diff --git a/SOURCES/0209-SYSDB-Index-the-objectSIDString-attribute.patch b/SOURCES/0209-SYSDB-Index-the-objectSIDString-attribute.patch new file mode 100644 index 0000000..aea17b0 --- /dev/null +++ b/SOURCES/0209-SYSDB-Index-the-objectSIDString-attribute.patch 
@@ -0,0 +1,132 @@ +From 36f2fe9d7e5bd3af72b306da7b07df3cfd557810 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 25 Jun 2015 17:33:47 +0200 +Subject: [PATCH 209/210] SYSDB: Index the objectSIDString attribute + +(cherry picked from commit 2302b7f53869db17fe6f733f52cce94d9714eeb4) +--- + src/db/sysdb.c | 7 +++++++ + src/db/sysdb_private.h | 5 ++++- + src/db/sysdb_upgrade.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 62 insertions(+), 1 deletion(-) + +diff --git a/src/db/sysdb.c b/src/db/sysdb.c +index 1f02585e747dda6aadde772f76f30d3d69c4cfc0..5be5da3ae70bf13313be85a59a85552d4bcce7f0 100644 +--- a/src/db/sysdb.c ++++ b/src/db/sysdb.c +@@ -1250,6 +1250,13 @@ int sysdb_domain_init_internal(TALLOC_CTX *mem_ctx, + } + } + ++ if (strcmp(version, SYSDB_VERSION_0_16) == 0) { ++ ret = sysdb_upgrade_16(sysdb, &version); ++ if (ret != EOK) { ++ goto done; ++ } ++ } ++ + /* The version should now match SYSDB_VERSION. + * If not, it means we didn't match any of the + * known older versions. 
The DB might be +diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h +index 8a5b8be8cbcf0513fa4c471ac41f803a4e2a5b24..9788206a1ee125b6a838031edb57b243a42bbb60 100644 +--- a/src/db/sysdb_private.h ++++ b/src/db/sysdb_private.h +@@ -23,6 +23,7 @@ + #ifndef __INT_SYS_DB_H__ + #define __INT_SYS_DB_H__ + ++#define SYSDB_VERSION_0_17 "0.17" + #define SYSDB_VERSION_0_16 "0.16" + #define SYSDB_VERSION_0_15 "0.15" + #define SYSDB_VERSION_0_14 "0.14" +@@ -40,7 +41,7 @@ + #define SYSDB_VERSION_0_2 "0.2" + #define SYSDB_VERSION_0_1 "0.1" + +-#define SYSDB_VERSION SYSDB_VERSION_0_16 ++#define SYSDB_VERSION SYSDB_VERSION_0_17 + + #define SYSDB_BASE_LDIF \ + "dn: @ATTRIBUTES\n" \ +@@ -68,6 +69,7 @@ + "@IDXATTR: serviceProtocol\n" \ + "@IDXATTR: sudoUser\n" \ + "@IDXATTR: sshKnownHostsExpire\n" \ ++ "@IDXATTR: objectSIDString\n" \ + "@IDXONE: 1\n" \ + "\n" \ + "dn: @MODULES\n" \ +@@ -120,6 +122,7 @@ int sysdb_upgrade_12(struct sysdb_ctx *sysdb, const char **ver); + int sysdb_upgrade_13(struct sysdb_ctx *sysdb, const char **ver); + int sysdb_upgrade_14(struct sysdb_ctx *sysdb, const char **ver); + int sysdb_upgrade_15(struct sysdb_ctx *sysdb, const char **ver); ++int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver); + + int add_string(struct ldb_message *msg, int flags, + const char *attr, const char *value); +diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c +index 558b4f5205c333e7a2b60d0a8e11589f122c385a..816b1eff83a644e6571165ed79a1a9bf420ef847 100644 +--- a/src/db/sysdb_upgrade.c ++++ b/src/db/sysdb_upgrade.c +@@ -1587,6 +1587,57 @@ done: + return ret; + } + ++int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver) ++{ ++ struct ldb_message *msg; ++ struct upgrade_ctx *ctx; ++ errno_t ret; ++ ++ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_17, &ctx); ++ if (ret) { ++ return ret; ++ } ++ ++ /* add new indexes */ ++ msg = ldb_msg_new(ctx); ++ if (msg == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ msg->dn = ldb_dn_new(msg, 
sysdb->ldb, "@INDEXLIST"); ++ if (msg->dn == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ /* add index for cached */ ++ ret = ldb_msg_add_empty(msg, "@IDXATTR", LDB_FLAG_MOD_ADD, NULL); ++ if (ret != LDB_SUCCESS) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = ldb_msg_add_string(msg, "@IDXATTR", "objectSIDString"); ++ if (ret != LDB_SUCCESS) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = ldb_modify(sysdb->ldb, msg); ++ if (ret != LDB_SUCCESS) { ++ ret = sysdb_error_to_errno(ret); ++ goto done; ++ } ++ ++ /* conversion done, update version number */ ++ ret = update_version(ctx); ++ ++done: ++ ret = finish_upgrade(ret, &ctx, ver); ++ return ret; ++} ++ + /* + * Example template for future upgrades. + * Copy and change version numbers as appropriate. +-- +2.4.3 + diff --git a/SOURCES/0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch b/SOURCES/0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch new file mode 100644 index 0000000..ae6d246 --- /dev/null +++ b/SOURCES/0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch 
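Review bot: The comment above the ldb_msg_add_empty call in sysdb_upgrade_16 reads `/* add index for cached */`, which looks copied from an earlier upgrade step and does not say what this function indexes; it should read `/* add index for objectSIDString */`. A consistency point in the same function: failures of ldb_msg_add_empty and ldb_msg_add_string are both collapsed to ENOMEM, while the ldb_modify failure below is translated with sysdb_error_to_errno(ret); if that mirrors the earlier sysdb_upgrade_* functions (not visible here) it can stay, otherwise `ret = sysdb_error_to_errno(ret);` in those two branches would preserve the real ldb error instead of reporting every failure as out-of-memory. The header change bumps SYSDB_VERSION to 0.17 and adds the same `@IDXATTR: objectSIDString` line to SYSDB_BASE_LDIF, so freshly created and upgraded caches end up with the same index list, which is the right pairing for an index-only schema step.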
@@ -0,0 +1,88 @@ +From 09bf564bfe4f6f8407056e3261bfc7948d45bdbf Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 21 Jul 2015 11:44:03 +0200 +Subject: [PATCH 210/210] IPA: Remove MPG groups if getgrgid was called before + getpw() + +https://fedorahosted.org/sssd/ticket/2724 + +This bug only affects IPA clients that are connected to IPA servers with +AD trust and ID mapping in effect. + +If an IPA client calls getgrgid() for an ID that matches a user, the +user's private group would be returned and stored as a group entry. + +Subsequent queries for that user would fail, because MPG domains impose +uniqueness restriction for both the ID and name space across groups and +users. + +To work around that, we remove the UPG groups in MPG domains during a +group lookup. + +Reviewed-by: Sumit Bose +--- + src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 39 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 292f174257fbf6f6ebc8db6d1eb38cb4b5349b81..8de46136d0bc9d1c26b44c532d7bd405880aca50 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -1757,6 +1757,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + int tret; + struct sysdb_attrs *gid_override_attrs = NULL; + char ** exop_grouplist; ++ struct ldb_message *msg; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { +@@ -1997,8 +1998,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + attrs->a.user.pw_dir, attrs->a.user.pw_shell, + NULL, attrs->sysdb_attrs, NULL, + timeout, now); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n"); ++ if (ret == EEXIST && dom->mpg == true) { ++ /* This handles the case where getgrgid() was called for ++ * this user, so a group was created in the cache ++ */ ++ ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg); ++ if (ret != EOK) { ++ /* Fail even 
on ENOENT, the group must be around */ ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Could not delete MPG group [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_delete_group failed for MPG group [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ ret = sysdb_store_user(dom, name, NULL, ++ attrs->a.user.pw_uid, ++ gid, attrs->a.user.pw_gecos, ++ attrs->a.user.pw_dir, ++ attrs->a.user.pw_shell, ++ NULL, attrs->sysdb_attrs, NULL, ++ timeout, now); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_store_user failed for MPG user [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_store_user failed [%d]: %s\n", ++ ret, sss_strerror(ret)); + goto done; + } + +-- +2.4.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index aef7830..4eb7589 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -23,7 +23,7 @@ Name: sssd Version: 1.12.2 -Release: 58%{?dist}.14 +Release: 58%{?dist}.17 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -240,6 +240,8 @@ Patch0205: 0205-SDAP-Add-sdap_copy_map_entry.patch Patch0206: 0206-UTIL-Inherit-ignore_group_members.patch Patch0207: 0207-subdomains-Inherit-cleanup-period-and-tokengroup-set.patch Patch0208: 0208-sudo-sanitize-filter-values.patch +Patch0209: 0209-SYSDB-Index-the-objectSIDString-attribute.patch +Patch0210: 0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch ### Dependencies ### 
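Review bot: In the new EEXIST branch of ipa_s2n_save_objects the entry returned by sysdb_search_group_by_name is never inspected — `msg` serves only as an existence check — while the following sysdb_delete_group is keyed on `attrs->a.user.pw_uid`, so the lookup and the deletion can refer to different cache objects; comparing the found entry's gidNumber with pw_uid before deleting, e.g. `if (ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0) != attrs->a.user.pw_uid) { ret = EINVAL; goto done; }`, would make the MPG assumption explicit and keep a real group that merely shares the user's name from being dropped from the cache. The DEBUG message in the lookup-failure branch says "Could not delete MPG group" although no deletion has been attempted at that point; `"Could not look up MPG group [%d]: %s\n"` would describe the actual failure. Minor style: `dom->mpg == true` can be written `dom->mpg`. ipa_s2n_save_objects starts and ends outside this hunk, and `msg` is declared in the earlier hunk of the same file.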
@@ -1104,6 +1106,19 @@ fi /usr/bin/rm -f /var/tmp/sssd.upgrade || : %changelog +* Thu Sep 3 2015 Jakub Hrozek - 1.12.2-58.17 +- Actually apply the patch for rhbz#1255442 +- Resolves: rhbz#1255442 - getgrgid for user's UID on a trust client + prevents getpw* + +* Thu Aug 20 2015 Jakub Hrozek - 1.12.2-58.16 +- Resolves: rhbz#1255443 - Add index for 'objectSIDString' and maybe to + other cache attributes + +* Thu Aug 20 2015 Jakub Hrozek - 1.12.2-58.15 +- Resolves: rhbz#1255442 - getgrgid for user's UID on a trust client + prevents getpw* + * Mon Jul 20 2015 Jakub Hrozek - 1.12.2-58.14 - Resolves: rhbz#1244761 - Relax the libldb requirements to unblock RH Storage