diff --git a/SOURCES/0104-nss-idmap-do-not-set-a-limit.patch b/SOURCES/0104-nss-idmap-do-not-set-a-limit.patch
new file mode 100644
index 0000000..894d05e
--- /dev/null
+++ b/SOURCES/0104-nss-idmap-do-not-set-a-limit.patch
@@ -0,0 +1,37 @@
+From 814108dc02a4de5d0333e9c2713f809fc3d2da47 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 18 Apr 2018 10:20:06 +0200
+Subject: [PATCH] nss-idmap: do not set a limit
+
+If the limit is set the needed size to return all groups cannot be
+returned.
+
+Related to https://pagure.io/SSSD/sssd/issue/3715
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85)
+
+DOWNSTREAM:
+Resolves: rhbz#1570527 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash [rhel-7.5.z]
+---
+ src/sss_client/idmap/sss_nss_ex.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
+index af6a95180656b598bcb94c209dfa821cb0275f02..f56bffcc24a7e2503e23a892541a9242ed4b5069 100644
+--- a/src/sss_client/idmap/sss_nss_ex.c
++++ b/src/sss_client/idmap/sss_nss_ex.c
+@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp)
+                                          inp->result.initgrrep.start,
+                                          inp->result.initgrrep.ngroups,
+                                          &(inp->result.initgrrep.groups),
+-                                         *(inp->result.initgrrep.ngroups));
++                                         /* no limit so that needed size can
++                                          * be returned properly */
++                                         -1);
+         break;
+     default:
+         return EINVAL;
+-- 
+2.14.3
+
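Review bot: The new comment on the `-1` argument in `sss_nss_mc_get()` says what the caller wants but not the contract it relies on. The callee is presumably expected to treat a non-positive limit as "unlimited", and because `&(inp->result.initgrrep.groups)` is passed by address it may then reallocate the array. That second part matters for memory safety: any caller that kept the original buffer address must stop using it after the call. Suggest extending the comment to `/* -1 = no limit, so the needed size is reported; groups may be reallocated */`. The enclosing `switch` starts outside the hunk.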
diff --git a/SOURCES/0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch b/SOURCES/0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
new file mode 100644
index 0000000..5e524cd
--- /dev/null
+++ b/SOURCES/0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
@@ -0,0 +1,69 @@
+From c3e0098383fb199d678df54bfd129123a8184e70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 18 Apr 2018 10:23:22 +0200
+Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex()
+
+If the initial array is too small it will be reallocated during
+sss_get_ex() and the pointer might change and the initial memory area
+should not be used anymore.
+
+Related to https://pagure.io/SSSD/sssd/issue/3715
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b)
+---
+ src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
+index f56bffcc24a7e2503e23a892541a9242ed4b5069..5bcfe8850b5355d6cbe0efc5e52fe076737f2a08 100644
+--- a/src/sss_client/idmap/sss_nss_ex.c
++++ b/src/sss_client/idmap/sss_nss_ex.c
+@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
+                                  uint32_t flags, unsigned int timeout)
+ {
+     int ret;
+-    gid_t *new_groups;
+     long int new_ngroups;
+     long int start = 1;
+     struct nss_input inp = {
+@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
+     }
+ 
+     new_ngroups = MAX(1, *ngroups);
+-    new_groups = malloc(new_ngroups * sizeof(gid_t));
+-    if (new_groups == NULL) {
++    inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t));
++    if (inp.result.initgrrep.groups == NULL) {
+         free(discard_const(inp.rd.data));
+         return ENOMEM;
+     }
+-    new_groups[0] = group;
++    inp.result.initgrrep.groups[0] = group;
+ 
+-    inp.result.initgrrep.groups = new_groups,
+     inp.result.initgrrep.ngroups = &new_ngroups;
+     inp.result.initgrrep.start = &start;
+ 
+-
++    /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and
++     * inp.result.initgrrep.start might be modified by sss_get_ex() */
+     ret = sss_get_ex(&inp, flags, timeout);
+     free(discard_const(inp.rd.data));
+     if (ret != 0) {
+-        free(new_groups);
++        free(inp.result.initgrrep.groups);
+         return ret;
+     }
+ 
+-    memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
+-    free(new_groups);
++    memcpy(groups, inp.result.initgrrep.groups,
++           MIN(*ngroups, start) * sizeof(gid_t));
++    free(inp.result.initgrrep.groups);
+ 
+     if (start > *ngroups) {
+         ret = ERANGE;
+-- 
+2.14.3
+
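Review bot: In `sss_nss_getgrouplist_timeout()` the copy length `MIN(*ngroups, start) * sizeof(gid_t)` goes negative if the caller passes a negative `*ngroups`, and the conversion to `size_t` then makes `memcpy()` write far past `groups`. `MAX(1, *ngroups)` covers that case for the allocation but not for the copy. The argument validation sits above the hunk and only its closing brace is visible, so please confirm it rejects `*ngroups <= 0`. If it does not, extend that check (before `inp.rd.data` is allocated, so nothing leaks) with `*ngroups <= 0` returning `EINVAL`.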
diff --git a/SOURCES/0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch b/SOURCES/0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
new file mode 100644
index 0000000..2611011
--- /dev/null
+++ b/SOURCES/0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
@@ -0,0 +1,119 @@
+From f9859498b52d89bf60dbddd898752f859f4952d3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 15 Mar 2018 12:50:20 +0100
+Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index
+
+Netgroups are not looked up with the help of a single request but by
+calling setnetgrent(), getnetgrent() and endnetgrent() where
+getnetgrent() might be called multiple times depending on the number of
+netgroup elements. Since the caller does not provide a state the state
+has to be maintained by the SSSD nss responder. Besides the netgroup
+name this is mainly the number of elements already returned.
+
+This number is used to select the next element to return and currently
+it is assumed that there are not changes to the netgroup while the
+client is requesting the individual elements. But if e.g. the 3 nss
+calls are not used correctly or the netgroup is modified while the
+client is sending getnetgrent() calls the stored number might be out of
+range. To be on the safe side the stored number should be always
+compared with the current number of netgroup elements.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda)
+
+DOWNSTREAM:
+Resolves: rhbz#1579703 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000] [rhel-7.5.z]
+---
+ src/db/sysdb.h                         | 3 ++-
+ src/db/sysdb_search.c                  | 5 ++++-
+ src/responder/nss/nss_enum.c           | 3 ++-
+ src/responder/nss/nss_private.h        | 1 +
+ src/responder/nss/nss_protocol_netgr.c | 7 +++++++
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index fd18ecefed2b2c5f35060fa47fd160a8968e073b..2660314a75a574d7f5625c8672e5261587056d1a 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx,
+ 
+ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+                                struct ldb_result *res,
+-                               struct sysdb_netgroup_ctx ***entries);
++                               struct sysdb_netgroup_ctx ***entries,
++                               size_t *netgroup_count);
+ 
+ errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input,
+                           char **sanitized);
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index a6a81e23d257331614085403b4dca8ded860600b..9f37cbcd50a778145518c15b6146ad812a5b4fa3 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -1829,7 +1829,8 @@ done:
+ 
+ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+                                struct ldb_result *res,
+-                               struct sysdb_netgroup_ctx ***entries)
++                               struct sysdb_netgroup_ctx ***entries,
++                               size_t *netgroup_count)
+ {
+     errno_t ret;
+     size_t size = 0;
+@@ -1933,6 +1934,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+     tmp_entry[c] = NULL;
+ 
+     *entries = talloc_steal(mem_ctx, tmp_entry);
++    *netgroup_count = c;
++
+     ret = EOK;
+ 
+ done:
+diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
+index da844fbced529f606a3e98669fb7b95e0696ce00..b2b22bbae8a373ed3abb47381fabd989d4931690 100644
+--- a/src/responder/nss/nss_enum.c
++++ b/src/responder/nss/nss_enum.c
+@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq)
+             /* We need to expand the netgroup into triples and members. */
+             ret = sysdb_netgr_to_entries(state->enum_ctx,
+                                          result[0]->ldb_result,
+-                                         &state->enum_ctx->netgroup);
++                                         &state->enum_ctx->netgroup,
++                                         &state->enum_ctx->netgroup_count);
+             if (ret != EOK) {
+                 goto done;
+             }
+diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
+index 5fc19d26be9adda4d967086e7b239e49a78866ee..aa8d8e9cde0d73e72d3aa4c186f104d6baae411f 100644
+--- a/src/responder/nss/nss_private.h
++++ b/src/responder/nss/nss_private.h
+@@ -41,6 +41,7 @@ struct nss_enum_index {
+ struct nss_enum_ctx {
+     struct cache_req_result **result;
+     struct sysdb_netgroup_ctx **netgroup;
++    size_t netgroup_count;
+ 
+     /* Ongoing cache request that is constructing enumeration result. */
+     struct tevent_req *ongoing;
+diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c
+index ed04fd25821031554e20e14afebaca9b828a748b..9f27c6b78d47f188dea99600a634a18be2512bfb 100644
+--- a/src/responder/nss/nss_protocol_netgr.c
++++ b/src/responder/nss/nss_protocol_netgr.c
+@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
+     idx = cmd_ctx->enum_index;
+     entries = cmd_ctx->enum_ctx->netgroup;
+ 
++    if (idx->result > cmd_ctx->enum_ctx->netgroup_count) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Unconsistent state while processing netgroups.\n");
++        ret = EINVAL;
++        goto done;
++    }
++
+     /* First two fields (length and reserved), filled up later. */
+     ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
+     if (ret != EOK) {
+-- 
+2.17.0
+
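Review bot: The new guard in `nss_protocol_fill_netgrent()` compares with `>`, so `idx->result == netgroup_count` is let through. That is only safe because `sysdb_netgr_to_entries()` sets `*netgroup_count = c` right after writing `tmp_entry[c] = NULL`, so the count excludes the terminator. The loop that walks `entries` is outside the hunk, and I am assuming it stops on the NULL slot. Please record the boundary at the check, e.g. `/* == is allowed: entries[netgroup_count] is the NULL terminator */`. Printing `idx->result` and `netgroup_count` in the DEBUG message would also let a stale index be diagnosed from the log.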
diff --git a/SOURCES/0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch b/SOURCES/0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
new file mode 100644
index 0000000..3ae5b68
--- /dev/null
+++ b/SOURCES/0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
@@ -0,0 +1,36 @@
+From 1e2f20f89b1b699e569dfecb7cba98ec8f6fc936 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 15 Mar 2018 12:43:34 +0100
+Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent()
+
+setnetgrent() is the first call when looking up a netgroup and sets the
+netgroup name for upcoming getnetgrent() and endnetgrent() calls.
+Currently the state is reset by calling endnetgrent() but it would be
+more robust to unconditionally reset the state in setnetgrent() as well
+in case calling endnetgrent() was forgotten.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 37a84285aeb497ed4909d16916bbf934af3f68b3)
+---
+ src/responder/nss/nss_cmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
+index 956ee53cb88dd24faaa95ac39c8d9540af66cfb2..9f8479b7b350823ee81b5af15199e0dda9acda8b 100644
+--- a/src/responder/nss/nss_cmd.c
++++ b/src/responder/nss/nss_cmd.c
+@@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+         goto done;
+     }
+ 
++    state_ctx->netgrent.domain = 0;
++    state_ctx->netgrent.result = 0;
++
+     talloc_zfree(state_ctx->netgroup);
+     state_ctx->netgroup = talloc_strdup(state_ctx, netgroup);
+     if (state_ctx->netgroup == NULL) {
+-- 
+2.17.0
+
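Review bot: The two assignments added to `nss_setnetgrent()` carry no comment, and the reason for them exists only in the commit message. Since the stored index is later used to pick the next netgroup element, a reader should be able to see at this spot that the reset is deliberate and unconditional. Suggest `/* Reset the position unconditionally; the client may not have called endnetgrent() */` above them. The function body starts and ends outside the hunk.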
diff --git a/SOURCES/0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch b/SOURCES/0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
new file mode 100644
index 0000000..89c55c3
--- /dev/null
+++ b/SOURCES/0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
@@ -0,0 +1,52 @@
+From d92cb9cb3860d7ff1b3ab64b459edf6051f69291 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 4 May 2018 17:00:55 +0200
+Subject: [PATCH] NSS: nss_clear_netgroup_hash_table() do not free data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS
+request, which is e.g. used during 'sss_cache -E', to remove netgroup
+data cached in the memory of the NSS responder.
+
+Currently nss_clear_netgroup_hash_table() calls
+'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only
+removes all entries in the 'netgerent' hash table but frees them as
+well.
+
+The second step is not needed because nss_setnetgrent_set_timeout()
+takes care that the data is freed after a timeout. Additionally freeing
+the data in nss_clear_netgroup_hash_table() can even do harm when the
+request is received by the NSS responder while waiting for the backend
+to acquire the netgroup data. Because if the backend is done the NSS
+responder tries do use enum_ctx which might have been freed in the
+meantime.
+
+Because of this nss_clear_netgroup_hash_table() should only remove the
+data from the hash table but not free it.
+
+Related to https://pagure.io/SSSD/sssd/issue/3731
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit b13cc2d1413a0d5bbe36e06e5ffd87dbf5c0cb9f)
+---
+ src/responder/nss/nsssrv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
+index 11d19fd30c86283d537623db12e52caa6cc4dcd3..123a2d73ce93a025c789524fa90b41d9a0afb58b 100644
+--- a/src/responder/nss/nsssrv.c
++++ b/src/responder/nss/nsssrv.c
+@@ -142,7 +142,7 @@ static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *da
+ 
+     DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n");
+ 
+-    sss_ptr_hash_delete_all(nss_ctx->netgrent, true);
++    sss_ptr_hash_delete_all(nss_ctx->netgrent, false);
+ 
+     return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
+ }
+-- 
+2.17.0
+
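Review bot: The bare `false` passed to `sss_ptr_hash_delete_all()` now encodes an ownership decision that is invisible at the call site. Entries are unlinked but stay allocated, on the assumption stated in the commit message that `nss_setnetgrent_set_timeout()` frees them later. Any entry that reaches the table without that timer armed would leak after a clearEnumCache request, and I cannot verify from this hunk that every insert path arms it. Please add a comment such as `/* Only unlink; entries are freed by the nss_setnetgrent_set_timeout() timer and may still be used by a pending request */`.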
diff --git a/SOURCES/0109-winbind-idmap-plugin-support-inferface-version-6.patch b/SOURCES/0109-winbind-idmap-plugin-support-inferface-version-6.patch
new file mode 100644
index 0000000..a2b93a0
--- /dev/null
+++ b/SOURCES/0109-winbind-idmap-plugin-support-inferface-version-6.patch
@@ -0,0 +1,236 @@
+From 9ae62c07c579fa9b3f0804c12cc0715f5f2524d4 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 15 May 2018 11:55:35 +0200
+Subject: [PATCH] winbind idmap plugin: support inferface version 6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With Samba 4.7 the interface version of the idmap plugin was updated to
+6. The patch adds support for this new version but can be complied with
+the older version as well.
+
+A configure option is added to select the version, if no version is
+given configure tries to detect the version with the help of an internal
+Samba library libidmap-samba4.so.
+
+To make sure that always the right version is used configure will fail
+if Samba is used (--with-samba, default) and no version can be
+determined.
+
+Resolves https://pagure.io/SSSD/sssd/issue/3741
+
+Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+(cherry picked from commit c6b99b070268c3807833e9f894d9a36304014417)
+
+DOWNSTREAM:
+Resolves: rhbz#1580281 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION [rhel-7.5.z]
+---
+ contrib/ci/configure.sh                       |  9 ++
+ contrib/sssd.spec.in                          | 12 +++
+ src/external/samba.m4                         | 82 +++++++++++++++++++
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.c |  6 ++
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.h |  6 +-
+ 5 files changed, 114 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
+index 9d18d0c187561a2dc3bc47d3e8913626e7ff3046..09da5b4e7b0b4a7859bcf81db987394ac91f4fa2 100644
+--- a/contrib/ci/configure.sh
++++ b/contrib/ci/configure.sh
+@@ -35,6 +35,7 @@ declare -a CONFIGURE_ARG_LIST=(
+ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- ||
+       "$DISTRO_BRANCH" == -redhat-centos-6.*- ]]; then
+     CONFIGURE_ARG_LIST+=(
++        "--with-smb-idmap-interface-version=5"
+         "--disable-cifs-idmap-plugin"
+         "--with-syslog=syslog"
+         "--without-python3-bindings"
+@@ -56,6 +57,14 @@ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- ||
+     )
+ fi
+ 
++# Different versions of Debian might need different versions here but this is
++# sufficient to make the CI work
++if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
++    CONFIGURE_ARG_LIST+=(
++        "--with-smb-idmap-interface-version=5"
++    )
++fi
++
+ declare -r -a CONFIGURE_ARG_LIST
+ 
+ fi # _CONFIGURE_SH
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index d9323bf1a2d84f4219f8ab11886e5ce87b401c15..3ddd054dea8a4b5dd46457acf9aaabed29ab754e 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -127,6 +127,14 @@
+     %global with_gdm_pam_extensions 0
+ %endif
+ 
++# Do not try to detect the idmap version on RHEL6 to avoid conflicts between
++# samba and samba4 package
++%if (0%{?fedora} || 0%{?rhel} >= 7)
++    %global detect_idmap_version 1
++%else
++    %global with_idmap_version --with-smb-idmap-interface-version=5
++%endif
++
+ Name: @PACKAGE_NAME@
+ Version: @PACKAGE_VERSION@
+ Release: 0@PRERELEASE_VERSION@%{?dist}
+@@ -225,6 +233,9 @@ BuildRequires: nfs-utils-lib-devel
+ 
+ BuildRequires: samba4-devel
+ BuildRequires: libsmbclient-devel
++%if (0%{?detect_idmap_version} == 1)
++BuildRequires: samba-winbind
++%endif
+ 
+ %if (0%{?enable_systemtap} == 1)
+ BuildRequires: systemtap-sdt-devel
+@@ -747,6 +758,7 @@ autoreconf -ivf
+     %{?enable_systemtap_opt} \
+     %{?with_secret_responder} \
+     %{?with_kcm_option} \
++    %{?with_idmap_version} \
+     %{?experimental}
+ 
+ make %{?_smp_mflags} all
+diff --git a/src/external/samba.m4 b/src/external/samba.m4
+index 91a583a0d0f514dab40d4f65cc32b17d0368f540..610831bf054e3687eb13025e954acf345fca1a00 100644
+--- a/src/external/samba.m4
++++ b/src/external/samba.m4
+@@ -39,4 +39,86 @@ them. In this case, you will need to execute configure script with argument
+ --without-samba
+         ]])
+     fi
++
++    AC_ARG_WITH([smb-idmap-interface-version],
++                [AC_HELP_STRING([--with-smb-idmap-interface-version=[5|6]],
++                                [Idmap interface version of installed Samba]
++                               )
++                ]
++               )
++
++    if test x"$with_smb_idmap_interface_version" != x; then
++        if test x"$with_smb_idmap_interface_version" = x5 -o x"$with_smb_idmap_interface_version" = x6; then
++            idmap_test_result=$with_smb_idmap_interface_version
++        else
++            AC_MSG_ERROR([Illegal value -$with_smb_idmap_interface_version- for option --with-smb-idmap-interface-version])
++        fi
++    else
++
++        AC_MSG_CHECKING([Samba's idmap plugin interface version])
++        sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba
++        SAVE_CFLAGS=$CFLAGS
++        SAVE_LIBS=$LIBS
++        CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS -I/usr/include/samba-4.0"
++        LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}"
++        AC_RUN_IFELSE(
++            [AC_LANG_SOURCE([
++#include <stdlib.h>
++#include <stdint.h>
++#include <stdbool.h>
++#include <tevent.h>
++#include <core/ntstatus.h>
++
++struct winbindd_domain;
++
++/* overwrite some winbind internal functions */
++struct winbindd_domain *find_domain_from_name(const char *domain_name)
++{
++    return NULL;
++}
++
++bool get_global_winbindd_state_offline(void) {
++    return false;
++}
++
++struct tevent_context *winbind_event_context(void)
++{
++    return NULL;
++}
++
++struct idmap_methods;
++
++NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods);
++
++int main(void)
++{
++    int v;
++    NTSTATUS ret;
++
++    /* Check the versions we know about */
++    for (v = 5; v <= 6; v++) {
++        ret = smb_register_idmap(v, NULL, NULL);
++        if (ret != NT_STATUS_OBJECT_TYPE_MISMATCH) {
++            return v;
++        }
++    }
++
++    return -1;
++}])],
++            [AC_MSG_ERROR([idmap version test program is not expected to return 0])],
++            [idmap_test_result=$?; AC_MSG_RESULT([idmap test result is: $idmap_test_result])]
++        )
++    fi
++
++    CFLAGS=$SAVE_CFLAGS
++    LIBS=$SAVE_LIBS
++
++    if test $idmap_test_result -eq 5 -o $idmap_test_result -eq 6 ; then
++        idmap_version=$idmap_test_result
++    else
++        AC_MSG_ERROR([Cannot determine Samba's idmap interface version, please use --with-smb-idmap-interface-version])
++    fi
++    AC_MSG_NOTICE([Samba's idmap interface version: $idmap_version])
++    AC_DEFINE_UNQUOTED(SMB_IDMAP_INTERFACE_VERSION, $idmap_version,
++                       [Detected version of Samba's idmap plugin interface])
+ fi
+diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
+index 26f753708303f513e265de465e4d888f84e22b6a..ea5e727c3461524c3af84ea35c6ee032a5948ddf 100644
+--- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
++++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
+@@ -190,7 +190,13 @@ static struct idmap_methods sss_methods = {
+     .sids_to_unixids = idmap_sss_sids_to_unixids,
+ };
+ 
++#if SMB_IDMAP_INTERFACE_VERSION == 5
+ NTSTATUS idmap_sss_init(void)
++#elif SMB_IDMAP_INTERFACE_VERSION == 6
++NTSTATUS idmap_sss_init(TALLOC_CTX *ctx)
++#else
++#error Unexpected Samba idmpa inferface version
++#endif
+ {
+     return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods);
+ }
+diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+index 0f27c8561a540b63fb365edb79867eb4eb8d6e21..868049ffff7bd788507bf02d61245ff254aca465 100644
+--- a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
++++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+@@ -32,6 +32,8 @@
+ #include <ndr.h>
+ #include <gen_ndr/security.h>
+ 
++#include "config.h"
++
+ /* The following definitions are taken from the Samba header files
+  * - winbindd/idmap_proto.h
+  * - idmap.d
+@@ -64,7 +66,9 @@ struct id_map {
+     enum id_mapping status;
+ };
+ 
+-#define SMB_IDMAP_INTERFACE_VERSION 5
++#ifndef SMB_IDMAP_INTERFACE_VERSION
++#error Missing Samba idmap interface version
++#endif
+ 
+ struct idmap_domain {
+     const char *name;
+-- 
+2.17.0
+
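Review bot: In `samba.m4` the restore lines `CFLAGS=$SAVE_CFLAGS` and `LIBS=$SAVE_LIBS` run after the closing `fi`, but `SAVE_CFLAGS` and `SAVE_LIBS` are only assigned in the auto-detect `else` branch. When `--with-smb-idmap-interface-version` is given, as the CI script and the non-RHEL7 spec path in this same patch do, configure continues with `CFLAGS` and `LIBS` set to whatever those variables held before. That is empty unless another macro set them, so builder-supplied flags, including hardening flags, would be dropped. Move both restore lines into the `else` branch, directly after the `AC_RUN_IFELSE(...)` call. Separately, `AC_RUN_IFELSE` is given no cross-compiling action, so detection cannot work in a cross build and the option is effectively mandatory there.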
diff --git a/SOURCES/0110-winbind-idmap-plugin-fix-detection.patch b/SOURCES/0110-winbind-idmap-plugin-fix-detection.patch
new file mode 100644
index 0000000..ad6b2e6
--- /dev/null
+++ b/SOURCES/0110-winbind-idmap-plugin-fix-detection.patch
@@ -0,0 +1,49 @@
+From f2a1f317dfa76ec7b5ff7a218b82f92e2de5f30d Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 18 May 2018 21:34:44 +0200
+Subject: [PATCH] winbind idmap plugin: fix detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently when compiling the detection code for the idmap interface
+version only SMBCLIENT_CFLAGS are used. Since libsmbclient does not use
+NTSTATUS the cflags do not contain '-DHAVE_IMMEDIATE_STRUCTURES=1' which
+make NTSTATUS to a struct instead of an integer. Since Samba itself
+might be complied with this define (it typically is) we have to make
+sure we use it as well. Otherwise the test program might crash on
+platforms where this change changes the calling convention as well.
+
+Related to https://pagure.io/SSSD/sssd/issue/3741
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+(cherry picked from commit 095bbe17b25369b967e97162d945cb001a13029e)
+---
+ src/external/samba.m4 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/external/samba.m4 b/src/external/samba.m4
+index 610831bf054e3687eb13025e954acf345fca1a00..794cac2461d7fbd5e690ea105cd346cbe6fcce9a 100644
+--- a/src/external/samba.m4
++++ b/src/external/samba.m4
+@@ -59,7 +59,7 @@ them. In this case, you will need to execute configure script with argument
+         sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba
+         SAVE_CFLAGS=$CFLAGS
+         SAVE_LIBS=$LIBS
+-        CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS -I/usr/include/samba-4.0"
++        CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS -I/usr/include/samba-4.0"
+         LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}"
+         AC_RUN_IFELSE(
+             [AC_LANG_SOURCE([
+@@ -98,7 +98,7 @@ int main(void)
+     /* Check the versions we know about */
+     for (v = 5; v <= 6; v++) {
+         ret = smb_register_idmap(v, NULL, NULL);
+-        if (ret != NT_STATUS_OBJECT_TYPE_MISMATCH) {
++        if (!NT_STATUS_EQUAL(ret, NT_STATUS_OBJECT_TYPE_MISMATCH)) {
+             return v;
+         }
+     }
+-- 
+2.17.0
+
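Review bot: The changed `CFLAGS=` line adds `$NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS` with nothing in the file saying why, so a later cleanup could drop them as unrelated to an smbclient test. Per the commit message they are presumably there to supply `-DHAVE_IMMEDIATE_STRUCTURES=1`, so that `NTSTATUS` in the test program has the same representation as in the Samba build. Suggest a line above it such as `dnl NDR cflags supply -DHAVE_IMMEDIATE_STRUCTURES=1; NTSTATUS must match Samba's build`. This also assumes both variables are populated before this macro runs, which is not visible in the hunk.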
diff --git a/SOURCES/0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch b/SOURCES/0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
new file mode 100644
index 0000000..825aa79
--- /dev/null
+++ b/SOURCES/0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
@@ -0,0 +1,59 @@
+From d2e17974c6bcb3ae2fc8a2cde696d387385c7d61 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 3 Apr 2018 21:48:37 +0200
+Subject: [PATCH] Do not keep allocating external groups on a long-lived
+ context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The hash table with the external groups was never freed, so the
+server_mode->ext_groups context was growing over time.
+
+This patch keeps the new hash on the state if something failed, then
+frees the previous hash and finally steals the new hash onto the server
+mode.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3719
+
+Signed-off-by: Sumit Bose <sbose@redhat.com>
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+(cherry picked from commit 10213efaf1f9f587b47a82778a252d79863f665e)
+
+DOWNSTREAM:
+Resolves: rhbz#1583746 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process [rhel-7.5.z]
+---
+ src/providers/ipa/ipa_subdomains_ext_groups.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
+index 9e1d6c3a9bdeda56b421a2dc9198dff0b84c54ce..63ff7c7d7373a4e6a18fc914eff7ca00d477bca6 100644
+--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
++++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
+@@ -583,14 +583,19 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
+     DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n",
+                               state->reply_count);
+ 
+-    ret = process_ext_groups(state->server_mode->ext_groups,
+-                             state->reply_count, state->reply, &ext_group_hash);
++    ret = process_ext_groups(state,
++                             state->reply_count,
++                             state->reply,
++                             &ext_group_hash);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n");
+         goto fail;
+     }
+ 
+-    state->server_mode->ext_groups->ext_groups = ext_group_hash;
++    talloc_free(state->server_mode->ext_groups->ext_groups);
++    state->server_mode->ext_groups->ext_groups = talloc_steal(
++            state->server_mode->ext_groups,
++            ext_group_hash);
+     /* Do we have to make the update timeout configurable? */
+     state->server_mode->ext_groups->next_update = time(NULL) + 10;
+ 
+-- 
+2.17.0
+
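Review bot: `talloc_free(state->server_mode->ext_groups->ext_groups)` in `ipa_get_ext_groups_done()` releases the previous hash as soon as a refresh completes. Any code that kept the old table pointer, or a value looked up from it, across a tevent callback would then read freed memory. Nothing in the hunk shows such a holder, but nothing rules one out either, and the function body extends beyond the hunk. Please state the invariant next to the free, e.g. `/* Readers must re-fetch ext_groups->ext_groups after each callback; the old table is freed here */`.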
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index f4ef270..197046c 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -38,9 +38,17 @@
     %global with_kcm_option --without-kcm
 %endif
 
+# Do not try to detect the idmap version on RHEL6 to avoid conflicts between
+# samba and samba4 package
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+    %global detect_idmap_version 1
+%else
+    %global with_idmap_version --with-smb-idmap-interface-version=5
+%endif
+
 Name: sssd
 Version: 1.16.0
-Release: 19%{?dist}
+Release: 19%{?dist}.5
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -154,6 +162,14 @@ Patch0100: 0100-MAN-Explain-how-does-auto_private_groups-affect-subd.patch
 Patch0101: 0101-AD-Use-the-right-sdap_domain-for-the-forest-root.patch
 Patch0102: 0102-AD-sdap_get_ad_tokengroups_done-allocate-temporary-d.patch
 Patch0103: 0103-AD-do-not-allocate-temporary-data-on-long-living-con.patch
+Patch0104: 0104-nss-idmap-do-not-set-a-limit.patch
+Patch0105: 0105-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
+Patch0106: 0106-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
+Patch0107: 0107-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
+Patch0108: 0108-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
+Patch0109: 0109-winbind-idmap-plugin-support-inferface-version-6.patch
+Patch0110: 0110-winbind-idmap-plugin-fix-detection.patch
+Patch0111: 0111-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
 
 #This patch should not be removed in RHEL-7
 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -227,6 +243,9 @@ BuildRequires: cifs-utils-devel
 %endif
 BuildRequires: libnfsidmap-devel
 BuildRequires: samba4-devel >= 4.0.0-59beta2
+%if (0%{?detect_idmap_version} == 1)
+BuildRequires: samba-winbind
+%endif
 BuildRequires: libsmbclient-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: jansson-devel
@@ -677,7 +696,8 @@ autoreconf -ivf
     --with-ad-gpo-default=permissive \
     %{?enable_polkit_rules_option} \
     %{?enable_systemtap_opt} \
-    %{?with_kcm_option}
+    %{?with_kcm_option} \
+    %{?with_idmap_version}
 
 make %{?_smp_mflags} all docs
 
@@ -1285,7 +1305,7 @@ if [ $1 -eq 0 ]; then
 fi
 
 %posttrans common
-%systemd_postun_with_restart sssd.service
+systemctl try-restart sssd >/dev/null 2>&1 || :
 # After changing order of sssd-common and *libwbclient,
 # older version of sssd will restart sssd.service in postun scriptlet
 # It failed due to missing alternative to libwbclient. Start it again.
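Review bot: The replacement line in `%posttrans common` discards both output and exit status (`>/dev/null 2>&1 || :`), so a restart that fails after the upgrade leaves no trace in the transaction output. There is also no comment saying why `%systemd_postun_with_restart` was dropped; presumably it is because that macro is intended for `%postun`. A line such as `# %systemd_postun_with_restart is meant for %postun; call systemctl directly here` would keep someone from restoring it.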
@@ -1297,6 +1317,21 @@ fi
 }
 
 %changelog
+* Thu May 31 2018 Fabiano Fidêncio <fidencio@redhat.com> - 1.16.0-19.5
+- Resolves: rhbz#1583746 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process [rhel-7.5.z]
+
+* Mon May 21 2018 Fabiano Fidêncio <fidencio@redhat.com> - 1.16.0-19.4
+- Resolves: rhbz#1580281 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION [rhel-7.5.z]
+
+* Fri May 18 2018 Fabiano Fidêncio <fidencio@redhat.com> - 1.16.0-19.3
+- Resolves: rhbz#1579780 - After updating to RHEL 7.5 failing to clear the sssd cache [rhel-7.5.z]
+
+* Fri May 18 2018 Fabiano Fidêncio <fidencio@redhat.com> - 1.16.0-19.2
+- Resolves: rhbz#1579703 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000] [rhel-7.5.z]
+
+* Mon Apr 23 2018 Fabiano Fidêncio <fidencio@redhat.com> - 1.16.0-19.1
+- Resolves: rhbz#1570527 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash [rhel-7.5.z]
+
 * Wed Feb 21 2018 Fabiano Fidêncio <fidencio@redhat.com> - 1.16.0-19
 - Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket