Resolves: rhbz#1561105 - sssd update prevented login using kerberos user

(cherry picked from commit a5e12d6904)

.gitignore

@@ -80,28 +80,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.16.0.tar.gz
 /sssd-1.16.1.tar.gz
 /sssd-1.16.2.tar.gz
-/sssd-2.0.0.tar.gz
+/sssd-1.16.3.tar.gz
-/sssd-2.1.0.tar.gz
-/sssd-2.2.0.tar.gz
-/sssd-2.2.1.tar.gz
-/sssd-2.2.2.tar.gz
-/sssd-2.2.3.tar.gz
-/sssd-2.3.0.tar.gz
-/sssd-2.3.1.tar.gz
-/sssd-2.4.0.tar.gz
-/sssd-2.4.1.tar.gz
-/sssd-2.4.2.tar.gz
-/sssd-2.5.0.tar.gz
-/sssd-2.5.1.tar.gz
-/sssd-2.5.2.tar.gz
-/sssd-2.6.0.tar.gz
-/sssd-2.6.1.tar.gz
-/sssd-2.6.2.tar.gz
-/sssd-2.6.3.tar.gz
-/sssd-2.7.0.tar.gz
-/sssd-2.7.1.tar.gz
-/sssd-2.7.3.tar.gz
-/sssd-2.7.4.tar.gz
-/sssd-2.8.0.tar.gz
-/sssd-2.8.1.tar.gz
-/sssd-2.8.2.tar.gz

0001-man-sss_ssh_knownhostsproxy-fix-typo-pubkeys-pubkey.patch

@@ -0,0 +1,37 @@
+From 62839f9187dde5b46e198f0cb61204a0613d826d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Sun, 12 Aug 2018 23:56:21 +0200
+Subject: [PATCH 1/7] man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In commit 36f2fe8f63 a discrepancy between the command line option and
+the manpage has been introduced.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/3542
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 2b3b41dad27fcb03478c211ec82d9c2fd9dadcb4)
+---
+ src/man/sss_ssh_knownhostsproxy.1.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/man/sss_ssh_knownhostsproxy.1.xml b/src/man/sss_ssh_knownhostsproxy.1.xml
+index f84732c..58aeb04 100644
+--- a/src/man/sss_ssh_knownhostsproxy.1.xml
++++ b/src/man/sss_ssh_knownhostsproxy.1.xml
+@@ -86,7 +86,7 @@ GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
+             </varlistentry>
+             <varlistentry>
+                 <term>
+-                    <option>-k</option>,<option>--pubkeys</option>
++                    <option>-k</option>,<option>--pubkey</option>
+                 </term>
+                 <listitem>
+                     <para>
+-- 
+2.9.5
+

0002-krb5_locator-Make-debug-function-internal.patch

@@ -0,0 +1,29 @@
+From de33a5c07eb8c9f821e684a49c4ee993c25776b9 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:38:22 +0200
+Subject: [PATCH 2/7] krb5_locator: Make debug function internal
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 86de91f93f51d41d71c504b871c65fea31dd5485)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 952d487..7800ab0 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
++++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -82,7 +82,7 @@ struct sssd_ctx {
+     bool disabled;
+ };
+ 
+-void plugin_debug_fn(const char *format, ...)
++static void plugin_debug_fn(const char *format, ...)
+ {
+     va_list ap;
+     char *s = NULL;
+-- 
+2.9.5
+

