diff --git a/SOURCES/0187-RESPONDERS-Fix-terminating-idle-connections.patch b/SOURCES/0187-RESPONDERS-Fix-terminating-idle-connections.patch
new file mode 100644
index 0000000..724b886
--- /dev/null
+++ b/SOURCES/0187-RESPONDERS-Fix-terminating-idle-connections.patch
@@ -0,0 +1,84 @@
+From d6c7d35fdb4d416360a855a37b8c2164f053b470 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 11 Jul 2017 18:26:01 +0200
+Subject: [PATCH 187/190] RESPONDERS: Fix terminating idle connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The client_idle_handler() function tried to schedule another tevent
+timer to check for idle client connections in case the current
+connection was still valid, but in doing so, it also stored the current
+time into the last_request_time field of the client context.
+
+This kept the connection always alive, because the last_request_time
+could then never be older than the timeout.
+
+This patch changes the setup_client_idle_timer() function to only do
+what the synopsis says and set the idle timer. The caller (usually the
+function that accepts the connection) is supposed to store the request
+time itself.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3448
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+ src/responder/common/responder_common.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
+index 9d4889be652c6d6fb974b59001a9ac77b496e9ab..9d706f9799ef1b31122d8380fbf9c53ba0cc9e68 100644
+--- a/src/responder/common/responder_common.c
++++ b/src/responder/common/responder_common.c
+@@ -607,7 +607,15 @@ static void accept_fd_handler(struct tevent_context *ev,
+ cctx->ev = ev;
+ cctx->rctx = rctx;
+
+- /* Set up the idle timer */
++ /* Record the new time and set up the idle timer */
++ ret = reset_client_idle_timer(cctx);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_MINOR_FAILURE,
++ "Could not create idle timer for client. "
++ "This connection may not auto-terminate\n");
++ /* Non-fatal, continue */
++ }
++
+ ret = setup_client_idle_timer(cctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+@@ -634,7 +642,7 @@ static void client_idle_handler(struct tevent_context *ev,
+ if (cctx->last_request_time > now) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Time shift detected, re-scheduling the client timeout\n");
+- goto end;
++ goto done;
+ }
+
+ if ((now - cctx->last_request_time) > cctx->rctx->client_idle_timeout) {
+@@ -648,7 +656,7 @@ static void client_idle_handler(struct tevent_context *ev,
+ return;
+ }
+
+-end:
++done:
+ setup_client_idle_timer(cctx);
+ }
+
+@@ -661,11 +669,9 @@ errno_t reset_client_idle_timer(struct cli_ctx *cctx)
+
+ static errno_t setup_client_idle_timer(struct cli_ctx *cctx)
+ {
+- time_t now = time(NULL);
+ struct timeval tv =
+ tevent_timeval_current_ofs(cctx->rctx->client_idle_timeout/2, 0);
+
+- cctx->last_request_time = now;
+ talloc_zfree(cctx->idle);
+
+ cctx->idle = tevent_add_timer(cctx->ev, cctx, tv, client_idle_handler, cctx);
+--
+2.9.4
+
diff --git a/SOURCES/0188-TESTS-Integration-test-for-idle-timeout.patch b/SOURCES/0188-TESTS-Integration-test-for-idle-timeout.patch
new file mode 100644
index 0000000..c587a0f
--- /dev/null
+++ b/SOURCES/0188-TESTS-Integration-test-for-idle-timeout.patch
@@ -0,0 +1,135 @@
+From fd008eddbf069014d8f17944d018ad3d85d5679f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 19 Jul 2017 14:22:17 +0200
+Subject: [PATCH 188/190] TESTS: Integration test for idle timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The secrets responder test was chosen even though the bug was in the generic
+responder code b/c it runs a single responder process, so it's trivial to
+read the PID of the responder under test.
+
+Changes subprocess.call() for os.execv() so that the setup function can
+return the secret responder PID right away.
