diff --git a/SOURCES/0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch b/SOURCES/0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
new file mode 100644
index 0000000..54e2e7a
--- /dev/null
+++ b/SOURCES/0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
@@ -0,0 +1,207 @@
+From 05b37ac18ed8da00ce560ed52244c6ad7abfa6a9 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 13 Mar 2019 17:41:29 +0100
+Subject: [PATCH 34/35] TESTS: Add a unit test for UPNs stored by
+ sss_ncache_prepopulate
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 48c1e3ac34ec5b2d7cf27d7393d049c880bca319)
+---
+ src/tests/cmocka/test_negcache.c | 111 +++++++++++++++++++++++++------
+ 1 file changed, 92 insertions(+), 19 deletions(-)
+
+diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
+index a0210928b..9bddddd8d 100644
+--- a/src/tests/cmocka/test_negcache.c
++++ b/src/tests/cmocka/test_negcache.c
+@@ -39,6 +39,7 @@
+ #include "lib/idmap/sss_idmap.h"
+ #include "util/util.h"
+ #include "util/util_sss_idmap.h"
++#include "db/sysdb_private.h"
+ #include "responder/common/responder.h"
+ #include "responder/common/negcache.h"
+
+@@ -52,6 +53,7 @@
+ #define TEST_CONF_DB "test_nss_conf.ldb"
+ #define TEST_DOM_NAME "nss_test"
+ #define TEST_ID_PROVIDER "ldap"
++#define TEST_SUBDOM_NAME "test.subdomain"
+
+ /* register_cli_protocol_version is required in test since it links with
+ * responder_common.c module
+@@ -582,6 +584,29 @@ static int check_gid_in_ncache(struct sss_nc_ctx *ctx,
+ return ret;
+ }
+
++static int add_confdb_params(struct sss_test_conf_param params[],
++ struct confdb_ctx *cdb, const char *section)
++{
++ const char *val[2];
++ int ret;
++
++ val[1] = NULL;
++
++ for (int i = 0; params[i].key; i++) {
++ val[0] = params[i].value;
++ ret = confdb_add_param(cdb, true, section, params[i].key, val);
++ assert_int_equal(ret, EOK);
++ }
++
++ return EOK;
++}
++
++static int add_nss_params(struct sss_test_conf_param nss_params[],
++ struct confdb_ctx *cdb)
++{
++ return add_confdb_params(nss_params, cdb, CONFDB_NSS_CONF_ENTRY);
++}
++
+ static void test_sss_ncache_prepopulate(void **state)
+ {
+ int ret;
+@@ -589,9 +614,14 @@ static void test_sss_ncache_prepopulate(void **state)
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+- struct sss_domain_info *dom;
++ const char *const testdom[4] = { TEST_SUBDOM_NAME, "TEST.SUB", "test", "S-3" };
++ struct sss_domain_info *subdomain;
+
+- struct sss_test_conf_param params[] = {
++ struct sss_test_conf_param nss_params[] = {
++ { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short" },
++ { NULL, NULL },
++ };
++ struct sss_test_conf_param dom_params[] = {
+ { "filter_users", "testuser1, testuser2@"TEST_DOM_NAME", testuser3@somedomain" },
+ { "filter_groups", "testgroup1, testgroup2@"TEST_DOM_NAME", testgroup3@somedomain" },
+ { NULL, NULL },
+@@ -602,22 +632,35 @@ static void test_sss_ncache_prepopulate(void **state)
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+- dom = talloc_zero(ts, struct sss_domain_info);
+- assert_non_null(dom);
+- dom->name = discard_const_p(char, TEST_DOM_NAME);
+-
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+- TEST_DOM_NAME, TEST_ID_PROVIDER, params);
++ TEST_DOM_NAME, TEST_ID_PROVIDER, dom_params);
+ assert_non_null(tc);
+
++ ret = add_nss_params(nss_params, tc->confdb);
++ assert_int_equal(ret, EOK);
++
++ subdomain = new_subdomain(tc, tc->dom,
++ testdom[0], testdom[1], testdom[2], testdom[3],
++ false, false, NULL, NULL, 0,
++ tc->confdb);
++ assert_non_null(subdomain);
++
++ ret = sysdb_subdomain_store(tc->sysdb,
++ testdom[0], testdom[1], testdom[2], testdom[3],
++ false, false, NULL, 0, NULL);
++ assert_int_equal(ret, EOK);
++
++ ret = sysdb_update_subdomains(tc->dom, tc->confdb);
++ assert_int_equal(ret, EOK);
++
+ ncache = ts->ctx;
+- ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
++ ts->rctx = mock_rctx(ts, ev, tc->dom, ts->nctx);
+ assert_non_null(ts->rctx);
+
+- ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
++ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &tc->dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_prepopulate(ncache, tc->confdb, ts->rctx);
+@@ -625,34 +668,37 @@ static void test_sss_ncache_prepopulate(void **state)
+
+ sleep(SHORTSPAN);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser1");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup1");
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser2");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup2");
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser3");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser3");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup3");
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup3");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser3@somedomain");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser3@somedomain");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup3@somedomain");
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup3@somedomain");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_user_in_ncache(ncache, dom, "root");
++ ret = check_user_in_ncache(ncache, tc->dom, "root");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_group_in_ncache(ncache, dom, "root");
++ ret = check_group_in_ncache(ncache, tc->dom, "root");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_uid_in_ncache(ncache, 0);
+@@ -660,6 +706,33 @@ static void test_sss_ncache_prepopulate(void **state)
+
+ ret = check_gid_in_ncache(ncache, 0);
+ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser_nss@UPN.REALM");
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom->subdomains, "testuser_nss@UPN.REALM");
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser_nss_short@" TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom->subdomains, "testuser_nss_short@" TEST_SUBDOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser_nss_short");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom->subdomains, "testuser_nss_short");
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser1@" TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser2@" TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
++ assert_int_equal(ret, EEXIST);
+ }
+
+ static void test_sss_ncache_default_domain_suffix(void **state)
+--
+2.20.1
+
diff --git a/SOURCES/0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch b/SOURCES/0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
new file mode 100644
index 0000000..fefd20d
--- /dev/null
+++ b/SOURCES/0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
@@ -0,0 +1,127 @@
+From 934341e1ef7cf2a763b604dd1fd347aa5aae7f60 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 24 Jun 2019 14:01:02 +0200
+Subject: [PATCH 35/35] negcache: add fq-usernames of know domains to all UPN
+ neg-caches
+
+The previous patch for this issue did not handle user with
+fully-qualified names from known domains correctly. Here the user was
+only added to the negative cache of the known domain but not to the
+negative UPN caches for all domains. This patch fixes this.
