diff --git a/.gitignore b/.gitignore
index 4d8455e..852b195 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.13.0alpha.tar.gz
 /sssd-1.13.0.tar.gz
 /sssd-1.13.1.tar.gz
+/sssd-1.13.2.tar.gz
diff --git a/0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch b/0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch
deleted file mode 100644
index 8de4ed9..0000000
--- a/0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From c9c1296ae9a7bd75164ccc3a175c2f5d809435f9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 1 Oct 2015 10:10:22 +0200
-Subject: [PATCH 1/3] PAM: only allow missing user name for certificate
- authentication
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://fedorahosted.org/sssd/ticket/2811
-
-Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-(cherry picked from commit 2e76b32e74abedb23665808bacc73cafd1097c37)
-(cherry picked from commit ba9d5c0456a2fbb9adf9b4b4dffbfb190628a273)
----
- src/responder/pam/pamsrv_cmd.c  | 12 +++++++++---
- src/tests/cmocka/test_pam_srv.c | 38 ++++++++++++++++++++++++++++++++++++++
- 2 files changed, 47 insertions(+), 3 deletions(-)
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 27dddcf43c1ff6eb465e1cb58d6dddf21413dcc4..2823f8133eb74d245be0750193ed842c0fdb26d3 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -957,11 +957,13 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
-     } else {
-         /* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
-          * name is determined with the help of a certificate */
--        if (pd->cmd == SSS_PAM_PREAUTH) {
-+        if (pd->cmd == SSS_PAM_PREAUTH
-+                && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
-+                                                    struct pam_ctx), pd)) {
-             ret = EOK;
-         } else {
-             DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
--            ret = EINVAL;
-+            ret = ERR_NO_CREDS;
-             goto done;
-         }
-     }
-@@ -1104,7 +1106,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
-         }
-         goto done;
-     } else if (ret != EOK) {
--        ret = EINVAL;
-         goto done;
-     }
- 
-@@ -1610,6 +1611,11 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret)
-         pam_reply(preq);
-         break;
- 
-+    case ERR_NO_CREDS:
-+        preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
-+        pam_reply(preq);
-+        break;
-+
-     default:
-         preq->pd->pam_status = PAM_SYSTEM_ERR;
-         pam_reply(preq);
-diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
-index ab33433fdce8d6030331a57e2b7cbd97ce5637df..dbdc4ae08a12914481137fe8fb5a24d242d3032f 100644
---- a/src/tests/cmocka/test_pam_srv.c
-+++ b/src/tests/cmocka/test_pam_srv.c
-@@ -623,6 +623,23 @@ static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
-     return test_pam_simple_check(status, body, blen);
- }
- 
-+static int test_pam_creds_insufficient_check(uint32_t status,
-+                                             uint8_t *body, size_t blen)
-+{
-+    size_t rp = 0;
-+    uint32_t val;
-+
-+    assert_int_equal(status, 0);
-+
-+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+    assert_int_equal(val, PAM_CRED_INSUFFICIENT);
-+
-+    SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+    assert_int_equal(val, 0);
-+
-+    return EOK;
-+}
-+
- static int test_pam_user_unknown_check(uint32_t status,
-                                        uint8_t *body, size_t blen)
- {
-@@ -1127,6 +1144,25 @@ void test_pam_offline_chauthtok(void **state)
-     assert_int_equal(ret, EOK);
- }
- 
-+void test_pam_preauth_no_logon_name(void **state)
-+{
-+    int ret;
-+
-+    mock_input_pam_cert(pam_test_ctx, NULL, NULL);
-+
-+    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
-+    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+    set_cmd_cb(test_pam_creds_insufficient_check);
-+    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
-+                          pam_test_ctx->pam_cmds);
-+    assert_int_equal(ret, EOK);
-+
-+    /* Wait until the test finishes with EOK */
-+    ret = test_ev_loop(pam_test_ctx->tctx);
-+    assert_int_equal(ret, EOK);
-+}
-+
- static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
- {
-     pam_test_ctx->pctx->cert_auth = true;
-@@ -1432,6 +1468,8 @@ int main(int argc, const char *argv[])
-                                         pam_test_setup, pam_test_teardown),
-         cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
-                                         pam_test_setup, pam_test_teardown),
-+        cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
-+                                        pam_test_setup, pam_test_teardown),
- /* p11_child is not built without NSS */
- #ifdef HAVE_NSS
-         cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
--- 
-2.5.0
-
