Backport fixes from upstream 1.12

- Resolves: rhbz#1268807 (CVE-2015-5292)

.gitignore

@@ -57,3 +57,8 @@ sssd-1.2.91.tar.gz
 /sssd-1.12.0beta1.tar.gz
 /sssd-1.12.0beta2.tar.gz
 /sssd-1.12.0.tar.gz
+/sssd-1.12.1.tar.gz
+/sssd-1.12.2.tar.gz
+/sssd-1.12.3.tar.gz
+/sssd-1.12.4.tar.gz
+/sssd-1.12.5.tar.gz

0001-SDAP-Remove-user-from-cache-for-missing-user-in-LDAP.patch

@@ -0,0 +1,88 @@
+From 4cb5ab77926503943a9dc7bd1d47bcfb6ed6da68 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Wed, 17 Jun 2015 21:35:22 +0200
+Subject: [PATCH 01/21] SDAP: Remove user from cache for missing user in LDAP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Function sysdb_get_real_name overrode reurned code LDAP
+and thus user was not removed from cache after removing it from LDAP.
+This patch also do not try to set initgroups flag if user
+does not exist. It reduce some error message.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2681
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 9fc96a4a2b07b92585b02dba161ab1eb2dbdad98)
+---
+ src/providers/ldap/ldap_id.c | 47 ++++++++++++++++++++++++--------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
+index a53a7d7..4ebcd51 100644
+--- a/src/providers/ldap/ldap_id.c
++++ b/src/providers/ldap/ldap_id.c
+@@ -1142,32 +1142,37 @@ static void groups_by_user_done(struct tevent_req *subreq)
+     }
+     state->sdap_ret = ret;
+ 
+-    if (ret && ret != ENOENT) {
+-        state->dp_error = dp_error;
+-        tevent_req_error(req, ret);
+-        return;
+-    }
+-
+-    /* state->name is still the name used for the original request. The cached
+-     * object might have a different name, e.g. a fully-qualified name. */
+-    ret = sysdb_get_real_name(state, state->domain, state->name, &cname);
+-    if (ret != EOK) {
+-        cname = state->name;
+-        DEBUG(SSSDBG_OP_FAILURE, "Failed to canonicalize name, using [%s].\n",
+-                                 cname);
++    if (ret == EOK || ret == ENOENT) {
++        /* state->name is still the name used for the original req. The cached
++         * object might have a different name, e.g. a fully-qualified name. */
++        ret = sysdb_get_real_name(state, state->domain, state->name, &cname);
++        if (ret != EOK) {
++            cname = state->name;
++            DEBUG(SSSDBG_OP_FAILURE,
++                  "Failed to canonicalize name, using [%s].\n", cname);
++        }
+     }
+ 
+-    if (ret == ENOENT && state->noexist_delete == true) {
+-        ret = sysdb_delete_user(state->domain, cname, 0);
+-        if (ret != EOK && ret != ENOENT) {
++    switch (state->sdap_ret) {
++    case ENOENT:
++        if (state->noexist_delete == true) {
++            ret = sysdb_delete_user(state->domain, cname, 0);
++            if (ret != EOK && ret != ENOENT) {
++                tevent_req_error(req, ret);
++                return;
++            }
++        }
++        break;
++    case EOK:
++        ret = set_initgroups_expire_attribute(state->domain, cname);
++        if (ret != EOK) {
++            state->dp_error = DP_ERR_FATAL;
+             tevent_req_error(req, ret);
+             return;
+         }
+-    }
+-
+-    ret = set_initgroups_expire_attribute(state->domain, cname);
+-    if (ret != EOK) {
+-        state->dp_error = DP_ERR_FATAL;
++        break;
++    default:
++        state->dp_error = dp_error;
+         tevent_req_error(req, ret);
+         return;
+     }
+-- 
+2.5.0
+

0002-sss_client-Update-integrity-check-of-records-in-mmap.patch

@@ -0,0 +1,161 @@
+From 0cd0887dc253527f51ed9b2eabe6229e9eb64705 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 30 Jul 2015 10:50:47 +0200
+Subject: [PATCH 02/21] sss_client: Update integrity check of records in mmap
+ cache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function sss_nss_mc_get_record return copy of record from memory
+cache in last argument. Because we should not access data directly
+to avoid problems with consistency of record.
+The function sss_nss_mc_get_record also check whether length of record
+is within data area (with macro MC_CHECK_RECORD_LENGTH)
+
+However we also tried to do the same check in functions sss_nss_mc_get{gr, pw}*
+Pointer to end of strings in record was compared to pointer to the end
+of data table. But these two pointers are not within the same allocated area
+and does not make sense to compare them. Sometimes record can be allocated
+before mmaped area and sometime after. Sometimes it will return cached data
+and other time will fall back to responder.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2743
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/sss_client/nss_mc_group.c  | 19 ++++++++++---------
+ src/sss_client/nss_mc_passwd.c | 20 ++++++++++----------
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
+index e0fdb97..aacf59d 100644
+--- a/src/sss_client/nss_mc_group.c
++++ b/src/sss_client/nss_mc_group.c
+@@ -112,16 +112,16 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
+     uint32_t hash;
+     uint32_t slot;
+     int ret;
+-    size_t strs_offset;
+-    uint8_t *max_addr;
++    const size_t strs_offset = offsetof(struct sss_mc_grp_data, strs);
++    size_t data_size;
+ 
+     ret = sss_nss_mc_get_ctx("group", &gr_mc_ctx);
+     if (ret) {
+         return ret;
+     }
+ 
+-    /* Get max address of data table. */
+-    max_addr = gr_mc_ctx.data_table + gr_mc_ctx.dt_size;
++    /* Get max size of data table. */
++    data_size = gr_mc_ctx.dt_size;
+ 
+     /* hashes are calculated including the NULL terminator */
+     hash = sss_nss_mc_hash(&gr_mc_ctx, name, name_len + 1);
+@@ -130,7 +130,7 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
+     /* If slot is not within the bounds of mmaped region and
+      * it's value is not MC_INVALID_VAL, then the cache is
+      * probbably corrupted. */
+-    while (MC_SLOT_WITHIN_BOUNDS(slot, gr_mc_ctx.dt_size)) {
++    while (MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
+         /* free record from previous iteration */
+         free(rec);
+         rec = NULL;
+@@ -147,15 +147,16 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
+             continue;
+         }
+ 
+-        strs_offset = offsetof(struct sss_mc_grp_data, strs);
+         data = (struct sss_mc_grp_data *)rec->data;
+         /* Integrity check
+          * - name_len cannot be longer than all strings
+          * - data->name cannot point outside strings
+-         * - all strings must be within data_table */
++         * - all strings must be within copy of record
++         * - size of record must be lower that data table size */
+         if (name_len > data->strs_len
+             || (data->name + name_len) > (strs_offset + data->strs_len)
+-            || (uint8_t *)data->strs + data->strs_len > max_addr) {
++            || data->strs_len > rec->len
++            || rec->len > data_size) {
+             ret = ENOENT;
+             goto done;
+         }
+@@ -168,7 +169,7 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
+         slot = sss_nss_mc_next_slot_with_hash(rec, hash);
+     }
+ 
+-    if (!MC_SLOT_WITHIN_BOUNDS(slot, gr_mc_ctx.dt_size)) {
++    if (!MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
+         ret = ENOENT;
+         goto done;
+     }
+diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
+index 10e43e2..0da7ad0 100644
+--- a/src/sss_client/nss_mc_passwd.c
++++ b/src/sss_client/nss_mc_passwd.c
+@@ -105,16 +105,16 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
+     uint32_t hash;
+     uint32_t slot;
+     int ret;
+-    size_t strs_offset;
+-    uint8_t *max_addr;
++    const size_t strs_offset = offsetof(struct sss_mc_pwd_data, strs);
++    size_t data_size;
+ 
+     ret = sss_nss_mc_get_ctx("passwd", &pw_mc_ctx);
+     if (ret) {
+         return ret;
+     }
+ 
+-    /* Get max address of data table. */
+-    max_addr = pw_mc_ctx.data_table + pw_mc_ctx.dt_size;
++    /* Get max size of data table. */
++    data_size = pw_mc_ctx.dt_size;
+ 
+     /* hashes are calculated including the NULL terminator */
+     hash = sss_nss_mc_hash(&pw_mc_ctx, name, name_len + 1);
+@@ -123,7 +123,7 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
+     /* If slot is not within the bounds of mmaped region and
+      * it's value is not MC_INVALID_VAL, then the cache is
+      * probbably corrupted. */
+-    while (MC_SLOT_WITHIN_BOUNDS(slot, pw_mc_ctx.dt_size)) {
++    while (MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
+         /* free record from previous iteration */
+         free(rec);
+         rec = NULL;
+@@ -140,16 +140,16 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
+             continue;
+         }
+ 
+-        strs_offset = offsetof(struct sss_mc_pwd_data, strs);
+-
+         data = (struct sss_mc_pwd_data *)rec->data;
+         /* Integrity check
+          * - name_len cannot be longer than all strings
+          * - data->name cannot point outside strings
+-         * - all strings must be within data_table */
++         * - all strings must be within copy of record
++         * - size of record must be lower that data table size */
+         if (name_len > data->strs_len
+             || (data->name + name_len) > (strs_offset + data->strs_len)
+-            || (uint8_t *)data->strs + data->strs_len > max_addr) {
++            || data->strs_len > rec->len
++            || rec->len > data_size) {
+             ret = ENOENT;
+             goto done;
+         }
+@@ -162,7 +162,7 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
+         slot = sss_nss_mc_next_slot_with_hash(rec, hash);
+     }
+ 
+-    if (!MC_SLOT_WITHIN_BOUNDS(slot, pw_mc_ctx.dt_size)) {
++    if (!MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
+         ret = ENOENT;
+         goto done;
+     }
+-- 
+2.5.0
+

0003-BUILD-Repair-dependecies-on-deprecated-libraries.patch

@@ -0,0 +1,95 @@
+From 51a1e04122fda73847dc368b11b4e8b78335cc78 Mon Sep 17 00:00:00 2001
+From: Petr Cech <pcech@redhat.com>
+Date: Mon, 27 Jul 2015 12:52:49 -0400
+Subject: [PATCH 03/21] BUILD: Repair dependecies on deprecated libraries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Modules libsystemd-journal and libsystemd-login are
+deprecated and "libsystemd" should be used instead
+of them.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2733
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ contrib/ci/deps.sh      |  2 +-
+ src/external/systemd.m4 | 40 ++++++++++++++++++++++++++++------------
+ 2 files changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
+index 0cdb996..50e4f44 100644
+--- a/contrib/ci/deps.sh
++++ b/contrib/ci/deps.sh
+@@ -84,7 +84,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
+         libselinux1-dev
+         libsemanage1-dev
+         libsmbclient-dev
+-        libsystemd-journal-dev
++        libsystemd-dev
+         libtalloc-dev
+         libtdb-dev
+         libtevent-dev
+diff --git a/src/external/systemd.m4 b/src/external/systemd.m4
+index dbced0d..4c28445 100644
+--- a/src/external/systemd.m4
++++ b/src/external/systemd.m4
+@@ -1,25 +1,41 @@
++dnl There are no module libsystemd-journal and libsystem-login
++dnl up systemd version 209
++PKG_CHECK_EXISTS([libsystemd],
++                 [HAVE_LIBSYSTEMD=yes],
++                 [HAVE_LIBSYSTEMD=no])
++
+ dnl A macro to check presence of systemd on the system
+ AC_DEFUN([AM_CHECK_SYSTEMD],
+ [
+     PKG_CHECK_EXISTS(systemd,
+                      [ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ],
+-                     [AC_MSG_ERROR([Could not detect systemd presence])]
+-                    )
++                     [AC_MSG_ERROR([Could not detect systemd presence])])
+ ])
+ 
++AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
++      [login_lib_name=libsystemd],
++      [login_lib_name=libsystemd-login])
++
+ AM_COND_IF([HAVE_SYSTEMD],
+-           [PKG_CHECK_MODULES([SYSTEMD_LOGIN], [libsystemd-login],
+-            [AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, [Build with libsystemdlogin support])],
+-            [AC_MSG_NOTICE([Build without libsystemd-login support])])])
++           [PKG_CHECK_MODULES([SYSTEMD_LOGIN],
++                              [$login_lib_name],
++                              [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
++                                          [Build with libsystemdlogin support])
++                              ],
++           [AC_MSG_NOTICE([Build without libsystemd-login support])])])
+ 
+ dnl A macro to check presence of journald on the system
+ AC_DEFUN([AM_CHECK_JOURNALD],
+ [
+-       PKG_CHECK_MODULES(JOURNALD,
+-                         libsystemd-journal,
+-                         [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, [journald is available])])
+-       dnl Some older versions of pkg-config might not set these automatically
+-       dnl while setting CFLAGS and LIBS manually twice doesn't hurt.
+-       AC_SUBST([JOURNALD_CFLAGS])
+-       AC_SUBST([JOURNALD_LIBS])
++    AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
++          [journal_lib_name=libsystemd],
++          [journal_lib_name=libsystemd-journal])
++
++    PKG_CHECK_MODULES(JOURNALD, [$journal_lib_name],
++                      [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1,
++                                          [journald is available])])
++    dnl Some older versions of pkg-config might not set these automatically
++    dnl while setting CFLAGS and LIBS manually twice doesn't hurt.
++    AC_SUBST([JOURNALD_CFLAGS])
++    AC_SUBST([JOURNALD_LIBS])
+ ])
+-- 
+2.5.0
+

0004-SPEC-Workaround-for-build-with-rpm-4.13.patch

@@ -0,0 +1,36 @@
+From 5ad471f3523acc995f54a1058f4e99c8fc3cb8fa Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Fri, 31 Jul 2015 14:09:25 +0200
+Subject: [PATCH 04/21] SPEC: Workaround for build with rpm 4.13
+
+If the tarball is generated with minimal dependencies extracted from spec file
+then translated manual pages are not generated due to missing script po4a.
+This step is not necessary for regular nightly/developer builds.
+The tarball is created faster without such step. However rpm >= 4.13
+will fail due to empty manifest file.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2738
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ contrib/sssd.spec.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 2600438..0828bb8 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -4,6 +4,9 @@
+ # we don't want to provide private python extension libs
+ %define __provides_exclude_from %{python_sitearch}/.*\.so$
+ 
++# workaround for rpm 4.13
++%define _empty_manifest_terminate_build 0
++
+ %if (0%{?fedora} || 0%{?rhel} >= 7)
+     %global use_systemd 1
+ %endif
+-- 
+2.5.0
+

0005-CONFDB-Assume-config-file-version-2-if-missing.patch

@@ -0,0 +1,163 @@
+From 5249f1273a52040d30e3c7725a2ea84fdd158a4b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Tue, 7 Jul 2015 15:15:32 +0200
+Subject: [PATCH 05/21] CONFDB: Assume config file version 2 if missing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Default to config file version 2 if the version
+is not specified explicitly.
+
+Ticket:
+https://fedorahosted.org/sssd/ticket/2688
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/confdb/confdb.h                          |  1 +
+ src/confdb/confdb_setup.c                    | 48 ++++++++++++++--------------
+ src/config/SSSDConfig/__init__.py.in         |  5 ---
+ src/config/SSSDConfig/sssd_upgrade_config.py |  3 +-
+ src/config/SSSDConfigTest.py                 | 11 ++-----
+ 5 files changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index e97c46b..68009fa 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -38,6 +38,7 @@
+  * @{
+  */
+ 
++#define CONFDB_DEFAULT_CFG_FILE_VER 2
+ #define CONFDB_FILE "config.ldb"
+ #define CONFDB_DEFAULT_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf"
+ #define SSSD_MIN_ID 1
+diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
+index 93a1a1b..694a7f0 100644
+--- a/src/confdb/confdb_setup.c
++++ b/src/confdb/confdb_setup.c
+@@ -224,30 +224,30 @@ int confdb_init_db(const char *config_file, struct confdb_ctx *cdb)
+ 
+     ret = sss_ini_check_config_obj(init_data);
+     if (ret != EOK) {
+-        /* No known version. Assumed to be version 1 */
+-        DEBUG(SSSDBG_FATAL_FAILURE,
+-              "Config file is an old version. "
+-               "Please run configuration upgrade script.\n");
+-        ret = EINVAL;
+-        goto done;
+-    }
+-
+-    version = sss_ini_get_int_config_value(init_data, 1, -1, &ret);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_FATAL_FAILURE,
+-                "Config file version could not be determined\n");
+-        goto done;
+-    } else if (version < CONFDB_VERSION_INT) {
+-        DEBUG(SSSDBG_FATAL_FAILURE,
+-                "Config file is an old version. "
+-                 "Please run configuration upgrade script.\n");
+-        ret = EINVAL;
+-        goto done;
+-    } else if (version > CONFDB_VERSION_INT) {
+-        DEBUG(SSSDBG_FATAL_FAILURE,
+-                "Config file version is newer than confdb\n");
+-        ret = EINVAL;
+-        goto done;
++        /* No known version. Use default. */
++        DEBUG(SSSDBG_CONF_SETTINGS,
++              "Value of config_file_version option not found. "
++              "Assumed to be version %d.\n", CONFDB_DEFAULT_CFG_FILE_VER);
++    } else {
++        version = sss_ini_get_int_config_value(init_data,
++                                               CONFDB_DEFAULT_CFG_FILE_VER,
++                                               -1, &ret);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_FATAL_FAILURE,
++                  "Config file version could not be determined\n");
++            goto done;
++        } else if (version < CONFDB_VERSION_INT) {
++            DEBUG(SSSDBG_FATAL_FAILURE,
++                  "Config file is an old version. "
++                  "Please run configuration upgrade script.\n");
++            ret = EINVAL;
++            goto done;
++        } else if (version > CONFDB_VERSION_INT) {
++            DEBUG(SSSDBG_FATAL_FAILURE,
++                  "Config file version is newer than confdb\n");
++            ret = EINVAL;
++            goto done;
++        }
+     }
+ 
+     /* Set up a transaction to replace the configuration */
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index d72b892..fc87a2b 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -731,11 +731,6 @@ class SSSDService(SSSDConfigObject):
+         # Set up default options for this service
+         self.options.update(self.schema.get_defaults(self.name))
+ 
+-        # For the [sssd] service, force the config file version
+-        if servicename == 'sssd':
+-            self.options['config_file_version'] = 2
+-            self.hidden_options.append('config_file_version')
+-
+     def list_options_with_mandatory(self):
+         """
+         List options for the service, including the mandatory flag.
+diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py
+index 282d6c4..767d06d 100644
+--- a/src/config/SSSDConfig/sssd_upgrade_config.py
++++ b/src/config/SSSDConfig/sssd_upgrade_config.py
+@@ -47,7 +47,8 @@ class SSSDConfigFile(SSSDChangeConf):
+     def get_version(self):
+         ver = self.get_option_index('sssd', 'config_file_version')[1]
+         if not ver:
+-            return 1
++            # config_file_version not found -> default to version 2
++            return 2
+         try:
+             return int(ver['value'])
+         except ValueError:
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index aed76e5..868d1a5 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -396,9 +396,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
+     def testGetOption(self):
+         service = SSSDConfig.SSSDService('sssd', self.schema)
+ 
+-        # Positive test - Single-valued
+-        self.assertEqual(service.get_option('config_file_version'), 2)
+-
+         # Positive test - List of values
+         self.assertEqual(service.get_option('services'), ['nss', 'pam'])
+ 
+@@ -410,9 +407,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
+ 
+         #Positive test
+         options = service.get_all_options()
+-        control_list = [
+-            'config_file_version',
+-            'services']
++        control_list = ['services']
+ 
+         self.assertTrue(type(options) == dict,
+                         "Options should be a dictionary")
+@@ -1253,9 +1248,7 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
+         for section in sssdconfig.sections():
+             self.assertTrue(section['name'] in control_list)
+ 
+-        control_list = [
+-            'config_file_version',
+-            'services']
++        control_list = ['services']
+         for option in control_list:
+             self.assertTrue(sssdconfig.has_option('sssd', option),
+                             "Option [%s] missing from [sssd]" %
+-- 
+2.5.0
+

0006-SYSDB-Index-the-objectSIDString-attribute.patch

@@ -0,0 +1,134 @@
+From dab2f25c94a0f7509c10b42cfb98700c449e709c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 25 Jun 2015 17:33:47 +0200
+Subject: [PATCH 06/21] SYSDB: Index the objectSIDString attribute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/db/sysdb.c         |  7 +++++++
+ src/db/sysdb_private.h |  5 ++++-
+ src/db/sysdb_upgrade.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb.c b/src/db/sysdb.c
+index 9da6557..07a83a8 100644
+--- a/src/db/sysdb.c
++++ b/src/db/sysdb.c
+@@ -1265,6 +1265,13 @@ int sysdb_domain_init_internal(TALLOC_CTX *mem_ctx,
+             }
+         }
+ 
++        if (strcmp(version, SYSDB_VERSION_0_16) == 0) {
++            ret = sysdb_upgrade_16(sysdb, &version);
++            if (ret != EOK) {
++                goto done;
++            }
++        }
++
+         /* The version should now match SYSDB_VERSION.
+          * If not, it means we didn't match any of the
+          * known older versions. The DB might be
+diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
+index 8a5b8be..9788206 100644
+--- a/src/db/sysdb_private.h
++++ b/src/db/sysdb_private.h
+@@ -23,6 +23,7 @@
+ #ifndef __INT_SYS_DB_H__
+ #define __INT_SYS_DB_H__
+ 
++#define SYSDB_VERSION_0_17 "0.17"
+ #define SYSDB_VERSION_0_16 "0.16"
+ #define SYSDB_VERSION_0_15 "0.15"
+ #define SYSDB_VERSION_0_14 "0.14"
+@@ -40,7 +41,7 @@
+ #define SYSDB_VERSION_0_2 "0.2"
+ #define SYSDB_VERSION_0_1 "0.1"
+ 
+-#define SYSDB_VERSION SYSDB_VERSION_0_16
++#define SYSDB_VERSION SYSDB_VERSION_0_17
+ 
+ #define SYSDB_BASE_LDIF \
+      "dn: @ATTRIBUTES\n" \
+@@ -68,6 +69,7 @@
+      "@IDXATTR: serviceProtocol\n" \
+      "@IDXATTR: sudoUser\n" \
+      "@IDXATTR: sshKnownHostsExpire\n" \
++     "@IDXATTR: objectSIDString\n" \
+      "@IDXONE: 1\n" \
+      "\n" \
+      "dn: @MODULES\n" \
+@@ -120,6 +122,7 @@ int sysdb_upgrade_12(struct sysdb_ctx *sysdb, const char **ver);
+ int sysdb_upgrade_13(struct sysdb_ctx *sysdb, const char **ver);
+ int sysdb_upgrade_14(struct sysdb_ctx *sysdb, const char **ver);
+ int sysdb_upgrade_15(struct sysdb_ctx *sysdb, const char **ver);
++int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver);
+ 
+ int add_string(struct ldb_message *msg, int flags,
+                const char *attr, const char *value);
+diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
+index 558b4f5..1c90e7a 100644
+--- a/src/db/sysdb_upgrade.c
++++ b/src/db/sysdb_upgrade.c
+@@ -1587,6 +1587,56 @@ done:
+     return ret;
+ }
+ 
++int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver)
++{
++    struct ldb_message *msg;
++    struct upgrade_ctx *ctx;
++    errno_t ret;
++
++    ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_17, &ctx);
++    if (ret) {
++        return ret;
++    }
++
++    msg = ldb_msg_new(ctx);
++    if (msg == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST");
++    if (msg->dn == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    /* add index for objectSIDString */
++    ret = ldb_msg_add_empty(msg, "@IDXATTR", LDB_FLAG_MOD_ADD, NULL);
++    if (ret != LDB_SUCCESS) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = ldb_msg_add_string(msg, "@IDXATTR", "objectSIDString");
++    if (ret != LDB_SUCCESS) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    ret = ldb_modify(sysdb->ldb, msg);
++    if (ret != LDB_SUCCESS) {
++        ret = sysdb_error_to_errno(ret);
++        goto done;
++    }
++
++    /* conversion done, update version number */
++    ret = update_version(ctx);
++
++done:
++    ret = finish_upgrade(ret, &ctx, ver);
++    return ret;
++}
++
+ /*
+  * Example template for future upgrades.
+  * Copy and change version numbers as appropriate.
+-- 
+2.5.0
+

0007-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch

@@ -0,0 +1,89 @@
+From b93b4ac9b0d9f7900ffffe67765613e2057ac63a Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 21 Jul 2015 11:44:03 +0200
+Subject: [PATCH 07/21] IPA: Remove MPG groups if getgrgid was called before
+ getpw()
+
+https://fedorahosted.org/sssd/ticket/2724
+
+This bug only affects IPA clients that are connected to IPA servers with
+AD trust and ID mapping in effect.
+
+If an IPA client calls getgrgid() for an ID that matches a user, the
+user's private group would be returned and stored as a group entry.
+
+Subsequent queries for that user would fail, because MPG domains impose
+uniqueness restriction for both the ID and name space across groups and
+users.
+
+To work around that, we remove the UPG groups in MPG domains during a
+group lookup.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 6fe057efb981ee4b45dcadf131c03f8501fce28d)
+---
+ src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index fa00691..08d8263 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1768,6 +1768,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+     int tret;
+     struct sysdb_attrs *gid_override_attrs = NULL;
+     char ** exop_grouplist;
++    struct ldb_message *msg;
+ 
+     tmp_ctx = talloc_new(NULL);
+     if (tmp_ctx == NULL) {
+@@ -2009,8 +2010,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                                    attrs->a.user.pw_dir, attrs->a.user.pw_shell,
+                                    NULL, attrs->sysdb_attrs, NULL,
+                                    timeout, now);
+-            if (ret != EOK) {
+-                DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
++            if (ret == EEXIST && dom->mpg == true) {
++                /* This handles the case where getgrgid() was called for
++                 * this user, so a group was created in the cache
++                 */
++                ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg);
++                if (ret != EOK) {
++                    /* Fail even on ENOENT, the group must be around */
++                    DEBUG(SSSDBG_OP_FAILURE,
++                          "Could not delete MPG group [%d]: %s\n",
++                          ret, sss_strerror(ret));
++                    goto done;
++                }
++
++                ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE,
++                          "sysdb_delete_group failed for MPG group [%d]: %s\n",
++                          ret, sss_strerror(ret));
++                    goto done;
++                }
++
++                ret = sysdb_store_user(dom, name, NULL,
++                                       attrs->a.user.pw_uid,
++                                       gid, attrs->a.user.pw_gecos,
++                                       attrs->a.user.pw_dir,
++                                       attrs->a.user.pw_shell,
++                                       NULL, attrs->sysdb_attrs, NULL,
++                                       timeout, now);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE,
++                          "sysdb_store_user failed for MPG user [%d]: %s\n",
++                          ret, sss_strerror(ret));
++                    goto done;
++                }
++            } else if (ret != EOK) {
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "sysdb_store_user failed [%d]: %s\n",
++                      ret, sss_strerror(ret));
+                 goto done;
+             }
+ 
+-- 
+2.5.0
+

0008-SPEC-Update-spec-file-for-krb5_local_auth_plugin.patch

@@ -0,0 +1,56 @@
+From ec0696be5f28804fefe61f8cfaf5d82e8d72f8a6 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Fri, 24 Jul 2015 09:24:31 +0200
+Subject: [PATCH 08/21] SPEC: Update spec file for krb5_local_auth_plugin
+
+krb5_localauth_plugin could be build only with MIT kerberos >= 1.12.
+However, this feature was backported in downstream to older version
+of kerberos. So there were packaging failures
+
+error: Installed (but unpackaged) file(s) found:
+   /usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
+RPM build errors:
+    Installed (but unpackaged) file(s) found:
+   /usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
+Child returncode was: 1
+EXCEPTION: Command failed. See logs for output.
+
+Reviewed-by: Petr Cech <pcech@redhat.com>
+(cherry picked from commit b0ee27fd94f1d20d9c220754ae008a3189752287)
+---
+ contrib/sssd.spec.in | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 0828bb8..bad078a 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -1,3 +1,4 @@
++%global rhel6_minor %(%{__grep} -o "6.[0-9]*" /etc/redhat-release |%{__sed} -s 's/6.//')
+ %global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
+ 
+ # Fedora and RHEL 6+
+@@ -37,7 +38,7 @@
+     %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
+ %endif
+ 
+-%if (0%{?fedora} >= 21 || (0%{?rhel} == 7 &&  0%{?rhel7_minor} >= 1))
++%if (0%{?fedora} || (0%{?rhel} == 7 &&  0%{?rhel7_minor} >= 1) || (0%{?rhel} == 6 &&  0%{?rhel6_minor} >= 7))
+     %global with_krb5_localauth_plugin 1
+ %endif
+ 
+@@ -96,11 +97,7 @@ BuildRequires: pcre-devel
+ BuildRequires: libxslt
+ BuildRequires: libxml2
+ BuildRequires: docbook-style-xsl
+-%if (0%{?with_krb5_localauth_plugin} == 1)
+-BuildRequires: krb5-devel >= 1.12
+-%else
+ BuildRequires: krb5-devel
+-%endif
+ BuildRequires: c-ares-devel
+ BuildRequires: python-devel
+ BuildRequires: check-devel
+-- 
+2.5.0
+

0009-LDAP-Sanitize-group-dn-before-using-in-filter.patch

@@ -0,0 +1,69 @@
+From 4cbf713b41ae368bc03c1b469e2bb0f568545c82 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Tue, 1 Sep 2015 06:58:50 +0200
+Subject: [PATCH 09/21] LDAP: Sanitize group dn before using in filter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Each string should be sanitized(rfc4515) before using ldbsearch.
+A group dn was not sanitized in the function cleanup_groups.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2744
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 6cb5bad3c8e2f35ca9dce1800a506d626f90c079)
+---
+ src/providers/ldap/ldap_id_cleanup.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
+index 171c9b0..73e5e6f 100644
+--- a/src/providers/ldap/ldap_id_cleanup.c
++++ b/src/providers/ldap/ldap_id_cleanup.c
+@@ -359,6 +359,8 @@ static int cleanup_groups(TALLOC_CTX *memctx,
+     }
+ 
+     for (i = 0; i < count; i++) {
++        char *sanitized_dn;
++
+         dn = ldb_dn_get_linearized(msgs[i]->dn);
+         if (!dn) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "Cannot linearize DN!\n");
+@@ -366,6 +368,15 @@ static int cleanup_groups(TALLOC_CTX *memctx,
+             goto done;
+         }
+ 
++        /* sanitize dn */
++        ret = sss_filter_sanitize(tmpctx, dn, &sanitized_dn);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_MINOR_FAILURE,
++                  "sss_filter_sanitize failed: %s:[%d]\n",
++                  sss_strerror(ret), ret);
++            goto done;
++        }
++
+         posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL);
+         if (!posix || strcmp(posix, "TRUE") == 0) {
+             /* Search for users that are members of this group, or
+@@ -375,11 +386,14 @@ static int cleanup_groups(TALLOC_CTX *memctx,
+             gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
+             subfilter = talloc_asprintf(tmpctx, "(&(%s=%s)(|(%s=%s)(%s=%lu)))",
+                                         SYSDB_OBJECTCLASS, SYSDB_USER_CLASS,
+-                                        SYSDB_MEMBEROF, dn,
++                                        SYSDB_MEMBEROF, sanitized_dn,
+                                         SYSDB_GIDNUM, (long unsigned) gid);
+         } else {
+-            subfilter = talloc_asprintf(tmpctx, "(%s=%s)", SYSDB_MEMBEROF, dn);
++            subfilter = talloc_asprintf(tmpctx, "(%s=%s)", SYSDB_MEMBEROF,
++                                        sanitized_dn);
+         }
++        talloc_zfree(sanitized_dn);
++
+         if (!subfilter) {
+             DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
+             ret = ENOMEM;
+-- 
+2.5.0
+

0010-tests-check-special-characters-in-cleanup_groups.patch

@@ -0,0 +1,380 @@
+From 562ee3c30bcb7d1997889c38f15eb2ef889ba7b1 Mon Sep 17 00:00:00 2001
+From: Pavel Reichl <preichl@redhat.com>
+Date: Tue, 4 Aug 2015 09:25:08 -0400
+Subject: [PATCH 10/21] tests: check special characters in cleanup_groups
+
+Based on commits:
+e2e334b2f51118cb14c7391c4e4e44ff247ef638
+f02b62138466c876f6e8d6382769105f2e920d96
+e0f2a783439fb7d3b85469f34ad6d672abf7e1fa
+2cec08a3174bff951c048c57b4b0e4517ad6b7b1
+---
+ Makefile.am                             |  22 +++
+ src/tests/cmocka/test_ldap_id_cleanup.c | 315 ++++++++++++++++++++++++++++++++
+ 2 files changed, 337 insertions(+)
+ create mode 100644 src/tests/cmocka/test_ldap_id_cleanup.c
+
+diff --git a/Makefile.am b/Makefile.am
+index ac6a358..91ad413 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -212,6 +212,7 @@ if HAVE_CMOCKA
+         sbus-internal-tests \
+         sss_sifp-tests \
+         test_search_bases \
++        test_ldap_id_cleanup \
+         sdap-tests \
+         test_sysdb_views \
+         test_sysdb_utils \
+@@ -1969,6 +1970,27 @@ test_search_bases_LDADD = \
+     libsss_krb5_common.la \
+     libsss_test_common.la
+ 
++test_ldap_id_cleanup_SOURCES = \
++    $(sssd_be_SOURCES) \
++    src/tests/cmocka/test_ldap_id_cleanup.c \
++    src/providers/ldap/ldap_id_cleanup.c \
++    $(NULL)
++test_ldap_id_cleanup_CFLAGS = \
++    $(AM_CFLAGS) \
++    -DUNIT_TESTING
++    $(NULL)
++test_ldap_id_cleanup_LDADD = \
++    $(PAM_LIBS) \
++    $(CMOCKA_LIBS) \
++    $(POPT_LIBS) \
++    $(SSSD_LIBS) \
++    $(CARES_LIBS) \
++    $(KRB5_LIBS) \
++    $(SSSD_INTERNAL_LTLIBS) \
++    libsss_ldap_common.la \
++    libsss_test_common.la \
++    $(NULL)
++
+ ad_access_filter_tests_SOURCES = \
+     $(sssd_be_SOURCES) \
+     src/providers/ad/ad_common.c \
+diff --git a/src/tests/cmocka/test_ldap_id_cleanup.c b/src/tests/cmocka/test_ldap_id_cleanup.c
+new file mode 100644
+index 0000000..9578bb7
+--- /dev/null
++++ b/src/tests/cmocka/test_ldap_id_cleanup.c
+@@ -0,0 +1,315 @@
++/*
++    Authors:
++        Pavel Reichl <preichl@redhat.com>
++
++    Copyright (C) 2015 Red Hat
++
++    SSSD tests - id cleanup
++
++    This program is free software; you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation; either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <stdarg.h>
++#include <stdlib.h>
++#include <stddef.h>
++#include <setjmp.h>
++#include <unistd.h>
++#include <sys/types.h>
++#include <cmocka.h>
++#include <popt.h>
++
++#include "tests/cmocka/common_mock.h"
++#include "providers/ldap/ldap_auth.h"
++#include "providers/ldap/ldap_common.h"
++#include "providers/ldap/ldap_opts.h"
++#include "providers/ipa/ipa_opts.h"
++
++#define TESTS_PATH "tests_ldap_id_cleanup"
++#define TEST_CONF_FILE "tests_conf.ldb"
++
++struct sysdb_test_ctx {
++    struct sysdb_ctx *sysdb;
++    struct confdb_ctx *confdb;
++    struct tevent_context *ev;
++    struct sss_domain_info *domain;
++    struct sdap_options *opts;
++};
++
++static int _setup_sysdb_tests(struct sysdb_test_ctx **ctx, bool enumerate)
++{
++    struct sysdb_test_ctx *test_ctx;
++    char *conf_db;
++    int ret;
++
++    const char *val[2];
++    val[1] = NULL;
++
++    /* Create tests directory if it doesn't exist */
++    /* (relative to current dir) */
++    ret = mkdir(TESTS_PATH, 0775);
++    assert_true(ret == 0 || errno == EEXIST);
++
++    test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx);
++    assert_non_null(test_ctx);
++
++    /* Create an event context
++     * It will not be used except in confdb_init and sysdb_init
++     */
++    test_ctx->ev = tevent_context_init(test_ctx);
++    assert_non_null(test_ctx->ev);
++
++    conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
++    assert_non_null(conf_db);
++    DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db);
++
++    /* Connect to the conf db */
++    ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
++    assert_int_equal(ret, EOK);
++
++    val[0] = "LOCAL";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/sssd", "domains", val);
++    assert_int_equal(ret, EOK);
++
++    val[0] = "local";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/domain/LOCAL", "id_provider", val);
++    assert_int_equal(ret, EOK);
++
++    val[0] = enumerate ? "TRUE" : "FALSE";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/domain/LOCAL", "enumerate", val);
++    assert_int_equal(ret, EOK);
++
++    val[0] = "TRUE";
++    ret = confdb_add_param(test_ctx->confdb, true,
++                           "config/domain/LOCAL", "cache_credentials", val);
++    assert_int_equal(ret, EOK);
++
++    ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local",
++                           TESTS_PATH, &test_ctx->domain);
++    assert_int_equal(ret, EOK);
++
++    test_ctx->domain->has_views = true;
++    test_ctx->sysdb = test_ctx->domain->sysdb;
++
++    *ctx = test_ctx;
++    return EOK;
++}
++
++#define setup_sysdb_tests(ctx) _setup_sysdb_tests((ctx), false)
++
++static int test_sysdb_setup(void **state)
++{
++    int ret;
++    struct sysdb_test_ctx *test_ctx;
++
++    assert_true(leak_check_setup());
++
++    ret = setup_sysdb_tests(&test_ctx);
++    assert_int_equal(ret, EOK);
++
++    test_ctx->domain->mpg = false;
++
++    /* set options */
++    test_ctx->opts = talloc_zero(test_ctx, struct sdap_options);
++    assert_non_null(test_ctx->opts);
++
++    ret = sdap_copy_map(test_ctx->opts, rfc2307_user_map,
++                        SDAP_OPTS_USER, &test_ctx->opts->user_map);
++    assert_int_equal(ret, ERR_OK);
++
++    ret = dp_copy_defaults(test_ctx->opts, default_basic_opts,
++                           SDAP_OPTS_BASIC, &test_ctx->opts->basic);
++    assert_int_equal(ret, ERR_OK);
++
++    dp_opt_set_int(test_ctx->opts->basic, SDAP_ACCOUNT_CACHE_EXPIRATION, 1);
++
++    *state = (void *) test_ctx;
++    return 0;
++}
++
++static int test_sysdb_teardown(void **state)
++{
++    struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
++                                                         struct sysdb_test_ctx);
++
++    talloc_free(test_ctx);
++    assert_true(leak_check_teardown());
++    return 0;
++}
++
++static errno_t invalidate_group(TALLOC_CTX *ctx,
++                                struct sss_domain_info *domain,
++                                const char *name)
++{
++    struct sysdb_attrs *sys_attrs = NULL;
++    errno_t ret;
++
++    sys_attrs = sysdb_new_attrs(ctx);
++    if (sys_attrs) {
++        ret = sysdb_attrs_add_time_t(sys_attrs,
++                                     SYSDB_CACHE_EXPIRE, 1);
++        if (ret == EOK) {
++            ret = sysdb_set_group_attr(domain, name, sys_attrs,
++                                       SYSDB_MOD_REP);
++        } else {
++            DEBUG(SSSDBG_MINOR_FAILURE,
++                  "Could not add expiration time to attributes\n");
++        }
++        talloc_zfree(sys_attrs);
++    } else {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n");
++        ret = ENOMEM;
++    }
++    return ret;
++}
++
++static void test_id_cleanup_exp_group(void **state)
++{
++    errno_t ret;
++    struct ldb_message *msg;
++    struct sdap_domain sdom;
++    const char *special_grp = "special_gr*o/u\\p(2016)";
++    const char *empty_special_grp = "empty_gr*o/u\\p(2016)";
++    const char *empty_grp = "empty_grp";
++    const char *grp = "grp";
++    /* This timeout can be bigger because we will call invalidate_group
++     * to expire entries without waiting. */
++    const uint64_t CACHE_TIMEOUT = 30;
++    struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
++                                                            struct sysdb_test_ctx);
++
++    ret = sysdb_store_group(test_ctx->domain, special_grp,
++                            10002, NULL, CACHE_TIMEOUT, 0);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_store_group(test_ctx->domain, empty_special_grp,
++                            10003, NULL, CACHE_TIMEOUT, 0);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_store_group(test_ctx->domain, grp,
++                            10004, NULL, CACHE_TIMEOUT, 0);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_store_group(test_ctx->domain, empty_grp,
++                            10005, NULL, CACHE_TIMEOUT, 0);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_store_user(test_ctx->domain, "test_user", NULL,
++                           10001, 10002, "Test user",
++                           NULL, NULL, NULL, NULL, NULL,
++                           0, 0);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_store_user(test_ctx->domain, "test_user2", NULL,
++                           10002, 10004, "Test user",
++                           NULL, NULL, NULL, NULL, NULL,
++                           0, 0);
++    assert_int_equal(ret, EOK);
++
++    sdom.dom = test_ctx->domain;
++
++    /* not expired */
++    ret = ldap_id_cleanup(test_ctx->opts, &sdom);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     special_grp, NULL, &msg);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     empty_special_grp, NULL, &msg);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     grp, NULL, &msg);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     empty_grp, NULL, &msg);
++    assert_int_equal(ret, EOK);
++
++    /* let records to expire */
++    invalidate_group(test_ctx, test_ctx->domain, special_grp);
++    invalidate_group(test_ctx, test_ctx->domain, empty_special_grp);
++    invalidate_group(test_ctx, test_ctx->domain, grp);
++    invalidate_group(test_ctx, test_ctx->domain, empty_grp);
++
++    ret = ldap_id_cleanup(test_ctx->opts, &sdom);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     special_grp, NULL, &msg);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     empty_special_grp, NULL, &msg);
++    assert_int_equal(ret, ENOENT);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     grp, NULL, &msg);
++    assert_int_equal(ret, EOK);
++
++    ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
++                                     empty_grp, NULL, &msg);
++    assert_int_equal(ret, ENOENT);
++}
++
++int main(int argc, const char *argv[])
++{
++    int rv;
++    int no_cleanup = 0;
++    poptContext pc;
++    int opt;
++    struct poptOption long_options[] = {
++        POPT_AUTOHELP
++        SSSD_DEBUG_OPTS
++        { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
++          _("Do not delete the test database after a test run"), NULL },
++        POPT_TABLEEND
++    };
++
++    const struct CMUnitTest tests[] = {
++        cmocka_unit_test_setup_teardown(test_id_cleanup_exp_group,
++                                        test_sysdb_setup, test_sysdb_teardown),
++    };
++
++    /* Set debug level to invalid value so we can deside if -d 0 was used. */
++    debug_level = SSSDBG_INVALID;
++
++    pc = poptGetContext(argv[0], argc, argv, long_options, 0);
++    while ((opt = poptGetNextOpt(pc)) != -1) {
++        switch (opt) {
++        default:
++            fprintf(stderr, "\nInvalid option %s: %s\n\n",
++                    poptBadOption(pc, 0), poptStrerror(opt));
++            poptPrintUsage(pc, stderr, 0);
++            return 1;
++        }
++    }
++    poptFreeContext(pc);
++
++    DEBUG_CLI_INIT(debug_level);
++
++    tests_set_cwd();
++    test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE);
++    test_dom_suite_setup(TESTS_PATH);
++    rv = cmocka_run_group_tests(tests, NULL, NULL);
++
++    if (rv == 0 && no_cleanup == 0) {
++        test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE);
++    }
++    return rv;
++}
+-- 
+2.5.0
+

0011-Fix-memory-leak-in-sssdpac_verify.patch

@@ -0,0 +1,30 @@
+From 41a77e02689b48d0a3627b3fae97741ff49fa06f Mon Sep 17 00:00:00 2001
+From: Thomas Oulevey <thomas.oulevey@cern.ch>
+Date: Wed, 23 Sep 2015 10:55:59 +0200
+Subject: [PATCH 11/21] Fix memory leak in sssdpac_verify()
+
+Resolves https://fedorahosted.org/sssd/ticket/2803
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit b4c44ebb8997d3debb33607c123ccfd9926e0cba)
+---
+ src/sss_client/sssd_pac.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c
+index d1790df..8b5bb32 100644
+--- a/src/sss_client/sssd_pac.c
++++ b/src/sss_client/sssd_pac.c
+@@ -150,6 +150,9 @@ static krb5_error_code sssdpac_verify(krb5_context kcontext,
+     kerr = krb5_pac_verify(kcontext, pac,
+                            req->ticket->enc_part2->times.authtime,
+                            req->ticket->enc_part2->client, key, NULL);
++    /* deallocate pac */
++    krb5_pac_free(kcontext, pac);
++    pac = NULL;
+     if (kerr != 0) {
+         /* The krb5 documentation says:
+          * A checksum mismatch can occur if the PAC was copied from a
+-- 
+2.5.0
+

0012-SDAP-Relax-POSIX-check.patch

@@ -0,0 +1,57 @@
+From b87a8ad335503759f1542d3e1466476860c85a19 Mon Sep 17 00:00:00 2001
+From: Pavel Reichl <preichl@redhat.com>
+Date: Tue, 22 Sep 2015 04:41:18 -0400
+Subject: [PATCH 12/21] SDAP: Relax POSIX check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Relax the check on UID or GID just to check if at least one of them is
+present but do not require them to be positive numbers.
+
+Add requirement on objectclass attributes to be user or group to make
+check more reliable.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2800
+(cherry picked from commit 6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea)
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit cc04876ec64b338f61ca275386f70baf91ce700f)
+---
+ src/providers/ldap/sdap_async.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
+index c30a457..006aa49 100644
+--- a/src/providers/ldap/sdap_async.c
++++ b/src/providers/ldap/sdap_async.c
+@@ -2373,9 +2373,12 @@ sdap_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+     state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name;
+     state->attrs[3] = NULL;
+ 
+-    state->filter = talloc_asprintf(state, "(|(%s=*)(%s=*))",
++    state->filter = talloc_asprintf(state,
++        "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))",
+                                     opts->user_map[SDAP_AT_USER_UID].name,
+-                                    opts->group_map[SDAP_AT_GROUP_GID].name);
++                                    opts->user_map[SDAP_OC_USER].name,
++                                    opts->group_map[SDAP_AT_GROUP_GID].name,
++                                    opts->group_map[SDAP_OC_GROUP].name);
+     if (state->filter == NULL) {
+         ret = ENOMEM;
+         goto fail;
+@@ -2458,9 +2461,8 @@ static errno_t sdap_posix_check_parse(struct sdap_handle *sh,
+     errno = 0;
+     strtouint32(vals[0]->bv_val, &endptr, 10);
+     if (errno || *endptr || (vals[0]->bv_val == endptr)) {
+-        DEBUG(SSSDBG_OP_FAILURE,
++        DEBUG(SSSDBG_MINOR_FAILURE,
+               "POSIX attribute is not a number: %s\n", vals[0]->bv_val);
+-        goto done;
+     }
+ 
+     state->has_posix = true;
+-- 
+2.5.0
+

0013-GPO-fix-memory-leak.patch

@@ -0,0 +1,50 @@
+From 6765f6226d293c30aa798ecb64c5d4826d7dfb2f Mon Sep 17 00:00:00 2001
+From: Pavel Reichl <preichl@redhat.com>
+Date: Thu, 3 Sep 2015 04:46:50 -0400
+Subject: [PATCH 13/21] GPO: fix memory leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2777
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 5dbdcc2c7210a0e3eb60ad1e85ba33f27d7faeda)
+---
+ src/providers/ad/ad_gpo.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index af864df..bde810a 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -557,14 +557,14 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
+         DEBUG(SSSDBG_OP_FAILURE,
+               "sysdb_initgroups failed: [%d](%s)\n",
+               ret, sss_strerror(ret));
+-        return ret;
++        goto done;
+     }
+ 
+     if (res->count == 0) {
+         ret = ENOENT;
+         DEBUG(SSSDBG_OP_FAILURE,
+               "sysdb_initgroups returned empty result\n");
+-        return ret;
++        goto done;
+     }
+ 
+     user_sid = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SID_STR, NULL);
+@@ -599,7 +599,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
+     *_group_size = num_group_sids + 1;
+     *_group_sids = talloc_steal(mem_ctx, group_sids);
+     *_user_sid = talloc_steal(mem_ctx, user_sid);
+-    return EOK;
++    ret = EOK;
+ 
+  done:
+     talloc_free(tmp_ctx);
+-- 
+2.5.0
+

0014-nss-fix-UPN-lookups-for-sub-domain-users.patch

@@ -0,0 +1,63 @@
+From 72315a4706e32001b9034b95ab7359a5ae92bc70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 7 Oct 2015 15:22:34 +0200
+Subject: [PATCH 14/21] nss: fix UPN lookups for sub-domain users
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves https://fedorahosted.org/sssd/ticket/2827
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/db/sysdb_ops.c             |  3 +--
+ src/responder/nss/nsssrv_cmd.c | 12 ++++++++++--
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index ea786d5..34f1832 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -494,8 +494,7 @@ int sysdb_search_user_by_upn(TALLOC_CTX *mem_ctx,
+         return ENOMEM;
+     }
+ 
+-    basedn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb,
+-                            SYSDB_TMPL_USER_BASE, domain->name);
++    basedn = sysdb_base_dn(domain->sysdb, tmp_ctx);
+     if (basedn == NULL) {
+         ret = ENOMEM;
+         goto done;
+diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
+index 12134ce..4285473 100644
+--- a/src/responder/nss/nsssrv_cmd.c
++++ b/src/responder/nss/nsssrv_cmd.c
+@@ -849,7 +849,11 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
+                    name, dom->name);
+             /* if a multidomain search, try with next */
+             if (cmdctx->check_next) {
+-                dom = get_next_domain(dom, false);
++                if (cmdctx->name_is_upn) {
++                    dom = get_next_domain(dom, true);
++                } else {
++                    dom = get_next_domain(dom, false);
++                }
+                 continue;
+             }
+             /* There are no further domains or this was a
+@@ -924,7 +928,11 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
+ 
+             /* if a multidomain search, try with next */
+             if (cmdctx->check_next) {
+-                dom = get_next_domain(dom, false);
++                if (cmdctx->name_is_upn) {
++                    dom = get_next_domain(dom, true);
++                } else {
++                    dom = get_next_domain(dom, false);
++                }
+                 if (dom) continue;
+             }
+ 
+-- 
+2.5.0
+

0015-SSSDConfig-Do-not-raise-exception-if-config_file_ver.patch

@@ -0,0 +1,58 @@
+From d1047cceb993b1e4c0ae3901f709ac17819423cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Thu, 15 Oct 2015 18:53:37 +0200
+Subject: [PATCH 15/21] SSSDConfig: Do not raise exception if
+ config_file_version is missing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ticket:
+https://fedorahosted.org/sssd/ticket/2837
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+(cherry picked from commit 6a044fa43d53638c1d0b874d43f58c0428820362)
+(cherry picked from commit a2363aa5984a707b8834816ea8538fe7de250a63)
+---
+ src/config/SSSDConfig/__init__.py.in | 8 ++++----
+ src/config/SSSDConfigTest.py         | 5 -----
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index fc87a2b..626d0c7 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -1397,10 +1397,10 @@ class SSSDConfig(SSSDChangeConf):
+         try:
+             if int(self.get('sssd', 'config_file_version')) != self.API_VERSION:
+                 raise ParsingError("Wrong config_file_version")
+-        except:
+-            # Either the 'sssd' section or the 'config_file_version' was not
+-            # present in the config file
+-            raise ParsingError("File contains no config_file_version")
++        except TypeError:
++            # This happens when config_file_version is missing. We
++            # can assume it is the default version and continue.
++            pass
+ 
+     def new_config(self):
+         """
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index 868d1a5..d303312 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -1213,11 +1213,6 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
+                                            srcdir + "/etc/sssd.api.d")
+         self.assertRaises(SSSDConfig.ParsingError, sssdconfig.import_config, srcdir + "/testconfigs/sssd-badversion.conf")
+ 
+-        # Negative Test - No config file version
+-        sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
+-                                           srcdir + "/etc/sssd.api.d")
+-        self.assertRaises(SSSDConfig.ParsingError, sssdconfig.import_config, srcdir + "/testconfigs/sssd-noversion.conf")
+-
+         # Negative Test - Already initialized
+         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
+                                            srcdir + "/etc/sssd.api.d")
+-- 
+2.5.0
+

0016-SSSDConfigTest-Try-load-saved-config.patch

@@ -0,0 +1,60 @@
+From 4e0a4a355c4f158f9e7b8e7cbac2f7d0378650a4 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 15 Oct 2015 10:32:09 +0200
+Subject: [PATCH 16/21] SSSDConfigTest: Try load saved config
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Python module SSSDConfig should be able to save configuration file
+and later load the same configuration file without problem.
+
+Unit test for:
+https://fedorahosted.org/sssd/ticket/2837
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 87ef67286b64af98d32a3a5abcd28a9c2886f751)
+(cherry picked from commit 69612bc5d0a9219ecccf3e8c6410059322aeecc6)
+---
+ src/config/SSSDConfigTest.py | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index d303312..7bad874 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -150,10 +150,14 @@ class SSSDConfigTestValid(unittest.TestCase):
+         #non-owners, and should not be executable by anyone
+         self.assertFalse(S_IMODE(mode) & 0o177)
+ 
++        # try to import saved configuration file
++        config = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
++                                       srcdir + "/etc/sssd.api.d")
++        config.import_config(configfile=of)
++
+         #Remove the output file
+         os.unlink(of)
+ 
+-
+     def testCreateNewLDAPConfig(self):
+         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
+                                 srcdir + "/etc/sssd.api.d")
+@@ -184,9 +188,15 @@ class SSSDConfigTestValid(unittest.TestCase):
+         #non-owners, and should not be executable by anyone
+         self.assertFalse(S_IMODE(mode) & 0o177)
+ 
++        # try to import saved configuration file
++        config = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
++                                       srcdir + "/etc/sssd.api.d")
++        config.import_config(configfile=of)
++
+         #Remove the output file
+         os.unlink(of)
+ 
++
+     def testModifyExistingConfig(self):
+         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
+                                 srcdir + "/etc/sssd.api.d")
+-- 
+2.5.0
+

0017-SSSDConfigTest-Test-real-config-without-config_file_.patch

@@ -0,0 +1,151 @@
+From 523ed0ff50c2832e046fc87789561149e701e262 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 15 Oct 2015 11:04:06 +0200
+Subject: [PATCH 17/21] SSSDConfigTest: Test real config without
+ config_file_version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+src/config/testconfigs/sssd-valid.conf explicitly contains
+config_file_version. Recently we changed the default value to 2
+and therefore it needn't be listed in configuration file.
+This patch test real sssd.conf without config_file_version.
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 7388fc91bd6c22705e60632346ec815f4a4963f1)
+(cherry picked from commit b1c6767617c082de2521976175bc2f499ec295e9)
+---
+ src/config/SSSDConfigTest.py               | 85 ++++++++++++++++++++++++++++++
+ src/config/testconfigs/sssd-noversion.conf | 22 ++++++++
+ 2 files changed, 107 insertions(+)
+
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index 7bad874..98101f6 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -1230,6 +1230,91 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
+         self.assertRaises(SSSDConfig.AlreadyInitializedError,
+                           sssdconfig.import_config, srcdir + "/testconfigs/sssd-valid.conf")
+ 
++    def testImportConfigNoVersion(self):
++        # Positive Test
++        sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
++                                           srcdir + "/etc/sssd.api.d")
++        sssdconfig.import_config(
++            srcdir + "/testconfigs/sssd-noversion.conf"
++        )
++
++        # Validate services
++        services = sssdconfig.list_services()
++        self.assertTrue('sssd' in services)
++        self.assertTrue('nss' in services)
++        self.assertTrue('pam' in services)
++        self.assertTrue('dp' in services)
++
++        #Verify service attributes
++        sssd_service = sssdconfig.get_service('sssd')
++        service_opts = sssd_service.list_options()
++
++        self.assertTrue('services' in service_opts.keys())
++        service_list = sssd_service.get_option('services')
++        self.assertTrue('nss' in service_list)
++        self.assertTrue('pam' in service_list)
++        self.assertTrue('reconnection_retries' in service_opts)
++
++        #Validate domain list
++        domains = sssdconfig.list_domains()
++        self.assertTrue('LOCAL' in domains)
++        self.assertTrue('LDAP' in domains)
++        self.assertTrue('PROXY' in domains)
++        self.assertTrue('IPA' in domains)
++
++        # Verify domain attributes
++        ipa_domain = sssdconfig.get_domain('IPA')
++        domain_opts = ipa_domain.list_options()
++        self.assertTrue('debug_level' in domain_opts.keys())
++        self.assertTrue('id_provider' in domain_opts.keys())
++        self.assertTrue('auth_provider' in domain_opts.keys())
++
++        # Verify domain attributes
++        proxy_domain = sssdconfig.get_domain('PROXY')
++        domain_opts = proxy_domain.list_options()
++        self.assertTrue('debug_level' in domain_opts.keys())
++        self.assertTrue('id_provider' in domain_opts.keys())
++        self.assertTrue('auth_provider' in domain_opts.keys())
++
++        # Verify domain attributes
++        local_domain = sssdconfig.get_domain('LOCAL')
++        domain_opts = local_domain.list_options()
++        self.assertTrue('debug_level' in domain_opts.keys())
++        self.assertTrue('id_provider' in domain_opts.keys())
++        self.assertTrue('auth_provider' in domain_opts.keys())
++
++        # Verify domain attributes
++        ldap_domain = sssdconfig.get_domain('LDAP')
++        domain_opts = ldap_domain.list_options()
++        self.assertTrue('debug_level' in domain_opts.keys())
++        self.assertTrue('id_provider' in domain_opts.keys())
++        self.assertTrue('auth_provider' in domain_opts.keys())
++
++        domain_control_list = [
++            'cache_credentials',
++            'id_provider',
++            'auth_provider',
++            'access_provider',
++            'default_shell',
++            'fallback_homedir',
++            'cache_credentials',
++            'use_fully_qualified_names',
++        ]
++
++        ad_domain = sssdconfig.get_domain("ad.example.com")
++
++        for option in ad_domain.get_all_options():
++            self.assertTrue(option in domain_control_list)
++
++        negative_domain_control_list = [
++            'ad_server',
++            'ldap_id_mapping',
++            'ldap_sasl_authid',
++        ]
++
++        for option in ad_domain.get_all_options():
++            self.assertFalse(option in negative_domain_control_list)
++
+     def testNewConfig(self):
+         # Positive Test
+         sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
+diff --git a/src/config/testconfigs/sssd-noversion.conf b/src/config/testconfigs/sssd-noversion.conf
+index 71af85c..d5f524d 100644
+--- a/src/config/testconfigs/sssd-noversion.conf
++++ b/src/config/testconfigs/sssd-noversion.conf
+@@ -39,3 +39,25 @@ debug_level = 0
+ [dp]
+ debug_level = 0
+ 
++[domain/ad.example.com]
++cache_credentials = true
++
++id_provider = ad
++auth_provider = ad
++access_provider = ad
++
++# Uncomment if service discovery is not working
++# ad_server = server.ad.example.com
++
++# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
++# ldap_id_mapping = False
++
++# Comment out if the users have the shell and home dir set on the AD side
++default_shell = /bin/bash
++fallback_homedir = /home/%d/%u
++
++# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
++# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
++
++# Comment out if you prefer to user shortnames.
++use_fully_qualified_names = True
+-- 
+2.5.0
+

0018-BUILD-Accept-krb5-1.14-for-building-the-PAC-plugin.patch

@@ -0,0 +1,29 @@
+From 16e6d7ffedb52030f0301590f8c63beef44d7e96 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 26 Oct 2015 07:00:50 +0100
+Subject: [PATCH 18/21] BUILD: Accept krb5 1.14 for building the PAC plugin
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 8fe87c3d35bf301cbb6ed7d441b588327d831924)
+(cherry picked from commit 3dd118ee870d4370e8bfff8bd71d7e9954ccac06)
+---
+ src/external/pac_responder.m4 | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index b57305c..5c4239a 100644
+--- a/src/external/pac_responder.m4
++++ b/src/external/pac_responder.m4
+@@ -22,7 +22,8 @@ then
+         Kerberos\ 5\ release\ 1.10* | \
+         Kerberos\ 5\ release\ 1.11* | \
+         Kerberos\ 5\ release\ 1.12* | \
+-        Kerberos\ 5\ release\ 1.13*)
++        Kerberos\ 5\ release\ 1.13* | \
++        Kerberos\ 5\ release\ 1.14*)
+             krb5_version_ok=yes
+             AC_MSG_RESULT([yes])
+             ;;
+-- 
+2.5.0
+

0019-LDAP-Fix-leak-of-file-descriptors.patch

@@ -0,0 +1,112 @@
+From d453aacfbc937ceb87b9fd73c72d0bfe6699c005 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 22 Oct 2015 10:30:12 +0200
+Subject: [PATCH 19/21] LDAP: Fix leak of file descriptors
+
+The state "struct sss_ldap_init_state" contains socket
+created in function sss_ldap_init_send. We register callback
+sdap_async_sys_connect_timeout for handling issue with connection
+
+The tevent request "sss_ldap_init_send" is usually (nested) subrequest
+of "struct resolve_service_state" related request created in fucntion
+fo_resolve_service_send. Function fo_resolve_service_send also register
+timeout callback fo_resolve_service_timeout to state "struct
+resolve_service_state".
+
+It might happen that fo_resolve_service_timeout will be called before
+sss_ldap_init_send timeout and we could not handle tiemout error
+for state "struct sss_ldap_init_state" and therefore created socket
+was not closed.
+
+We tried to release resources in function sdap_handle_release.
+But the structure "struct sdap_handle" had not been initialized yet
+with LDAP handle and therefore associated file descriptor could not be closed.
+
+[fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
+[fo_resolve_service_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[110]
+[sdap_handle_release] (0x2000): Trace: sh[0x7f6713410270], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory
+[be_resolve_server_done] (0x1000): Server resolution failed: 14
+[be_resolve_server_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[14]
+[check_online_callback] (0x0100): Backend returned: (1, 0, <NULL>) [Provider is Offline (Success)]
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2792
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit a10f67d4c64f3b1243de5d86a996475361adf0ac)
+(cherry picked from commit db2fdba6f3cecd0612439988e61be60d5d8576bf)
+---
+ src/util/sss_ldap.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c
+index dd63b4b..f42f940 100644
+--- a/src/util/sss_ldap.c
++++ b/src/util/sss_ldap.c
+@@ -304,6 +304,22 @@ struct sss_ldap_init_state {
+ #endif
+ };
+ 
++static int sss_ldap_init_state_destructor(void *data)
++{
++    struct sss_ldap_init_state *state = (struct sss_ldap_init_state *)data;
++
++    if (state->ldap) {
++        DEBUG(SSSDBG_TRACE_FUNC,
++              "calling ldap_unbind_ext for ldap:[%p] sd:[%d]\n",
++              state->ldap, state->sd);
++        ldap_unbind_ext(state->ldap, NULL, NULL);
++    } else if (state->sd != -1) {
++        DEBUG(SSSDBG_TRACE_FUNC, "closing socket [%d]\n", state->sd);
++        close(state->sd);
++    }
++
++    return 0;
++}
+ 
+ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
+                                       struct tevent_context *ev,
+@@ -321,6 +337,8 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
+         return NULL;
+     }
+ 
++    talloc_set_destructor((TALLOC_CTX *)state, sss_ldap_init_state_destructor);
++
+     state->ldap = NULL;
+     state->uri = uri;
+ 
+@@ -370,9 +388,6 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
+     return req;
+ 
+ fail:
+-    if(state->sd >= 0) {
+-        close(state->sd);
+-    }
+     tevent_req_error(req, ret);
+ #else
+     DEBUG(SSSDBG_MINOR_FAILURE, "ldap_init_fd not available, "
+@@ -455,11 +470,6 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
+     return;
+ 
+ fail:
+-    if (state->ldap) {
+-        ldap_unbind_ext(state->ldap, NULL, NULL);
+-    } else {
+-        close(state->sd);
+-    }
+     tevent_req_error(req, ret);
+ }
+ #endif
+@@ -470,6 +480,9 @@ int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd)
+                                                     struct sss_ldap_init_state);
+     TEVENT_REQ_RETURN_ON_ERROR(req);
+ 
++    /* Everything went well therefore we do not want to release resources */
++    talloc_set_destructor(state, NULL);
++
+     *ldap = state->ldap;
+     *sd = state->sd;
+ 
+-- 
+2.5.0
+

0020-sss_client-Fix-underflow-of-active_threads.patch

@@ -0,0 +1,57 @@
+From 11b7c82c2283993cc3fef0abeb598ee9f48eb310 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Fri, 6 Nov 2015 08:48:05 +0100
+Subject: [PATCH 20/21] sss_client: Fix underflow of active_threads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the memory cache was not initialized and there was a failure in
+initialisation of memory cache context (e.g. memory cache file
+does not exist) then mc_context had to be destroyed to release
+resources.
+
+However the count of active threads in sss_cli_mc_ctx is already higher
+than zero because current thread is working wih the mc_context.
+But this counter was zero-ed with memset in sss_nss_mc_destroy_ctx
+due to issue with initialisation of memory cache.
+Then we have to decrease counter of active thread in function
+sss_nss_mc_get_ctx because initialisation of mc failed.
+And the result of this decrement is underflow of counter.
+
+Related to:
+https://fedorahosted.org/sssd/ticket/2726
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit d4ff84434265dc959098ccfd4e8cd5d61d9052c9)
+(cherry picked from commit 01c888be345ed8e77d97a83ed0bf4f57b3e5c740)
+---
+ src/sss_client/nss_mc_common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
+index 89ff6b4..182cc6d 100644
+--- a/src/sss_client/nss_mc_common.c
++++ b/src/sss_client/nss_mc_common.c
+@@ -104,6 +104,8 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
+ 
+ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
+ {
++    uint32_t active_threads = ctx->active_threads;
++
+     if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
+         munmap(ctx->mmap_base, ctx->mmap_size);
+     }
+@@ -112,6 +114,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
+     }
+     memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
+     ctx->fd = -1;
++
++    /* restore count of active threads */
++    ctx->active_threads = active_threads;
+ }
+ 
+ static errno_t sss_nss_mc_init_ctx(const char *name,
+-- 
+2.5.0
+

0021-sssd_client-Do-not-use-removed-memory-cache.patch

@@ -0,0 +1,51 @@
+From 356f7e9ad047f66af55c7a1d783b98118fddbb92 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Fri, 6 Nov 2015 09:39:05 +0100
+Subject: [PATCH 21/21] sssd_client: Do not use removed memory cache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2726
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit c269ca2669706bddb25c5938b50277b0c0a94ea4)
+(cherry picked from commit e360fa6e91ee3500435e85b9c51c4932d2b99f33)
+---
+ src/sss_client/nss_mc_common.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
+index 182cc6d..b56ab8f 100644
+--- a/src/sss_client/nss_mc_common.c
++++ b/src/sss_client/nss_mc_common.c
+@@ -60,6 +60,8 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
+     struct sss_mc_header h;
+     bool copy_ok;
+     int count;
++    int ret;
++    struct stat fdstat;
+ 
+     /* retry barrier protected reading max 5 times then give up */
+     for (count = 5; count > 0; count--) {
+@@ -99,6 +101,16 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
+         }
+     }
+ 
++    ret = fstat(ctx->fd, &fdstat);
++    if (ret == -1) {
++        return EIO;
++    }
++
++    if (fdstat.st_nlink == 0) {
++        /* memory cache was removed; we need to reinitialize it. */
++        return EINVAL;
++    }
++
+     return 0;
+ }
+ 
+-- 
+2.5.0
+

sources

@@ -1 +1 @@
-f313613db186d478e9b40e10506c8838  sssd-1.12.0.tar.gz
+4439852e76e221c9bcd60a8586c136e2  sssd-1.12.5.tar.gz

sssd.spec

@@ -1,19 +1,34 @@
+%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
+
 # we don't want to provide private python extension libs
-%define __provides_exclude_from %{python_sitearch}/.*\.so$
+%define __provides_exclude_from %{python_sitearch}/.*\.so$|%{_libdir}/%{name}/modules/libwbclient.so.*$
 %define _hardened_build 1
 
-%if (0%{?fedora} >= 17 || 0%{?rhel} >= 7)
-    %global with_cifs_utils_plugin 1
-%else
-    %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
-%endif
 
 # Determine the location of the LDB modules directory
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
 %global ldb_version 1.1.17
 
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+    %global with_cifs_utils_plugin 1
+%else
+    %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
+%endif
+
+%if (0%{?fedora} >= 21 || (0%{?rhel} == 7 &&  0%{?rhel7_minor} >= 1))
+    %global with_krb5_localauth_plugin 1
+%endif
+
+
+%global libwbc_alternatives_version 0.11
+%global libwbc_lib_version 0.12.0
+%global libwbc_alternatives_suffix %nil
+%if 0%{?__isa_bits} == 64
+%global libwbc_alternatives_suffix -64
+%endif
+
 Name: sssd
-Version: 1.12.0
+Version: 1.12.5
 Release: 5%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
@@ -23,6 +38,27 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
+Patch0001: 0001-SDAP-Remove-user-from-cache-for-missing-user-in-LDAP.patch
+Patch0002: 0002-sss_client-Update-integrity-check-of-records-in-mmap.patch
+Patch0003: 0003-BUILD-Repair-dependecies-on-deprecated-libraries.patch
+Patch0004: 0004-SPEC-Workaround-for-build-with-rpm-4.13.patch
+Patch0005: 0005-CONFDB-Assume-config-file-version-2-if-missing.patch
+Patch0006: 0006-SYSDB-Index-the-objectSIDString-attribute.patch
+Patch0007: 0007-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
+Patch0008: 0008-SPEC-Update-spec-file-for-krb5_local_auth_plugin.patch
+Patch0009: 0009-LDAP-Sanitize-group-dn-before-using-in-filter.patch
+Patch0010: 0010-tests-check-special-characters-in-cleanup_groups.patch
+Patch0011: 0011-Fix-memory-leak-in-sssdpac_verify.patch
+Patch0012: 0012-SDAP-Relax-POSIX-check.patch
+Patch0013: 0013-GPO-fix-memory-leak.patch
+Patch0014: 0014-nss-fix-UPN-lookups-for-sub-domain-users.patch
+Patch0015: 0015-SSSDConfig-Do-not-raise-exception-if-config_file_ver.patch
+Patch0016: 0016-SSSDConfigTest-Try-load-saved-config.patch
+Patch0017: 0017-SSSDConfigTest-Test-real-config-without-config_file_.patch
+Patch0018: 0018-BUILD-Accept-krb5-1.14-for-building-the-PAC-plugin.patch
+Patch0019: 0019-LDAP-Fix-leak-of-file-descriptors.patch
+Patch0020: 0020-sss_client-Fix-underflow-of-active_threads.patch
+Patch0021: 0021-sssd_client-Do-not-use-removed-memory-cache.patch
 
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -40,6 +76,7 @@ Requires: python-sssdconfig = %{version}-%{release}
 %global pipepath %{sssdstatedir}/pipes
 %global mcpath %{sssdstatedir}/mc
 %global pubconfpath %{sssdstatedir}/pubconf
+%global gpocachepath %{sssdstatedir}/gpo_cache
 
 ### Build Dependencies ###
 
@@ -56,7 +93,7 @@ BuildRequires: libtdb-devel
 BuildRequires: libldb-devel = %{ldb_version}
 BuildRequires: libdhash-devel >= 0.4.2
 BuildRequires: libcollection-devel
-BuildRequires: libini_config-devel >= 1.0.0.1
+BuildRequires: libini_config-devel >= 1.1
 BuildRequires: dbus-devel
 BuildRequires: dbus-libs
 BuildRequires: openldap-devel
@@ -67,7 +104,11 @@ BuildRequires: pcre-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
-BuildRequires: krb5-devel >= 1.10
+%if (0%{?with_krb5_localauth_plugin} == 1)
+BuildRequires: krb5-devel >= 1.12
+%else
+BuildRequires: krb5-devel
+%endif
 BuildRequires: c-ares-devel
 BuildRequires: python-devel
 BuildRequires: check-devel
@@ -76,31 +117,37 @@ BuildRequires: libselinux-devel
 BuildRequires: libsemanage-devel
 BuildRequires: bind-utils
 BuildRequires: keyutils-libs-devel
-BuildRequires: libnl3-devel
 BuildRequires: gettext-devel
 BuildRequires: pkgconfig
-BuildRequires: glib2-devel
 BuildRequires: diffstat
 BuildRequires: findutils
-BuildRequires: samba4-devel >= 4.0.0-59beta2
+BuildRequires: glib2-devel
 BuildRequires: selinux-policy-targeted
-BuildRequires: systemd-devel
-BuildRequires: libsmbclient-devel
 %ifarch %{ix86} x86_64 %{arm}
 BuildRequires: libcmocka-devel
 %endif
+%if (0%{?fedora} >= 20)
+BuildRequires: uid_wrapper
+BuildRequires: nss_wrapper
+%endif
+BuildRequires: libnl3-devel
+BuildRequires: systemd-devel
 %if (0%{?with_cifs_utils_plugin} == 1)
 BuildRequires: cifs-utils-devel
 %endif
+BuildRequires: libnfsidmap-devel
+
+BuildRequires: samba4-devel >= 4.0.0-59beta2
+BuildRequires: libsmbclient-devel
 
 %description
 Provides a set of daemons to manage access to remote directories and
 authentication mechanisms. It provides an NSS and PAM interface toward
-the system and a pluggable backend system to connect to multiple different
+the system and a plug-gable back-end system to connect to multiple different
 account sources. It is also the basis to provide client auditing and policy
 services for projects like FreeIPA.
 
-The sssd subpackage is a meta-package that contains the deamon as well as all
+The sssd sub-package is a meta-package that contains the daemon as well as all
 the existing back ends.
 
 %package common
@@ -137,7 +184,7 @@ Obsoletes: libsss_autofs <= 1.10.0-7%{?dist}.beta1
 %description common
 Common files for the SSSD. The common package includes all the files needed
 to run a particular back end, however, the back ends are packaged in separate
-subpackages such as sssd-ldap.
+sub-packages such as sssd-ldap.
 
 %package client
 Summary: SSSD Client libraries for NSS and PAM
@@ -212,8 +259,6 @@ Requires: sssd-krb5-common = %{version}-%{release}
 Provides the Kerberos back end that the SSSD can utilize authenticate
 against a Kerberos server.
 
-# RHEL 5 is too old to support the PAC responder
-%if !0%{?is_rhel5}
 %package common-pac
 Summary: Common files needed for supporting PAC processing
 Group: Applications/System
@@ -223,7 +268,6 @@ Requires: sssd-common = %{version}-%{release}
 %description common-pac
 Provides common files needed by SSSD providers such as IPA and Active Directory
 for handling Kerberos PACs.
-%endif #is_rhel5
 
 %package ipa
 Summary: The IPA back end of the SSSD
@@ -234,10 +278,7 @@ Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libipa_hbac%{?_isa} = %{version}-%{release}
 Requires: bind-utils
-# RHEL 5 is too old to support the PAC responder
-%if !0%{?is_rhel5}
 Requires: sssd-common-pac = %{version}-%{release}
-%endif
 
 %description ipa
 Provides the IPA back end that the SSSD can utilize to fetch identity data
@@ -251,10 +292,7 @@ Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: bind-utils
-# RHEL 5 is too old to support the PAC responder
-%if !0%{?is_rhel5}
 Requires: sssd-common-pac = %{version}-%{release}
-%endif
 
 %description ad
 Provides the Active Directory back end that the SSSD can utilize to fetch
@@ -364,6 +402,7 @@ Summary: The SSSD D-Bus responder helper library
 Group: Development/Libraries
 License: GPLv3+
 Requires: dbus-libs
+Requires: sssd-dbus = %{version}-%{release}
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 
@@ -380,6 +419,25 @@ Requires: libsss_simpleifp = %{version}-%{release}
 %description -n libsss_simpleifp-devel
 Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
 
+%package libwbclient
+Summary: The SSSD libwbclient implementation
+Group: Applications/System
+License: GPLv3+ and LGPLv3+
+Conflicts: libwbclient < 4.1.12
+
+%description libwbclient
+The SSSD libwbclient implementation.
+
+%package libwbclient-devel
+Summary: Development libraries for the SSSD libwbclient implementation
+Group:  Development/Libraries
+License: GPLv3+ and LGPLv3+
+Requires: sssd-libwbclient = %{version}-%{release}
+Conflicts: libwbclient < 4.1.12
+
+%description libwbclient-devel
+Development libraries for the SSSD libwbclient implementation.
+
 %prep
 # Update timestamps on the files touched by a patch, to avoid non-equal
 # .pyc/.pyo files across the multilib peers within a build, where "Level"
@@ -405,28 +463,32 @@ done
 
 %build
 autoreconf -ivf
+
 %configure \
+    --with-test-dir=/dev/shm \
     --with-db-path=%{dbpath} \
+    --with-mcache-path=%{mcpath} \
     --with-pipe-path=%{pipepath} \
     --with-pubconf-path=%{pubconfpath} \
-    --with-mcache-path=%{mcpath} \
+    --with-gpo-cache-path=%{gpocachepath} \
     --with-init-dir=%{_initrddir} \
     --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
     --enable-nsslibdir=%{_libdir} \
     --enable-pammoddir=%{_libdir}/security \
-    --enable-ldb-version-check \
+    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
     --disable-static \
     --disable-rpath \
     --with-initscript=systemd \
     --with-syslog=journald \
-    --with-test-dir=/dev/shm \
-    %{?with_cifs_utils_plugin_option}
+    %{?with_cifs_utils_plugin_option} \
+    --enable-ldb-version-check \
+    --enable-sss-default-nss-plugin
 
 make %{?_smp_mflags} all docs
 
 %check
 export CK_TIMEOUT_MULTIPLIER=10
-make %{?_smp_mflags} check
+make %{?_smp_mflags} check VERBOSE=yes
 unset CK_TIMEOUT_MULTIPLIER
 
 %install
@@ -434,6 +496,12 @@ rm -rf $RPM_BUILD_ROOT
 
 make install DESTDIR=$RPM_BUILD_ROOT
 
+if [ ! -f %{buildroot}/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
+then
+    echo "Expected libwbclient version not found, please check if version has changed."
+    exit -1
+fi
+
 # Prepare language files
 /usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
 
@@ -539,8 +607,8 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %doc COPYING
 %doc src/examples/sssd-example.conf
-%{_unitdir}/sssd.service
 %{_sbindir}/sssd
+%{_unitdir}/sssd.service
 
 %dir %{_libexecdir}/%{servicename}
 %{_libexecdir}/%{servicename}/sssd_be
@@ -559,10 +627,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/%{name}/libsss_debug.so
 %{_libdir}/%{name}/libsss_ldap_common.so
 %{_libdir}/%{name}/libsss_util.so
+%{_libdir}/%{name}/libsss_semanage.so
 
 # 3rd party application libraries
 %{_libdir}/sssd/modules/libsss_autofs.so
 %{_libdir}/libsss_sudo.so
+%{_libdir}/libnfsidmap/sss.so
 
 %{ldb_modulesdir}/memberof.so
 %{_bindir}/sss_ssh_authorizedkeys
@@ -578,6 +648,7 @@ rm -rf $RPM_BUILD_ROOT
 %ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
 %attr(755,root,root) %dir %{pipepath}
 %attr(755,root,root) %dir %{pubconfpath}
+%attr(755,root,root) %dir %{gpocachepath}
 %attr(700,root,root) %dir %{pipepath}/private
 %attr(750,root,root) %dir %{_var}/log/%{name}
 %attr(700,root,root) %dir %{_sysconfdir}/sssd
@@ -594,6 +665,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man5/sssd-sudo.5*
+%{_mandir}/man5/sss_rpcidmapd.5*
 %{_mandir}/man8/sssd.8*
 %{_mandir}/man8/sss_cache.8*
 %{python_sitearch}/pysss.so
@@ -618,19 +690,17 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/%{name}/libsss_krb5.so
 %{_mandir}/man5/sssd-krb5.5*
 
-# RHEL 5 is too old to support the PAC responder
-%if !0%{?is_rhel5}
 %files common-pac
 %defattr(-,root,root,-)
 %doc COPYING
 %{_libexecdir}/%{servicename}/sssd_pac
-%endif
 
 %files ipa -f sssd_ipa.lang
 %defattr(-,root,root,-)
 %doc COPYING
 %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
 %{_libdir}/%{name}/libsss_ipa.so
+%{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
@@ -663,12 +733,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files -n libsss_simpleifp-devel
 %defattr(-,root,root,-)
-%if 0%{?fedora}
 %doc sss_simpleifp_doc/html
-%endif
-%if 0%{?rhel} >= 6
-%doc sss_simpleifp_doc/html
-%endif
 %{_includedir}/sss_sifp.h
 %{_includedir}/sss_sifp_dbus.h
 %{_libdir}/libsss_simpleifp.so
@@ -685,6 +750,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/cifs-utils/cifs_idmap_sss.so
 %ghost %{_sysconfdir}/cifs-utils/idmap-plugin
 %endif
+%if (0%{?with_krb5_localauth_plugin} == 1)
+%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
+%endif
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
 
@@ -741,10 +809,6 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libipa_hbac.so
 %{_libdir}/pkgconfig/ipa_hbac.pc
 
-%files -n libipa_hbac-python
-%defattr(-,root,root,-)
-%{python_sitearch}/pyhbac.so
-
 %files -n libsss_nss_idmap
 %defattr(-,root,root,-)
 %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
@@ -761,6 +825,20 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %{python_sitearch}/pysss_nss_idmap.so
 
+%files -n libipa_hbac-python
+%defattr(-,root,root,-)
+%{python_sitearch}/pyhbac.so
+
+%files libwbclient
+%defattr(-,root,root,-)
+%{_libdir}/%{name}/modules/libwbclient.so.*
+
+%files libwbclient-devel
+%defattr(-,root,root,-)
+%{_includedir}/wbclient_sssd.h
+%{_libdir}/%{name}/modules/libwbclient.so
+%{_libdir}/pkgconfig/wbclient_sssd.pc
+
 %post common
 if [ $1 -ge 1 ] ; then
     # Initial installation
@@ -769,7 +847,7 @@ fi
 
 %preun common
 if [ $1 -eq 0 ]; then
-     # Package removal, not upgrade
+    # Package removal, not upgrade
     /bin/systemctl --no-reload disable sssd.service > /dev/null 2>&1 || :
     /bin/systemctl stop sssd.service > /dev/null 2>&1 || :
 fi
@@ -777,6 +855,7 @@ fi
 %postun common
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
     /bin/systemctl try-restart sssd.service >/dev/null 2>&1 || :
 fi
 
@@ -803,7 +882,153 @@ fi
 
 %postun -n libsss_idmap -p /sbin/ldconfig
 
+%post -n libsss_nss_idmap -p /sbin/ldconfig
+
+%postun -n libsss_nss_idmap -p /sbin/ldconfig
+
+%posttrans libwbclient
+# Alternatives was removed only if package was uninstalled
+# However in cease of package upgrade and soname bump the
+# the old alternative was not removed.
+# This is a workaround/fix for unused alternative
+%{_sbindir}/update-alternatives \
+    --remove libwbclient.so.0.11%{libwbc_alternatives_suffix} \
+             %{_libdir}/%{name}/modules/libwbclient.so.0.11.0
+
+%{_sbindir}/update-alternatives \
+    --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
+              libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
+              %{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} 5
+/sbin/ldconfig
+
+%preun libwbclient
+%{_sbindir}/update-alternatives \
+    --remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
+             %{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
+/sbin/ldconfig
+
+%posttrans libwbclient-devel
+update-alternatives --display libwbclient.so%{libwbc_alternatives_suffix} | grep auto
+if [ $? -eq 0 ]; then
+    # alternative is in auto mode.
+    # it need to be removed before changing priority (20 -> 5) sssd-1.12.3-4
+    %{_sbindir}/update-alternatives --remove \
+                                libwbclient.so%{libwbc_alternatives_suffix} \
+                                %{_libdir}/%{name}/modules/libwbclient.so 5
+fi
+
+%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
+                                libwbclient.so%{libwbc_alternatives_suffix} \
+                                %{_libdir}/%{name}/modules/libwbclient.so 5
+
+%preun libwbclient-devel
+%{_sbindir}/update-alternatives --remove \
+                                libwbclient.so%{libwbc_alternatives_suffix} \
+                                %{_libdir}/%{name}/modules/libwbclient.so
+
 %changelog
+* Fri Nov 20 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-5
+- Backport fixes from upstream 1.12
+
+* Wed Oct 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-4
+- Fix memory leaks (GPO; PAC client)
+- Resolves: rhbz#1268807 (CVE-2015-5292)
+
+* Tue Jul 21 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-3
+- Fix known bug in 1.12.5
+- Resolves: upstream #2681 - SSSD cache is not updated after user is deleted
+                             from ldap server
+
+* Fri Jun 12 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-2
+- Fix libwbclient alternatives
+
+* Fri Jun 12 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-1
+- New upstream release 1.12.5
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5
+
+* Wed Apr 15 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-3
+- Fix slow login with ipa and SELinux
+- Resolves: upstream #2624 - Only set the selinux context if the context
+                             differs from the local one
+
+* Mon Mar 23 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-2
+- Fix regressions with ipa and SELinux
+- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
+                             context on client is staff_u
+- Additional fix for rhbz#1175511
+
+* Wed Feb 18 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-1
+- New upstream release 1.12.4
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4
+
+* Thu Feb 12 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-5
+- Fix double free in monitor
+- Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort():
+                        sssd killed by SIGABRT
+
+* Thu Jan 22 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-4
+- Decrease priority of sssd-libwbclient 20 -> 5
+- It should be lower than priority of samba veriosn of libwbclient.
+- https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18
+
+* Mon Jan 19 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-3
+- Apply a number of patches from upstream to fix issues found 1.12.3
+- Resolves: rhbz#1176373 - dyndns_iface does not accept multiple
+                           interfaces, or isn't documented to be able to
+- Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is
+                          not running
+- Resolves: upstream #2557  authentication failure with user from AD
+
+* Fri Jan 09 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-2
+- Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus
+- Resolves: rhbz#1179379 - gzip: stdin: file size changed while
+                           zipping when rotating logfile
+
+* Thu Jan 08 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-1
+- New upstream release 1.12.3
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3
+- Fix spelling errors in description (fedpkg lint)
+
+* Fri Dec 19 2014 Sumit Bose <sbose@redhat.com> - 1.12.2-6
+- Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes
+                           crash in wbinfo
+                           - in addition to the patch libwbclient.so is
+                             filtered out of the Provides list of the package
+
+* Wed Dec 17 2014 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.2-5
+- Fix regressions and bugs in sssd upstream 1.12.2
+- https://fedorahosted.org/sssd/ticket/{id}
+- Regressions: #2471, #2475, #2483, #2487, #2529, #2535
+- Bugs: #2287, #2445
+
+* Wed Nov 26 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-4
+- Fix typo in libwbclient-devel %preun
+
+* Tue Nov 25 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-3
+- Use alternatives for libwbclient
+
+* Wed Oct 22 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-2
+- Backport several patches from upstream.
+- Fix a potential crash against old (pre-4.0) IPA servers
+
+* Mon Oct 20 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-1
+- New upstream release 1.12.2
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2
+
+* Mon Sep 15 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.1-2
+- Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user
+                           private group from server
+
+* Mon Sep  8 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.1-1
+- New upstream release 1.12.1
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1
+
+* Fri Aug 22 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.0-7
+- Do not crash on resolving a group SID in IPA server mode
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.12.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
 * Thu Jul 10 2014 Stephen Gallagher <sgallagh@redhat.com> 1.12.0-5
 - Fix release version for upgrades