+
+The client timeout in the test has to be at least 10 seconds because
+internally, the responders don't allow a shorter timeout.
+
+Regression test for https://pagure.io/SSSD/sssd/issue/3448
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+ src/tests/intg/test_secrets.py | 75 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 62 insertions(+), 13 deletions(-)
+
+diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
+index 202f43e61cb0e4986394ad2b32da5abdcb0be3e9..1be31318b194de1550bc84af16260bf1503567dc 100644
+--- a/src/tests/intg/test_secrets.py
++++ b/src/tests/intg/test_secrets.py
+@@ -55,9 +55,9 @@ def create_sssd_secrets_fixture(request):
+ assert secpid >= 0
+
+ if secpid == 0:
+- if subprocess.call([resp_path, "--uid=0", "--gid=0"]) != 0:
+- print("sssd_secrets failed to start")
+- sys.exit(99)
++ os.execv(resp_path, ("--uid=0", "--gid=0"))
++ print("sssd_secrets failed to start")
++ sys.exit(99)
+ else:
+ sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket")
+ sck = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+@@ -83,13 +83,8 @@ def create_sssd_secrets_fixture(request):
+ return secpid
+
+
+-@pytest.fixture
+-def setup_for_secrets(request):
+- """
+- Just set up the local provider for tests and enable the secrets
+- responder
+- """
+- conf = unindent("""\
++def generate_sec_config():
++ return unindent("""\
+ [sssd]
+ domains = local
+ services = nss
+@@ -100,11 +95,19 @@ def setup_for_secrets(request):
+ [secrets]
+ max_secrets = 10
+ max_payload_size = 2
+- """).format(**locals())
++ """)
++
++
++@pytest.fixture
++def setup_for_secrets(request):
++ """
++ Just set up the local provider for tests and enable the secrets
++ responder
++ """
++ conf = generate_sec_config()
+
+ create_conf_fixture(request, conf)
+- create_sssd_secrets_fixture(request)
+- return None
++ return create_sssd_secrets_fixture(request)
+
+
+ def get_secrets_socket():
+@@ -386,3 +389,49 @@ def test_containers(setup_for_secrets, secrets_cli):
+ with pytest.raises(HTTPError) as err406:
+ cli.create_container(container)
+ assert str(err406.value).startswith("406")
++
++
++def get_num_fds(pid):
++ procpath = os.path.join("/proc/", str(pid), "fd")
++ return len([fdname for fdname in os.listdir(procpath)])
++
++
++@pytest.fixture
++def setup_for_cli_timeout_test(request):
++ """
++ Same as the generic setup, except a short client_idle_timeout so that
++ the test_idle_timeout() test closes the fd towards the client.
++ """
++ conf = generate_sec_config() + \
++ unindent("""
++ client_idle_timeout = 10
++ """).format()
++
++ create_conf_fixture(request, conf)
++ return create_sssd_secrets_fixture(request)
++
++
++def test_idle_timeout(setup_for_cli_timeout_test):
++ """
++ Test that idle file descriptors are reaped after the idle timeout
++ passes
++ """
++ secpid = setup_for_cli_timeout_test
++ sock_path = get_secrets_socket()
++
++ nfds_pre = get_num_fds(secpid)
++
++ sock = socket.socket(family=socket.AF_UNIX)
++ sock.connect(sock_path)
++ time.sleep(1)
++ nfds_conn = get_num_fds(secpid)
++ assert nfds_pre + 1 == nfds_conn
++ # With the idle timeout set to 10 seconds, we need to sleep at least 15,
++ # because the internal timer ticks every timeout/2 seconds, so it would
++ # tick at 5, 10 and 15 seconds and the client timeout check uses a
++ # greater-than comparison, so the 10-seconds tick wouldn't yet trigger
++ # disconnect
++ time.sleep(15)
++
++ nfds_post = get_num_fds(secpid)
++ assert nfds_pre == nfds_post
+--
+2.9.4
+
diff --git a/SOURCES/0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch b/SOURCES/0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch
new file mode 100644
index 0000000..e353c96
--- /dev/null
+++ b/SOURCES/0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch
@@ -0,0 +1,36 @@
+From 0442102b2e5c6f1bc331ca2078baff8a7b4a50cb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 20 Jul 2017 10:10:58 +0200
+Subject: [PATCH 189/190] MAN: Document that client_idle_timeout can't be
+ shorter than 10 seconds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To ensure the client timeout is not too low and clients do not reconnect
+too often, the client_idle_timeout is forced to be 10 seconds minimum.