0003-krb5_locator-Simplify-usage-of-macro-PLUGIN_DEBUG.patch

@@ -0,0 +1,275 @@
+From 0f44cbdfcbf35278c984a12b22a1c01f38a2c5ab Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:44:33 +0200
+Subject: [PATCH 3/7] krb5_locator: Simplify usage of macro PLUGIN_DEBUG
+
+It should look like real function call
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 276f2e345548947b66f7bd3b984628eaf6f4cbd4)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 88 +++++++++++++++---------------
+ 1 file changed, 44 insertions(+), 44 deletions(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 7800ab0..61fee6b 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
++++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -63,9 +63,9 @@
+ #define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG"
+ #define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE"
+ #define DEBUG_KEY "[sssd_krb5_locator] "
+-#define PLUGIN_DEBUG(body) do { \
++#define PLUGIN_DEBUG(format, ...) do { \
+     if (ctx->debug) { \
+-        plugin_debug_fn body; \
++        plugin_debug_fn(format, ##__VA_ARGS__); \
+     } \
+ } while(0)
+ 
+@@ -236,26 +236,26 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
+                 port = strtol(port_str, &endptr, 10);
+                 if (errno != 0) {
+                     ret = errno;
+-                    PLUGIN_DEBUG(("strtol failed on [%s]: [%d][%s], "
+-                                "assuming default.\n", port_str, ret,
+-                                                       strerror(ret)));
++                    PLUGIN_DEBUG("strtol failed on [%s]: [%d][%s], "
++                                 "assuming default.\n",
++                                 port_str, ret, strerror(ret));
+                     port = 0;
+                 }
+                 if (*endptr != '\0') {
+-                    PLUGIN_DEBUG(("Found additional characters [%s] in port "
+-                                "number [%s], assuming default.\n", endptr,
+-                                                                    port_str));
++                    PLUGIN_DEBUG("Found additional characters [%s] in port "
++                                 "number [%s], assuming default.\n",
++                                 endptr, port_str);
+                     port = 0;
+                 }
+ 
+                 if (port < 0 || port > 65535) {
+-                    PLUGIN_DEBUG(("Illegal port number [%ld], assuming "
+-                                  "default.\n", port));
++                    PLUGIN_DEBUG("Illegal port number [%ld], assuming "
++                                 "default.\n", port);
+                     port = 0;
+                 }
+             } else {
+-                PLUGIN_DEBUG(("Illegal port number [%s], assuming default.\n",
+-                            port_str));
++                PLUGIN_DEBUG("Illegal port number [%s], assuming default.\n",
++                             port_str);
+                 port = 0;
+             }
+         }
+@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
+             addr_str++;
+         }
+ 
+-        PLUGIN_DEBUG(("Found [%s][%d].\n", addr_str, port));
++        PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
+ 
+         l[c].addr = strdup(addr_str);
+         if (l[c].addr == NULL) {
+@@ -314,7 +314,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+             name_tmpl = KPASSWDINFO_TMPL;
+             break;
+         default:
+-            PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
++            PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
+             return EINVAL;
+     }
+ 
+@@ -323,13 +323,13 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+ 
+     krb5info_name = calloc(1, len + 1);
+     if (krb5info_name == NULL) {
+-        PLUGIN_DEBUG(("malloc failed.\n"));
++        PLUGIN_DEBUG("malloc failed.\n");
+         return ENOMEM;
+     }
+ 
+     ret = snprintf(krb5info_name, len, name_tmpl, realm);
+     if (ret < 0) {
+-        PLUGIN_DEBUG(("snprintf failed.\n"));
++        PLUGIN_DEBUG("snprintf failed.\n");
+         ret = EINVAL;
+         goto done;
+     }
+@@ -337,8 +337,8 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+ 
+     fd = open(krb5info_name, O_RDONLY);
+     if (fd == -1) {
+-        PLUGIN_DEBUG(("open failed [%s][%d][%s].\n",
+-                      krb5info_name, errno, strerror(errno)));
++        PLUGIN_DEBUG("open failed [%s][%d][%s].\n",
++                     krb5info_name, errno, strerror(errno));
+         ret = errno;
+         goto done;
+     }
+@@ -349,15 +349,15 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+     len = sss_atomic_read_s(fd, buf, BUFSIZE);
+     if (len == -1) {
+         ret = errno;
+-        PLUGIN_DEBUG(("read failed [%d][%s].\n", ret, strerror(ret)));
++        PLUGIN_DEBUG("read failed [%d][%s].\n", ret, strerror(ret));
+         close(fd);
+         goto done;
+     }
+     close(fd);
+ 
+     if (len == BUFSIZE) {
+-        PLUGIN_DEBUG(("Content of krb5info file [%s] is [%d] or larger.\n",
+-                      krb5info_name, BUFSIZE));
++        PLUGIN_DEBUG("Content of krb5info file [%s] is [%d] or larger.\n",
++                     krb5info_name, BUFSIZE);
+     }
+ 
+     switch (svc) {
+@@ -376,7 +376,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+             }
+             break;
+         default:
+-            PLUGIN_DEBUG(("Unsupported service [%d].\n", svc));
++            PLUGIN_DEBUG("Unsupported service [%d].\n", svc);
+             ret = EINVAL;
+             goto done;
+     }
+@@ -401,7 +401,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
+         ctx->debug = false;
+     } else {
+         ctx->debug = true;
+-        PLUGIN_DEBUG(("sssd_krb5_locator_init called\n"));
++        PLUGIN_DEBUG("sssd_krb5_locator_init called\n");
+     }
+ 
+     dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE);
+@@ -409,7 +409,7 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
+         ctx->disabled = false;
+     } else {
+         ctx->disabled = true;
+-        PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n"));
++        PLUGIN_DEBUG("SSSD KRB5 locator plugin is disabled.\n");
+     }
+ 
+     *private_data = ctx;
+@@ -424,7 +424,7 @@ void sssd_krb5_locator_close(void *private_data)
+     if (private_data == NULL) return;
+ 
+     ctx = (struct sssd_ctx *) private_data;
+-    PLUGIN_DEBUG(("sssd_krb5_locator_close called\n"));
++    PLUGIN_DEBUG("sssd_krb5_locator_close called\n");
+ 
+     free_addr_port_list(&(ctx->kdc_addr));
+     free_addr_port_list(&(ctx->kpasswd_addr));
+@@ -460,7 +460,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+     }
+ 
+     if (ctx->disabled) {
+-        PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n"));
++        PLUGIN_DEBUG("Plugin disabled, nothing to do.\n");
+         return KRB5_PLUGIN_NO_HANDLE;
+     }
+ 
+@@ -468,13 +468,13 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+         free(ctx->sssd_realm);
+         ctx->sssd_realm = strdup(realm);
+         if (ctx->sssd_realm == NULL) {
+-            PLUGIN_DEBUG(("strdup failed.\n"));
++            PLUGIN_DEBUG("strdup failed.\n");
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+         ret = get_krb5info(realm, ctx, locate_service_kdc);
+         if (ret != EOK) {
+-            PLUGIN_DEBUG(("get_krb5info failed.\n"));
++            PLUGIN_DEBUG("get_krb5info failed.\n");
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+@@ -482,22 +482,22 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+             svc == locate_service_master_kdc) {
+             ret = get_krb5info(realm, ctx, locate_service_kpasswd);
+             if (ret != EOK) {
+-                PLUGIN_DEBUG(("reading kpasswd address failed, "
+-                              "using kdc address.\n"));
++                PLUGIN_DEBUG("reading kpasswd address failed, "
++                             "using kdc address.\n");
+                 free_addr_port_list(&(ctx->kpasswd_addr));
+                 ret = copy_addr_port_list(ctx->kdc_addr, true,
+                                           &(ctx->kpasswd_addr));
+                 if (ret != EOK) {
+-                    PLUGIN_DEBUG(("copying address list failed.\n"));
++                    PLUGIN_DEBUG("copying address list failed.\n");
+                     return KRB5_PLUGIN_NO_HANDLE;
+                 }
+             }
+         }
+     }
+ 
+-    PLUGIN_DEBUG(("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
+-                  "locate_service[%d]\n", ctx->sssd_realm, realm, family,
+-                                          socktype, svc));
++    PLUGIN_DEBUG("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] "
++                 "locate_service[%d]\n",
++                 ctx->sssd_realm, realm, family, socktype, svc);
+ 
+     switch (svc) {
+         case locate_service_kdc:
+@@ -547,7 +547,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+         memset(port_str, 0, PORT_STR_SIZE);
+         ret = snprintf(port_str, PORT_STR_SIZE-1, "%u", port);
+         if (ret < 0 || ret >= (PORT_STR_SIZE-1)) {
+-            PLUGIN_DEBUG(("snprintf failed.\n"));
++            PLUGIN_DEBUG("snprintf failed.\n");
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+@@ -557,31 +557,31 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
+ 
+         ret = getaddrinfo(addr[c].addr, port_str, &ai_hints, &ai);
+         if (ret != 0) {
+-            PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", ret,
+-                                                            gai_strerror(ret)));
++            PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
++                         ret, gai_strerror(ret));
+             if (ret == EAI_SYSTEM) {
+-                PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n",
+-                              errno, strerror(errno)));
++                PLUGIN_DEBUG("getaddrinfo failed [%d][%s].\n",
++                             errno, strerror(errno));
+             }
+             return KRB5_PLUGIN_NO_HANDLE;
+         }
+ 
+-        PLUGIN_DEBUG(("addr[%s:%s] family[%d] socktype[%d]\n", addr[c].addr,
+-                     port_str, ai->ai_family, ai->ai_socktype));
++        PLUGIN_DEBUG("addr[%s:%s] family[%d] socktype[%d]\n",
++                     addr[c].addr, port_str, ai->ai_family, ai->ai_socktype);
+ 
+         if ((family == AF_UNSPEC || ai->ai_family == family) &&
+             ai->ai_socktype == socktype) {
+ 
+             ret = cbfunc(cbdata, socktype, ai->ai_addr);
+             if (ret != 0) {
+-                PLUGIN_DEBUG(("cbfunc failed\n"));
++                PLUGIN_DEBUG("cbfunc failed\n");
+                 freeaddrinfo(ai);
+                 return ret;
+             } else {
+-                PLUGIN_DEBUG(("[%s] used\n", addr[c].addr));
++                PLUGIN_DEBUG("[%s] used\n", addr[c].addr);
+             }
+         } else {
+-            PLUGIN_DEBUG(("[%s] NOT used\n", addr[c].addr));
++            PLUGIN_DEBUG("[%s] NOT used\n", addr[c].addr);
+         }
+         freeaddrinfo(ai);
+     }
+-- 
+2.9.5
+

0004-krb5_locator-Fix-typo-in-debug-message.patch

@@ -0,0 +1,29 @@
+From f748abb7b773a09c7be279b42774a5692fcb1fbb Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:50:12 +0200
+Subject: [PATCH 4/7] krb5_locator: Fix typo in debug message
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 09dc1d9dc10780d126d477c394ae2ef4c0d0cff3)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 61fee6b..acb20f2 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
++++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -323,7 +323,7 @@ static int get_krb5info(const char *realm, struct sssd_ctx *ctx,
+ 
+     krb5info_name = calloc(1, len + 1);
+     if (krb5info_name == NULL) {
+-        PLUGIN_DEBUG("malloc failed.\n");
++        PLUGIN_DEBUG("calloc failed.\n");
+         return ENOMEM;
+     }
+ 
+-- 
+2.9.5
+

0005-krb5_locator-Fix-formatting-of-the-variable-port.patch

@@ -0,0 +1,29 @@
+From 5c90d3a2890eb121ff6cb5e972b69bb118cbac39 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Sat, 21 Jul 2018 23:50:11 +0200
+Subject: [PATCH 5/7] krb5_locator: Fix formatting of the variable port
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit aefdf70351d01d1dcfe3ebb2769fbd3bb1bd0441)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index acb20f2..4b0b6a1 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
++++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -270,7 +270,7 @@ static int buf_to_addr_port_list(struct sssd_ctx *ctx,
+             addr_str++;
+         }
+ 
+-        PLUGIN_DEBUG("Found [%s][%d].\n", addr_str, port);
++        PLUGIN_DEBUG("Found [%s][%ld].\n", addr_str, port);
+ 
+         l[c].addr = strdup(addr_str);
+         if (l[c].addr == NULL) {
+-- 
+2.9.5
+

0006-krb5_locator-Use-format-string-checking-for-debug-fu.patch

@@ -0,0 +1,31 @@
+From d5f87b392f8cefbf37674f410087c8cbe4a50dcd Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Thu, 19 Jul 2018 09:53:13 +0200
+Subject: [PATCH 6/7] krb5_locator: Use format string checking for debug
+ function
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3786
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 9680ac9ce20511b3f34dc1c8635d0c4435006ce3)
+---
+ src/krb5_plugin/sssd_krb5_locator_plugin.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+index 4b0b6a1..720878e 100644
+--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
++++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
+@@ -82,6 +82,9 @@ struct sssd_ctx {
+     bool disabled;
+ };
+ 
++#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
++__attribute__((format(printf, 1, 2)))
++#endif
+ static void plugin_debug_fn(const char *format, ...)
+ {
+     va_list ap;
+-- 
+2.9.5
+

0007-PAM-Allow-to-configure-pam-services-for-Smartcards.patch

@@ -0,0 +1,363 @@
+From 9f5fbbdac3658f5f1695fbf3cf89544b4b578b92 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Wed, 20 Jan 2016 13:15:11 +0100
+Subject: [PATCH 7/7] PAM: Allow to configure pam services for Smartcards
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2926
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3799
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 93caaf294cfd85b4e0d7faa2fc5c2298d6b13020)
+---
+ src/confdb/confdb.h                  |   1 +
+ src/config/SSSDConfig/__init__.py.in |   1 +
+ src/config/cfg_rules.ini             |   1 +
+ src/config/etc/sssd.api.conf         |   1 +
+ src/man/sssd.conf.5.xml              |  76 +++++++++++++++-
+ src/responder/pam/pamsrv.h           |   1 +
+ src/responder/pam/pamsrv_p11.c       | 164 +++++++++++++++++++++++++++++++++--
+ 7 files changed, 237 insertions(+), 8 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 8af625f..700ab76 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -131,6 +131,7 @@
+ #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
+ #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+ #define CONFDB_PAM_APP_SERVICES "pam_app_services"
++#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
+ 
+ /* SUDO */
+ #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 32b74e4..2846ea2 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -103,6 +103,7 @@ option_strings = {
+     'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),
+     'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
+     'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
++    'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
+ 
+     # [sudo]
+     'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 5513227..c18fcbd 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -126,6 +126,7 @@ option = pam_cert_auth
+ option = pam_cert_db_path
+ option = p11_child_timeout
+ option = pam_app_services
++option = pam_p11_allowed_services
+ 
+ [rule/allowed_sudo_options]
+ validator = ini_allowed_options
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index 2be2e3e..7156142 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false
+ pam_cert_db_path = str, None, false
+ p11_child_timeout = int, None, false
+ pam_app_services = str, None, false
++pam_p11_allowed_services = str, None, false
+ 
+ [sudo]
+ # sudo service
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index ed3c100..881ffc6 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -1389,7 +1389,81 @@ pam_account_locked_message = Account locked, please contact help desk.
+                         </para>
+                     </listitem>
+                 </varlistentry>
+-
++                <varlistentry>
++                    <term>pam_p11_allowed_services (integer)</term>
++                    <listitem>
++                        <para>
++                            A comma-separated list of PAM service names for
++                            which it will be allowed to use Smartcards.
++                        </para>
++                        <para>
++                            It is possible to add another PAM service name to
++                            the default set by using
++                            <quote>+service_name</quote> or to explicitly
++                            remove a PAM service name from the default set by
++                            using <quote>-service_name</quote>. For example,
++                            in order to replace a default PAM service name for
++                            authentication with Smartcards
++                            (e.g. <quote>login</quote>) with a custom PAM
++                            service name (e.g. <quote>my_pam_service</quote>),
++                            you would use the following configuration:
++                            <programlisting>
++pam_p11_allowed_services = +my_pam_service, -login
++                            </programlisting>
++                        </para>
++                        <para>
++                            Default: the default set of PAM service names
++                            includes:
++                            <itemizedlist>
++                                <listitem>
++                                    <para>
++                                        login
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        su
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        su-l
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        gdm-smartcard
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        gdm-password
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        kdm
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        sudo
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        sudo-i
++                                    </para>
++                                </listitem>
++                                <listitem>
++                                    <para>
++                                        gnome-screensaver
++                                    </para>
++                                </listitem>
++                            </itemizedlist>
++                        </para>
++                    </listitem>
++                </varlistentry>
+             </variablelist>
+         </refsect2>
+ 
+diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
+index dfd9821..3325d9b 100644
+--- a/src/responder/pam/pamsrv.h
++++ b/src/responder/pam/pamsrv.h
+@@ -51,6 +51,7 @@ struct pam_ctx {
+     int p11_child_debug_fd;
+     char *nss_db;
+     struct sss_certmap_ctx *sss_certmap_ctx;
++    char **smartcard_services;
+ };
+ 
+ struct pam_auth_dp_req {
+diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
+index 0b6a162..ddb2def 100644
