New upstream release 1.9.5

https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.6

.gitignore

@@ -26,3 +26,10 @@ sssd-1.2.91.tar.gz
 /sssd-1.8.0beta3.tar.gz
 /sssd-1.8.0.tar.gz
 /sssd-1.8.1.tar.gz
+/sssd-1.8.2.tar.gz
+/sssd-1.8.3.tar.gz
+/sssd-1.8.4.tar.gz
+/sssd-1.8.5.tar.gz
+/sssd-1.8.6.tar.gz
+/sssd-1.9.4.tar.gz
+/sssd-1.9.5.tar.gz

0001-krb-recreate-ccache-if-it-was-deleted.patch

@@ -0,0 +1,39 @@
+From cae3bf6af22855adc8dd7b270e11207f0a33c385 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 30 Jan 2013 13:45:27 +0100
+Subject: [PATCH] krb: recreate ccache if it was deleted
+
+https://fedorahosted.org/sssd/ticket/1512
+
+If directory where a ccache file was stored was missing and user
+was still logged in, we erroneously considered the ccache file
+still active. Thus the ccache file was not recreated and user was
+unable to login.
+---
+ src/providers/krb5/krb5_utils.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
+index b770714be030076203b6578f90ef726226cb72f8..7b56be52497ae66fa536b76ca0561ec3cc3208ce 100644
+--- a/src/providers/krb5/krb5_utils.c
++++ b/src/providers/krb5/krb5_utils.c
+@@ -770,8 +770,15 @@ cc_residual_is_used(uid_t uid, const char *ccname,
+ 
+     ret = lstat(ccname, &stat_buf);
+ 
+-    if (ret == -1 && errno != ENOENT) {
++    if (ret == -1) {
+         ret = errno;
++        if (ret == ENOENT) {
++            DEBUG(SSSDBG_FUNC_DATA, ("Cache file [%s] does not exists, "
++                                     "it will be recreated\n", ccname));
++            *result = false;
++            return EOK;
++        }
++
+         DEBUG(SSSDBG_OP_FAILURE,
+               ("stat failed [%d][%s].\n", ret, strerror(ret)));
+         return ret;
+-- 
+1.7.11.7
+

0002-subdomains-replace-invalid-characters-with-underscor.patch

@@ -0,0 +1,69 @@
+From a0388dc52f5461f72f8221c9bb7c92008e1fe2c5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 1 Feb 2013 12:17:47 +0100
+Subject: [PATCH] subdomains: replace invalid characters with underscore in
+ krb5 mapping file name
+
+https://fedorahosted.org/sssd/ticket/1795
+
+Only alpha-numeric chars, dashes and underscores are allowed in
+krb5 include directory.
+---
+ src/providers/ipa/ipa_subdomains.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index ef6195d19de72be7fd2b12a309b33fcf20e0e3a1..f959c4e6eb1d830e3990f552c9f4cf962298ef48 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -287,22 +287,46 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain,
+     errno_t err;
+     TALLOC_CTX *tmp_ctx;
+     const char *mapping_file;
++    char *sanitized_domain;
+     char *tmp_file = NULL;
+     int fd = -1;
+     mode_t old_mode;
+     FILE *fstream = NULL;
+     size_t i;
+ 
++    if (domain == NULL || domain->name == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, ("No domain name provided\n"));
++        return EINVAL;
++    }
++
+     tmp_ctx = talloc_new(NULL);
+     if (!tmp_ctx) return ENOMEM;
+ 
++    sanitized_domain = talloc_strdup(tmp_ctx, domain->name);
++    if (sanitized_domain == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup() failed\n"));
++        return ENOMEM;
++    }
++
++    /* only alpha-numeric chars, dashes and underscores are allowed in
++     * krb5 include directory */
++    for (i = 0; sanitized_domain[i] != '\0'; i++) {
++        if (!isalnum(sanitized_domain[i])
++                && sanitized_domain[i] != '-' && sanitized_domain[i] != '_') {
++            sanitized_domain[i] = '_';
++        }
++    }
++
+     mapping_file = talloc_asprintf(tmp_ctx, "%s/domain_realm_%s",
+-                                   IPA_SUBDOMAIN_MAPPING_DIR, domain->name);
++                                   IPA_SUBDOMAIN_MAPPING_DIR, sanitized_domain);
+     if (!mapping_file) {
+         ret = ENOMEM;
+         goto done;
+     }
+ 
++    DEBUG(SSSDBG_FUNC_DATA, ("Mapping file for domain [%s] is [%s]\n",
++                             domain->name, mapping_file));
++
+     tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", mapping_file);
+     if (tmp_file == NULL) {
+         ret = ENOMEM;
+-- 
+1.7.11.7
+

0003-Fix-the-krb5-password-expiration-warning.patch

@@ -0,0 +1,39 @@
+From e354a96bbca5da8525ee51f91907e75af897b856 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 14 Feb 2013 10:13:59 +0100
+Subject: [PATCH] Fix the krb5 password expiration warning
+
+https://fedorahosted.org/sssd/ticket/1808
+---
+ src/confdb/confdb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index 31efd9443be8490715961c8a45f9352bd1ade653..31c48bd28aee37008687e7e255ebf2ef2d79798a 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1020,7 +1020,11 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+         goto done;
+     }
+ 
+-    /* Set the PAM warning time, if specified */
++    /* Set the PAM warning time, if specified. If not specified, pass on
++     * the "not set" value of "-1" which means "use provider default". The
++     * value 0 means "always display the warning if server sends one" */
++    domain->pwd_expiration_warning = -1;
++
+     val = ldb_msg_find_attr_as_int(res->msgs[0],
+                                    CONFDB_DOMAIN_PWD_EXPIRATION_WARNING,
+                                    -1);
+@@ -1035,6 +1039,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+     }
+ 
+     if (val > 0) {
++        DEBUG(SSSDBG_CONF_SETTINGS,
++              ("Setting domain password expiration warning to %d days\n", val));
+         /* The value is in days, transform it to seconds */
+         domain->pwd_expiration_warning = val * 24 * 3600;
+     }
+-- 
+1.8.1.2
+