+
+Related to https://pagure.io/SSSD/sssd/issue/3978
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit e7e212b49bbd357129aab410cbbd5c7b1b0965a2)
+---
+ src/responder/common/negcache.c | 54 ++++++++++++++++----------------
+ src/tests/cmocka/test_negcache.c | 17 +++++++++-
+ 2 files changed, 43 insertions(+), 28 deletions(-)
+
+diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
+index d6f72d816..d9bf1417e 100644
+--- a/src/responder/common/negcache.c
++++ b/src/responder/common/negcache.c
+@@ -1070,37 +1070,37 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ continue;
+ }
+ if (domainname) {
+- dom = responder_get_domain(rctx, domainname);
+- if (!dom) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Unknown domain name [%s], assuming [%s] is UPN\n",
+- domainname, filter_list[i]);
+- for (dom = domain_list;
+- dom != NULL;
+- dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE,
+- "sss_ncache_set_upn failed (%d [%s]), ignored\n",
+- ret, sss_strerror(ret));
+- }
++ DEBUG(SSSDBG_TRACE_ALL,
++ "Adding [%s] to UPN negative cache of all domains.\n",
++ filter_list[i]);
++ for (dom = domain_list;
++ dom != NULL;
++ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
++ ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
++ ret, sss_strerror(ret));
+ }
+- continue;
+ }
+
+- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+- if (fqname == NULL) {
+- continue;
+- }
++ /* Add name to domain specific cache for known domain names */
++ dom = responder_get_domain(rctx, domainname);
++ if (dom != NULL) {
++ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
++ if (fqname == NULL) {
++ continue;
++ }
+
+- ret = sss_ncache_set_user(ncache, true, dom, fqname);
+- talloc_zfree(fqname);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Failed to store permanent user filter for [%s]"
+- " (%d [%s])\n", filter_list[i],
+- ret, strerror(ret));
+- continue;
++ ret = sss_ncache_set_user(ncache, true, dom, fqname);
++ talloc_zfree(fqname);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to store permanent user filter for [%s]"
++ " (%d [%s])\n", filter_list[i],
++ ret, strerror(ret));
++ continue;
++ }
+ }
+ } else {
+ for (dom = domain_list;
+diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
+index 9bddddd8d..0a7e563e0 100644
+--- a/src/tests/cmocka/test_negcache.c
++++ b/src/tests/cmocka/test_negcache.c
+@@ -618,7 +618,7 @@ static void test_sss_ncache_prepopulate(void **state)
+ struct sss_domain_info *subdomain;
+
+ struct sss_test_conf_param nss_params[] = {
+- { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short" },
++ { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short, all_dom_upn@"TEST_DOM_NAME },
+ { NULL, NULL },
+ };
+ struct sss_test_conf_param dom_params[] = {
+@@ -733,6 +733,21 @@ static void test_sss_ncache_prepopulate(void **state)
+
+ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
+ assert_int_equal(ret, EEXIST);
++
++ /* Fully qualified names with a known domain part should be added to all
++ * negative UPN caches and to the negative cache of the know domain. */
++ ret = sss_ncache_check_upn(ncache, tc->dom, "all_dom_upn@"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom->subdomains,
++ "all_dom_upn@"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom, "all_dom_upn");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom->subdomains, "all_dom_upn");
++ assert_int_equal(ret, ENOENT);
+ }
+
+ static void test_sss_ncache_default_domain_suffix(void **state)
+--
+2.20.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 1db58d0..5dba468 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -48,7 +48,7 @@
Name: sssd
Version: 1.16.4
-Release: 21%{?dist}
+Release: 21%{?dist}.1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -90,6 +90,8 @@ Patch0030: 0030-SDAP-allow-GSS-SPNEGO-for-LDAP-SASL-bind-as-well.patch
Patch0031: 0031-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch
Patch0032: 0032-Translation-Update-japanese-translation.patch
Patch0033: 0033-Translation-Add-missing-newlines-in-the-ja-po-file.patch
+Patch0034: 0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
+Patch0035: 0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
#This patch should not be removed in RHEL-7
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1247,6 +1249,10 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
}
%changelog
+* Wed Oct 09 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-21.1
+- Resolves: rhbz#1758566 - negative cache does not use values from 'filter_users'
+ config option for known domains [rhel-7.7.z]
+
* Fri Jun 07 2019 Michal Židek <mzidek@redhat.com> - 1.16.4-21
- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization
- Rebuild japanese gmo file explicitly