+--- a/src/responder/pam/pamsrv_p11.c
++++ b/src/responder/pam/pamsrv_p11.c
+@@ -224,12 +224,148 @@ errno_t p11_child_init(struct pam_ctx *pctx)
+     return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd);
+ }
+ 
++static inline bool
++service_in_list(char **list, size_t nlist, const char *str)
++{
++    size_t i;
++
++    for (i = 0; i < nlist; i++) {
++        if (strcasecmp(list[i], str) == 0) {
++            break;
++        }
++    }
++
++    return (i < nlist) ? true : false;
++}
++
++static errno_t get_sc_services(TALLOC_CTX *mem_ctx, struct pam_ctx *pctx,
++                               char ***_sc_list)
++{
++    TALLOC_CTX *tmp_ctx;
++    errno_t ret;
++    char *conf_str;
++    char **conf_list;
++    int conf_list_size;
++    char **add_list;
++    char **remove_list;
++    int ai = 0;
++    int ri = 0;
++    int j = 0;
++    char **sc_list;
++    int expected_sc_list_size;
++
++    const char *default_sc_services[] = {
++        "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm", "sudo",
++        "sudo-i", "gnome-screensaver", NULL,
++    };
++    const int default_sc_services_size =
++        sizeof(default_sc_services) / sizeof(default_sc_services[0]);
++
++    tmp_ctx = talloc_new(mem_ctx);
++    if (tmp_ctx == NULL) {
++        return ENOMEM;
++    }
++
++    ret = confdb_get_string(pctx->rctx->cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
++                            CONFDB_PAM_P11_ALLOWED_SERVICES, NULL,
++                            &conf_str);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "confdb_get_string failed %d [%s]\n", ret, sss_strerror(ret));
++        goto done;
++    }
++
++    if (conf_str != NULL) {
++        ret = split_on_separator(tmp_ctx, conf_str, ',', true, true,
++                                 &conf_list, &conf_list_size);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_CRIT_FAILURE,
++                  "Cannot parse list of service names '%s': %d [%s]\n",
++                  conf_str, ret, sss_strerror(ret));
++            goto done;
++        }
++    } else {
++        conf_list = talloc_zero_array(tmp_ctx, char *, 1);
++        conf_list_size = 0;
++    }
++
++    add_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
++    remove_list = talloc_zero_array(tmp_ctx, char *, conf_list_size + 1);
++
++    if (add_list == NULL || remove_list == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    for (int i = 0; conf_list[i] != NULL; ++i) {
++        switch (conf_list[i][0]) {
++        case '+':
++            add_list[ai] = conf_list[i] + 1;
++            ++ai;
++            break;
++        case '-':
++            remove_list[ri] = conf_list[i] + 1;
++            ++ri;
++            break;
++        default:
++            DEBUG(SSSDBG_OP_FAILURE,
++                  "The option "CONFDB_PAM_P11_ALLOWED_SERVICES" must start"
++                  "with either '+' (for adding service) or '-' (for "
++                  "removing service) got '%s'\n", conf_list[i]);
++            ret = EINVAL;
++            goto done;
++        }
++    }
++
++    expected_sc_list_size = default_sc_services_size + ai + 1;
++
++    sc_list = talloc_zero_array(tmp_ctx, char *, expected_sc_list_size);
++    if (sc_list == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
++    for (int i = 0; add_list[i] != NULL; ++i) {
++        if (service_in_list(remove_list, ri, add_list[i])) {
++            continue;
++        }
++
++        sc_list[j] = talloc_strdup(sc_list, add_list[i]);
++        if (sc_list[j] == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++        ++j;
++    }
++
++    for (int i = 0; default_sc_services[i] != NULL; ++i) {
++        if (service_in_list(remove_list, ri, default_sc_services[i])) {
++            continue;
++        }
++
++        sc_list[j] = talloc_strdup(sc_list, default_sc_services[i]);
++        if (sc_list[j] == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++        ++j;
++    }
++
++    if (_sc_list != NULL) {
++        *_sc_list = talloc_steal(mem_ctx, sc_list);
++    }
++
++done:
++    talloc_zfree(tmp_ctx);
++
++    return ret;
++}
++
+ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
+ {
+     size_t c;
+-    const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
+-                                  "gdm-password", "kdm", "sudo", "sudo-i",
+-                                  "gnome-screensaver", NULL };
++    errno_t ret;
++
+     if (!pctx->cert_auth) {
+         return false;
+     }
+@@ -244,16 +380,30 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
+         return false;
+     }
+ 
+-    /* TODO: make services configurable */
+     if (pd->service == NULL || *pd->service == '\0') {
+         return false;
+     }
+-    for (c = 0; sc_services[c] != NULL; c++) {
+-        if (strcmp(pd->service, sc_services[c]) == 0) {
++
++    /* Initialize smartcard allowed services just once */
++    if (pctx->smartcard_services == NULL) {
++        ret = get_sc_services(pctx, pctx, &pctx->smartcard_services);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_CRIT_FAILURE,
++                  "Failed to get p11 allowed services %d[%s]",
++                  ret, sss_strerror(ret));
++            sss_log(SSS_LOG_ERR,
++                    "Failed to evaluate pam_p11_allowed_services option, "
++                    "please check for typos in the SSSD configuration");
++            return false;
++        }
++    }
++
++    for (c = 0; pctx->smartcard_services[c] != NULL; c++) {
++        if (strcmp(pd->service, pctx->smartcard_services[c]) == 0) {
+             break;
+         }
+     }
+-    if  (sc_services[c] == NULL) {
++    if (pctx->smartcard_services[c] == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Smartcard authentication for service [%s] not supported.\n",
+               pd->service);
+-- 
+2.9.5
+

0502-SYSTEMD-Use-capabilities.patch

@@ -0,0 +1,25 @@
+From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
+Date: Mon, 12 Dec 2016 21:56:16 +0100
+Subject: [PATCH] SYSTEMD: Use capabilities
+
+copied from selinux policy
+---
+ src/sysv/systemd/sssd.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
+ Type=notify
+ NotifyAccess=main
+ PIDFile=@localstatedir@/run/sssd.pid
++CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+ 
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.15.1
+

0503-Disable-stopping-idle-socket-activated-responders.patch

@@ -0,0 +1,39 @@
+From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@fedoraproject.org>
+Date: Fri, 3 Nov 2017 16:18:14 +0100
+Subject: [PATCH] Disable stopping idle socket activated responders
+
+---
+ src/confdb/confdb.h     | 2 +-
+ src/man/sssd.conf.5.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -85,7 +85,7 @@
+ /* Responders */
+ #define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
+ #define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
+-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
++#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
+ #define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
+ #define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
+ #define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -706,7 +706,7 @@
+                             or dbus activated.
+                         </para>
+                         <para>
+-                            Default: 300
++                            Default: 0
+                         </para>
+                     </listitem>
+                 </varlistentry>
+-- 
+2.14.3
+

1000-SYSDB-Prepend-cached-hash-with-the-salt-identifier-i.patch

@@ -0,0 +1,44 @@
+From ae98cc4985bd3a19bbcadb5c4b77c5e01819e8ac Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 21 Aug 2018 13:59:33 +0200
+Subject: [PATCH] SYSDB: Prepend cached hash with the salt identifier if it's
+ not there
+
+This is a downstream-only patch for
+https://bugzilla.redhat.com/show_bug.cgi?id=1561105#c13
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/db/sysdb_ops.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index df0fb83c5546809a2d643e2e585153ad61a6a334..3a7e8fed507e9d96301f97112f9230e031cb5896 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -4516,6 +4516,7 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
+     time_t expire_date = -1;
+     time_t delayed_until = -1;
+     int ret;
++    const char *salt_prefix = "$6$";
+ 
+     if (name == NULL || *name == '\0') {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Missing user name.\n");
+@@ -4601,6 +4602,14 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
+         goto done;
+     }
+ 
++    if (strncmp(userhash, salt_prefix, strlen(salt_prefix)) != 0) {
++        userhash = talloc_asprintf(tmp_ctx, "%s%s", salt_prefix, userhash);
++        if (userhash == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++    }
++
+     ret = s3crypt_sha512(tmp_ctx, password, userhash, &comphash);
+     if (ret) {
+         DEBUG(SSSDBG_CONF_SETTINGS, "Failed to create password hash.\n");
+-- 
+2.14.4
+

sources

@@ -1 +1 @@
-SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55
+SHA512 (sssd-1.16.3.tar.gz) = 6165923f652f624bbe3ddc625ae682c4867eb7a20652d0cf74bbb8dda2307c917d3189ede26fd21a4fb5fd5926149271a65fa09f3affe928029ed99e6422b728