diff --git a/SOURCES/0209-SYSDB-Index-the-objectSIDString-attribute.patch b/SOURCES/0209-SYSDB-Index-the-objectSIDString-attribute.patch
new file mode 100644
index 0000000..aea17b0
--- /dev/null
+++ b/SOURCES/0209-SYSDB-Index-the-objectSIDString-attribute.patch
@@ -0,0 +1,132 @@
+From 36f2fe9d7e5bd3af72b306da7b07df3cfd557810 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 25 Jun 2015 17:33:47 +0200
+Subject: [PATCH 209/210] SYSDB: Index the objectSIDString attribute
+
+(cherry picked from commit 2302b7f53869db17fe6f733f52cce94d9714eeb4)
+---
+ src/db/sysdb.c | 7 +++++++
+ src/db/sysdb_private.h | 5 ++++-
+ src/db/sysdb_upgrade.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 62 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb.c b/src/db/sysdb.c
+index 1f02585e747dda6aadde772f76f30d3d69c4cfc0..5be5da3ae70bf13313be85a59a85552d4bcce7f0 100644
+--- a/src/db/sysdb.c
++++ b/src/db/sysdb.c
+@@ -1250,6 +1250,13 @@ int sysdb_domain_init_internal(TALLOC_CTX *mem_ctx,
+ }
+ }
+
++ if (strcmp(version, SYSDB_VERSION_0_16) == 0) {
++ ret = sysdb_upgrade_16(sysdb, &version);
++ if (ret != EOK) {
++ goto done;
++ }
++ }
++
+ /* The version should now match SYSDB_VERSION.
+ * If not, it means we didn't match any of the
+ * known older versions. The DB might be
+diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
+index 8a5b8be8cbcf0513fa4c471ac41f803a4e2a5b24..9788206a1ee125b6a838031edb57b243a42bbb60 100644
+--- a/src/db/sysdb_private.h
++++ b/src/db/sysdb_private.h
+@@ -23,6 +23,7 @@
+ #ifndef __INT_SYS_DB_H__
+ #define __INT_SYS_DB_H__
+
++#define SYSDB_VERSION_0_17 "0.17"
+ #define SYSDB_VERSION_0_16 "0.16"
+ #define SYSDB_VERSION_0_15 "0.15"
+ #define SYSDB_VERSION_0_14 "0.14"
+@@ -40,7 +41,7 @@
+ #define SYSDB_VERSION_0_2 "0.2"
+ #define SYSDB_VERSION_0_1 "0.1"
+
+-#define SYSDB_VERSION SYSDB_VERSION_0_16
++#define SYSDB_VERSION SYSDB_VERSION_0_17
+
+ #define SYSDB_BASE_LDIF \
+ "dn: @ATTRIBUTES\n" \
+@@ -68,6 +69,7 @@
+ "@IDXATTR: serviceProtocol\n" \
+ "@IDXATTR: sudoUser\n" \
+ "@IDXATTR: sshKnownHostsExpire\n" \
++ "@IDXATTR: objectSIDString\n" \
+ "@IDXONE: 1\n" \
+ "\n" \
+ "dn: @MODULES\n" \
+@@ -120,6 +122,7 @@ int sysdb_upgrade_12(struct sysdb_ctx *sysdb, const char **ver);
+ int sysdb_upgrade_13(struct sysdb_ctx *sysdb, const char **ver);
+ int sysdb_upgrade_14(struct sysdb_ctx *sysdb, const char **ver);
+ int sysdb_upgrade_15(struct sysdb_ctx *sysdb, const char **ver);
++int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver);
+
+ int add_string(struct ldb_message *msg, int flags,
+ const char *attr, const char *value);
+diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
+index 558b4f5205c333e7a2b60d0a8e11589f122c385a..816b1eff83a644e6571165ed79a1a9bf420ef847 100644
+--- a/src/db/sysdb_upgrade.c
++++ b/src/db/sysdb_upgrade.c
+@@ -1587,6 +1587,57 @@ done:
+ return ret;
+ }
+
++int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver)
++{
++ struct ldb_message *msg;
++ struct upgrade_ctx *ctx;
++ errno_t ret;
++
++ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_17, &ctx);
++ if (ret) {
++ return ret;
++ }
++
++ /* add new indexes */
++ msg = ldb_msg_new(ctx);
++ if (msg == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST");
++ if (msg->dn == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ /* add index for cached */
++ ret = ldb_msg_add_empty(msg, "@IDXATTR", LDB_FLAG_MOD_ADD, NULL);
++ if (ret != LDB_SUCCESS) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ ret = ldb_msg_add_string(msg, "@IDXATTR", "objectSIDString");
++ if (ret != LDB_SUCCESS) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ ret = ldb_modify(sysdb->ldb, msg);
++ if (ret != LDB_SUCCESS) {
++ ret = sysdb_error_to_errno(ret);
++ goto done;
++ }
++
++ /* conversion done, update version number */
++ ret = update_version(ctx);
++
++done:
++ ret = finish_upgrade(ret, &ctx, ver);
++ return ret;
++}
++
+ /*
+ * Example template for future upgrades.
