diff --git a/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch b/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
new file mode 100644
index 0000000..de65245
--- /dev/null
+++ b/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
@@ -0,0 +1,75 @@
+From 5ecab6dc08ac35a400e067af09b49e7fcb0f17c0 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 12 Aug 2014 10:32:33 +0200
+Subject: [PATCH 127/130] IPA: handle searches by SID in
+ apply_subdomain_homedir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://fedorahosted.org/sssd/ticket/2391
+
+apply_subdomain_homedir() didn't handle the situation where an entity
+that doesn't match was requested from the cache. For user and group
+lookups this wasn't a problem because the negative match was caught
+sooner.
+
+But SID lookups can match either user or group. When a group SID was
+requested, the preceding LDAP request matched the SID and stored the
+group in the cache. Then apply_subdomain_homedir() only tried to search
+user by SID, didn't find the entry and accessed a NULL pointer.
+
+A simple reproducer is:
+$ python
+>>> import pysss_nss_idmap
+>>> pysss_nss_idmap.getnamebysid(group_sid)
+
+The group_sid can be anything, including Domain Users (XXX-513)
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index d8922a461fc1cbbec4bb65b8cd6e6cf25f2dc605..5517602a6e9c7d56406e42aa3afbd2527e2df7ea 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -492,6 +492,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ 
+     if (filter_type == BE_FILTER_NAME) {
+         ret = sysdb_getpwnam(mem_ctx, dom->sysdb, dom, filter_value, &res);
++        if (res && res->count == 0) {
++            ret = ENOENT;
++        }
+     } else if (filter_type == BE_FILTER_IDNUM) {
+         errno = 0;
+         uid = strtouint32(filter_value, NULL, 10);
+@@ -500,6 +503,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+             goto done;
+         }
+         ret = sysdb_getpwuid(mem_ctx, dom->sysdb, dom, uid, &res);
++        if (res && res->count == 0) {
++            ret = ENOENT;
++        }
+     } else if (filter_type == BE_FILTER_SECID) {
+         ret = sysdb_search_user_by_sid_str(mem_ctx, dom->sysdb, dom,
+                                            filter_value, attrs, &msg);
+@@ -515,10 +521,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+               ("Failed to make request to our cache: [%d]: [%s]\n",
+                ret, sss_strerror(ret)));
+         goto done;
+-    }
+-
+-    if ((res && res->count == 0) || (msg && msg->num_elements == 0)) {
+-        ret = ENOENT;
++    } else if (ret == ENOENT) {
++        DEBUG(SSSDBG_TRACE_FUNC, ("Cannot find [%s] with search type [%d]\n",
++              filter_value, filter_type));
+         goto done;
+     }
+ 
+-- 
+1.9.3
+
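Review bot: The BE_FILTER_SECID branch loses the empty-result guard that the removed `(msg && msg->num_elements == 0)` check provided: the new `else if (ret == ENOENT)` only triggers if `sysdb_search_user_by_sid_str()` itself reports a miss as ENOENT, which the hunk does not show, so if that helper can return EOK with `msg` NULL or with no elements (the group-SID case the commit message describes) the code after the hunk would still dereference `msg`. For symmetry with the name and uid branches I would add after the SID search `if (ret == EOK && (msg == NULL || msg->num_elements == 0)) { ret = ENOENT; }`, or, if the helper is confirmed to return ENOENT on a miss, a one-line comment at that branch saying so, because the new control flow now depends on it. The added trace line logs the caller-supplied `filter_value` at SSSDBG_TRACE_FUNC, which matches the surrounding logging style. apply_subdomain_homedir() begins before and ends after these hunks.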
diff --git a/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch b/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch
new file mode 100644
index 0000000..3069a3b
--- /dev/null
+++ b/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch
@@ -0,0 +1,82 @@
+From b224c49b8f0a9cdf343a443fdf2190dc6f047508 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 20 Aug 2014 14:00:38 +0200
+Subject: [PATCH 128/130] LDAP: Ignore returned referrals if referral support
+ is disabled
+
+Reviewed-by: Pavel Reichl <preichl@redhat.com>
+(cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2)
+---
+ src/providers/ldap/sdap_async.c | 18 +++++++++++++++---
+ src/util/util_errors.c          |  1 +
+ src/util/util_errors.h          |  2 ++
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
+index 1022a093f06ec7e9a50b13160fc9a4660a255e92..7db01d979ee81a3707126a4c3eb1f36006e8b392 100644
+--- a/src/providers/ldap/sdap_async.c
++++ b/src/providers/ldap/sdap_async.c
+@@ -1404,6 +1404,10 @@ static void sdap_get_generic_ext_done(struct sdap_op *op,
+             ldap_memfree(errmsg);
+             tevent_req_error(req, ENOTSUP);
+             return;
++        } else if (result == LDAP_REFERRAL) {
++            ldap_memfree(errmsg);
++            tevent_req_error(req, ERR_REFERRAL);
++            return;
+         } else if (result != LDAP_SUCCESS && result != LDAP_NO_SUCH_OBJECT) {
+             DEBUG(SSSDBG_OP_FAILURE,
+                   ("Unexpected result from ldap: %s(%d), %s\n",
+@@ -1565,13 +1569,21 @@ static void sdap_get_generic_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
++    struct sdap_get_generic_state *state =
++                tevent_req_data(req, struct sdap_get_generic_state);
+     int ret;
+ 
+     ret = sdap_get_generic_ext_recv(subreq);
+     talloc_zfree(subreq);
+-    if (ret) {
+-        DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
+-                  ret, sss_strerror(ret)));
++    if (ret == ERR_REFERRAL) {
++        if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) {
++            tevent_req_error(req, ret);
++            return;
++        }
++    } else if (ret) {
++        DEBUG(SSSDBG_CONF_SETTINGS,
++              ("sdap_get_generic_ext_recv failed [%d]: %s\n",
++                ret, sss_strerror(ret)));
+         tevent_req_error(req, ret);
+         return;
+     }
+diff --git a/src/util/util_errors.c b/src/util/util_errors.c
+index c9b507557da07555c719bb0dd18145e6799a53eb..eb7b1aec7b388e2509471cce8322cf38f9388151 100644
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -53,6 +53,7 @@ struct err_string error_to_str[] = {
+     { "Missing configuration file" }, /* ERR_MISSING_CONF */
+     { "Malformed search filter" }, /* ERR_INVALID_FILTER, */
+     { "No POSIX attributes detected" }, /* ERR_NO_POSIX */
++    { "LDAP search returned a referral" }, /* ERR_REFERRAL */
+ };
+ 
+ 
+diff --git a/src/util/util_errors.h b/src/util/util_errors.h
+index 3dd94af1f304d65e22515c859c6f69a021fa7e92..2858311dec90ae0ea57dbcd7b6de4beb9fb19c50 100644
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -75,6 +75,8 @@ enum sssd_errors {
+     ERR_MISSING_CONF,
+     ERR_INVALID_FILTER,
+     ERR_NO_POSIX,
++    ERR_NO_SYSBUS,
++    ERR_REFERRAL,
+     ERR_LAST            /* ALWAYS LAST */
+ };
+ 
+-- 
+1.9.3
+
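Review bot: The util_errors.h hunk adds two enumerators, `ERR_NO_SYSBUS` and `ERR_REFERRAL`, but the util_errors.c hunk adds only one string, so if `error_to_str[]` is indexed by enumerator position (as the `/* ERR_... */` trailers suggest) every entry from `ERR_NO_SYSBUS` onward is shifted by one: `ERR_NO_SYSBUS` would print the referral text and `sss_strerror(ERR_REFERRAL)` would read the slot after it. Either drop `ERR_NO_SYSBUS` from this backport, or insert a matching `{ "<placeholder description>" }, /* ERR_NO_SYSBUS */` entry directly before the referral string so the two tables stay aligned; the mismatch cannot be confirmed without the rest of the table, so worth checking against the surrounding entries. Separately, in sdap_get_generic_done the referral-disabled path now falls through with no log line at all while every other outcome is logged; a `DEBUG(SSSDBG_TRACE_FUNC, ("Ignoring LDAP referral\n"));` before continuing would make a dropped referral visible when debugging. sdap_get_generic_done's body continues past the hunk.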
diff --git a/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch b/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch
new file mode 100644
index 0000000..c2da9d5
--- /dev/null
+++ b/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch
@@ -0,0 +1,76 @@
+From 5b5cb000d63c3edad40ebb420776df2a18950fcb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 10 Sep 2014 11:55:24 +0200
+Subject: [PATCH 129/130] Ignore referrals in deref and ASQ, too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/providers/ldap/sdap_async.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
+index 7db01d979ee81a3707126a4c3eb1f36006e8b392..b06d94bfd9d1a60f587de5c807389c74f908af5e 100644
+--- a/src/providers/ldap/sdap_async.c
++++ b/src/providers/ldap/sdap_async.c
+@@ -1622,6 +1622,7 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh,
+ struct sdap_x_deref_search_state {
+     struct sdap_handle *sh;
+     struct sdap_op *op;
++    struct sdap_options *opts;
+     struct sdap_attr_map_info *maps;
+     LDAPControl **ctrls;
+ 
+@@ -1647,6 +1648,7 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+     state->sh = sh;
+     state->maps = maps;
+     state->op = NULL;
++    state->opts = opts;
+     state->num_maps = num_maps;
+     state->ctrls = talloc_zero_array(state, LDAPControl *, 2);
+     if (state->ctrls == NULL) {
+@@ -1797,11 +1799,18 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
++    struct sdap_x_deref_search_state *state = tevent_req_data(req,
++                                            struct sdap_x_deref_search_state);
+     int ret;
+ 
+     ret = sdap_get_generic_ext_recv(subreq);
+     talloc_zfree(subreq);
+-    if (ret) {
++    if (ret == ERR_REFERRAL) {
++        if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) {
++            tevent_req_error(req, ret);
++            return;
++        }
++    } else if (ret) {
+         DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
+                   ret, sss_strerror(ret)));
+         tevent_req_error(req, ret);
+@@ -2056,11 +2065,18 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
++    struct sdap_asq_search_state *state =
++                tevent_req_data(req, struct sdap_asq_search_state);
+     int ret;
+ 
+     ret = sdap_get_generic_ext_recv(subreq);
+     talloc_zfree(subreq);
+-    if (ret) {
++    if (ret == ERR_REFERRAL) {
++        if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) {
++            tevent_req_error(req, ret);
++            return;
++        }
++    } else if (ret) {
+         DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
+                   ret, sss_strerror(ret)));
+         tevent_req_error(req, ret);
+-- 
+1.9.3
+
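Review bot: The referral check added to sdap_x_deref_search_done and sdap_asq_search_done duplicates, line for line, the block sdap_get_generic_done already carries, and all three proceed silently when referrals are disabled, so a dropped referral leaves no trace in the logs. A small static helper that decides whether the result may be ignored and logs once would keep the three call sites consistent and reduce each to a single condition; the sketch below shows the helper and one call site, with the same substitution applying to the other two. The `state->opts = opts;` line in sdap_x_deref_search_send presumes `opts` is already a parameter there, and the ASQ path presumes `sdap_asq_search_state` already has an `opts` member; neither is visible in the hunk, so worth confirming. Both `_done` functions continue past their hunks.

```c
/* True when ret is a referral result that may be ignored because
 * referral chasing is disabled; the caller then proceeds as on success. */
static bool sdap_referral_ignored(errno_t ret, struct sdap_options *opts)
{
    if (ret != ERR_REFERRAL) {
        return false;
    }
    if (dp_opt_get_bool(opts->basic, SDAP_REFERRALS)) {
        return false;
    }
    DEBUG(SSSDBG_TRACE_FUNC, ("Ignoring LDAP referral\n"));
    return true;
}

static void sdap_x_deref_search_done(struct tevent_req *subreq)
{
    /* … unchanged: req/state lookup … */
    ret = sdap_get_generic_ext_recv(subreq);
    talloc_zfree(subreq);
    if (ret && !sdap_referral_ignored(ret, state->opts)) {
        DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
                  ret, sss_strerror(ret)));
        tevent_req_error(req, ret);
        return;
    }
    /* … unchanged: rest of the function … */
```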
diff --git a/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch b/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch
new file mode 100644
index 0000000..b42b8e4
--- /dev/null
+++ b/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch
@@ -0,0 +1,52 @@
+From 756a944b898e55a83c212999b31ba6550af4b1ce Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 9 Sep 2014 22:13:52 +0200
+Subject: [PATCH 130/130] IPA: Use GC for group lookups in server mode
+
+https://fedorahosted.org/sssd/ticket/2412
+
+Even though AD trusts often work with POSIX attributes which are
+normally not replicated to GC, our group lookups are smart since commit
+008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
+the LDAP connection and only use the GC connection to look up the members.
+
+Reviewed-by: Pavel Reichl <preichl@redhat.com>
+(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 5517602a6e9c7d56406e42aa3afbd2527e2df7ea..9a90bc2d68561ce518bd31d74ec010c697036352 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
+     }
+     sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
+ 
+-    /* Currently only LDAP port for AD is used because POSIX
+-     * attributes are not replicated to GC by default
++    /* We read users and groups from GC. From groups, we may switch to
++     * using LDAP connection in the group request itself, but in order
++     * to resolve Universal group memberships, we also need the GC
++     * connection
+      */
+-
+-    if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
++    switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
++    case BE_REQ_INITGROUPS:
++    case BE_REQ_GROUP:
+         clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
+         if (clist == NULL) {
+             ret = ENOMEM;
+             goto fail;
+         }
+-    } else {
++        break;
++    default:
+         clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
+         if (clist == NULL) {
+             ret = ENOMEM;
+-- 
+1.9.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index b268d74..82408f1 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -8,7 +8,7 @@
 
 Name: sssd
 Version: 1.11.2
-Release: 68%{?dist}.5
+Release: 68%{?dist}.6
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -143,6 +143,10 @@ Patch0123: 0123-AD-Provider-bug-fix-uninitialized-variable.patch
 Patch0124: 0124-AD-Provider-bugfix-use-after-free.patch
 Patch0125: 0125-ipa-subdomains-provider-make-sure-search-by-SID-work.patch
 Patch0126: 0126-tests-Remove-tests-that-check-creating-public-direct.patch
+Patch0127: 0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
+Patch0128: 0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch
+Patch0129: 0129-Ignore-referrals-in-deref-and-ASQ-too.patch
+Patch0130: 0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch
 
 
 ### Dependencies ###
@@ -826,6 +830,10 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 
 %changelog
+* Tue Oct 14 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.2-68.6
+- Resolves: rhbz#1152200 - Error processing universal groups with
+                           cross-domain membership in SSSD server mode
+
 * Wed May 21 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.2-68.5
 - Rebuild for a proper dist tag, yet again, now using the correct build
   options