0004-Add-unit-tests-for-simple-access-test-by-groups.patch

@@ -0,0 +1,412 @@
+From 754b09b5444e6da88ed58d6deaed8b815e268b6b Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Sun, 3 Mar 2013 21:43:44 +0100
+Subject: [PATCH 2/4] Add unit tests for simple access test by groups
+
+I realized that the current unit tests for the simple access provider
+only tested the user directives. To have a baseline and be able to
+detect new bugs in the upcoming patch, I implemented unit tests for the
+group lists, too.
+---
+ src/tests/simple_access-tests.c | 283 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 252 insertions(+), 31 deletions(-)
+
+diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
+index c61814eb54c1aa5138a1b45653f9384228c5456a..577c6d334edda513fd0f1e42a859ea333ba5ba23 100644
+--- a/src/tests/simple_access-tests.c
++++ b/src/tests/simple_access-tests.c
+@@ -30,39 +30,152 @@
+ #include "providers/simple/simple_access.h"
+ #include "tests/common.h"
+ 
++#define TESTS_PATH "tests_simple_access"
++#define TEST_CONF_FILE "tests_conf.ldb"
++
+ const char *ulist_1[] = {"u1", "u2", NULL};
++const char *glist_1[] = {"g1", "g2", NULL};
+ 
+-struct simple_ctx *ctx = NULL;
++struct simple_test_ctx *test_ctx = NULL;
++
++struct simple_test_ctx {
++    struct sysdb_ctx *sysdb;
++    struct confdb_ctx *confdb;
++
++    struct simple_ctx *ctx;
++};
+ 
+ void setup_simple(void)
+ {
+-    fail_unless(ctx == NULL, "Simple context already initialized.");
+-    ctx = talloc_zero(NULL, struct simple_ctx);
+-    fail_unless(ctx != NULL, "Cannot create simple context.");
++    errno_t ret;
++    char *conf_db;
++    const char *val[2];
++    val[1] = NULL;
+ 
+-    ctx->domain = talloc_zero(ctx, struct sss_domain_info);
+-    fail_unless(ctx != NULL, "Cannot create domain in simple context.");
+-    ctx->domain->case_sensitive = true;
++    /* Create tests directory if it doesn't exist */
++    /* (relative to current dir) */
++    ret = mkdir(TESTS_PATH, 0775);
++    fail_if(ret == -1 && errno != EEXIST,
++            "Could not create %s directory", TESTS_PATH);
++
++    fail_unless(test_ctx == NULL, "Simple context already initialized.");
++    test_ctx = talloc_zero(NULL, struct simple_test_ctx);
++    fail_unless(test_ctx != NULL, "Cannot create simple test context.");
++
++    test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
++    fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
++
++    conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
++    fail_if(conf_db == NULL, "Out of memory, aborting!");
++    DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
++
++    /* Connect to the conf db */
++    ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
++    fail_if(ret != EOK, "Could not initialize connection to the confdb");
++
++    val[0] = "LOCAL";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/sssd", "domains", val);
++    fail_if(ret != EOK, "Could not initialize domains placeholder");
++
++    val[0] = "local";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/domain/LOCAL", "id_provider", val);
++    fail_if(ret != EOK, "Could not initialize provider");
++
++    val[0] = "TRUE";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/domain/LOCAL", "enumerate", val);
++    fail_if(ret != EOK, "Could not initialize LOCAL domain");
++
++    val[0] = "TRUE";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/domain/LOCAL", "cache_credentials", val);
++    fail_if(ret != EOK, "Could not initialize LOCAL domain");
++
++    ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
++                                      TESTS_PATH,
++                                      &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
++    fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
++    test_ctx->ctx->domain->case_sensitive = true;
+ }
+ 
+ void teardown_simple(void)
+ {
+     int ret;
+-    fail_unless(ctx != NULL, "Simple context already freed.");
+-    ret = talloc_free(ctx);
+-    ctx = NULL;
++    fail_unless(test_ctx != NULL, "Simple context already freed.");
++    ret = talloc_free(test_ctx);
++    test_ctx = NULL;
+     fail_unless(ret == 0, "Connot free simple context.");
+ }
+ 
++void setup_simple_group(void)
++{
++    errno_t ret;
++
++    setup_simple();
++
++    /* Add test users u1 and u2 that would be members of test groups
++     * g1 and g2 respectively */
++    ret = sysdb_store_user(test_ctx->ctx->sysdb,
++                           "u1", NULL, 123, 0, "u1", "/home/u1",
++                           "/bin/bash", NULL, NULL, NULL, -1, 0);
++    fail_if(ret != EOK, "Could not add u1");
++
++    ret = sysdb_store_user(test_ctx->ctx->sysdb,
++                           "u2", NULL, 456, 0, "u1", "/home/u1",
++                           "/bin/bash", NULL, NULL, NULL, -1, 0);
++    fail_if(ret != EOK, "Could not add u2");
++
++    ret = sysdb_store_user(test_ctx->ctx->sysdb,
++                           "u3", NULL, 789, 0, "u1", "/home/u1",
++                           "/bin/bash", NULL, NULL, NULL, -1, 0);
++    fail_if(ret != EOK, "Could not add u3");
++
++    ret = sysdb_add_group(test_ctx->ctx->sysdb,
++                          "g1", 321, NULL, 0, 0);
++    fail_if(ret != EOK, "Could not add g1");
++
++    ret = sysdb_add_group(test_ctx->ctx->sysdb,
++                          "g2", 654, NULL, 0, 0);
++    fail_if(ret != EOK, "Could not add g2");
++
++    ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
++                                 "g1", "u1", SYSDB_MEMBER_USER);
++    fail_if(ret != EOK, "Could not add u1 to g1");
++
++    ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
++                                 "g2", "u2", SYSDB_MEMBER_USER);
++    fail_if(ret != EOK, "Could not add u2 to g2");
++}
++
++void teardown_simple_group(void)
++{
++    errno_t ret;
++
++    ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
++    fail_if(ret != EOK, "Could not delete u1");
++    ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
++    fail_if(ret != EOK, "Could not delete u2");
++    ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
++    fail_if(ret != EOK, "Could not delete u3");
++    ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
++    fail_if(ret != EOK, "Could not delete g1");
++    ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
++    fail_if(ret != EOK, "Could not delete g2");
++
++    teardown_simple();
++}
++
+ START_TEST(test_both_empty)
+ {
+     int ret;
+     bool access_granted = false;
+ 
+-    ctx->allow_users = NULL;
+-    ctx->deny_users = NULL;
++    test_ctx->ctx->allow_users = NULL;
++    test_ctx->ctx->deny_users = NULL;
+ 
+-    ret = simple_access_check(ctx, "u1", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == true, "Access denied "
+                                         "while both lists are empty.");
+@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
+     int ret;
+     bool access_granted = true;
+ 
+-    ctx->allow_users = NULL;
+-    ctx->deny_users = discard_const(ulist_1);
++    test_ctx->ctx->allow_users = NULL;
++    test_ctx->ctx->deny_users = discard_const(ulist_1);
+ 
+-    ret = simple_access_check(ctx, "u1", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == false, "Access granted "
+                                          "while user is in deny list.");
+ 
+-    ret = simple_access_check(ctx, "u3", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == true, "Access denied "
+                                          "while user is not in deny list.");
+@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
+     int ret;
+     bool access_granted = false;
+ 
+-    ctx->allow_users = discard_const(ulist_1);
+-    ctx->deny_users = NULL;
++    test_ctx->ctx->allow_users = discard_const(ulist_1);
++    test_ctx->ctx->deny_users = NULL;
+ 
+-    ret = simple_access_check(ctx, "u1", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == true, "Access denied "
+                                         "while user is in allow list.");
+ 
+-    ret = simple_access_check(ctx, "u3", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == false, "Access granted "
+                                         "while user is not in allow list.");
+@@ -114,15 +227,15 @@ START_TEST(test_both_set)
+     int ret;
+     bool access_granted = false;
+ 
+-    ctx->allow_users = discard_const(ulist_1);
+-    ctx->deny_users = discard_const(ulist_1);
++    test_ctx->ctx->allow_users = discard_const(ulist_1);
++    test_ctx->ctx->deny_users = discard_const(ulist_1);
+ 
+-    ret = simple_access_check(ctx, "u1", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == false, "Access granted "
+                                          "while user is in deny list.");
+ 
+-    ret = simple_access_check(ctx, "u3", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == false, "Access granted "
+                                         "while user is not in allow list.");
+@@ -134,18 +247,18 @@ START_TEST(test_case)
+     int ret;
+     bool access_granted = false;
+ 
+-    ctx->allow_users = discard_const(ulist_1);
+-    ctx->deny_users = NULL;
++    test_ctx->ctx->allow_users = discard_const(ulist_1);
++    test_ctx->ctx->deny_users = NULL;
+ 
+-    ret = simple_access_check(ctx, "U1", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == false, "Access granted "
+                                          "for user with different case "
+                                          "in case-sensitive domain");
+ 
+-    ctx->domain->case_sensitive = false;
++    test_ctx->ctx->domain->case_sensitive = false;
+ 
+-    ret = simple_access_check(ctx, "U1", &access_granted);
++    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+     fail_unless(ret == EOK, "access_simple_check failed.");
+     fail_unless(access_granted == true, "Access denied "
+                                         "for user with different case "
+@@ -153,11 +266,95 @@ START_TEST(test_case)
+ }
+ END_TEST
+ 
++START_TEST(test_group_allow_empty)
++{
++    int ret;
++    bool access_granted = true;
++
++    test_ctx->ctx->allow_groups = NULL;
++    test_ctx->ctx->deny_groups = discard_const(glist_1);
++
++    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == false, "Access granted "
++                                         "while group is in deny list.");
++
++    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == true, "Access denied "
++                                         "while group is not in deny list.");
++}
++END_TEST
++
++START_TEST(test_group_deny_empty)
++{
++    int ret;
++    bool access_granted = false;
++
++    test_ctx->ctx->allow_groups = discard_const(glist_1);
++    test_ctx->ctx->deny_groups = NULL;
++
++    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == true, "Access denied "
++                                        "while group is in allow list.");
++
++    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == false, "Access granted "
++                                        "while group is not in allow list.");
++}
++END_TEST
++
++START_TEST(test_group_both_set)
++{
++    int ret;
++    bool access_granted = false;
++
++    test_ctx->ctx->allow_groups = discard_const(ulist_1);
++    test_ctx->ctx->deny_groups = discard_const(ulist_1);
++
++    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == false, "Access granted "
++                                         "while group is in deny list.");
++
++    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == false, "Access granted "
++                                        "while group is not in allow list.");
++}
++END_TEST
++
++START_TEST(test_group_case)
++{
++    int ret;
++    bool access_granted = false;
++
++    test_ctx->ctx->allow_groups = discard_const(ulist_1);
++    test_ctx->ctx->deny_groups = NULL;
++
++    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == false, "Access granted "
++                                         "for group with different case "
++                                         "in case-sensitive domain");
++
++    test_ctx->ctx->domain->case_sensitive = false;
++
++    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
++    fail_unless(ret == EOK, "access_simple_check failed.");
++    fail_unless(access_granted == true, "Access denied "
++                                        "for group with different case "
++                                        "in case-insensitive domain");
++}
++END_TEST
++
+ Suite *access_simple_suite (void)
+ {
+     Suite *s = suite_create("access_simple");
+ 
+-    TCase *tc_allow_deny = tcase_create("allow/deny");
++    TCase *tc_allow_deny = tcase_create("user allow/deny");
+     tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
+     tcase_add_test(tc_allow_deny, test_both_empty);
+     tcase_add_test(tc_allow_deny, test_allow_empty);
+@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
+     tcase_add_test(tc_allow_deny, test_case);
+     suite_add_tcase(s, tc_allow_deny);
+ 
++    TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
++    tcase_add_checked_fixture(tc_grp_allow_deny,
++                              setup_simple_group, teardown_simple_group);
++    tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
++    tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
++    tcase_add_test(tc_grp_allow_deny, test_group_both_set);
++    tcase_add_test(tc_grp_allow_deny, test_group_case);
++    suite_add_tcase(s, tc_grp_allow_deny);
++
+     return s;
+ }
+ 
+@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
+     int opt;
+     poptContext pc;
+     int number_failed;
++    int ret;
+ 
+     struct poptOption long_options[] = {
+         POPT_AUTOHELP
+@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
+     srunner_run_all(sr, CK_ENV);
+     number_failed = srunner_ntests_failed(sr);
+     srunner_free(sr);
++
++    ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
++    if (ret != EOK) {
++        fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
++                errno, strerror(errno));
++        return EXIT_FAILURE;
++    }
++    ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
++    if (ret != EOK) {
++        fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
++                errno, strerror(errno));
++        return EXIT_FAILURE;
++    }
++
+     return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
+ 
+-- 
+1.8.1.4
+

0005-Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch

@@ -0,0 +1,40 @@
+From 26590d31f492dbbd36be6d0bde46a4bd3b221edb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 4 Mar 2013 16:37:04 +0100
+Subject: [PATCH 3/4] Do not compile main() in DP if UNIT_TESTING is defined
+
+The simple access provider unit tests now need to link against the Data
+Provider when they start using the be_file_account_request() function.
+But then we would start having conflicts as at least the main()
+functions would clash.
+
+If UNIT_TESTING is defined, then the data_provider_be.c module does not
+contain the main() function and can be linked against directly from
+another module that contains its own main() function
+---
+ src/providers/data_provider_be.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index f85a04d09b5b41b17be611c333324f7207242979..33590aeef0231427642916c6a2f9bc391c165c21 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -2651,6 +2651,7 @@ fail:
+     return ret;
+ }
+ 
++#ifndef UNIT_TESTING
+ int main(int argc, const char *argv[])
+ {
+     int opt;
+@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
+ 
+     return 0;
+ }
++#endif
+ 
+ static int data_provider_res_init(DBusMessage *message,
+                                   struct sbus_connection *conn)
+-- 
+1.8.1.4
+

0006-Provide-a-be_get_account_info_send-function.patch

@@ -0,0 +1,236 @@
+From b63830b142053f99bfe954d4be5a2b0f68ce3a93 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 22 Feb 2013 11:01:38 +0100
+Subject: [PATCH 1/4] Provide a be_get_account_info_send function
+
+In order to resolve group names in the simple access provider we need to
+contact the Data Provider in a generic fashion from the access provider.
+We can't call any particular implementation (like sdap_generic_send())
+because we have no idea what kind of provider is configured as the
+id_provider.
+
+This patch splits introduces the be_file_account_request() function into
+the data_provider_be module and makes it public.
+
+A future patch should make the be_get_account_info function use the
+be_get_account_info_send function.
+---
+ src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
+ src/providers/dp_backend.h       |  15 ++++
+ 2 files changed, 149 insertions(+), 19 deletions(-)
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index b261bf8d456829a513ec352c8290d2011bd3526a..f85a04d09b5b41b17be611c333324f7207242979 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
+ }
+ 
+ static errno_t
++be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
++{
++    errno_t ret;
++    struct be_ctx *be_ctx = be_req->be_ctx;
++
++    be_req->req_data = ar;
++
++    /* see if we need a pre request call, only done for initgroups for now */
++    if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
++        ret = be_initgroups_prereq(be_req);
++        if (ret) {
++            DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
++            return ret;
++        }
++    }
++
++    /* process request */
++    ret = be_file_request(be_ctx, be_req,
++                          be_ctx->bet_info[BET_ID].bet_ops->handler);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
++        return ret;
++    }
++
++    return EOK;
++}
++
++static errno_t
+ split_name_extended(TALLOC_CTX *mem_ctx,
+                     const char *filter,
+                     char **name,
+@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
+     return EOK;
+ }
+ 
++static void
++be_get_account_info_done(struct be_req *be_req,
++                         int dp_err, int dp_ret,
++                         const char *errstr);
++
++struct be_get_account_info_state {
++    int err_maj;
++    int err_min;
++    const char *err_msg;
++};
++
++struct tevent_req *
++be_get_account_info_send(TALLOC_CTX *mem_ctx,
++                         struct tevent_context *ev,
++                         struct be_client *becli,
++                         struct be_ctx *be_ctx,
++                         struct be_acct_req *ar)
++{
++    struct tevent_req *req;
++    struct be_get_account_info_state *state;
++    struct be_req *be_req;
++    errno_t ret;
++
++    req = tevent_req_create(mem_ctx, &state,
++                            struct be_get_account_info_state);
++    if (!req) return NULL;
++
++    be_req = talloc_zero(mem_ctx, struct be_req);
++    if (be_req == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    be_req->becli = becli;
++    be_req->be_ctx = be_ctx;
++    be_req->fn = be_get_account_info_done;
++    be_req->pvt = req;
++
++    ret = be_file_account_request(be_req, ar);
++    if (ret != EOK) {
++        goto done;
++    }
++
++    return req;
++
++done:
++    tevent_req_error(req, ret);
++    tevent_req_post(req, ev);
++    return req;
++}
++
++static void
++be_get_account_info_done(struct be_req *be_req,
++                         int dp_err, int dp_ret,
++                         const char *errstr)
++{
++    struct tevent_req *req;
++    struct be_get_account_info_state *state;
++
++    req = talloc_get_type(be_req->pvt, struct tevent_req);
++    state = tevent_req_data(req, struct be_get_account_info_state);
++
++    state->err_maj = dp_err;
++    state->err_min = dp_ret;
++    if (errstr) {
++        state->err_msg = talloc_strdup(state, errstr);
++        if (state->err_msg == NULL) {
++            talloc_free(be_req);
++            tevent_req_error(req, ENOMEM);
++            return;
++        }
++    }
++
++    talloc_free(be_req);
++    tevent_req_done(req);
++}
++
++errno_t be_get_account_info_recv(struct tevent_req *req,
++                                 TALLOC_CTX *mem_ctx,
++                                 int *_err_maj,
++                                 int *_err_min,
++                                 const char **_err_msg)
++{
++    struct be_get_account_info_state *state;
++
++    state = tevent_req_data(req, struct be_get_account_info_state);
++
++    TEVENT_REQ_RETURN_ON_ERROR(req);
++
++    if (_err_maj) {
++        *_err_maj = state->err_maj;
++    }
++
++    if (_err_min) {
++        *_err_min = state->err_min;
++    }
++
++    if (_err_msg) {
++        *_err_msg = talloc_steal(mem_ctx, state->err_msg);
++    }
++
++    return EOK;
++}
++
+ static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
+ {
+     struct be_acct_req *req;
+@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
+         goto done;
+     }
+ 
+-    be_req->req_data = req;
+-
+     if ((attr_type != BE_ATTR_CORE) &&
+         (attr_type != BE_ATTR_MEM) &&
+         (attr_type != BE_ATTR_ALL)) {
+@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
+         goto done;
+     }
+ 
+-    /* see if we need a pre request call, only done for initgroups for now */
+-    if ((type & 0xFF) == BE_REQ_INITGROUPS) {
+-        ret = be_initgroups_prereq(be_req);
+-        if (ret) {
+-            err_maj = DP_ERR_FATAL;
+-            err_min = ret;
+-            err_msg = "Prerequest failed";
+-            goto done;
+-        }
+-    }
+-
+-    /* process request */
+-
+-    ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
+-                          be_req,
+-                          becli->bectx->bet_info[BET_ID].bet_ops->handler);
++    ret = be_file_account_request(be_req, req);
+     if (ret != EOK) {
+         err_maj = DP_ERR_FATAL;
+         err_min = ret;
+-        err_msg = "Failed to file request";
++        err_msg = "Cannot file account request";
+         goto done;
+     }
+ 
+diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
+index 58a9b7490df8aab06a2a15f8c0fed9ac5ed33600..743b6f4ffe73fe9ec7404218184a7133aba054c6 100644
+--- a/src/providers/dp_backend.h
++++ b/src/providers/dp_backend.h
+@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
+                                         const char *service_name);
+ 
+ void reset_fo(struct be_ctx *be_ctx);
++
++/* Request account information */
++struct tevent_req *
++be_get_account_info_send(TALLOC_CTX *mem_ctx,
++                         struct tevent_context *ev,
++                         struct be_client *becli,
++                         struct be_ctx *be_ctx,
++                         struct be_acct_req *ar);
++
++errno_t be_get_account_info_recv(struct tevent_req *req,
++                                 TALLOC_CTX *mem_ctx,
++                                 int *_err_maj,
++                                 int *_err_min,
++                                 const char **_err_msg);
++
+ #endif /* __DP_BACKEND_H___ */
+-- 
+1.8.1.4
+

0008-autofs-fix-invalid-header-number-of-entries-in-packe.patch

@@ -0,0 +1,53 @@
+From cd2327153a9ac55f3cf470c294691506096bd1eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 27 Feb 2013 12:12:19 +0100
+Subject: [PATCH] autofs: fix invalid header 'number of entries' in packet
+
+https://fedorahosted.org/sssd/ticket/1739
+
+Pointer to packet body may change while filling packet with autofs
+mount points. As a consequence, we sometimes wrote the number of
+entries into invalid body and we recieved an arbitrary number
+on the client side.
+
+If the number was 0, there were some skipped entries. If the number
+was greater than 0, everything worked correctly, because we iterate
+through the cached entries until we reach packet length - we don't
+compare to the number.
+---
+ src/responder/autofs/autofssrv_cmd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
+index 550c981a73e40804701268d0b34f8d7198f3ecc6..491afbb1de057dae996cfc7d084cdaed0220b8e3 100644
+--- a/src/responder/autofs/autofssrv_cmd.c
++++ b/src/responder/autofs/autofssrv_cmd.c
+@@ -1085,13 +1085,13 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
+         goto done;
+     }
+ 
++    /* allocate memory for number of entries in the packet */
+     ret = sss_packet_grow(client->creq->out, sizeof(uint32_t));
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, ("Cannot grow packet\n"));
+         goto done;
+     }
+ 
+-    sss_packet_get_body(client->creq->out, &body, &blen);
+     rp = sizeof(uint32_t);  /* We'll write the number of entries here */
+ 
+     left = map->entry_count - cursor;
+@@ -1111,6 +1111,10 @@ getautomntent_process(struct autofs_cmd_ctx *cmdctx,
+         nentries++;
+     }
+ 
++    /* packet grows in fill_autofs_entry, body pointer may change,
++     * thus we have to obtain it here */
++    sss_packet_get_body(client->creq->out, &body, &blen);
++
+     rp = 0;
+     SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp);
+ 
+-- 
+1.8.1.4
+

FED01-Change-Kerberos-credential-cache-default-loca.patch

@@ -1,53 +0,0 @@
-From 8ae0fc769b419e16ce7804bd516f7c2d03ce8471 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Wed, 22 Feb 2012 07:53:56 -0500
-Subject: [PATCH] FEDORA: Change Kerberos credential cache default location
-
-On Fedora, we need to default to using /run/user/%u for credential
-caches for improved security and to simplify rpc.gssd locating the
-cache for use with NFS.
----
- src/man/sssd-krb5.5.xml          |    4 ++--
- src/providers/krb5/krb5_common.c |    4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
-index 247337a90a80b078d0395b27a02e5ea2c72a5ce8..cc10dc149c407450a59f39ebc2de0ac95e33028e 100644
---- a/src/man/sssd-krb5.5.xml
-+++ b/src/man/sssd-krb5.5.xml
-@@ -148,7 +148,7 @@
-                             </citerefentry> for details) is created.
-                         </para>
-                         <para>
--                            Default: /tmp
-+                            Default: /run/user/%u
-                         </para>
-                     </listitem>
-                 </varlistentry>
-@@ -206,7 +206,7 @@
-                             used to create a unique filename in a safe way.
-                         </para>
-                         <para>
--                            Default: FILE:%d/krb5cc_%U_XXXXXX
-+                            Default: FILE:%d/krb5cc
-                         </para>
-                     </listitem>
-                 </varlistentry>
-diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
-index c2cb94b61463cbdaf3f4fa5a5cb311af55b4b960..e3a74697249a8dd10907beaeaef415a48c3c30a9 100644
---- a/src/providers/krb5/krb5_common.c
-+++ b/src/providers/krb5/krb5_common.c
-@@ -34,8 +34,8 @@
- struct dp_option default_krb5_opts[] = {
-     { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
--    { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
--    { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
-+    { "krb5_ccachedir", DP_OPT_STRING, { "/run/user/%u" }, NULL_STRING },
-+    { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc" }, NULL_STRING},
-     { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
-     { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
-     { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
--- 
-1.7.7.6
-

sources

@@ -1 +1 @@
-8f5e88fbdc8edeba7bc816da3448b726  sssd-1.8.1.tar.gz
+b2c31d92a18037d1ab5151ea920c8881  sssd-1.9.5.tar.gz

sssd.spec

@@ -12,11 +12,11 @@
 
 # Determine the location of the LDB modules directory
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
-%global ldb_version 1.1.4
+%global ldb_version 1.1.6
 
 Name: sssd
-Version: 1.8.1
-Release: 7%{?dist}
+Version: 1.9.5
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -26,26 +26,25 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
 
-Patch1001: FED01-Change-Kerberos-credential-cache-default-loca.patch
-
 ### Dependencies ###
 
 Conflicts: selinux-policy < 3.10.0-46
-Requires: libldb = %{ldb_version}
-Requires: libtdb >= 1.1.3
+Requires: libldb%{?_isa} = %{ldb_version}
+Requires: libtdb%{?_isa} >= 1.1.3
 Requires: sssd-client%{?_isa} = %{version}-%{release}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: libipa_hbac%{?_isa} = %{version}-%{release}
-Requires: krb5-libs >= 1.9
-Requires: keyutils-libs
-Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
+Requires: libsss_idmap%{?_isa} = %{version}-%{release}
+Requires: krb5-libs%{?_isa} >= 1.10
+Requires(post): systemd-units initscripts chkconfig
 Requires(preun): systemd-units initscripts chkconfig
-Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
+Requires(postun): systemd-units initscripts chkconfig
 
 %global servicename sssd
 %global sssdstatedir %{_localstatedir}/lib/sss
 %global dbpath %{sssdstatedir}/db
 %global pipepath %{sssdstatedir}/pipes
+%global mcpath %{sssdstatedir}/mc
 %global pubconfpath %{sssdstatedir}/pubconf
 
 ### Build Dependencies ###
@@ -78,7 +77,7 @@ BuildRequires: pcre-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
-BuildRequires: krb5-devel >= 1.9
+BuildRequires: krb5-devel >= 1.10
 BuildRequires: c-ares-devel
 BuildRequires: python-devel
 BuildRequires: check-devel
@@ -90,8 +89,11 @@ BuildRequires: keyutils-libs-devel
 BuildRequires: libnl-devel
 BuildRequires: gettext-devel
 BuildRequires: pkgconfig
-BuildRequires: libunistring-devel
+BuildRequires: glib2-devel
+BuildRequires: diffstat
 BuildRequires: findutils
+BuildRequires: samba4-devel >= samba4-4.0.0-59beta2
+BuildRequires: selinux-policy-targeted
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -104,6 +106,8 @@ services for projects like FreeIPA.
 Summary: SSSD Client libraries for NSS and PAM
 Group: Applications/System
 License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
 
 %description client
 Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
@@ -119,13 +123,37 @@ Requires: sssd = %{version}-%{release}
 Provides userspace tools for manipulating users, groups, and nested groups in
 SSSD when using id_provider = local in /etc/sssd/sssd.conf.
 
-Also provides a userspace tool for generating an obfuscated LDAP password for
-use with ldap_default_authtok_type = obfuscated_password.
+Also provides several other administrative tools:
+    * sss_cache to expire cached entries
+    * sss_debuglevel to change the debug level on the fly
+    * sss_seed which pre-creates a user entry for use in kickstarts
+    * sss_obfuscate for generating an obfuscated LDAP password
+
+%package -n libsss_idmap
+Summary: FreeIPA Idmap library
+Group: Development/Libraries
+License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description -n libsss_idmap
+Utility library to convert SIDs to Unix uids and gids
+
+%package -n libsss_idmap-devel
+Summary: FreeIPA Idmap library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_idmap = %{version}-%{release}
+
+%description -n libsss_idmap-devel
+Utility library to SIDs to Unix uids and gids
 
 %package -n libipa_hbac
 Summary: FreeIPA HBAC Evaluator library
 Group: Development/Libraries
 License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
 
 %description -n libipa_hbac
 Utility library to validate FreeIPA HBAC rules for authorization requests
@@ -153,6 +181,9 @@ used by Python applications.
 Summary: A library to allow communication between SUDO and SSSD
 Group: Development/Libraries
 License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+Requires: sssd = %{version}-%{release}
 
 %description -n libsss_sudo
 A utility library to allow communication between SUDO and SSSD
@@ -195,6 +226,7 @@ autoreconf -ivf
     --with-db-path=%{dbpath} \
     --with-pipe-path=%{pipepath} \
     --with-pubconf-path=%{pubconfpath} \
+    --with-mcache-path=%{mcpath} \
     --with-init-dir=%{_initrddir} \
     --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
     --enable-nsslibdir=/%{_lib} \
@@ -202,7 +234,8 @@ autoreconf -ivf
     --disable-static \
     --disable-rpath \
     --with-test-dir=/dev/shm \
-    --enable-all-experimental-features
+    --enable-all-experimental-features \
+    --with-unicode-lib=glib2
 
 make %{?_smp_mflags} all docs
 
@@ -243,7 +276,7 @@ cp src/sysv/systemd/sssd.service $RPM_BUILD_ROOT/%{_unitdir}/
 find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
 
 # Suppress developer-only documentation
-rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}/doc
+rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
 
 # Older versions of rpmbuild can only handle one -f option
 # So we need to append to the sssd.lang file
@@ -253,6 +286,7 @@ do
 done
 
 touch sssd_tools.lang
+touch sssd_client.lang
 for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
 do
     lang=`echo $man | cut -c 1-2`
@@ -260,6 +294,9 @@ do
         sss_*)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang
             ;;
+        sssd_krb5_*)
+            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
+            ;;
         pam_sss*)
             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
             ;;
@@ -292,22 +329,47 @@ rm -rf $RPM_BUILD_ROOT
 %doc src/examples/sssd-example.conf
 %{_unitdir}/sssd.service
 %{_sbindir}/sssd
-%{_libexecdir}/%{servicename}/
-%{_libdir}/%{name}/
+
+%dir %{_libexecdir}/%{servicename}
+%{_libexecdir}/%{servicename}/krb5_child
+%{_libexecdir}/%{servicename}/ldap_child
+%{_libexecdir}/%{servicename}/proxy_child
+%{_libexecdir}/%{servicename}/sssd_be
+%{_libexecdir}/%{servicename}/sssd_nss
+%{_libexecdir}/%{servicename}/sssd_pam
+%{_libexecdir}/%{servicename}/sssd_autofs
+%{_libexecdir}/%{servicename}/sssd_ssh
+%{_libexecdir}/%{servicename}/sssd_sudo
+%{_libexecdir}/%{servicename}/sssd_pac
+
+%dir %{_libdir}/%{name}
+%{_libdir}/%{name}/libsss_ipa.so
+%{_libdir}/%{name}/libsss_krb5.so
+%{_libdir}/%{name}/libsss_ldap.so
+%{_libdir}/%{name}/libsss_proxy.so
+%{_libdir}/%{name}/libsss_simple.so
+%{_libdir}/%{name}/libsss_ad.so
+
 %{ldb_modulesdir}/memberof.so
 %{_bindir}/sss_ssh_authorizedkeys
 %{_bindir}/sss_ssh_knownhostsproxy
+
 %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
 %attr(700,root,root) %dir %{dbpath}
+%attr(755,root,root) %dir %{mcpath}
+%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
 %attr(755,root,root) %dir %{pipepath}
 %attr(755,root,root) %dir %{pubconfpath}
+%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(750,root,root) %dir %{_var}/log/%{name}
 %attr(700,root,root) %dir %{_sysconfdir}/sssd
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
+%dir %{_datadir}/sssd
 %{_datadir}/sssd/sssd.api.conf
 %{_datadir}/sssd/sssd.api.d
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
@@ -317,9 +379,13 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/sssd-krb5.5*
 %{_mandir}/man5/sssd-ldap.5*
 %{_mandir}/man5/sssd-simple.5*
+%{_mandir}/man5/sssd-ad.5*
+%{_mandir}/man5/sssd-sudo.5*
 %{_mandir}/man8/sssd.8*
 %{python_sitearch}/pysss.so
-%{python_sitelib}/*.py*
+%{python_sitearch}/pysss_murmur.so
+%dir %{python_sitelib}/SSSDConfig
+%{python_sitelib}/SSSDConfig/*.py*
 
 %files client -f sssd_client.lang
 %defattr(-,root,root,-)
@@ -327,6 +393,7 @@ rm -rf $RPM_BUILD_ROOT
 /%{_lib}/libnss_sss.so.2
 /%{_lib}/security/pam_sss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
+%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
 