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+ src/man/sssd.conf.5.xml | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index a35f2807eac8bb89d6cb1dd0a48f738d71a7578f..89729575c724622af817f1c05a94d4ae8f1ece2d 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -621,7 +621,9 @@
+ a client of an SSSD process can hold onto a file
+ descriptor without communicating on it. This value
+ is limited in order to avoid resource exhaustion
+- on the system.
++ on the system. The timeout can't be shorter than
++ 10 seconds. If a lower value is configured, it
++ will be adjusted to 10 seconds.
+ </para>
+ <para>
+ Default: 60
+--
+2.9.4
+
diff --git a/SOURCES/0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch b/SOURCES/0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch
new file mode 100644
index 0000000..c652a4d
--- /dev/null
+++ b/SOURCES/0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch
@@ -0,0 +1,38 @@
+From 55e8b436443cfae1c3b2155be7325d53760f7271 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 20 Jul 2017 20:01:14 +0200
+Subject: [PATCH 190/190] ad_account_can_shortcut: shortcut if ID is unknown
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If sss_idmap_unix_to_sid() returns an error we can assume that the given
+POSIX ID is not from the current domain and can be skipped. This is e.g.
+the case in the IPA provider if a POSIX ID used in the IPA domain is
+checked in a trusted id-mapped AD domain before the IPA domain is
+checked.
+
+Resolves https://pagure.io/SSSD/sssd/issue/3452
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/providers/ad/ad_id.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
+index d1f6c444f5ddbcbbac6ff7f41fb6c8bf9ca976cb..e14ada386f16851a65097952c85e57b7acda14aa 100644
+--- a/src/providers/ad/ad_id.c
++++ b/src/providers/ad/ad_id.c
+@@ -86,6 +86,8 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
+ "[%s]\n", filter_value, idmap_error_string(err));
++ /* assume id is from a different domain */
++ shortcut = true;
+ goto done;
+ }
+ /* fall through */
+--
+2.9.4
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 533bdf8..8dfde90 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -40,7 +40,7 @@
Name: sssd
Version: 1.15.2
-Release: 50%{?dist}
+Release: 50%{?dist}.2
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -235,6 +235,10 @@ Patch0183: 0183-RESPONDER-Use-fqnames-as-output-when-needed.patch
Patch0184: 0184-DOMAIN-Add-sss_domain_info_-get-set-_output_fqnames.patch
Patch0185: 0185-GPO-Fix-typo-in-DEBUG-message.patch
Patch0186: 0186-SDAP-Update-parent-sdap_list.patch
+Patch0187: 0187-RESPONDERS-Fix-terminating-idle-connections.patch
+Patch0188: 0188-TESTS-Integration-test-for-idle-timeout.patch
+Patch0189: 0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch
+Patch0190: 0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch
#This patch should not be removed in RHEL-7
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1371,6 +1375,14 @@ fi
}
%changelog
+* Sun Aug 6 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.15.2-50.2
+- Resolves: rhbz#1478252 - Querying the AD domain for external domain's
+ ID can mark the AD domain offline [rhel-7.4.z]
+
+* Sun Aug 6 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.15.2-50.1
+- Resolves: rhbz#1478250 - Idle nss file descriptors should be closed
+ [rhel-7.4.z]
+
* Wed Jun 21 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.15.2-50
- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly
connected to AD child domain