diff --git a/0002-AD-Provide-common-connection-list-construction-funct.patch b/0002-AD-Provide-common-connection-list-construction-funct.patch
deleted file mode 100644
index a37d903..0000000
--- a/0002-AD-Provide-common-connection-list-construction-funct.patch
+++ /dev/null
@@ -1,240 +0,0 @@
-From dfa6a5468a606df968eff0ae1135f9ebb97ad9dc Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Thu, 1 Oct 2015 13:13:05 +0200
-Subject: [PATCH 2/3] AD: Provide common connection list construction functions
-
-https://fedorahosted.org/sssd/ticket/2810
-
-Provides a new AD common function ad_ldap_conn_list() that creates a
-list of AD connection to use along with properties to avoid mistakes
-when manually constructing these lists.
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 309aa83d16b5919f727af04850bcd0799ba0962f)
-(cherry picked from commit 15a4b34ccfcfbcec2c9ba529d0113adf251abc16)
----
- src/providers/ad/ad_common.c          | 26 +++++++++++++++++++
- src/providers/ad/ad_common.h          |  5 ++++
- src/providers/ad/ad_id.c              | 17 +------------
- src/providers/ipa/ipa_subdomains_id.c | 21 ++++++----------
- src/tests/cmocka/test_ad_common.c     | 47 ++++++++++++++++++++++++++++++-----
- 5 files changed, 81 insertions(+), 35 deletions(-)
-
-diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
-index 130cdeb613aae3843f7453a478815daaae6aab77..df277e55e234d4d4efe34d5f5d8efdfe7267fb60 100644
---- a/src/providers/ad/ad_common.c
-+++ b/src/providers/ad/ad_common.c
-@@ -1236,6 +1236,14 @@ ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom)
-     subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
-     conn = subdom_id_ctx->ldap_ctx;
- 
-+    if (IS_SUBDOMAIN(sdom->dom) == true && conn != NULL) {
-+        /* Regardless of connection types, a subdomain error must not be
-+         * allowed to set the whole back end offline, rather report an error
-+         * and let the caller deal with it (normally disable the subdomain
-+         */
-+        conn->ignore_mark_offline = true;
-+    }
-+
-     return conn;
- }
- 
-@@ -1260,3 +1268,21 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
- 
-     return clist;
- }
-+
-+struct sdap_id_conn_ctx **
-+ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
-+                  struct ad_id_ctx *ad_ctx,
-+                  struct sss_domain_info *dom)
-+{
-+    struct sdap_id_conn_ctx **clist;
-+
-+    clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 2);
-+    if (clist == NULL) {
-+        return NULL;
-+    }
-+
-+    clist[0] = ad_get_dom_ldap_conn(ad_ctx, dom);
-+
-+    clist[1] = NULL;
-+    return clist;
-+}
-diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
-index 817f5b42cad7cad6a88244fd43bd91a4358d56c0..701e461987cb286ca7add2766ffb4dc496bde01e 100644
---- a/src/providers/ad/ad_common.h
-+++ b/src/providers/ad/ad_common.h
-@@ -148,6 +148,11 @@ struct sdap_id_conn_ctx **
- ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
-                struct sss_domain_info *dom);
- 
-+struct sdap_id_conn_ctx **
-+ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
-+                  struct ad_id_ctx *ad_ctx,
-+                  struct sss_domain_info *dom);
-+
- struct sdap_id_conn_ctx *
- ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom);
- 
-diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
-index ecaf6c993bf7ddb7ba565d40ef0ad250114f5536..be0cb3b12f2e3a2b53d740ecf3befc07fd853f8b 100644
---- a/src/providers/ad/ad_id.c
-+++ b/src/providers/ad/ad_id.c
-@@ -269,29 +269,14 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
-     case BE_REQ_GROUP: /* group */
-     case BE_REQ_INITGROUPS: /* init groups for user */
-         clist = ad_gc_conn_list(breq, ad_ctx, dom);
--        if (clist == NULL) return NULL;
-         break;
- 
-     default:
-         /* Requests for other object should only contact LDAP by default */
--        clist = talloc_zero_array(breq, struct sdap_id_conn_ctx *, 2);
--        if (clist == NULL) return NULL;
--
--        clist[0] = ad_ctx->ldap_ctx;
--        clist[1] = NULL;
-+        clist = ad_ldap_conn_list(breq, ad_ctx, dom);
-         break;
-     }
- 
--    /* Regardless of connection types, a subdomain error must not be allowed
--     * to set the whole back end offline, rather report an error and let the
--     * caller deal with it (normally disable the subdomain
--     */
--    if (IS_SUBDOMAIN(dom)) {
--        for (cindex = 0; clist[cindex] != NULL; cindex++) {
--            clist[cindex]->ignore_mark_offline = true;
--        }
--    }
--
-     return clist;
- }
- 
-diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
-index 8f13608bcfd2f17c27fcba7f087e1a27086a2a1c..472985d4ab4f785aa9c4af94bf8021829ca1c3c8 100644
---- a/src/providers/ipa/ipa_subdomains_id.c
-+++ b/src/providers/ipa/ipa_subdomains_id.c
-@@ -641,21 +641,16 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
-     case BE_REQ_BY_SECID:
-     case BE_REQ_GROUP:
-         clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
--        if (clist == NULL) {
--            ret = ENOMEM;
--            goto fail;
--        }
--        clist[1]->ignore_mark_offline = true;
-         break;
-     default:
--        clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
--        if (clist == NULL) {
--            ret = ENOMEM;
--            goto fail;
--        }
--        clist[0] = ad_id_ctx->ldap_ctx;
--        clist[0]->ignore_mark_offline = true;
--        clist[1] = NULL;
-+        clist = ad_ldap_conn_list(req, ad_id_ctx, state->obj_dom);
-+        break;
-+    }
-+
-+    if (clist == NULL) {
-+        DEBUG(SSSDBG_OP_FAILURE, "Cannot generate AD connection list!\n");
-+        ret = ENOMEM;
-+        goto fail;
-     }
- 
-     /* Now we already need ad_id_ctx in particular sdap_id_conn_ctx */
-diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
-index bc9d0940bb22cc4b11f5a5b012ac4ded338714a0..d2b59a23dfbff0bfda8ec7a52a71aec99f56baf3 100644
---- a/src/tests/cmocka/test_ad_common.c
-+++ b/src/tests/cmocka/test_ad_common.c
-@@ -350,7 +350,7 @@ __wrap_sdap_set_sasl_options(struct sdap_options *id_opts,
-     return EOK;
- }
- 
--void test_ldap_conn_list(void **state)
-+void test_ad_get_dom_ldap_conn(void **state)
- {
-     struct sdap_id_conn_ctx *conn;
- 
-@@ -365,7 +365,7 @@ void test_ldap_conn_list(void **state)
-     assert_true(conn == test_ctx->subdom_ad_ctx->ldap_ctx);
- }
- 
--void test_conn_list(void **state)
-+void test_gc_conn_list(void **state)
- {
-     struct sdap_id_conn_ctx **conn_list;
- 
-@@ -392,7 +392,8 @@ void test_conn_list(void **state)
-     assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx);
-     assert_true(conn_list[0]->ignore_mark_offline);
-     assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx);
--    assert_false(conn_list[1]->ignore_mark_offline);
-+    /* Subdomain error should not set the backend offline! */
-+    assert_true(conn_list[1]->ignore_mark_offline);
-     talloc_free(conn_list);
- 
-     dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false);
-@@ -411,6 +412,37 @@ void test_conn_list(void **state)
-     assert_non_null(conn_list);
- 
-     assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx);
-+    assert_true(conn_list[0]->ignore_mark_offline);
-+    assert_null(conn_list[1]);
-+    talloc_free(conn_list);
-+}
-+
-+void test_ldap_conn_list(void **state)
-+{
-+    struct sdap_id_conn_ctx **conn_list;
-+
-+    struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
-+                                                     struct ad_common_test_ctx);
-+    assert_non_null(test_ctx);
-+
-+    conn_list = ad_ldap_conn_list(test_ctx,
-+                                  test_ctx->ad_ctx,
-+                                  test_ctx->dom);
-+    assert_non_null(conn_list);
-+
-+    assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
-+    assert_false(conn_list[0]->ignore_mark_offline);
-+    assert_null(conn_list[1]);
-+    talloc_free(conn_list);
-+
-+    conn_list = ad_ldap_conn_list(test_ctx,
-+                                  test_ctx->ad_ctx,
-+                                  test_ctx->subdom);
-+    assert_non_null(conn_list);
-+
-+    assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx);
-+    assert_true(conn_list[0]->ignore_mark_offline);
-+    assert_null(conn_list[1]);
-     talloc_free(conn_list);
- }
- 
-@@ -432,12 +464,15 @@ int main(int argc, const char *argv[])
-         cmocka_unit_test_setup_teardown(test_ad_create_2way_trust_options,
-                                         test_ad_common_setup,
-                                         test_ad_common_teardown),
-+        cmocka_unit_test_setup_teardown(test_ad_get_dom_ldap_conn,
-+                                        test_ldap_conn_setup,
-+                                        test_ldap_conn_teardown),
-+        cmocka_unit_test_setup_teardown(test_gc_conn_list,
-+                                        test_ldap_conn_setup,
-+                                        test_ldap_conn_teardown),
-         cmocka_unit_test_setup_teardown(test_ldap_conn_list,
-                                         test_ldap_conn_setup,
-                                         test_ldap_conn_teardown),
--        cmocka_unit_test_setup_teardown(test_conn_list,
--                                        test_ldap_conn_setup,
--                                        test_ldap_conn_teardown),
-     };
- 
-     /* Set debug level to invalid value so we can deside if -d 0 was used. */
--- 
-2.5.0
-
diff --git a/0003-AD-Consolidate-connection-list-construction-on-ad_co.patch b/0003-AD-Consolidate-connection-list-construction-on-ad_co.patch
deleted file mode 100644
index 4485ec5..0000000
--- a/0003-AD-Consolidate-connection-list-construction-on-ad_co.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From a105c26bcc3ab1bbdbb7e0ffea0f170dd836cf1a Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 5 Oct 2015 16:11:14 +0200
-Subject: [PATCH 3/3] AD: Consolidate connection list construction on
- ad_common.c
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit afb21fd06690a0bec288a7970abf74ed2ea7dfdc)
-(cherry picked from commit f1742784d9b1cffd74f67beeb26375124183428a)
----
- src/providers/ad/ad_common.c      | 31 +++++++++++++++++++++++++++++++
- src/providers/ad/ad_common.h      |  5 +++++
- src/providers/ad/ad_id.c          | 18 +-----------------
- src/tests/cmocka/test_ad_common.c | 34 ++++++++++++++++++++++++++++++++++
- 4 files changed, 71 insertions(+), 17 deletions(-)
-
-diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
-index df277e55e234d4d4efe34d5f5d8efdfe7267fb60..650ec41578297f7b3a59df118b71a6bb8bc6d6ed 100644
---- a/src/providers/ad/ad_common.c
-+++ b/src/providers/ad/ad_common.c
-@@ -1286,3 +1286,34 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
-     clist[1] = NULL;
-     return clist;
- }
-+
-+struct sdap_id_conn_ctx **
-+ad_user_conn_list(TALLOC_CTX *mem_ctx,
-+                  struct ad_id_ctx *ad_ctx,
-+                  struct sss_domain_info *dom)
-+{
-+    struct sdap_id_conn_ctx **clist;
-+    int cindex = 0;
-+
-+    clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
-+    if (clist == NULL) {
-+        return NULL;
-+    }
-+
-+    /* Try GC first for users from trusted domains, but go to LDAP
-+     * for users from non-trusted domains to get all POSIX attrs
-+     */
-+    if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
-+            && IS_SUBDOMAIN(dom)) {
-+        clist[cindex] = ad_ctx->gc_ctx;
-+        clist[cindex]->ignore_mark_offline = true;
-+        cindex++;
-+    }
-+
-+    /* Users from primary domain can be just downloaded from LDAP.
-+     * The domain's LDAP connection also works as a fallback
-+     */
-+    clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
-+
-+    return clist;
-+}
-diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
-index 701e461987cb286ca7add2766ffb4dc496bde01e..0cefa1859aaa75731267917e66ab9a1905528e91 100644
---- a/src/providers/ad/ad_common.h
-+++ b/src/providers/ad/ad_common.h
-@@ -153,6 +153,11 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
-                   struct ad_id_ctx *ad_ctx,
-                   struct sss_domain_info *dom);
- 
-+struct sdap_id_conn_ctx **
-+ad_user_conn_list(TALLOC_CTX *mem_ctx,
-+                  struct ad_id_ctx *ad_ctx,
-+                  struct sss_domain_info *dom);
-+
- struct sdap_id_conn_ctx *
- ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom);
- 
-diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
-index be0cb3b12f2e3a2b53d740ecf3befc07fd853f8b..51d378863a5c7394ca3a2b8bd72f8c131a2b02b1 100644
---- a/src/providers/ad/ad_id.c
-+++ b/src/providers/ad/ad_id.c
-@@ -244,25 +244,10 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
-               struct sss_domain_info *dom, struct be_acct_req *ar)
- {
-     struct sdap_id_conn_ctx **clist;
--    int cindex = 0;
- 
-     switch (ar->entry_type & BE_REQ_TYPE_MASK) {
-     case BE_REQ_USER: /* user */
--        clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
--        if (clist == NULL) return NULL;
--
--        /* Try GC first for users from trusted domains */
--        if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
--                && IS_SUBDOMAIN(dom)) {
--            clist[cindex] = ad_ctx->gc_ctx;
--            clist[cindex]->ignore_mark_offline = true;
--            cindex++;
--        }
--
--        /* Users from primary domain can be just downloaded from LDAP.
--         * The domain's LDAP connection also works as a fallback
--         */
--        clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
-+        clist = ad_user_conn_list(breq, ad_ctx, dom);
-         break;
-     case BE_REQ_BY_SECID:   /* by SID */
-     case BE_REQ_USER_AND_GROUP: /* get SID */
-@@ -270,7 +255,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
-     case BE_REQ_INITGROUPS: /* init groups for user */
-         clist = ad_gc_conn_list(breq, ad_ctx, dom);
-         break;
--
-     default:
-         /* Requests for other object should only contact LDAP by default */
-         clist = ad_ldap_conn_list(breq, ad_ctx, dom);
-diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
-index d2b59a23dfbff0bfda8ec7a52a71aec99f56baf3..b0cf4b5e6b0559c2896273bfcfb1af99cad195a3 100644
---- a/src/tests/cmocka/test_ad_common.c
-+++ b/src/tests/cmocka/test_ad_common.c
-@@ -446,6 +446,37 @@ void test_ldap_conn_list(void **state)
-     talloc_free(conn_list);
- }
- 
-+void test_user_conn_list(void **state)
-+{
-+    struct sdap_id_conn_ctx **conn_list;
-+
-+    struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
-+                                                     struct ad_common_test_ctx);
-+    assert_non_null(test_ctx);
-+
-+    conn_list = ad_user_conn_list(test_ctx,
-+                                  test_ctx->ad_ctx,
-+                                  test_ctx->dom);
-+    assert_non_null(conn_list);
-+
-+    assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
-+    assert_false(conn_list[0]->ignore_mark_offline);
-+    assert_null(conn_list[1]);
-+    talloc_free(conn_list);
-+
-+    conn_list = ad_user_conn_list(test_ctx,
-+                                  test_ctx->ad_ctx,
-+                                  test_ctx->subdom);
-+    assert_non_null(conn_list);
-+
-+    assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx);
-+    assert_true(conn_list[0]->ignore_mark_offline);
-+    assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx);
-+    /* Subdomain error should not set the backend offline! */
-+    assert_true(conn_list[1]->ignore_mark_offline);
-+    talloc_free(conn_list);
-+}
-+
- int main(int argc, const char *argv[])
- {
-     poptContext pc;
-@@ -473,6 +504,9 @@ int main(int argc, const char *argv[])
-         cmocka_unit_test_setup_teardown(test_ldap_conn_list,
-                                         test_ldap_conn_setup,
-                                         test_ldap_conn_teardown),
-+        cmocka_unit_test_setup_teardown(test_user_conn_list,
-+                                        test_ldap_conn_setup,
-+                                        test_ldap_conn_teardown),
-     };
- 
-     /* Set debug level to invalid value so we can deside if -d 0 was used. */
--- 
-2.5.0
-
diff --git a/0004-SSSDConfig-Do-not-raise-exception-if-config_file_ver.patch b/0004-SSSDConfig-Do-not-raise-exception-if-config_file_ver.patch
deleted file mode 100644
index 5da1626..0000000
--- a/0004-SSSDConfig-Do-not-raise-exception-if-config_file_ver.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From c540338b798a15b736770a51f87eb13606faa544 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Thu, 15 Oct 2015 18:53:37 +0200
-Subject: [PATCH 4/6] SSSDConfig: Do not raise exception if config_file_version
- is missing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ticket:
-https://fedorahosted.org/sssd/ticket/2837
-
-Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-(cherry picked from commit 6a044fa43d53638c1d0b874d43f58c0428820362)
-(cherry picked from commit a2363aa5984a707b8834816ea8538fe7de250a63)
----
- src/config/SSSDConfig/__init__.py.in | 8 ++++----
- src/config/SSSDConfigTest.py         | 5 -----
- 2 files changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
-index 038de16d55423a73c0bed6a0e27d99e1ab46a90f..bf61c402796122050fa43cf41128faec4771c5d2 100644
---- a/src/config/SSSDConfig/__init__.py.in
-+++ b/src/config/SSSDConfig/__init__.py.in
-@@ -1405,10 +1405,10 @@ class SSSDConfig(SSSDChangeConf):
-         try:
-             if int(self.get('sssd', 'config_file_version')) != self.API_VERSION:
-                 raise ParsingError("Wrong config_file_version")
--        except:
--            # Either the 'sssd' section or the 'config_file_version' was not
--            # present in the config file
--            raise ParsingError("File contains no config_file_version")
-+        except TypeError:
-+            # This happens when config_file_version is missing. We
-+            # can assume it is the default version and continue.
-+            pass
- 
-     def new_config(self):
-         """
-diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
-index 5047bd7237188be4df83f76054afe6b43ceeec1d..a850b8d2c5933c4c08b5b0e8f4db79f3c88fc5ee 100755
---- a/src/config/SSSDConfigTest.py
-+++ b/src/config/SSSDConfigTest.py
-@@ -1226,11 +1226,6 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
-                                            srcdir + "/etc/sssd.api.d")
-         self.assertRaises(SSSDConfig.ParsingError, sssdconfig.import_config, srcdir + "/testconfigs/sssd-badversion.conf")
- 
--        # Negative Test - No config file version
--        sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
--                                           srcdir + "/etc/sssd.api.d")
--        self.assertRaises(SSSDConfig.ParsingError, sssdconfig.import_config, srcdir + "/testconfigs/sssd-noversion.conf")
--
-         # Negative Test - Already initialized
-         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
-                                            srcdir + "/etc/sssd.api.d")
--- 
-2.5.0
-
diff --git a/0005-SSSDConfigTest-Try-load-saved-config.patch b/0005-SSSDConfigTest-Try-load-saved-config.patch
deleted file mode 100644
index e7f7373..0000000
--- a/0005-SSSDConfigTest-Try-load-saved-config.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From dab0d1655f5e2451fc8ded804763ac4549ffd978 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Thu, 15 Oct 2015 10:32:09 +0200
-Subject: [PATCH 5/6] SSSDConfigTest: Try load saved config
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Python module SSSDConfig should be able to save configuration file
-and later load the same configuration file without problem.
-
-Unit test for:
-https://fedorahosted.org/sssd/ticket/2837
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
-(cherry picked from commit 87ef67286b64af98d32a3a5abcd28a9c2886f751)
-(cherry picked from commit 69612bc5d0a9219ecccf3e8c6410059322aeecc6)
----
- src/config/SSSDConfigTest.py | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
-index a850b8d2c5933c4c08b5b0e8f4db79f3c88fc5ee..8a4a2b30a8a5b2422075fd614626d14e6f803a18 100755
---- a/src/config/SSSDConfigTest.py
-+++ b/src/config/SSSDConfigTest.py
-@@ -157,10 +157,14 @@ class SSSDConfigTestValid(unittest.TestCase):
-         #non-owners, and should not be executable by anyone
-         self.assertFalse(S_IMODE(mode) & 0o177)
- 
-+        # try to import saved configuration file
-+        config = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
-+                                       srcdir + "/etc/sssd.api.d")
-+        config.import_config(configfile=of)
-+
-         #Remove the output file
-         os.unlink(of)
- 
--
-     def testCreateNewLDAPConfig(self):
-         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
-                                 srcdir + "/etc/sssd.api.d")
-@@ -191,9 +195,15 @@ class SSSDConfigTestValid(unittest.TestCase):
-         #non-owners, and should not be executable by anyone
-         self.assertFalse(S_IMODE(mode) & 0o177)
- 
-+        # try to import saved configuration file
-+        config = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
-+                                       srcdir + "/etc/sssd.api.d")
-+        config.import_config(configfile=of)
-+
-         #Remove the output file
-         os.unlink(of)
- 
-+
-     def testModifyExistingConfig(self):
-         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
-                                 srcdir + "/etc/sssd.api.d")
--- 
-2.5.0
-
diff --git a/0006-SSSDConfigTest-Test-real-config-without-config_file_.patch b/0006-SSSDConfigTest-Test-real-config-without-config_file_.patch
deleted file mode 100644
index 1cbd0f7..0000000
--- a/0006-SSSDConfigTest-Test-real-config-without-config_file_.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From abbb16532a5336cf5c75228c2adc56601c828f9a Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Thu, 15 Oct 2015 11:04:06 +0200
-Subject: [PATCH 6/6] SSSDConfigTest: Test real config without
- config_file_version
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-src/config/testconfigs/sssd-valid.conf explicitly contains
-config_file_version. Recently we changed the default value to 2
-and therefore it needn't be listed in configuration file.
-This patch test real sssd.conf without config_file_version.
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
-(cherry picked from commit 7388fc91bd6c22705e60632346ec815f4a4963f1)
-(cherry picked from commit b1c6767617c082de2521976175bc2f499ec295e9)
----
- src/config/SSSDConfigTest.py               | 85 ++++++++++++++++++++++++++++++
- src/config/testconfigs/sssd-noversion.conf | 22 ++++++++
- 2 files changed, 107 insertions(+)
-
-diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
-index 8a4a2b30a8a5b2422075fd614626d14e6f803a18..45562214da5d227b45914abbcb298e043048adf5 100755
---- a/src/config/SSSDConfigTest.py
-+++ b/src/config/SSSDConfigTest.py
-@@ -1243,6 +1243,91 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
-         self.assertRaises(SSSDConfig.AlreadyInitializedError,
-                           sssdconfig.import_config, srcdir + "/testconfigs/sssd-valid.conf")
- 
-+    def testImportConfigNoVersion(self):
-+        # Positive Test
-+        sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
-+                                           srcdir + "/etc/sssd.api.d")
-+        sssdconfig.import_config(
-+            srcdir + "/testconfigs/sssd-noversion.conf"
-+        )
-+
-+        # Validate services
-+        services = sssdconfig.list_services()
-+        self.assertTrue('sssd' in services)
-+        self.assertTrue('nss' in services)
-+        self.assertTrue('pam' in services)
-+        self.assertTrue('dp' in services)
-+
-+        #Verify service attributes
-+        sssd_service = sssdconfig.get_service('sssd')
-+        service_opts = sssd_service.list_options()
-+
-+        self.assertTrue('services' in service_opts.keys())
-+        service_list = sssd_service.get_option('services')
-+        self.assertTrue('nss' in service_list)
-+        self.assertTrue('pam' in service_list)
-+        self.assertTrue('reconnection_retries' in service_opts)
-+
-+        #Validate domain list
-+        domains = sssdconfig.list_domains()
-+        self.assertTrue('LOCAL' in domains)
-+        self.assertTrue('LDAP' in domains)
-+        self.assertTrue('PROXY' in domains)
-+        self.assertTrue('IPA' in domains)
-+
-+        # Verify domain attributes
-+        ipa_domain = sssdconfig.get_domain('IPA')
-+        domain_opts = ipa_domain.list_options()
-+        self.assertTrue('debug_level' in domain_opts.keys())
-+        self.assertTrue('id_provider' in domain_opts.keys())
-+        self.assertTrue('auth_provider' in domain_opts.keys())
-+
-+        # Verify domain attributes
-+        proxy_domain = sssdconfig.get_domain('PROXY')
-+        domain_opts = proxy_domain.list_options()
-+        self.assertTrue('debug_level' in domain_opts.keys())
-+        self.assertTrue('id_provider' in domain_opts.keys())
-+        self.assertTrue('auth_provider' in domain_opts.keys())
-+
-+        # Verify domain attributes
-+        local_domain = sssdconfig.get_domain('LOCAL')
-+        domain_opts = local_domain.list_options()
-+        self.assertTrue('debug_level' in domain_opts.keys())
-+        self.assertTrue('id_provider' in domain_opts.keys())
-+        self.assertTrue('auth_provider' in domain_opts.keys())
-+
-+        # Verify domain attributes
-+        ldap_domain = sssdconfig.get_domain('LDAP')
-+        domain_opts = ldap_domain.list_options()
-+        self.assertTrue('debug_level' in domain_opts.keys())
-+        self.assertTrue('id_provider' in domain_opts.keys())
-+        self.assertTrue('auth_provider' in domain_opts.keys())
-+
-+        domain_control_list = [
-+            'cache_credentials',
-+            'id_provider',
-+            'auth_provider',
-+            'access_provider',
-+            'default_shell',
-+            'fallback_homedir',
-+            'cache_credentials',
-+            'use_fully_qualified_names',
-+        ]
-+
-+        ad_domain = sssdconfig.get_domain("ad.example.com")
-+
-+        for option in ad_domain.get_all_options():
-+            self.assertTrue(option in domain_control_list)
-+
-+        negative_domain_control_list = [
-+            'ad_server',
-+            'ldap_id_mapping',
-+            'ldap_sasl_authid',
-+        ]
-+
-+        for option in ad_domain.get_all_options():
-+            self.assertFalse(option in negative_domain_control_list)
-+
-     def testNewConfig(self):
-         # Positive Test
-         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
-diff --git a/src/config/testconfigs/sssd-noversion.conf b/src/config/testconfigs/sssd-noversion.conf
-index 71af85cc07e87ab96372fb91ea52ce36faf21a1e..d5f524d268dd43825364a4b464909cf1b9441646 100644
---- a/src/config/testconfigs/sssd-noversion.conf
-+++ b/src/config/testconfigs/sssd-noversion.conf
-@@ -39,3 +39,25 @@ debug_level = 0
- [dp]
- debug_level = 0
- 
-+[domain/ad.example.com]
-+cache_credentials = true
-+
-+id_provider = ad
-+auth_provider = ad
-+access_provider = ad
-+
-+# Uncomment if service discovery is not working
-+# ad_server = server.ad.example.com
-+
-+# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
-+# ldap_id_mapping = False
-+
-+# Comment out if the users have the shell and home dir set on the AD side
-+default_shell = /bin/bash
-+fallback_homedir = /home/%d/%u
-+
-+# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
-+# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
-+
-+# Comment out if you prefer to user shortnames.
-+use_fully_qualified_names = True
--- 
-2.5.0
-
diff --git a/0007-BUILD-Accept-krb5-1.14-for-building-the-PAC-plugin.patch b/0007-BUILD-Accept-krb5-1.14-for-building-the-PAC-plugin.patch
deleted file mode 100644
index aff582b..0000000
--- a/0007-BUILD-Accept-krb5-1.14-for-building-the-PAC-plugin.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From c36f343f88f65a9765085f1346da6d6591ef86a5 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Mon, 26 Oct 2015 07:00:50 +0100
-Subject: [PATCH 7/7] BUILD: Accept krb5 1.14 for building the PAC plugin
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 8fe87c3d35bf301cbb6ed7d441b588327d831924)
-(cherry picked from commit 3dd118ee870d4370e8bfff8bd71d7e9954ccac06)
----
- src/external/pac_responder.m4 | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
-index 2941d63ab5bc9f2c993cabf1080a04f812611751..a9e142dc945e157d87ab8478fa63b261415a7e8d 100644
---- a/src/external/pac_responder.m4
-+++ b/src/external/pac_responder.m4
-@@ -22,7 +22,8 @@ then
-         Kerberos\ 5\ release\ 1.10* | \
-         Kerberos\ 5\ release\ 1.11* | \
-         Kerberos\ 5\ release\ 1.12* | \
--        Kerberos\ 5\ release\ 1.13*)
-+        Kerberos\ 5\ release\ 1.13* | \
-+        Kerberos\ 5\ release\ 1.14*)
-             krb5_version_ok=yes
-             AC_MSG_RESULT([yes])
-             ;;
--- 
-2.5.0
-
diff --git a/sources b/sources
index 6ee4e27..3b25ab3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-56623de935ab1c8e7a2535528f4b95b2  sssd-1.13.1.tar.gz
+e3c72e6585492f194f38e6e48b3ddae1  sssd-1.13.2.tar.gz
diff --git a/sssd.spec b/sssd.spec
index e9af536..f0a819a 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -9,15 +9,9 @@
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
 %global ldb_version 1.1.20
 
-%if (0%{?fedora} || 0%{?rhel} >= 7)
     %global with_cifs_utils_plugin 1
-%else
-    %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
-%endif
 
-%if (0%{?fedora} >= 21 || (0%{?rhel} == 7 &&  0%{?rhel7_minor} >= 1))
     %global with_krb5_localauth_plugin 1
-%endif
 
 
 %global libwbc_alternatives_version 0.12
@@ -28,8 +22,8 @@
 %endif
 
 Name: sssd
-Version: 1.13.1
-Release: 5%{?dist}
+Version: 1.13.2
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -38,15 +32,9 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
-Patch0001: 0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch
-Patch0002: 0002-AD-Provide-common-connection-list-construction-funct.patch
-Patch0003: 0003-AD-Consolidate-connection-list-construction-on-ad_co.patch
-Patch0004: 0004-SSSDConfig-Do-not-raise-exception-if-config_file_ver.patch
-Patch0005: 0005-SSSDConfigTest-Try-load-saved-config.patch
-Patch0006: 0006-SSSDConfigTest-Test-real-config-without-config_file_.patch
-patch0007: 0007-BUILD-Accept-krb5-1.14-for-building-the-PAC-plugin.patch
 
 ### Dependencies ###
+
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-ldap = %{version}-%{release}
 Requires: sssd-krb5 = %{version}-%{release}
@@ -110,17 +98,14 @@ BuildRequires: findutils
 BuildRequires: glib2-devel
 BuildRequires: selinux-policy-targeted
 BuildRequires: libcmocka-devel >= 1.0.0
-%if (0%{?fedora} >= 20)
 BuildRequires: uid_wrapper
 BuildRequires: nss_wrapper
-%endif
 BuildRequires: libnl3-devel
 BuildRequires: systemd-devel
 %if (0%{?with_cifs_utils_plugin} == 1)
 BuildRequires: cifs-utils-devel
 %endif
 BuildRequires: libnfsidmap-devel
-
 BuildRequires: samba4-devel >= 4.0.0-59beta2
 BuildRequires: libsmbclient-devel
 
@@ -540,8 +525,9 @@ autoreconf -ivf
     --disable-rpath \
     --with-initscript=systemd \
     --with-syslog=journald \
+    --enable-sss-default-nss-plugin \
     %{?with_cifs_utils_plugin_option} \
-    --enable-sss-default-nss-plugin
+
 
 make %{?_smp_mflags} all docs
 
@@ -707,6 +693,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) %dir %{mcpath}
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
 %attr(755,root,root) %dir %{pipepath}
 %attr(755,root,root) %dir %{pubconfpath}
 %attr(755,root,root) %dir %{gpocachepath}
@@ -854,22 +841,18 @@ rm -rf $RPM_BUILD_ROOT
 %files -n python-sss
 %defattr(-,root,root,-)
 %{python2_sitearch}/pysss.so
-%{python2_sitearch}/_py2sss.so
 
 %files -n python3-sss
 %defattr(-,root,root,-)
 %{python3_sitearch}/pysss.so
-%{python3_sitearch}/_py3sss.so
 
 %files -n python-sss-murmur
 %defattr(-,root,root,-)
 %{python2_sitearch}/pysss_murmur.so
-%{python2_sitearch}/_py2sss_murmur.so
 
 %files -n python3-sss-murmur
 %defattr(-,root,root,-)
 %{python3_sitearch}/pysss_murmur.so
-%{python3_sitearch}/_py3sss_murmur.so
 
 %files -n libsss_idmap
 %defattr(-,root,root,-)
@@ -910,22 +893,18 @@ rm -rf $RPM_BUILD_ROOT
 %files -n python-libsss_nss_idmap
 %defattr(-,root,root,-)
 %{python2_sitearch}/pysss_nss_idmap.so
-%{python2_sitearch}/_py2sss_nss_idmap.so
 
 %files -n python3-libsss_nss_idmap
 %defattr(-,root,root,-)
 %{python3_sitearch}/pysss_nss_idmap.so
-%{python3_sitearch}/_py3sss_nss_idmap.so
 
 %files -n python-libipa_hbac
 %defattr(-,root,root,-)
 %{python2_sitearch}/pyhbac.so
-%{python2_sitearch}/_py2hbac.so
 
 %files -n python3-libipa_hbac
 %defattr(-,root,root,-)
 %{python3_sitearch}/pyhbac.so
-%{python3_sitearch}/_py3hbac.so
 
 %files libwbclient
 %defattr(-,root,root,-)
@@ -1016,6 +995,10 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Fri Nov 20 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.2-1
+- New upstream release 1.13.2
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2
+
 * Fri Nov 06 2015 Robert Kuska <rkuska@redhat.com> - 1.13.1-5
 - Rebuilt for Python3.5 rebuild