diff --git a/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch b/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
new file mode 100644
index 0000000..ca3d905
--- /dev/null
+++ b/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
@@ -0,0 +1,40 @@
+From cd48ef5071741443e3b84e100a4d4d28e3578e4f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 25 Jan 2021 15:14:05 +0200
+Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When IPA allows to add AD users and groups directly to sudo rules
+(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
+Thus, we don't need to add additional '%'.
+
+Resolves: https://github.com/SSSD/sssd/issues/5475
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ipa/ipa_sudo_conversion.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
+index cfb41d8b0..1bfee096d 100644
+--- a/src/providers/ipa/ipa_sudo_conversion.c
++++ b/src/providers/ipa/ipa_sudo_conversion.c
+@@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
+                           const char *value,
+                           bool *skip_entry)
+ {
++    if (value == NULL)
++        return NULL;
++
++    if (value[0] == '%')
++        return talloc_strdup(mem_ctx, value);
++
+     return talloc_asprintf(mem_ctx, "%%%s", value);
+ }
+ 
+-- 
+2.21.3
+
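Review bot: In convert_runasextusergroup() the new `value == NULL` branch returns NULL, which is also what talloc_strdup() and talloc_asprintf() return on allocation failure, so a caller cannot tell a missing value from out-of-memory. The caller is outside this hunk, so how it treats NULL should be confirmed. Any value whose first byte is '%' is now passed through verbatim, including a bare `%`, and because the string feeds a sudo runas rule the assumption deserves a comment, e.g. `/* FreeIPA >= 4.9.1 stores external groups already prefixed with '%'; do not add a second one. */`. The two new single-statement `if`s are unbraced; writing them as `if (value == NULL) { return NULL; }` keeps a later edit from silently falling outside the condition.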
diff --git a/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch b/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch
new file mode 100644
index 0000000..e61ec25
--- /dev/null
+++ b/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch
@@ -0,0 +1,199 @@
+From e07eeea7df55ede36ac0978ac904c1bb11188265 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 20 Jan 2021 17:48:44 +0100
+Subject: [PATCH 41/42] responders: add callback to schedule_get_domains_task()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To allow responders to run dedicated code at the end of the initial
+getDomains request a callback is added.
+
+Resolves: https://github.com/SSSD/sssd/issues/5469
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/responder/autofs/autofssrv.c             |  2 +-
+ src/responder/common/responder.h             |  5 ++++-
+ src/responder/common/responder_get_domains.c | 12 +++++++++++-
+ src/responder/ifp/ifpsrv.c                   |  2 +-
+ src/responder/nss/nsssrv.c                   |  3 ++-
+ src/responder/pac/pacsrv.c                   |  2 +-
+ src/responder/pam/pamsrv.c                   |  3 ++-
+ src/responder/ssh/sshsrv.c                   |  2 +-
+ src/responder/sudo/sudosrv.c                 |  2 +-
+ src/tests/cmocka/test_responder_common.c     |  2 +-
+ 10 files changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
+index 27de1b44a..130eaf775 100644
+--- a/src/responder/autofs/autofssrv.c
++++ b/src/responder/autofs/autofssrv.c
+@@ -142,7 +142,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx,
+         goto fail;
+     }
+ 
+-    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
++    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+         goto fail;
+diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
+index f83ba1bc0..ff0559c08 100644
+--- a/src/responder/common/responder.h
++++ b/src/responder/common/responder.h
+@@ -366,10 +366,13 @@ errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
+                                        struct tevent_req *req,
+                                        char **_domain);
+ 
++typedef void (get_domains_callback_fn_t)(void *);
+ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
+                                   struct tevent_context *ev,
+                                   struct resp_ctx *rctx,
+-                                  struct sss_nc_ctx *optional_ncache);
++                                  struct sss_nc_ctx *optional_ncache,
++                                  get_domains_callback_fn_t *callback,
++                                  void *callback_pvt);
+ 
+ errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string,
+                                 bool allow_sss_loop,
+diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
+index e551b0fff..12b6e9028 100644
+--- a/src/responder/common/responder_get_domains.c
++++ b/src/responder/common/responder_get_domains.c
+@@ -430,6 +430,8 @@ static errno_t check_last_request(struct resp_ctx *rctx, const char *hint)
+ struct get_domains_state {
+     struct resp_ctx *rctx;
+     struct sss_nc_ctx *optional_ncache;
++    get_domains_callback_fn_t *callback;
++    void *callback_pvt;
+ };
+ 
+ static void get_domains_at_startup_done(struct tevent_req *req)
+@@ -462,6 +464,10 @@ static void get_domains_at_startup_done(struct tevent_req *req)
+         }
+     }
+ 
++    if (state->callback != NULL) {
++        state->callback(state->callback_pvt);
++    }
++
+     talloc_free(state);
+     return;
+ }
+@@ -489,7 +495,9 @@ static void get_domains_at_startup(struct tevent_context *ev,
+ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
+                                   struct tevent_context *ev,
+                                   struct resp_ctx *rctx,
+-                                  struct sss_nc_ctx *optional_ncache)
++                                  struct sss_nc_ctx *optional_ncache,
++                                  get_domains_callback_fn_t *callback,
++                                  void *callback_pvt)
+ {
+     struct tevent_immediate *imm;
+     struct get_domains_state *state;
+@@ -500,6 +508,8 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
+     }
+     state->rctx = rctx;
+     state->optional_ncache = optional_ncache;
++    state->callback = callback;
++    state->callback_pvt = callback_pvt;
+ 
+     imm = tevent_create_immediate(mem_ctx);
+     if (imm == NULL) {
+diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
+index 7407ee07b..ee1452728 100644
+--- a/src/responder/ifp/ifpsrv.c
++++ b/src/responder/ifp/ifpsrv.c
+@@ -266,7 +266,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
+         return EIO;
+     }
+ 
+-    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
++    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE,
+               "schedule_get_domains_tasks failed.\n");
+diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
+index e80104e3d..2b7958e80 100644
+--- a/src/responder/nss/nsssrv.c
++++ b/src/responder/nss/nsssrv.c
+@@ -557,7 +557,8 @@ int nss_process_init(TALLOC_CTX *mem_ctx,
+     }
+     responder_set_fd_limit(fd_limit);
+ 
+-    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache);
++    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache,
++                                    NULL, NULL);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+         goto fail;
+diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
+index 217f83c26..96935150b 100644
+--- a/src/responder/pac/pacsrv.c
++++ b/src/responder/pac/pacsrv.c
+@@ -129,7 +129,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx,
+         goto fail;
+     }
+ 
+-    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
++    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+         goto fail;
+diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
+index de1620e82..8b1ce2e92 100644
+--- a/src/responder/pam/pamsrv.c
++++ b/src/responder/pam/pamsrv.c
+@@ -246,7 +246,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
+     }
+     responder_set_fd_limit(fd_limit);
+ 
+-    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache);
++    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
++                                    NULL, NULL);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+         goto done;
+diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c
+index 6072a702c..e79a0438c 100644
+--- a/src/responder/ssh/sshsrv.c
++++ b/src/responder/ssh/sshsrv.c
+@@ -126,7 +126,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx,
+         goto fail;
+     }
+ 
+-    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
++    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+         goto fail;
+diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
+index 5951b17b1..dc4a44b2f 100644
+--- a/src/responder/sudo/sudosrv.c
++++ b/src/responder/sudo/sudosrv.c
+@@ -102,7 +102,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
+         goto fail;
+     }
+ 
+-    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
++    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+         goto fail;
+diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
+index 5fc0d712d..29356253b 100644
+--- a/src/tests/cmocka/test_responder_common.c
++++ b/src/tests/cmocka/test_responder_common.c
+@@ -265,7 +265,7 @@ void test_schedule_get_domains_task(void **state)
+     ret = schedule_get_domains_task(dummy_ncache_ptr,
+                                     parse_inp_ctx->rctx->ev,
+                                     parse_inp_ctx->rctx,
+-                                    dummy_ncache_ptr);
++                                    dummy_ncache_ptr, NULL, NULL);
+     assert_int_equal(ret, EOK);
+ 
+     ret = test_ev_loop(parse_inp_ctx->tctx);
+-- 
+2.21.3
+
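Review bot: The new `get_domains_callback_fn_t` typedef in responder.h and the two extra parameters of schedule_get_domains_task() carry no contract. `callback_pvt` is stored in `get_domains_state` and only used later from get_domains_at_startup_done(), so it has to stay valid until then or the callback reads freed memory. In the visible part of get_domains_at_startup_done() the call sits after the error-handling block and the callback takes only `void *`, so it appears to run whether or not the getDomains request succeeded and cannot learn the outcome. That function starts outside the hunk, so this is worth confirming. A comment above the typedef would cover both points, e.g. `/* Called once when the initial getDomains request has finished, also on failure; pvt must outlive the request. */`.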
diff --git a/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch b/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
new file mode 100644
index 0000000..882f567
--- /dev/null
+++ b/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
@@ -0,0 +1,64 @@
+From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 20 Jan 2021 18:25:04 +0100
+Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial
+ domains lookup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+During startup SSSD's responders send a getDomains request to all
+backends to refresh some domain related needed by the responders.
+
+The PAM responder specifically needs the certificate mapping and
+matching rules when Smartcard authentication is enable. Currently the
+rules are not refreshed at the end of the initial request but the code
+assumed that the related structures are initialized after the request
+finished.
+
+To avoid a race condition this patch adds a callback to the end of the
+request to make sure the rules are properly refreshed even if they are
+already initialized before.
+
+Resolves: https://github.com/SSSD/sssd/issues/5469
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/responder/pam/pamsrv.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
+index 8b1ce2e92..65370662d 100644
+--- a/src/responder/pam/pamsrv.c
++++ b/src/responder/pam/pamsrv.c
+@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx)
+     return EOK;
+ }
+ 
++static void pam_get_domains_callback(void *pvt)
++{
++    struct pam_ctx *pctx;
++    int ret;
++
++    pctx = talloc_get_type(pvt, struct pam_ctx);
++    ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
++    }
++}
++
+ static int pam_process_init(TALLOC_CTX *mem_ctx,
+                             struct tevent_context *ev,
+                             struct confdb_ctx *cdb,
+@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
+     responder_set_fd_limit(fd_limit);
+ 
+     ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache,
+-                                    NULL, NULL);
++                                    pam_get_domains_callback, pctx);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+         goto done;
+-- 
+2.21.3
+
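Review bot: pam_get_domains_callback() dereferences `pctx->rctx->domains` straight after `talloc_get_type(pvt, struct pam_ctx)`, which yields NULL when the pointer is not of that talloc type, so a NULL or mismatched `pvt` becomes a NULL dereference in the PAM responder. Use `pctx = talloc_get_type_abort(pvt, struct pam_ctx);` to make the failure explicit, or add `if (pctx == NULL) { return; }` with a DEBUG message before the refresh. A failed p11_refresh_certmap_ctx() is only logged at SSSDBG_OP_FAILURE, after which Smartcard authentication presumably continues with whatever mapping rules were loaded before. A one-line comment saying whether that is intended would help the next reader.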
diff --git a/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch b/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch
new file mode 100644
index 0000000..eb99c88
--- /dev/null
+++ b/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch
@@ -0,0 +1,134 @@
+From 0c6924b8d474daf35ee30d74e5496957e503b206 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 20 Jan 2021 15:40:34 +0100
+Subject: [PATCH] SBUS: set sbus_name before dp_init_send()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some async task might access sbus_name before dp_initialized() was executed
+
+Resolves: https://github.com/SSSD/sssd/issues/5466
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/data_provider/dp.c | 21 ++++-----------------
+ src/providers/data_provider/dp.h |  6 +++---
+ src/providers/data_provider_be.c | 12 ++++++++++--
+ 3 files changed, 17 insertions(+), 22 deletions(-)
+
+diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
+index 90324d74d..64fe847b2 100644
+--- a/src/providers/data_provider/dp.c
++++ b/src/providers/data_provider/dp.c
+@@ -134,7 +134,6 @@ static int dp_destructor(struct data_provider *provider)
+ struct dp_init_state {
+     struct be_ctx *be_ctx;
+     struct data_provider *provider;
+-    char *sbus_name;
+ };
+ 
+ static void dp_init_done(struct tevent_req *subreq);
+@@ -144,7 +143,8 @@ dp_init_send(TALLOC_CTX *mem_ctx,
+              struct tevent_context *ev,
+              struct be_ctx *be_ctx,
+              uid_t uid,
+-             gid_t gid)
++             gid_t gid,
++             const char *sbus_name)
+ {
+     struct dp_init_state *state;
+     struct tevent_req *subreq;
+@@ -177,13 +177,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
+     state->provider->gid = gid;
+     state->provider->be_ctx = be_ctx;
+ 
+-    state->sbus_name = sss_iface_domain_bus(state, be_ctx->domain);
+-    if (state->sbus_name == NULL) {
+-        DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+     /* Initialize data provider bus. Data provider can receive client
+      * registration and other D-Bus methods. However no data provider
+      * request will be executed as long as the modules and targets
+@@ -192,7 +185,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
+     talloc_set_destructor(state->provider, dp_destructor);
+ 
+     subreq = sbus_server_create_and_connect_send(state->provider, ev,
+-        state->sbus_name, NULL, sbus_address, true, 1000, uid, gid,
++        sbus_name, NULL, sbus_address, true, 1000, uid, gid,
+         (sbus_server_on_connection_cb)dp_client_init,
+         (sbus_server_on_connection_data)state->provider);
+     if (subreq == NULL) {
+@@ -270,16 +263,10 @@ done:
+ }
+ 
+ errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
+-                     struct tevent_req *req,
+-                     const char **_sbus_name)
++                     struct tevent_req *req)
+ {
+-    struct dp_init_state *state;
+-    state = tevent_req_data(req, struct dp_init_state);
+-
+     TEVENT_REQ_RETURN_ON_ERROR(req);
+ 
+-    *_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
+-
+     return EOK;
+ }
+ 
+diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
+index a8b6e9f3a..95c6588ad 100644
+--- a/src/providers/data_provider/dp.h
++++ b/src/providers/data_provider/dp.h
+@@ -122,11 +122,11 @@ dp_init_send(TALLOC_CTX *mem_ctx,
+              struct tevent_context *ev,
+              struct be_ctx *be_ctx,
+              uid_t uid,
+-             gid_t gid);
++             gid_t gid,
++             const char *sbus_name);
+ 
+ errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
+-                     struct tevent_req *req,
+-                     const char **_sbus_name);
++                     struct tevent_req *req);
+ 
+ bool _dp_target_enabled(struct data_provider *provider,
+                         const char *module_name,
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index f059a3f96..8458146ea 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -565,7 +565,15 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
++    be_ctx->sbus_name = sss_iface_domain_bus(be_ctx, be_ctx->domain);
++    if (be_ctx->sbus_name == NULL) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n");
++        ret = ENOMEM;
++        goto done;
++    }
++
++    req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid,
++                       be_ctx->sbus_name);
+     if (req == NULL) {
+         ret = ENOMEM;
+         goto done;
+@@ -612,7 +620,7 @@ static void dp_initialized(struct tevent_req *req)
+ 
+     be_ctx = tevent_req_callback_data(req, struct be_ctx);
+ 
+-    ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
++    ret = dp_init_recv(be_ctx, req);
+     talloc_zfree(req);
+     if (ret !=  EOK) {
+         goto done;
+-- 
+2.21.3
+
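Review bot: dp_init_send() now receives `sbus_name` from its caller and hands it to sbus_server_create_and_connect_send() unchecked, and neither dp.c nor dp.h says who owns the string or how long it must live. be_process_init() does check the result of sss_iface_domain_bus() and allocates the name on `be_ctx`, but any other caller could pass NULL or a shorter-lived buffer. The prototype in dp.h should carry the contract, e.g. `/* sbus_name is borrowed from the caller: it must be non-NULL and remain valid at least until the request completes. */`. Most of dp_init_send()'s body lies outside these hunks, so whether an early `if (sbus_name == NULL)` guard fits its existing error path should be checked there.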
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index ebb7edc..0bc7768 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -26,7 +26,7 @@
 
 Name: sssd
 Version: 2.4.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -73,6 +73,10 @@ Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch
 Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch
 Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
 Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch
+Patch0040: 0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
+Patch0041: 0041-responders-add-callback-to-schedule_get_domains_task.patch
+Patch0042: 0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch
+Patch0043: 0043-SBUS-set-sbus_name-before-dp_init_send.patch
 
 ### Downstream Patches ###
 
@@ -197,6 +201,7 @@ Recommends: libsss_sudo = %{version}-%{release}
 Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
 Recommends: sssd-nfs-idmap = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Requires(pre): shadow-utils
 %{?systemd_requires}
 
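Review bot: The added `Requires: libsss_certmap = %{version}-%{release}` is not architecture-qualified, although a neighbouring library dependency in this hunk is (`libsss_autofs%{?_isa}`). On a multilib system a libsss_certmap built for another architecture would satisfy it. If the binaries in these subpackages link against the library, `Requires: libsss_certmap%{?_isa} = %{version}-%{release}` is the safer form. The four later hunks add the same line and have the same issue. The new changelog entry does not mention the added dependency.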
@@ -253,6 +258,7 @@ Requires: libsss_simpleifp = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: sssd-dbus
 
 %description tools
@@ -307,6 +313,7 @@ Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 
 %description ldap
 Provides the LDAP back end that the SSSD can utilize to fetch identity data
@@ -357,6 +364,7 @@ Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libipa_hbac%{?_isa} = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: bind-utils
 Requires: sssd-common-pac = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
@@ -376,6 +384,7 @@ Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: sssd-common-pac = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: bind-utils
 Recommends: adcli
 Suggests: sssd-libwbclient = %{version}-%{release}
@@ -1248,6 +1257,11 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Tue Jan 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-7
+- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules
+- Resolves: rhbz#1918433 - sssd unable to lookup certmap rules
+- Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11
+
 * Mon Jan 18 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.4.0-6
 - Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched
 - Resolves: rhbz#1915395 - Memory leak in the simple access provider