diff --git a/SOURCES/0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch b/SOURCES/0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch
new file mode 100644
index 0000000..6a61fb4
--- /dev/null
+++ b/SOURCES/0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch
@@ -0,0 +1,100 @@
+From 215f988b07610ae55dfcb67f355bc864ddcbf72d Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 28 Apr 2015 17:18:48 +0200
+Subject: [PATCH 211/214] IPA: do initgroups if extdom exop supports it
+
+Newer versions of the extdom plugin return the full list of
+group-memberships during a user lookup request. With these version there
+is no need to reject a initgroups request for sub/trusted-domain users
+anymore. This is e.g. useful for callers which call getgrouplist()
+directly without calling getpwnam() before. Additionally it helps if for
+some reasons the lifetime of the user entry and the lifetime of the
+initgroups data is different.
+
+Related to https://fedorahosted.org/sssd/ticket/2633
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727)
+(cherry picked from commit 24905d4ecbf210687e385449448f5a5ec97d2833)
+---
+ src/providers/ipa/ipa_s2n_exop.c      |  3 ---
+ src/providers/ipa/ipa_subdomains.h    |  4 ++++
+ src/providers/ipa/ipa_subdomains_id.c | 24 +++++++++++++++++-------
+ 3 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 8de46136d0bc9d1c26b44c532d7bd405880aca50..03264fcd7f6f42dfa68db4f331184da32529818f 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -50,9 +50,6 @@ enum response_types {
+ };
+ 
+ /* ==Sid2Name Extended Operation============================================= */
+-#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
+-#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
+-
+ struct ipa_s2n_exop_state {
+     struct sdap_handle *sh;
+ 
+diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
+index ceb862226b504bca6c9c596554fb88e6df1d51c3..9b179792dcab7ea935fa7159ca879d12b561a55f 100644
+--- a/src/providers/ipa/ipa_subdomains.h
++++ b/src/providers/ipa/ipa_subdomains.h
+@@ -28,6 +28,10 @@
+ #include "providers/dp_backend.h"
+ #include "providers/ipa/ipa_common.h"
+ 
++/* ==Sid2Name Extended Operation============================================= */
++#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
++#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
++
+ struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx);
+ 
+ const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 0508e14b690c144f4bace9ed14a326ac724eb910..1020c8a0b9209fc7404c32963ad5622fc6958d6b 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -375,15 +375,9 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
+         case BE_REQ_GROUP:
+         case BE_REQ_BY_SECID:
+         case BE_REQ_USER_AND_GROUP:
++        case BE_REQ_INITGROUPS:
+             ret = EOK;
+             break;
+-        case BE_REQ_INITGROUPS:
+-            ret = ENOTSUP;
+-            DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
+-                                      "by the IPA provider but are resolved " \
+-                                      "by the responder directly from the " \
+-                                      "cache.\n");
+-            break;
+         default:
+             ret = EINVAL;
+             DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type.\n");
+@@ -423,6 +417,22 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
+         return;
+     }
+ 
++    if (state->entry_type == BE_REQ_INITGROUPS) {
++        /* With V1 of the extdom plugin a user lookup will resolve the full
++         * group membership of the user. */
++        if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
++                                        EXOP_SID2NAME_V1_OID)) {
++            state->entry_type = BE_REQ_USER;
++        } else {
++            DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
++                                      "by the IPA provider but are resolved " \
++                                      "by the responder directly from the " \
++                                      "cache.\n");
++            tevent_req_error(req, ENOTSUP);
++            return;
++        }
++    }
++
+     req_input = talloc(state, struct req_input);
+     if (req_input == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
+-- 
+2.4.3
+
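Review bot: In ipa_get_subdom_acct_connected the initgroups request is rewritten in place with `state->entry_type = BE_REQ_USER;`, so the code after this point can no longer tell that the caller asked for initgroups, and the result is only as complete as the group list the server returns for a user lookup. Because group membership feeds access decisions, the comment there should say what the rewrite relies on, for example `/* V1 user lookups return the full group list (RESP_USER_GROUPLIST); the save path must refresh SYSDB_INITGR_EXPIRE for this to count as initgroups. */`. Moving the ENOTSUP rejection out of ipa_get_subdom_acct_send also means servers without EXOP_SID2NAME_V1_OID are rejected only after the connection step, so a connection error may now be returned where callers previously always saw ENOTSUP; it is worth confirming that the responder's cache fallback handles that. Both functions start and end outside the hunks.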
diff --git a/SOURCES/0212-IPA-update-initgr-expire-timestamp-conditionally.patch b/SOURCES/0212-IPA-update-initgr-expire-timestamp-conditionally.patch
new file mode 100644
index 0000000..62b7581
--- /dev/null
+++ b/SOURCES/0212-IPA-update-initgr-expire-timestamp-conditionally.patch
@@ -0,0 +1,105 @@
+From ab9cc3894af6fc0e768c631da23446287cd6e8e2 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 28 Apr 2015 17:20:05 +0200
+Subject: [PATCH 212/214] IPA: update initgr expire timestamp conditionally
+
+Newer versions of the extdom plugin return the full list of
+group-memberships during user lookups. As a result the lifetime of the
+group-membership data is updates in those cases. But if the user is not
+looked up directly but is resolved as a group member during a group
+lookup SSSD does not resolve all group-membership of the user to avoid
+deep recursion and eventually a complete enumeration of the user and
+group base. In this case the lifetime of the group-memberships should
+not be updated because it might be incomplete.
+
+Related to https://fedorahosted.org/sssd/ticket/2633
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit cffe3135f29c737f2598f3c1384bfba1694fb843)
+(cherry picked from commit f643fadbd072a9d3725f5f750340d5b13628ce6a)
+---
+ src/providers/ipa/ipa_s2n_exop.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 03264fcd7f6f42dfa68db4f331184da32529818f..2f1974d2c250ad2f8283659de4ddc319500ac6a5 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -676,7 +676,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                                     struct resp_attrs *attrs,
+                                     struct resp_attrs *simple_attrs,
+                                     const char *view_name,
+-                                    struct sysdb_attrs *override_attrs);
++                                    struct sysdb_attrs *override_attrs,
++                                    bool update_initgr_timeout);
+ 
+ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
+                                      char *retoid,
+@@ -1109,7 +1110,7 @@ static errno_t ipa_s2n_get_fqlist_save_step(struct tevent_req *req)
+ 
+     ret = ipa_s2n_save_objects(state->dom, &state->req_input, state->attrs,
+                                NULL, state->ipa_ctx->view_name,
+-                               state->override_attrs);
++                               state->override_attrs, false);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+         return ret;
+@@ -1607,7 +1608,7 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
+             || strcmp(state->ipa_ctx->view_name,
+                       SYSDB_DEFAULT_VIEW_NAME) == 0) {
+         ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
+-                                   state->simple_attrs, NULL, NULL);
++                                   state->simple_attrs, NULL, NULL, true);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+             goto done;
+@@ -1729,7 +1730,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                                     struct resp_attrs *attrs,
+                                     struct resp_attrs *simple_attrs,
+                                     const char *view_name,
+-                                    struct sysdb_attrs *override_attrs)
++                                    struct sysdb_attrs *override_attrs,
++                                    bool update_initgr_timeout)
+ {
+     int ret;
+     time_t now;
+@@ -1929,7 +1931,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                 }
+             }
+ 
+-            if (attrs->response_type == RESP_USER_GROUPLIST) {
++            if (attrs->response_type == RESP_USER_GROUPLIST
++                    && update_initgr_timeout) {
+                 /* Since RESP_USER_GROUPLIST contains all group memberships it
+                  * is effectively an initgroups request hence
+                  * SYSDB_INITGR_EXPIRE will be set.*/
+@@ -2231,7 +2234,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req  *subreq)
+                                  &sid_str);
+     if (ret == ENOENT) {
+         ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
+-                                   state->simple_attrs, NULL, NULL);
++                                   state->simple_attrs, NULL, NULL, true);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+             goto fail;
+@@ -2271,7 +2274,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req  *subreq)
+         ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
+                                    state->simple_attrs,
+                                    state->ipa_ctx->view_name,
+-                                   state->override_attrs);
++                                   state->override_attrs, true);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+             tevent_req_error(req, ret);
+@@ -2307,7 +2310,7 @@ static void ipa_s2n_get_user_get_override_done(struct tevent_req *subreq)
+ 
+     ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
+                                state->simple_attrs, state->ipa_ctx->view_name,
+-                               override_attrs);
++                               override_attrs, true);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+         tevent_req_error(req, ret);
+-- 
+2.4.3
+
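Review bot: The comment kept under the changed condition in ipa_s2n_save_objects still says SYSDB_INITGR_EXPIRE will be set for every RESP_USER_GROUPLIST response, which is no longer true when `update_initgr_timeout` is false. I would reword it along the lines of `/* RESP_USER_GROUPLIST carries all group memberships, but only refresh SYSDB_INITGR_EXPIRE when the user was looked up directly; member lookups may be incomplete. */` and document the new parameter at the prototype, since the call sites pass bare `true`/`false`. Marking an incomplete membership list as fresh would let stale group data drive authorization until the timeout expires, so the choice of `true` at the two ipa_s2n_get_fqlist_done call sites deserves a short why-comment as well. The function bodies continue outside the hunks.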
diff --git a/SOURCES/0213-IPA-enhance-ipa_initgr_get_overrides_send.patch b/SOURCES/0213-IPA-enhance-ipa_initgr_get_overrides_send.patch
new file mode 100644
index 0000000..49524dc
--- /dev/null
+++ b/SOURCES/0213-IPA-enhance-ipa_initgr_get_overrides_send.patch
@@ -0,0 +1,199 @@
+From 3d9560303f7c96abf36ff93abd85b2319808d3f6 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 28 Apr 2015 20:58:15 +0200
+Subject: [PATCH 213/214] IPA: enhance ipa_initgr_get_overrides_send()
+
+This patch makes ipa_initgr_get_overrides_send() public and add support
+to search overrides by UUID or by SID.
+
+Related to https://fedorahosted.org/sssd/ticket/2633
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 145578006684481434ced78461ab8d1c3570f478)
+(cherry picked from commit 58a19d50888b1a7da0ee78b49e7d3dcbebc8614d)
+---
+ src/db/sysdb_views.c       |  5 ++++
+ src/providers/ipa/ipa_id.c | 63 +++++++++++++++++++++++++++++++++-------------
+ src/providers/ipa/ipa_id.h | 10 ++++++++
+ 3 files changed, 61 insertions(+), 17 deletions(-)
+
+diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
+index 717edf20a447003568060cf4d32bf8d47bd93e63..58cad5426109f0fb37ef16fd1304b50a702cf44a 100644
+--- a/src/db/sysdb_views.c
++++ b/src/db/sysdb_views.c
+@@ -733,6 +733,11 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
+                                     NULL };
+     bool override_attrs_found = false;
+ 
++    if (override_attrs == NULL) {
++        /* nothing to do */
++        return EOK;
++    }
++
+     tmp_ctx = talloc_new(NULL);
+     if (tmp_ctx == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index cc6abcf8721e3f05526bf62063f0cbdc7c1c257b..02b59ab77a7408012efdd9a1538287e08de0af1e 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -294,6 +294,7 @@ struct ipa_initgr_get_overrides_state {
+ 
+     struct ldb_message **groups;
+     size_t group_count;
++    const char *groups_id_attr;
+     size_t group_idx;
+     struct be_acct_req *ar;
+ 
+@@ -302,13 +303,14 @@ struct ipa_initgr_get_overrides_state {
+ 
+ static int ipa_initgr_get_overrides_step(struct tevent_req *req);
+ 
+-static struct tevent_req *
++struct tevent_req *
+ ipa_initgr_get_overrides_send(TALLOC_CTX *memctx,
+                              struct tevent_context *ev,
+                              struct ipa_id_ctx *ipa_ctx,
+                              struct sss_domain_info *user_dom,
+                              size_t groups_count,
+-                             struct ldb_message **groups)
++                             struct ldb_message **groups,
++                             const char *groups_id_attr)
+ {
+     int ret;
+     struct tevent_req *req;
+@@ -334,6 +336,12 @@ ipa_initgr_get_overrides_send(TALLOC_CTX *memctx,
+         ret = EINVAL;
+         goto done;
+     }
++    state->groups_id_attr = talloc_strdup(state, groups_id_attr);
++    if (state->groups_id_attr == NULL) {
++        DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
++        ret = ENOMEM;
++        goto done;
++    }
+ 
+     ret = ipa_initgr_get_overrides_step(req);
+ done:
+@@ -366,7 +374,7 @@ static int ipa_initgr_get_overrides_step(struct tevent_req *req)
+     }
+ 
+     ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx],
+-                                            SYSDB_UUID, NULL);
++                                           state->groups_id_attr, NULL);
+     if (ipa_uuid == NULL) {
+         /* This should never happen, the search filter used to get the list
+          * of groups includes "uuid=*"
+@@ -377,11 +385,24 @@ static int ipa_initgr_get_overrides_step(struct tevent_req *req)
+ 
+     talloc_free(state->ar); /* Avoid spiking memory with many groups */
+ 
+-    ret = get_be_acct_req_for_uuid(state, ipa_uuid,
+-                                   state->user_dom->name, &state->ar);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
+-        return ret;
++    if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) {
++        ret = get_be_acct_req_for_uuid(state, ipa_uuid,
++                                       state->user_dom->name, &state->ar);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
++            return ret;
++        }
++    } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) {
++        ret = get_be_acct_req_for_sid(state, ipa_uuid,
++                                      state->user_dom->name, &state->ar);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
++            return ret;
++        }
++    } else {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n",
++                                   state->groups_id_attr);
++        return EINVAL;
+     }
+ 
+     DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s\n", ipa_uuid);
+@@ -408,7 +429,7 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq)
+     struct ipa_initgr_get_overrides_state *state = tevent_req_data(req,
+                                         struct ipa_initgr_get_overrides_state);
+     int ret;
+-    struct sysdb_attrs *override_attrs;
++    struct sysdb_attrs *override_attrs = NULL;
+ 
+     ret = ipa_get_ad_override_recv(subreq, &state->dp_error, state,
+                                    &override_attrs);
+@@ -419,10 +440,16 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq)
+         return;
+     }
+ 
+-    ret = sysdb_store_override(state->user_dom, state->ipa_ctx->view_name,
+-                               SYSDB_MEMBER_GROUP,
+-                               override_attrs,
+-                               state->groups[state->group_idx]->dn);
++    if (strcmp(state->ipa_ctx->view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
++        ret = sysdb_apply_default_override(state->user_dom, override_attrs,
++                                       state->groups[state->group_idx]->dn);
++    } else {
++        ret = sysdb_store_override(state->user_dom,
++                                   state->ipa_ctx->view_name,
++                                   SYSDB_MEMBER_GROUP,
++                                   override_attrs,
++                                   state->groups[state->group_idx]->dn);
++    }
+     talloc_free(override_attrs);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");
+@@ -443,7 +470,7 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq)
+     tevent_req_done(req);
+ }
+ 
+-static int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error)
++int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error)
+ {
+     struct ipa_initgr_get_overrides_state *state = tevent_req_data(req,
+                                         struct ipa_initgr_get_overrides_state);
+@@ -881,7 +908,8 @@ static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq)
+     if (state->user_groups != NULL) {
+         subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx,
+                                               state->domain, state->group_cnt,
+-                                              state->user_groups);
++                                              state->user_groups,
++                                              SYSDB_UUID);
+         if (subreq == NULL) {
+             DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n");
+             ret = ENOMEM;
+@@ -959,8 +987,9 @@ static void ipa_id_get_account_info_done(struct tevent_req *subreq)
+ 
+     if (state->user_groups != NULL) {
+         subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx,
+-                                              state->domain, state->group_cnt,
+-                                              state->user_groups);
++                                               state->domain, state->group_cnt,
++                                               state->user_groups,
++                                               SYSDB_UUID);
+         if (subreq == NULL) {
+             DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n");
+             ret = ENOMEM;
+diff --git a/src/providers/ipa/ipa_id.h b/src/providers/ipa/ipa_id.h
+index 2bb5e0d38f42d4bbb04854dfb04804fecf6257e8..c03ca037a2850478a8f4933bac4fcf8bd70ada04 100644
+--- a/src/providers/ipa/ipa_id.h
++++ b/src/providers/ipa/ipa_id.h
+@@ -119,4 +119,14 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
+                               struct sss_domain_info *dom,
+                               struct be_acct_req *ar,
+                               struct ldb_message **_msg);
++
++struct tevent_req *
++ipa_initgr_get_overrides_send(TALLOC_CTX *memctx,
++                             struct tevent_context *ev,
++                             struct ipa_id_ctx *ipa_ctx,
++                             struct sss_domain_info *user_dom,
++                             size_t groups_count,
++                             struct ldb_message **groups,
++                             const char *groups_id_attr);
++int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error);
+ #endif
+-- 
+2.4.3
+
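Review bot: ipa_initgr_get_overrides_send becomes public here but does not validate `groups_id_attr`: a NULL argument makes talloc_strdup() return NULL and is reported as ENOMEM with "talloc_strdup failed", which hides a caller error. A guard such as `if (groups_id_attr == NULL) { ret = EINVAL; goto done; }` before the strdup would keep the two cases apart. In ipa_initgr_get_overrides_step the value read through `state->groups_id_attr` may now be a SID, yet the variable is still `ipa_uuid`, the "should never happen" comment still refers to a `uuid=*` filter, and the UUID branch logs `get_be_acct_req_for_sid failed`; likewise the error path after sysdb_apply_default_override logs `sysdb_store_override failed`. These messages are what an operator reads when group overrides fail to apply, so they should name the call that actually failed. The function bodies start and end outside the hunks.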
diff --git a/SOURCES/0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch b/SOURCES/0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch
new file mode 100644
index 0000000..c7ceb75
--- /dev/null
+++ b/SOURCES/0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch
@@ -0,0 +1,116 @@
+From 61964561654d86e1ba2179fc0afd7f93cafbc6ab Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 28 Apr 2015 20:59:43 +0200
+Subject: [PATCH 214/214] IPA: search for overrides during initgroups in sever
+ mode
+
+After the group memberships of a user from a trusted domain are read it
+must be checked if there are overrides for the discovered groups to be
+able to return the right gid or name to the caller.
+
+Related to https://fedorahosted.org/sssd/ticket/2633
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 2263c6dd1242c92253240f4998c86a04b6a0ca3a)
+(cherry picked from commit eaf656843831d579f30f94154d88aba2201c1712)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 69 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 69 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 1020c8a0b9209fc7404c32963ad5622fc6958d6b..ffe2b18e8dda2137d2ebbfdb780c908eabcd4708 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -558,6 +558,8 @@ struct ipa_get_ad_acct_state {
+ static void ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq);
+ static void ipa_get_ad_override_done(struct tevent_req *subreq);
+ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req);
++static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req);
++static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq);
+ static void ipa_get_ad_acct_done(struct tevent_req *subreq);
+ static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx,
+                                            struct sss_domain_info *dom);
+@@ -1112,6 +1114,9 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
+     struct tevent_req *subreq;
+     const char *obj_name;
+     int entry_type;
++    size_t groups_count = 0;
++    struct ldb_message **groups = NULL;
++    const char *attrs[] = SYSDB_INITGR_ATTRS;
+ 
+     if (state->override_attrs != NULL) {
+         /* We are in ipa-server-mode, so the view is the default view by
+@@ -1166,6 +1171,70 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
+         state->ar->entry_type = BE_REQ_USER;
+     }
+ 
++    /* Lookup all groups the user is a member of which do not have ORIGINALAD
++     * attributes set, i.e. where overrides might not have been applied. */
++    ret = sysdb_asq_search(state, state->obj_dom, state->obj_msg->dn,
++                          "(&("SYSDB_GC")("SYSDB_GIDNUM"=*)" \
++                            "(!("ORIGINALAD_PREFIX SYSDB_GIDNUM"=*))" \
++                            "(!("ORIGINALAD_PREFIX SYSDB_NAME"=*)))",
++                          SYSDB_INITGR_ATTR,
++                          attrs, &groups_count, &groups);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_groups_without_orig failed.\n");
++        return ret;
++    }
++
++    if (groups != NULL) {
++        subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx,
++                                               state->obj_dom, groups_count,
++                                               groups, SYSDB_SID_STR);
++        if (subreq == NULL) {
++            DEBUG(SSSDBG_OP_FAILURE, "ipa_initgr_get_overrides_send failed.\n");
++            return ENOMEM;
++        }
++        tevent_req_set_callback(subreq, ipa_id_get_groups_overrides_done, req);
++        return EOK;
++    }
++
++    ret = ipa_get_ad_ipa_membership_step(req);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
++        return ret;
++    }
++
++    return EOK;
++}
++
++static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq)
++{
++    struct tevent_req *req = tevent_req_callback_data(subreq,
++                                                struct tevent_req);
++    errno_t ret;
++
++    ret = ipa_initgr_get_overrides_recv(subreq, NULL);
++    talloc_zfree(subreq);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE,
++              "IPA resolve user groups overrides failed [%d].\n", ret);
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    ret = ipa_get_ad_ipa_membership_step(req);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
++        tevent_req_error(req, ret);
++        return;
++    }
++
++    return;
++}
++
++static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req)
++{
++    struct ipa_get_ad_acct_state *state = tevent_req_data(req,
++                                                struct ipa_get_ad_acct_state);
++    struct tevent_req *subreq;
+ 
+     /* For initgroups request we have to check IPA group memberships of AD
+      * users. This has to be done for other user-request as well to make sure
+-- 
+2.4.3
+
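Review bot: The sysdb_asq_search filter in ipa_get_ad_apply_override_step does not require the attribute that the override lookup then reads: the groups are handed on with SYSDB_SID_STR, and ipa_initgr_get_overrides_step (patch 0213) treats a missing ID attribute as a case that should never happen because its original search filter guaranteed it. Unless every cached group matching this filter is known to carry a SID, I would add `"("SYSDB_SID_STR"=*)"` to the filter so that one group without a SID cannot fail the whole initgroups request; what the step returns in that case is outside the visible hunk, so this needs confirming. The failure message `ipa_get_ad_groups_without_orig failed.` names a function that is not called here and should read `sysdb_asq_search failed.`. ipa_id_get_groups_overrides_done passes NULL as dp_error to ipa_initgr_get_overrides_recv, whose body is not shown, so check that it tolerates NULL.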
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 4eb7589..25a1229 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -23,7 +23,7 @@
 
 Name: sssd
 Version: 1.12.2
-Release: 58%{?dist}.17
+Release: 58%{?dist}.18
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -242,7 +242,10 @@ Patch0207:  0207-subdomains-Inherit-cleanup-period-and-tokengroup-set.patch
 Patch0208:  0208-sudo-sanitize-filter-values.patch
 Patch0209:  0209-SYSDB-Index-the-objectSIDString-attribute.patch
 Patch0210:  0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
-
+Patch0211:  0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch
+Patch0212:  0212-IPA-update-initgr-expire-timestamp-conditionally.patch
+Patch0213:  0213-IPA-enhance-ipa_initgr_get_overrides_send.patch
+Patch0214:  0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch
 
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -1106,6 +1109,10 @@ fi
 /usr/bin/rm -f /var/tmp/sssd.upgrade || :
 
 %changelog
+* Fri Oct  2 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-58.18
+- Resolves: rhbz#1268205 - SSSD intermittently fails to resolve external
+                           IPA group membership.
+
 * Thu Sep  3 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-58.17
 - Actually apply the patch for rhbz#1255442
 - Resolves: rhbz#1255442 - getgrgid for user's UID on a trust client