@@ -343,6 +410,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/sss_obfuscate
 %{_sbindir}/sss_cache
 %{_sbindir}/sss_debuglevel
+%{_sbindir}/sss_seed
 %{_mandir}/man8/sss_groupadd.8*
 %{_mandir}/man8/sss_groupdel.8*
 %{_mandir}/man8/sss_groupmod.8*
@@ -353,6 +421,19 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sss_obfuscate.8*
 %{_mandir}/man8/sss_cache.8*
 %{_mandir}/man8/sss_debuglevel.8*
+%{_mandir}/man8/sss_seed.8*
+
+%files -n libsss_idmap
+%defattr(-,root,root,-)
+%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libsss_idmap.so.*
+
+%files -n libsss_idmap-devel
+%defattr(-,root,root,-)
+%doc idmap_doc/html
+%{_includedir}/sss_idmap.h
+%{_libdir}/libsss_idmap.so
+%{_libdir}/pkgconfig/sss_idmap.pc
 
 %files -n libipa_hbac
 %defattr(-,root,root,-)
@@ -381,13 +462,11 @@ A utility library to allow communication between Autofs and SSSD
 %files -n libsss_sudo
 %defattr(-,root,root,-)
 %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
-%{_libdir}/libsss_sudo.so.*
+%{_libdir}/libsss_sudo.so*
 
 %files -n libsss_sudo-devel
 %doc libsss_sudo_doc/html
 %{_includedir}/sss_sudo.h
-%{_libdir}/libsss_sudo.so
-%{_libdir}/pkgconfig/libsss_sudo.pc
 
 %files -n libsss_autofs
 %defattr(-,root,root,-)
@@ -395,15 +474,13 @@ A utility library to allow communication between Autofs and SSSD
 %{_libdir}/sssd/modules/libsss_autofs.so*
 
 %post
-/sbin/ldconfig
-
 if [ $1 -ge 1 ] ; then
     # Initial installation
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
 
 %preun
-if [ $1 = 0 ]; then
+if [ $1 -eq 0 ]; then
      # Package removal, not upgrade
     /bin/systemctl --no-reload disable sssd.service > /dev/null 2>&1 || :
     /bin/systemctl stop sssd.service > /dev/null 2>&1 || :
@@ -423,11 +500,8 @@ fi
 
 
 %postun
-/sbin/ldconfig
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 if [ $1 -ge 1 ] ; then
-    # On upgrade, reload init system configuration if we changed unit files
-    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
     /bin/systemctl try-restart sssd.service >/dev/null 2>&1 || :
 fi
 
@@ -439,7 +513,91 @@ fi
 
 %postun -n libipa_hbac -p /sbin/ldconfig
 
+%post -n libsss_idmap -p /sbin/ldconfig
+
+%postun -n libsss_idmap -p /sbin/ldconfig
+
+%post -n libsss_sudo -p /sbin/ldconfig
+
+%postun -n libsss_sudo -p /sbin/ldconfig
+
 %changelog
+* Tue Apr 23 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.5-1
+- New upstream release 1.9.5
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.5
+
+* Thu Mar 28 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.4-2
+- autofs: return the correct number of maps to the client
+
+* Mon Mar 25 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.9.4-1
+- New upstream release 1.9.4
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.4
+
+* Tue Jan 29 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.8.6-1
+- New upstream release 1.8.6
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.6
+
+* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-3
+- Add autofs related options to the configAPI
+- Resolves: #847845
+
+* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-2
+- Include the tarball in the sources
+
+* Sun Oct 07 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.8.5-1
+- New upstream release 1.8.5
+
+* Wed Jun 20 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-14
+- Switch unicode library from libunistring to Glib
+- Drop unnecessary explicit Requires on keyutils
+- Guarantee that versioned Requires include the correct architecture
+- Rebuild against newer libldb
+
+* Wed Jun 13 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-13
+- Fix several issues with the SSH key integration
+- Fix for multilib issuss with libipa_hbac-devel and libsss_sudo-devel
+- Resolves: rhbz#831411 - libipa_hbac-devel and libsss_sudo-devel multilib
+                          conflicts
+
+* Wed May 30 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.4-12
+- New upstream release 1.8.4
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.4
+- Fix a bug causing AD servers not to fail over properly when the KDC on the
+  primary server is down
+- Fix an endianness bug on big-endian systems when looking up services
+- Fix a segfault dealing with nested groups
+- Make the nowait cache updates work for netgroups
+- Fix a regression that broke domains with use_fully_qualified_names = True
+- Correct package dependency versions to match installed arch
+
+* Thu May 03 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.3-11
+- New upstream release 1.8.3
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3
+- Numerous manpage and translation updates
+- LDAP: Handle situations where the RootDSE isn't available anonymously
+- LDAP: Fix regression for users using non-standard LDAP attributes for user
+  information
+
+* Mon Apr 09 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.2-10
+- New upstream release 1.8.2
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2
+- Several fixes to case-insensitive domain functions
+- Fix for GSSAPI binds when the keytab contains unrelated principals
+- Fixed several segfaults
+- Workarounds added for LDAP servers with unreadable RootDSE
+- SSH knownhostproxy will no longer enter an infinite loop preventing login
+- The provided SYSV init script now starts SSSD earlier at startup and stops
+  it later during shutdown
+- Assorted minor fixes for issues discovered by static analysis tools
+
+* Mon Mar 26 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-9
+- Don't duplicate libsss_autofs.so in two packages
+- Set explicit package contents instead of globbing
+
+* Wed Mar 21 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-8
+- Fix uninitialized value bug causing crashes throughout the code
+- Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup
+
 * Mon Mar 12 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.1-7
 - New upstream release 1.8.1
 - Resolve issue where we could enter an infinite loop trying to connect to an