ CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name);
+ if (strcasecmp(eku_list[c], ext_key_usage[k].name) == 0) {
+- if (comp->eku_oid_list == NULL) {
+- comp->eku_oid_list = talloc_zero_array(comp, const char *,
+- eku_list_size + 1);
+- if (comp->eku_oid_list == NULL) {
+- ret = ENOMEM;
+- goto done;
+- }
+- }
+-
+ comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list,
+ ext_key_usage[k].oid);
+ if (comp->eku_oid_list[e] == NULL) {
+@@ -225,6 +223,11 @@ CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name);
+ }
+ }
+
++ if (e == 0) {
++ talloc_free(comp->eku_oid_list);
++ comp->eku_oid_list = NULL;
++ }
++
+ ret = 0;
+
+ done:
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index c998443d086eaa72cc2a05c38ddfc5ba590a1ce7..e732bb214476943d0f723b318ab64d3b4156cace 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -445,6 +445,23 @@ static void test_sss_certmap_add_matching_rule(void **state)
+ assert_null(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[3]);
+
++ ret = sss_certmap_add_rule(ctx, 96,
++ "KRB5:<EKU>1.2.3",
++ NULL, NULL);
++ assert_int_equal(ret, 0);
++ assert_non_null(ctx->prio_list);
++ assert_non_null(ctx->prio_list->rule_list);
++ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
++ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
++ relation_and);
++ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
++ assert_true(string_in_list("1.2.3",
++ discard_const(
++ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
++ true));
++ assert_null(
++ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[1]);
++
+ /* SAN tests */
+ ret = sss_certmap_add_rule(ctx, 89, "KRB5:<SAN>abc", NULL, NULL);
+ assert_int_equal(ret, 0);
+--
+2.13.5
+
diff --git a/SOURCES/0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch b/SOURCES/0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch
new file mode 100644
index 0000000..2841962
--- /dev/null
+++ b/SOURCES/0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch
@@ -0,0 +1,62 @@
+From cf75c30a42059480eca4c352598ceb3760c27e46 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 21 Aug 2017 11:42:43 +0200
+Subject: [PATCH 195/195] cache_req: Look for name attribute also in
+ nss_cmd_getsidbyid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We always check negcache after getting data from backend since commit
+4c09cd008967c5c0ec358dc658ffc6fc1cef2697 because we usually do have a name
+in begging of requests "* by ID".
+
+We were not interested in name in request sid by id before. However, function
+cache_req_search_ncache_filter always expect name otherwise it returns
+ERR_INTERNAL.
+
+[sssd[nss]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Object by ID" plugin
+[sssd[nss]] [cache_req_send] (0x0400): CR #8: New request 'Object by ID'
+[sssd[nss]] [cache_req_select_domains] (0x0400): CR #8: Performing a multi-domain search
+[sssd[nss]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider
+[sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain sssdad2012r2.com type POSIX is valid
+[sssd[nss]] [cache_req_set_domain] (0x0400): CR #8: Using domain [sssdad2012r2.com]
+[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Looking up ID:233600513@sssdad2012r2.com
+[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [ID:233600513@sssdad2012r2.com]
+[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/sssdad2012r2.com/233600513]
+[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: [ID:233600513@sssdad2012r2.com] is not present in negative cache
+[sssd[nss]] [cache_req_search_cache] (0x0400): CR #8: Looking up [ID:233600513@sssdad2012r2.com] in cache
+[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Returning [ID:233600513@sssdad2012r2.com] from cache
+[sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #8: Filtering out results by negative cache
+[sssd[nss]] [cache_req_search_ncache_filter] (0x0020): CR #8: sss_get_name_from_msg() returned NULL, which should never happen in this scenario!
+[sssd[nss]] [cache_req_process_result] (0x0400): CR #8: Finished: Error 1432158209: Internal Error
+[sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [1432158209]: Internal Error
+[sssd[nss]] [client_recv] (0x0200): Client disconnected!
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3485
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 2e72ababbbadda4c4036f99528460c1d595e0941)
+---
+ src/responder/common/cache_req/cache_req_data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
+index 5ab1493b81dbcd1529f1124a2bb1f99d3ae82281..3c365e2fe5826fd58c75f07b08193e5566db2563 100644
+--- a/src/responder/common/cache_req/cache_req_data.c
++++ b/src/responder/common/cache_req/cache_req_data.c
+@@ -26,7 +26,9 @@ static const char **
+ cache_req_data_create_attrs(TALLOC_CTX *mem_ctx,
+ const char **requested)
+ {
+- static const char *defattrs[] = { SYSDB_DEFAULT_ATTRS };
++ static const char *defattrs[] = { SYSDB_DEFAULT_ATTRS, SYSDB_NAME,
++ OVERRIDE_PREFIX SYSDB_NAME,
++ SYSDB_DEFAULT_OVERRIDE_NAME };
+ static size_t defnum = sizeof(defattrs) / sizeof(defattrs[0]);
+ const char **attrs;
+ size_t reqnum;
+--
+2.13.5
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 8dfde90..af001cd 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -40,7 +40,7 @@
Name: sssd
Version: 1.15.2
-Release: 50%{?dist}.2
+Release: 50%{?dist}.6
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -239,6 +239,11 @@ Patch0187: 0187-RESPONDERS-Fix-terminating-idle-connections.patch
Patch0188: 0188-TESTS-Integration-test-for-idle-timeout.patch
Patch0189: 0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch
Patch0190: 0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch
+Patch0191: 0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch
+Patch0192: 0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch
+Patch0193: 0193-IPA-fix-handling-of-certmap_ctx.patch
+Patch0194: 0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch
+Patch0195: 0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch
#This patch should not be removed in RHEL-7
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1375,6 +1380,22 @@ fi
}
%changelog
+* Wed Sep 27 2017 Fabiano Fidêncio <fidencio@redhat.com> - 1.15.2-50.6
+- Add a patch that was missed in 1.15.2-50.4
+- Related: rhbz#1489290 - samba shares with sssd authentication broken
+ on 7.4 [rhel-7.4.z]
+
+* Thu Sep 21 2017 Fabiano Fidêncio <fidencio@redhat.com> - 1.15.2-50.5
+- Resolves: rhbz#1493916 - Issues with certificate mapping rules [rhel-7.4.z]
+
+* Mon Sep 11 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.15.2-50.4
+- Resolves: rhbz#1489290 - samba shares with sssd authentication broken
+ on 7.4 [rhel-7.4.z]
+
+* Fri Aug 18 2017 Fabiano Fidêncio <fidencio@redhat.com> - 1.15.2-50.3
+- Resolves: rhbz#1482927 - sssd_be is utilizing more CPU during sudoi
+ rules refresh [rhel-7.4.z]
+
* Sun Aug 6 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.15.2-50.2
- Resolves: rhbz#1478252 - Querying the AD domain for external domain's
ID can mark the AD domain offline [rhel-7.4.z]