+ * Copy and change version numbers as appropriate.
+--
+2.4.3
+
diff --git a/SOURCES/0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch b/SOURCES/0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
new file mode 100644
index 0000000..ae6d246
--- /dev/null
+++ b/SOURCES/0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
@@ -0,0 +1,88 @@
+From 09bf564bfe4f6f8407056e3261bfc7948d45bdbf Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 21 Jul 2015 11:44:03 +0200
+Subject: [PATCH 210/210] IPA: Remove MPG groups if getgrgid was called before
+ getpw()
+
+https://fedorahosted.org/sssd/ticket/2724
+
+This bug only affects IPA clients that are connected to IPA servers with
+AD trust and ID mapping in effect.
+
+If an IPA client calls getgrgid() for an ID that matches a user, the
+user's private group would be returned and stored as a group entry.
+
+Subsequent queries for that user would fail, because MPG domains impose
+uniqueness restriction for both the ID and name space across groups and
+users.
+
+To work around that, we remove the UPG groups in MPG domains during a
+group lookup.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 292f174257fbf6f6ebc8db6d1eb38cb4b5349b81..8de46136d0bc9d1c26b44c532d7bd405880aca50 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1757,6 +1757,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ int tret;
+ struct sysdb_attrs *gid_override_attrs = NULL;
+ char ** exop_grouplist;
++ struct ldb_message *msg;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+@@ -1997,8 +1998,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ attrs->a.user.pw_dir, attrs->a.user.pw_shell,
+ NULL, attrs->sysdb_attrs, NULL,
+ timeout, now);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
++ if (ret == EEXIST && dom->mpg == true) {
++ /* This handles the case where getgrgid() was called for
++ * this user, so a group was created in the cache
++ */
++ ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg);
++ if (ret != EOK) {
++ /* Fail even on ENOENT, the group must be around */
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Could not delete MPG group [%d]: %s\n",
++ ret, sss_strerror(ret));
++ goto done;
++ }
++
++ ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sysdb_delete_group failed for MPG group [%d]: %s\n",
++ ret, sss_strerror(ret));
++ goto done;
++ }
++
++ ret = sysdb_store_user(dom, name, NULL,
++ attrs->a.user.pw_uid,
++ gid, attrs->a.user.pw_gecos,
++ attrs->a.user.pw_dir,
++ attrs->a.user.pw_shell,
++ NULL, attrs->sysdb_attrs, NULL,
++ timeout, now);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sysdb_store_user failed for MPG user [%d]: %s\n",
++ ret, sss_strerror(ret));
++ goto done;
++ }
++ } else if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sysdb_store_user failed [%d]: %s\n",
++ ret, sss_strerror(ret));
+ goto done;
+ }
+
+--
+2.4.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index aef7830..4eb7589 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -23,7 +23,7 @@
Name: sssd
Version: 1.12.2
-Release: 58%{?dist}.14
+Release: 58%{?dist}.17
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -240,6 +240,8 @@ Patch0205: 0205-SDAP-Add-sdap_copy_map_entry.patch
Patch0206: 0206-UTIL-Inherit-ignore_group_members.patch
Patch0207: 0207-subdomains-Inherit-cleanup-period-and-tokengroup-set.patch
Patch0208: 0208-sudo-sanitize-filter-values.patch
+Patch0209: 0209-SYSDB-Index-the-objectSIDString-attribute.patch
+Patch0210: 0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
### Dependencies ###
@@ -1104,6 +1106,19 @@ fi
/usr/bin/rm -f /var/tmp/sssd.upgrade || :
%changelog
+* Thu Sep 3 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-58.17
+- Actually apply the patch for rhbz#1255442
+- Resolves: rhbz#1255442 - getgrgid for user's UID on a trust client
+ prevents getpw*
+
+* Thu Aug 20 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-58.16
+- Resolves: rhbz#1255443 - Add index for 'objectSIDString' and maybe to
+ other cache attributes
+
+* Thu Aug 20 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-58.15
+- Resolves: rhbz#1255442 - getgrgid for user's UID on a trust client
+ prevents getpw*
+
* Mon Jul 20 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-58.14
- Resolves: rhbz#1244761 - Relax the libldb requirements to unblock
RH Storage