[sssd] Fix regressions and bugs in sssd upstream 1.12.2

Lukas Slebodnik lslebodn at fedoraproject.org
Wed Dec 17 21:57:36 UTC 2014


commit ebb3a9f2b4fa79629b5dffa3dec2aaa1895d7adc
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Wed Dec 17 22:45:11 2014 +0100

    Fix regressions and bugs in sssd upstream 1.12.2
    
    - https://fedorahosted.org/sssd/ticket/{id}
    - Regressions: #2471, #2475, #2483, #2487, #2529, #2535
    - Bugs: #2287, #2445

 0005-GPO-Terminate-request-on-error.patch          |   31 +++
 0006-nss-group-enumeration-fix.patch               |   36 +++
 ...ail-the-request-when-BE-doesn-t-find-the-.patch |   53 +++++
 ...-use-ipaUserGroup-object-class-for-groups.patch |   35 +++
 ...AM-Remove-authtok-from-PAM-stack-with-OTP.patch |   87 +++++++
 ...-LDAP-Remove-unused-option-ldap_user_uuid.patch |  176 ++++++++++++++
 ...LDAP-Remove-unused-option-ldap_group_uuid.patch |  176 ++++++++++++++
 0012-Fix-uuid-defaults.patch                       |  102 ++++++++
 ...-Change-defaults-for-ldap_user-group_obje.patch |   88 +++++++
 0014-LDAP-Disable-token-groups-by-default.patch    |   55 +++++
 ...Extract-destroying-of-mmap-cache-to-funct.patch |   72 ++++++
 ...client-Fix-race-condition-in-memory-cache.patch |  243 ++++++++++++++++++++
 ...ng-parameter-type-in-sss_parse_name_check.patch |   32 +++
 ...l-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch |   88 +++++++
 ..._get_domain_name-regex-mismatch-not-fatal.patch |   41 ++++
 ...SBUS-Initialize-DBusError-before-using-it.patch |   32 +++
 ...e-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch |   54 +++++
 ...dle-IPA-groups-returned-from-extop-plugin.patch |   37 +++
 ...group-memberships-of-trusted-domain-users.patch |  215 +++++++++++++++++
 ...erly-handle-groups-from-different-domains.patch |   51 ++++
 ...-IPA-do-not-try-to-add-override-gid-twice.patch |   42 ++++
 ...-GID-overrides-for-MPG-domains-on-clients.patch |   62 +++++
 sssd.spec                                          |   30 +++-
 23 files changed, 1837 insertions(+), 1 deletions(-)
---
diff --git a/0005-GPO-Terminate-request-on-error.patch b/0005-GPO-Terminate-request-on-error.patch
new file mode 100644
index 0000000..98284a2
--- /dev/null
+++ b/0005-GPO-Terminate-request-on-error.patch
@@ -0,0 +1,31 @@
+From 08f261acfa442e38ff3d803b2ddeaa2f848b5fb8 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Tue, 21 Oct 2014 16:18:02 +0200
+Subject: [PATCH 05/26] GPO: Terminate request on error
+
+Reviewed-by: Pavel Reichl <preichl at redhat.com>
+---
+ src/providers/ad/ad_gpo.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 3f5df75c5a9de53eac11ffcf785e929cf9b3165e..4dfbd4b6943b477bd93fdd730dfa5b1c5828a10a 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -3954,11 +3954,13 @@ static void gpo_cse_done(struct tevent_req *subreq)
+               "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n",
+               ret, strerror(ret));
+         tevent_req_error(req, ret);
++        return;
+     } else if (child_result != 0){
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Error in gpo_child: [%d][%s]\n",
+               child_result, strerror(child_result));
+         tevent_req_error(req, child_result);
++        return;
+     }
+ 
+     now = time(NULL);
+-- 
+2.1.0
+
diff --git a/0006-nss-group-enumeration-fix.patch b/0006-nss-group-enumeration-fix.patch
new file mode 100644
index 0000000..70967df
--- /dev/null
+++ b/0006-nss-group-enumeration-fix.patch
@@ -0,0 +1,36 @@
+From e0f1b42c6b51d10b52749cdc2e1f018762f6004c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Fri, 24 Oct 2014 11:28:54 +0200
+Subject: [PATCH 06/26] nss: group enumeration fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The view/override patches introduced and issue with group enumeration
+where all groups are returned with the same name. This patch should fix
+it.
+
+Fixes: https://fedorahosted.org/sssd/ticket/2475
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/responder/nss/nsssrv_cmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
+index 616f83dda58b11bb7b715e1eb6a2c43e91d2d9da..351ba671b980c589c875876116ed617c039d6000 100644
+--- a/src/responder/nss/nsssrv_cmd.c
++++ b/src/responder/nss/nsssrv_cmd.c
+@@ -2662,6 +2662,9 @@ static int fill_grent(struct sss_packet *packet,
+         rsize = 0;
+ 
+         /* find group name/gid */
++
++        /* start with an empty name for each iteration */
++        orig_name = NULL;
+         if (DOM_HAS_VIEWS(dom)) {
+             orig_name = ldb_msg_find_attr_as_string(msg,
+                                                     OVERRIDE_PREFIX SYSDB_NAME,
+-- 
+2.1.0
+
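Review bot: The new reset is placed between the existing `/* find group name/gid */` comment and the `if (DOM_HAS_VIEWS(dom))` lookup it describes, with a blank line separating the old comment from its code, so the old comment now reads as a heading for the reset instead of the lookup. Move `orig_name = NULL;` and its comment above `/* find group name/gid */`, or fold them into one comment such as `/* find group name/gid; start from an empty name so a group without an override does not inherit the previous iteration's */`. The reset itself looks right for the symptom the commit describes, presumably because orig_name was only assigned inside the views branch; fill_grent's loop body continues outside the hunk.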
diff --git a/0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch b/0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch
new file mode 100644
index 0000000..3c6bc04
--- /dev/null
+++ b/0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch
@@ -0,0 +1,53 @@
+From 38b81775a27ce2f8a97aaaa18952263d83ad60f9 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Wed, 29 Oct 2014 20:30:20 +0100
+Subject: [PATCH 07/26] IPA: Don't fail the request when BE doesn't find the
+ object
+
+The IPA subdomain code treated ENOENT as a fatal error, which resulted
+in a loud error message and the whole request being aborted. This patch
+ignores ENOENT.
+
+Reviewed-by: Pavel Reichl <preichl at redhat.com>
+---
+ src/providers/ipa/ipa_subdomains_id.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index b67006ce6e0b4bf9c794016c1dfc923ac6da3624..0a1c4c17eed37b2eb12a8c758e49fc17c3b642b5 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -942,7 +942,7 @@ static errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
+         goto done;
+     }
+ 
+-    if (ret != EOK) {
++    if (ret != EOK && ret != ENOENT) {
+         DEBUG(SSSDBG_OP_FAILURE,
+               "Failed to make request to our cache: [%d]: [%s]\n",
+                ret, sss_strerror(ret));
+@@ -951,8 +951,6 @@ static errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
+ 
+     *_msg = msg;
+ 
+-    ret = EOK;
+-
+ done:
+     return ret;
+ }
+@@ -978,7 +976,11 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
+ 
+     ret = get_object_from_cache(state, state->user_dom, state->ar,
+                                 &state->obj_msg);
+-    if (ret != EOK) {
++    if (ret == ENOENT) {
++        DEBUG(SSSDBG_MINOR_FAILURE, "Object not found, ending request\n");
++        tevent_req_done(req);
++        return;
++    } else if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
+         goto fail;
+     }
+-- 
+2.1.0
+
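Review bot: On the ENOENT path get_object_from_cache now falls through to `*_msg = msg;` before returning ENOENT, so the caller's state->obj_msg receives whatever msg holds at that point; whether that is NULL depends on the lookup code above the hunk, which is not visible here. Making the contract explicit avoids depending on it: `if (ret == ENOENT) { *_msg = NULL; goto done; }` ahead of the assignment, or a comment on the function stating that `*_msg` is only valid when EOK is returned. In ipa_get_ad_acct_ad_part_done the request now completes with tevent_req_done on a missing object, so the recv side must tolerate an empty obj_msg; a one-line comment at the `tevent_req_done(req);` saying `/* not an error: the recv side sees no object */` would make that visible to the next reader. Both functions extend beyond the hunk.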
diff --git a/0008-IPA-use-ipaUserGroup-object-class-for-groups.patch b/0008-IPA-use-ipaUserGroup-object-class-for-groups.patch
new file mode 100644
index 0000000..d018fab
--- /dev/null
+++ b/0008-IPA-use-ipaUserGroup-object-class-for-groups.patch
@@ -0,0 +1,35 @@
+From c5228b2d19709d284d1f82204184d98de86643af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina at redhat.com>
+Date: Fri, 31 Oct 2014 14:26:30 +0100
+Subject: [PATCH 08/26] IPA: use ipaUserGroup object class for groups
+
+dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class
+of IPA groups from posixGroups to more general groupOfNames.
+However, this object class is used also for roles, permissions and
+privileges which caused SSSD to consider those objects to be groups as
+well during initgroups.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2471
+
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+---
+ src/providers/ipa/ipa_opts.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
+index 4785e0164bf6d9efb574a8703b573f4e8086cab6..0e0eed49cd397fe88ce7bf41579c066088947d04 100644
+--- a/src/providers/ipa/ipa_opts.h
++++ b/src/providers/ipa/ipa_opts.h
+@@ -205,7 +205,7 @@ struct sdap_attr_map ipa_user_map[] = {
+ };
+ 
+ struct sdap_attr_map ipa_group_map[] = {
+-    { "ldap_group_object_class", "groupOfNames", SYSDB_GROUP_CLASS, NULL },
++    { "ldap_group_object_class", "ipaUserGroup", SYSDB_GROUP_CLASS, NULL },
+     { "ldap_group_object_class_alt", "posixGroup", SYSDB_GROUP_CLASS, NULL },
+     { "ldap_group_name", "cn", SYSDB_NAME, NULL },
+     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
+-- 
+2.1.0
+
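Review bot: The reason for the narrower object class is only in the commit message, not next to the table entry that a future reader will change; a comment on the ipa_group_map line such as `/* not groupOfNames: roles, permissions and privileges share that class and must not be treated as groups during initgroups */` keeps the constraint with the code. The patch only touches ipa_opts.h; if the IPA man page or the config API defaults document the group object class default, they would need the same change, which is not visible here. `ldap_group_object_class_alt` keeps matching posixGroup, so this narrows only the primary class.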
diff --git a/0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch b/0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch
new file mode 100644
index 0000000..43cd8cc
--- /dev/null
+++ b/0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch
@@ -0,0 +1,87 @@
+From 0c58361481982fd356e2282c2640ee55bdf60abb Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Mon, 20 Oct 2014 22:21:25 +0200
+Subject: [PATCH 09/26] PAM: Remove authtok from PAM stack with OTP
+
+We remove the password from the PAM stack when OTP is used to make sure
+that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
+and have to request a password on their own.
+
+Resolves:
+    https://fedorahosted.org/sssd/ticket/2287
+
+Reviewed-by: Nathaniel McCallum <npmccallum at redhat.com>
+---
+ src/providers/krb5/krb5_auth.c | 14 ++++++++++++++
+ src/sss_client/pam_sss.c       | 16 +++++++++++++++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index f539d5068ec29f7b06f734a3417864b43122b1b7..c96b7aee99da8c3d43a67a04bb1f67ee048d4705 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq)
+         krb5_auth_store_creds(state->domain, pd);
+     }
+ 
++    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
++        uint32_t otp_flag = 1;
++        ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
++                               (const uint8_t *) &otp_flag);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_CRIT_FAILURE,
++                  "pam_add_response failed: %d (%s).\n",
++                  ret, sss_strerror(ret));
++            state->pam_status = PAM_SYSTEM_ERR;
++            state->dp_err = DP_ERR_OK;
++            goto done;
++        }
++    }
++
+     state->pam_status = PAM_SUCCESS;
+     state->dp_err = DP_ERR_OK;
+     ret = EOK;
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index abe9b05478cbf480b3430dccd1951e9bfb0e29c1..d64e826daeb80be8998ef3b410047e3a44051b07 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -206,7 +206,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str,
+     return rp;
+ }
+ 
+-static void overwrite_and_free_pam_items(struct pam_items *pi)
++static void overwrite_and_free_authtoks(struct pam_items *pi)
+ {
+     if (pi->pam_authtok != NULL) {
+         _pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size);
+@@ -222,6 +222,11 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
+ 
+     pi->pamstack_authtok = NULL;
+     pi->pamstack_oldauthtok = NULL;
++}
++
++static void overwrite_and_free_pam_items(struct pam_items *pi)
++{
++    overwrite_and_free_authtoks(pi);
+ 
+     free(pi->domain_name);
+     pi->domain_name = NULL;
+@@ -998,6 +1003,15 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
+                     D(("do_pam_conversation failed."));
+                 }
+                 break;
++            case SSS_OTP:
++                D(("OTP was used, removing authtokens."));
++                overwrite_and_free_authtoks(pi);
++                ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
++                if (ret != PAM_SUCCESS) {
++                    D(("Failed to remove PAM_AUTHTOK after using otp [%s]",
++                       pam_strerror(pamh,ret)));
++                }
++                break;
+             default:
+                 D(("Unknown response type [%d]", type));
+         }
+-- 
+2.1.0
+
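Review bot: In the SSS_OTP case a failed `pam_set_item(pamh, PAM_AUTHTOK, NULL)` is reported only through D(), which is a debug-build trace, and eval_response carries on; the password then stays on the PAM stack for later modules, which is exactly what this change is meant to prevent, yet an administrator gets no indication. If the file's logger() helper is available here, report it at error level as well, e.g. `logger(pamh, LOG_ERR, "Failed to remove PAM_AUTHTOK after using otp [%s]", pam_strerror(pamh, ret));`. In krb5_auth_done `res->otp == true` compares a bool against true; `if (res->otp && pd->cmd == SSS_PAM_AUTHENTICATE)` is the usual form. The new overwrite_and_free_authtoks has no comment distinguishing it from overwrite_and_free_pam_items; `/* Scrub and release only the auth tokens; the rest of pi stays valid. */` would do. eval_response and krb5_auth_done both continue outside the hunk.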
diff --git a/0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch b/0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch
new file mode 100644
index 0000000..1311370
--- /dev/null
+++ b/0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch
@@ -0,0 +1,176 @@
+From e7cffa789d0d41dfbd2f919406217396d004388d Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Wed, 5 Nov 2014 17:35:45 +0100
+Subject: [PATCH 10/26] Revert "LDAP: Remove unused option ldap_user_uuid"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/config/SSSDConfig/__init__.py.in         |  1 +
+ src/config/SSSDConfig/sssd_upgrade_config.py |  1 +
+ src/config/etc/sssd.api.d/sssd-ad.conf       |  1 +
+ src/config/etc/sssd.api.d/sssd-ipa.conf      |  1 +
+ src/config/etc/sssd.api.d/sssd-ldap.conf     |  1 +
+ src/man/sssd-ldap.5.xml                      | 13 +++++++++++++
+ src/providers/ad/ad_opts.h                   |  1 +
+ src/providers/ipa/ipa_opts.h                 |  1 +
+ src/providers/ldap/ldap_opts.h               |  4 ++++
+ src/providers/ldap/sdap.h                    |  1 +
+ 10 files changed, 25 insertions(+)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 6c95530868d7c078ccf13622f3ba916392b0c732..769a29005c5fa392bcee3e746e7583d2f4ee05f0 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -271,6 +271,7 @@ option_strings = {
+     'ldap_user_gecos' : _('GECOS attribute'),
+     'ldap_user_home_directory' : _('Home directory attribute'),
+     'ldap_user_shell' : _('Shell attribute'),
++    'ldap_user_uuid' : _('UUID attribute'),
+     'ldap_user_objectsid' : _("objectSID attribute"),
+     'ldap_user_primary_group' : _('Active Directory primary group attribute for ID-mapping'),
+     'ldap_user_principal' : _('User principal attribute (for Kerberos)'),
+diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py
+index 3d9f788c3b4707a8b6e8958d11d5068437d31156..97be6543f8f86eb0189843003f675d2efcfcc8a5 100644
+--- a/src/config/SSSDConfig/sssd_upgrade_config.py
++++ b/src/config/SSSDConfig/sssd_upgrade_config.py
+@@ -170,6 +170,7 @@ class SSSDConfigFile(SSSDChangeConf):
+                     'ldap_user_gecos' : 'userGecos',
+                     'ldap_user_home_directory' : 'userHomeDirectory',
+                     'ldap_user_shell' : 'userShell',
++                    'ldap_user_uuid' : 'userUUID',
+                     'ldap_user_principal' : 'userPrincipal',
+                     'ldap_force_upper_case_realm' : 'force_upper_case_realm',
+                     'ldap_user_fullname' : 'userFullname',
+diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
+index 5dd4fb43526849e6b74fbe7cd354afda9af695b0..f8b200eaaf2f1b2ee17214faf2df70b14a2ec93c 100644
+--- a/src/config/etc/sssd.api.d/sssd-ad.conf
++++ b/src/config/etc/sssd.api.d/sssd-ad.conf
+@@ -72,6 +72,7 @@ ldap_user_gid_number = str, None, false
+ ldap_user_gecos = str, None, false
+ ldap_user_home_directory = str, None, false
+ ldap_user_shell = str, None, false
++ldap_user_uuid = str, None, false
+ ldap_user_objectsid = str, None, false
+ ldap_user_primary_group = str, None, false
+ ldap_user_principal = str, None, false
+diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
+index 8713385fc2b6d3b03b75cd5c6557968fdcdad892..91dc9ec9d158758be32f8a3eb5d36be2446fc254 100644
+--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
++++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
+@@ -69,6 +69,7 @@ ldap_user_gid_number = str, None, false
+ ldap_user_gecos = str, None, false
+ ldap_user_home_directory = str, None, false
+ ldap_user_shell = str, None, false
++ldap_user_uuid = str, None, false
+ ldap_user_objectsid = str, None, false
+ ldap_user_primary_group = str, None, false
+ ldap_user_principal = str, None, false
+diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
+index 29276bfd74b9fcc67042a138006959896c34fbae..68d5b4953a07398b159f3374ccba7380a642d818 100644
+--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
++++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
+@@ -56,6 +56,7 @@ ldap_user_gid_number = str, None, false
+ ldap_user_gecos = str, None, false
+ ldap_user_home_directory = str, None, false
+ ldap_user_shell = str, None, false
++ldap_user_uuid = str, None, false
+ ldap_user_objectsid = str, None, false
+ ldap_user_primary_group = str, None, false
+ ldap_user_principal = str, None, false
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index a21ffc12986c4af10f4c0a5950eb43b88dac9d47..a8416d44dfc19c11091c54d847dc27eb66b431f7 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -338,6 +338,19 @@
+                 </varlistentry>
+ 
+                 <varlistentry>
++                    <term>ldap_user_uuid (string)</term>
++                    <listitem>
++                        <para>
++                            The LDAP attribute that contains the UUID/GUID of
++                            an LDAP user object.
++                        </para>
++                        <para>
++                            Default: nsUniqueId
++                        </para>
++                    </listitem>
++                </varlistentry>
++
++                <varlistentry>
+                     <term>ldap_user_objectsid (string)</term>
+                     <listitem>
+                         <para>
+diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
+index 452516cd24aba4dfbf74376767deb8f5f487253d..ee70b3c4b71b87ab31ac07310a448d7960f8e9a8 100644
+--- a/src/providers/ad/ad_opts.h
++++ b/src/providers/ad/ad_opts.h
+@@ -187,6 +187,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
+     { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
+     { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
++    { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
+     { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
+diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
+index 0e0eed49cd397fe88ce7bf41579c066088947d04..7ecf0ff218aa1767976ccc624d7d9bc2dd96cd41 100644
+--- a/src/providers/ipa/ipa_opts.h
++++ b/src/providers/ipa/ipa_opts.h
+@@ -178,6 +178,7 @@ struct sdap_attr_map ipa_user_map[] = {
+     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
+     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
++    { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+     { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
+     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
+index 61e3309fe73e72e82ecb471d9b608db7bea1d2e6..2e937412635e16b4bc541c59055b1c4e7896f045 100644
+--- a/src/providers/ldap/ldap_opts.h
++++ b/src/providers/ldap/ldap_opts.h
+@@ -155,6 +155,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
+     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
+     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
++    { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
+     { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+@@ -207,6 +208,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
+     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
+     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
++    /* FIXME: this is 389ds specific */
++    { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+     { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+@@ -259,6 +262,7 @@ struct sdap_attr_map gen_ad2008r2_user_map[] = {
+     { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
+     { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
++    { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
+     { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index e9e23561c4c74d3b33ebe35aab86fc257bde6237..906fd74090509802909b300d26234f96d324a769 100644
+--- a/src/providers/ldap/sdap.h
++++ b/src/providers/ldap/sdap.h
+@@ -256,6 +256,7 @@ enum sdap_user_attrs {
+     SDAP_AT_USER_PRINC,
+     SDAP_AT_USER_FULLNAME,
+     SDAP_AT_USER_MEMBEROF,
++    SDAP_AT_USER_UUID,
+     SDAP_AT_USER_OBJECTSID,
+     SDAP_AT_USER_PRIMARY_GROUP,
+     SDAP_AT_USER_MODSTAMP,
+-- 
+2.1.0
+
diff --git a/0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch b/0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch
new file mode 100644
index 0000000..76bea9e
--- /dev/null
+++ b/0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch
@@ -0,0 +1,176 @@
+From b7ab4232ef04c1aa928284b4aed840f48ce4194b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Wed, 5 Nov 2014 17:38:05 +0100
+Subject: [PATCH 11/26] Revert "LDAP: Remove unused option ldap_group_uuid"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/config/SSSDConfig/__init__.py.in         |  1 +
+ src/config/SSSDConfig/sssd_upgrade_config.py |  1 +
+ src/config/etc/sssd.api.d/sssd-ad.conf       |  1 +
+ src/config/etc/sssd.api.d/sssd-ipa.conf      |  1 +
+ src/config/etc/sssd.api.d/sssd-ldap.conf     |  1 +
+ src/man/sssd-ldap.5.xml                      | 13 +++++++++++++
+ src/providers/ad/ad_opts.h                   |  1 +
+ src/providers/ipa/ipa_opts.h                 |  1 +
+ src/providers/ldap/ldap_opts.h               |  4 ++++
+ src/providers/ldap/sdap.h                    |  1 +
+ 10 files changed, 25 insertions(+)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 769a29005c5fa392bcee3e746e7583d2f4ee05f0..491112ae772d2da74da14f62ba1ff8fffb4c7778 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -308,6 +308,7 @@ option_strings = {
+     'ldap_group_pwd' : _('Group password'),
+     'ldap_group_gid_number' : _('GID attribute'),
+     'ldap_group_member' : _('Group member attribute'),
++    'ldap_group_uuid' : _('Group UUID attribute'),
+     'ldap_group_objectsid' : _("objectSID attribute"),
+     'ldap_group_modify_timestamp' : _('Modification time attribute for groups'),
+     'ldap_group_type' : _('Type of the group and other flags'),
+diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py
+index 97be6543f8f86eb0189843003f675d2efcfcc8a5..33d9fed74424a7d3ee28e888aaed724d0a8a94ff 100644
+--- a/src/config/SSSDConfig/sssd_upgrade_config.py
++++ b/src/config/SSSDConfig/sssd_upgrade_config.py
+@@ -184,6 +184,7 @@ class SSSDConfigFile(SSSDChangeConf):
+                     'ldap_group_pwd' : 'userPassword',
+                     'ldap_group_gid_number' : 'groupGidNumber',
+                     'ldap_group_member' : 'groupMember',
++                    'ldap_group_uuid' : 'groupUUID',
+                     'ldap_group_modify_timestamp' : 'modifyTimestamp',
+                     'ldap_network_timeout' : 'network_timeout',
+                     'ldap_offline_timeout' : 'offline_timeout',
+diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
+index f8b200eaaf2f1b2ee17214faf2df70b14a2ec93c..3daa2560b14d74f7686ed47cf1b09e2005eb8917 100644
+--- a/src/config/etc/sssd.api.d/sssd-ad.conf
++++ b/src/config/etc/sssd.api.d/sssd-ad.conf
+@@ -98,6 +98,7 @@ ldap_group_object_class = str, None, false
+ ldap_group_name = str, None, false
+ ldap_group_gid_number = str, None, false
+ ldap_group_member = str, None, false
++ldap_group_uuid = str, None, false
+ ldap_group_objectsid = str, None, false
+ ldap_group_modify_timestamp = str, None, false
+ ldap_group_entry_usn = str, None, false
+diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
+index 91dc9ec9d158758be32f8a3eb5d36be2446fc254..5df52581e67657e41e2f08820b885f100ccd7ca9 100644
+--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
++++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
+@@ -95,6 +95,7 @@ ldap_group_object_class = str, None, false
+ ldap_group_name = str, None, false
+ ldap_group_gid_number = str, None, false
+ ldap_group_member = str, None, false
++ldap_group_uuid = str, None, false
+ ldap_group_objectsid = str, None, false
+ ldap_group_modify_timestamp = str, None, false
+ ldap_group_entry_usn = str, None, false
+diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
+index 68d5b4953a07398b159f3374ccba7380a642d818..ba5f56f1942da552fc6ab8f82851714756683a8f 100644
+--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
++++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
+@@ -90,6 +90,7 @@ ldap_group_object_class = str, None, false
+ ldap_group_name = str, None, false
+ ldap_group_gid_number = str, None, false
+ ldap_group_member = str, None, false
++ldap_group_uuid = str, None, false
+ ldap_group_objectsid = str, None, false
+ ldap_group_modify_timestamp = str, None, false
+ ldap_group_entry_usn = str, None, false
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index a8416d44dfc19c11091c54d847dc27eb66b431f7..b8b6f2abe5bb79a055c02bd2abac72ee79266f09 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -859,6 +859,19 @@
+                 </varlistentry>
+ 
+                 <varlistentry>
++                    <term>ldap_group_uuid (string)</term>
++                    <listitem>
++                        <para>
++                            The LDAP attribute that contains the UUID/GUID of
++                            an LDAP group object.
++                        </para>
++                        <para>
++                            Default: nsUniqueId
++                        </para>
++                    </listitem>
++                </varlistentry>
++
++                <varlistentry>
+                     <term>ldap_group_objectsid (string)</term>
+                     <listitem>
+                         <para>
+diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
+index ee70b3c4b71b87ab31ac07310a448d7960f8e9a8..ac6006c9200464956ccedb17ff53050fed5fc6ea 100644
+--- a/src/providers/ad/ad_opts.h
++++ b/src/providers/ad/ad_opts.h
+@@ -221,6 +221,7 @@ struct sdap_attr_map ad_2008r2_group_map[] = {
+     { "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
++    { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
+     { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
+diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
+index 7ecf0ff218aa1767976ccc624d7d9bc2dd96cd41..890a0437ae2fa81d111dcf0eba941786b2b83a1a 100644
+--- a/src/providers/ipa/ipa_opts.h
++++ b/src/providers/ipa/ipa_opts.h
+@@ -212,6 +212,7 @@ struct sdap_attr_map ipa_group_map[] = {
+     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
++    { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+     { "ldap_group_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
+index 2e937412635e16b4bc541c59055b1c4e7896f045..096a63bd53918ba79378c01257a18e543597209a 100644
+--- a/src/providers/ldap/ldap_opts.h
++++ b/src/providers/ldap/ldap_opts.h
+@@ -189,6 +189,7 @@ struct sdap_attr_map rfc2307_group_map[] = {
+     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL },
++    { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
+     { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+@@ -243,6 +244,8 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
+     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
++    /* FIXME: this is 389ds specific */
++    { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+     { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+@@ -296,6 +299,7 @@ struct sdap_attr_map gen_ad2008r2_group_map[] = {
+     { "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
++    { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
+     { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index 906fd74090509802909b300d26234f96d324a769..aa10623a58d7d667205b09e744dc2b924ca821ed 100644
+--- a/src/providers/ldap/sdap.h
++++ b/src/providers/ldap/sdap.h
+@@ -295,6 +295,7 @@ enum sdap_group_attrs {
+     SDAP_AT_GROUP_PWD,
+     SDAP_AT_GROUP_GID,
+     SDAP_AT_GROUP_MEMBER,
++    SDAP_AT_GROUP_UUID,
+     SDAP_AT_GROUP_OBJECTSID,
+     SDAP_AT_GROUP_MODSTAMP,
+     SDAP_AT_GROUP_USN,
+-- 
+2.1.0
+
diff --git a/0012-Fix-uuid-defaults.patch b/0012-Fix-uuid-defaults.patch
new file mode 100644
index 0000000..9cd9d64
--- /dev/null
+++ b/0012-Fix-uuid-defaults.patch
@@ -0,0 +1,102 @@
+From da75b87ffc1ff98d8a3685a6ccbf00265838cf7a Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Wed, 5 Nov 2014 18:01:07 +0100
+Subject: [PATCH 12/26] Fix uuid defaults
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recently the uuid attributes for user and groups were removed because
+it was found that there are not used at all and that some of them where
+causing issues (https://fedorahosted.org/sssd/ticket/2383).
+
+The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
+to relate overrides with the original IPA objects. The previous two
+patches revert the removal of the uuid attributes from users and groups
+with this patch set the default value of these attributes to
+ipaUniqueID from the IPA provider, to objectGUID for the AD provider and
+leaves them unset for the general LDAP case to avoid issues like the one
+from ticket #2383.
+
+Related to https://fedorahosted.org/sssd/ticket/2481
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/man/sssd-ldap.5.xml        | 6 ++++--
+ src/providers/ipa/ipa_opts.h   | 4 ++--
+ src/providers/ldap/ldap_opts.h | 6 ++----
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index b8b6f2abe5bb79a055c02bd2abac72ee79266f09..aa47ed7a6dd41f7f82ea80e1deb34f9ccc894dc9 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -345,7 +345,8 @@
+                             an LDAP user object.
+                         </para>
+                         <para>
+-                            Default: nsUniqueId
++                            Default: not set in the general case, objectGUID for
++                            AD and ipaUniqueID for IPA
+                         </para>
+                     </listitem>
+                 </varlistentry>
+@@ -866,7 +867,8 @@
+                             an LDAP group object.
+                         </para>
+                         <para>
+-                            Default: nsUniqueId
++                            Default: not set in the general case, objectGUID for
++                            AD and ipaUniqueID for IPA
+                         </para>
+                     </listitem>
+                 </varlistentry>
+diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
+index 890a0437ae2fa81d111dcf0eba941786b2b83a1a..3cde1a4362c1fa81259d7764e182a9163d272577 100644
+--- a/src/providers/ipa/ipa_opts.h
++++ b/src/providers/ipa/ipa_opts.h
+@@ -178,7 +178,7 @@ struct sdap_attr_map ipa_user_map[] = {
+     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
+     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+-    { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
++    { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
+     { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
+     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+@@ -212,7 +212,7 @@ struct sdap_attr_map ipa_group_map[] = {
+     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+-    { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
++    { "ldap_group_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
+     { "ldap_group_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
+index 096a63bd53918ba79378c01257a18e543597209a..29d9faf99784bfc3526398488be837a2716ee11d 100644
+--- a/src/providers/ldap/ldap_opts.h
++++ b/src/providers/ldap/ldap_opts.h
+@@ -209,8 +209,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
+     { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
+     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+-    /* FIXME: this is 389ds specific */
+-    { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
++    { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
+     { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+@@ -244,8 +243,7 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
+     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+-    /* FIXME: this is 389ds specific */
+-    { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
++    { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
+     { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+-- 
+2.1.0
+
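Review bot: The ldap_opts.h hunks drop the `/* FIXME: this is 389ds specific */` comment but leave no explanation of why `ldap_user_uuid` and `ldap_group_uuid` now default to NULL in the rfc2307bis maps, so a future maintainer may simply put nsUniqueId back. Suggest a one-line comment above each NULL entry, e.g. `/* intentionally unset: non-standard attributes break servers that cannot dereference them, see ticket 2383 */`, mirroring the reasoning already in the commit message. The man-page wording `not set in the general case, objectGUID for AD and ipaUniqueID for IPA` matches the tables in this patch and in the IPA map hunk, so the documentation side is consistent.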
diff --git a/0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch b/0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch
new file mode 100644
index 0000000..59b8483
--- /dev/null
+++ b/0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch
@@ -0,0 +1,88 @@
+From 395daba605dd4fb4134db1a2e6883125a3d83f29 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Fri, 7 Nov 2014 13:27:53 +0100
+Subject: [PATCH 13/26] Revert "LDAP: Change defaults for
+ ldap_user/group_objectsid"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
+
+OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
+isn't in any standard objectclass on OpenLDAP server. This is a reason why
+objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
+It is the same problem as using non standard attribute "nsUniqueId"
+in ticket https://fedorahosted.org/sssd/ticket/2383
+
+Reviewed-by: Michal Židek <mzidek at redhat.com>
+---
+ src/man/sssd-ldap.5.xml        | 4 ++--
+ src/providers/ldap/ldap_opts.h | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index aa47ed7a6dd41f7f82ea80e1deb34f9ccc894dc9..815b06250e826a36ef023e8a43a8925df89d2bbf 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -360,7 +360,7 @@
+                             necessary for ActiveDirectory servers.
+                         </para>
+                         <para>
+-                            Default: ipaNTSecurityIdentifier for IPA, objectSID
++                            Default: objectSid for ActiveDirectory, not set
+                             for other servers.
+                         </para>
+                     </listitem>
+@@ -882,7 +882,7 @@
+                             necessary for ActiveDirectory servers.
+                         </para>
+                         <para>
+-                            Default: ipaNTSecurityIdentifier for IPA, objectSID
++                            Default: objectSid for ActiveDirectory, not set
+                             for other servers.
+                         </para>
+                     </listitem>
+diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
+index 29d9faf99784bfc3526398488be837a2716ee11d..dedbdac0bcf647337d4c00b1fbb82d6b46be5b54 100644
+--- a/src/providers/ldap/ldap_opts.h
++++ b/src/providers/ldap/ldap_opts.h
+@@ -156,7 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
+     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
+     { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
+-    { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
++    { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
+     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
+@@ -190,7 +190,7 @@ struct sdap_attr_map rfc2307_group_map[] = {
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL },
+     { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
+-    { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
++    { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+     { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
+@@ -210,7 +210,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
+     { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
+     { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+     { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
+-    { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
++    { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
+     { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
+     { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
+@@ -244,7 +244,7 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
+     { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+     { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+     { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
+-    { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
++    { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
+     { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+     { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
+     { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
+-- 
+2.1.0
+
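Review bot: The new man-page text in the sssd-ldap.5.xml hunk, `Default: objectSid for ActiveDirectory, not set for other servers.`, is inaccurate for the IPA provider: the ipa_opts.h maps shown in patch 0012 still set `ldap_user_objectsid` and `ldap_group_objectsid` to ipaNTSecurityIdentifier, and this revert only clears the rfc2307/rfc2307bis defaults in ldap_opts.h. Suggest `Default: objectSid for ActiveDirectory, ipaNTSecurityIdentifier for IPA, not set for other servers.` for both varlistentries so the documented default matches the shipped tables.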
diff --git a/0014-LDAP-Disable-token-groups-by-default.patch b/0014-LDAP-Disable-token-groups-by-default.patch
new file mode 100644
index 0000000..e483114
--- /dev/null
+++ b/0014-LDAP-Disable-token-groups-by-default.patch
@@ -0,0 +1,55 @@
+From c28482b2d23865e3d068e4b9fb39c363c0d18b19 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Fri, 7 Nov 2014 13:58:17 +0100
+Subject: [PATCH 14/26] LDAP: Disable token groups by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We tried to speed up processing of initgroup lookups with tokenGroups even for
+the LDAP provider (if remote server is Active Directory), but it turns out that
+there are too many corner cases that we didn't catch during development that
+break. For instance, groups from other trusted domains might appear in TG and
+the LDAP provider isn't equipped to handle them.
+
+Overall, users who wish to use the added speed benefits of tokenGroups are
+advised to use the AD provider.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2483
+
+Reviewed-by: Michal Židek <mzidek at redhat.com>
+---
+ src/man/sssd-ldap.5.xml        | 2 +-
+ src/providers/ldap/ldap_opts.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index 815b06250e826a36ef023e8a43a8925df89d2bbf..47d05a736403859325e61a9ebebe78df0601917a 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -1022,7 +1022,7 @@
+                           Active Directory Server 2008 and later.
+                         </para>
+                         <para>
+-                            Default: True
++                            Default: True for AD and IPA otherwise False.
+                         </para>
+                     </listitem>
+                 </varlistentry>
+diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
+index dedbdac0bcf647337d4c00b1fbb82d6b46be5b54..f46381e9fac7b93730ce0767154989f2e3b7ebbf 100644
+--- a/src/providers/ldap/ldap_opts.h
++++ b/src/providers/ldap/ldap_opts.h
+@@ -116,7 +116,7 @@ struct dp_option default_basic_opts[] = {
+     { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+     { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+     { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+-    { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
++    { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},
+     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+     { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+-- 
+2.1.0
+
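Review bot: The man-page hunk claims `Default: True for AD and IPA otherwise False.`, but this patch only flips the generic default in ldap_opts.h to BOOL_FALSE; whether the AD and IPA providers carry their own BOOL_TRUE default lives in option tables this patch does not touch, so that claim should be verified against them before the text is shipped. A comma also makes the sentence readable: `Default: True for AD and IPA, otherwise False.`.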
diff --git a/0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch b/0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch
new file mode 100644
index 0000000..833fbac
--- /dev/null
+++ b/0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch
@@ -0,0 +1,72 @@
+From 730dc6fc96bd1903e4fdae5c2a040034c187558d Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Fri, 21 Nov 2014 14:00:23 +0100
+Subject: [PATCH 15/26] sss_client: Extract destroying of mmap cache to
+ function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Michal Židek <mzidek at redhat.com>
+---
+ src/sss_client/nss_mc_common.c | 30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
+index 6c9b35de280c637bf957207993e539c889b16c23..9c6e1af1642275fc7738b51d7ca80d712d49b2ac 100644
+--- a/src/sss_client/nss_mc_common.c
++++ b/src/sss_client/nss_mc_common.c
+@@ -102,6 +102,18 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
+     return 0;
+ }
+ 
++static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
++{
++    if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
++        munmap(ctx->mmap_base, ctx->mmap_size);
++    }
++    if (ctx->fd != -1) {
++        close(ctx->fd);
++    }
++    memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
++    ctx->fd = -1;
++}
++
+ static errno_t sss_nss_mc_init_ctx(const char *name,
+                                    struct sss_cli_mc_ctx *ctx)
+ {
+@@ -157,14 +169,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
+ 
+ done:
+     if (ret) {
+-        if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
+-            munmap(ctx->mmap_base, ctx->mmap_size);
+-        }
+-        if (ctx->fd != -1) {
+-            close(ctx->fd);
+-        }
+-        memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
+-        ctx->fd = -1;
++        sss_nss_mc_destroy_ctx(ctx);
+     }
+     free(file);
+     sss_nss_unlock();
+@@ -191,14 +196,7 @@ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx)
+ 
+ done:
+     if (ret) {
+-        if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
+-            munmap(ctx->mmap_base, ctx->mmap_size);
+-        }
+-        if (ctx->fd != -1) {
+-            close(ctx->fd);
+-        }
+-        memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
+-        ctx->fd = -1;
++        sss_nss_mc_destroy_ctx(ctx);
+     }
+     return ret;
+ }
+-- 
+2.1.0
+
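Review bot: The new `sss_nss_mc_destroy_ctx()` has no comment stating its contract, and its two call sites differ in locking: the `done:` path in sss_nss_mc_init_ctx runs it before `sss_nss_unlock()`, whereas the one in sss_nss_mc_get_ctx runs it with no lock visible in the hunk. Since the `memset` clears every field of the shared context, including ones other threads read, the helper should say which it expects, e.g. `/* Unmap the cache, close its descriptor and reset ctx to the unused state (fd = -1). Caller must serialise against other users of ctx. */`. Both enclosing functions start outside the hunk.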
diff --git a/0016-sss_client-Fix-race-condition-in-memory-cache.patch b/0016-sss_client-Fix-race-condition-in-memory-cache.patch
new file mode 100644
index 0000000..f38531f
--- /dev/null
+++ b/0016-sss_client-Fix-race-condition-in-memory-cache.patch
@@ -0,0 +1,243 @@
+From d1d01b99e0388e5c2fadb10db8e73917669a3383 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Fri, 21 Nov 2014 11:28:36 +0100
+Subject: [PATCH 16/26] sss_client: Fix race condition in memory cache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Thread safe initialisation was fixed in ticket #2380, but there is
+still race condition in reinitialisation.
+
+If caches is invalidated with command sss_cache -U (-G or -E) then
+client code will need to reinitialize fast memory cache.
+Let say we have two threads. The 1st thread find out that memory cache
+should be reinitialized; therefore the fast memory cached is unmapped
+and context destroyed. In the same time, 2nd thread tried to check
+header of memory cache whether it is initialized and valid. As a result
+of previously unmapped memory the 2nd thread access
+out of bound memory (SEGFAULT).
+
+The destroying of fast memory cache cannot be done any time. We need
+to be sure that there isn't any other thread which uses mmaped memory.
+The new counter of active threads was added for this purpose. The state
+of fast memory cache was converted from boolean to three value state
+(UNINITIALIZED, INITIALIZED, RECYCLED)
+UNINITIALIZED
+    - the fast memory cache need to be initialized.
+    - if there is a problem with initialisation the state will not change
+    - after successful initialisation, the state will change to INITIALIZED
+INITIALIZED
+    - if the cahe was invalidated or there is any other problem was
+      detected in memory cache header the state will change to RECYCLED
+      and memory cache IS NOT destroyed.
+RECYCLED
+    - nothing will be done is there are any active threads which may use
+      the data from mmaped memory
+    - if there aren't active threads the fast memory cahe is destroyed and
+      state is changed to UNINITIALIZED.
+
+https://fedorahosted.org/sssd/ticket/2445
+
+Reviewed-by: Michal Židek <mzidek at redhat.com>
+---
+ src/sss_client/nss_mc.h        | 10 ++++++++-
+ src/sss_client/nss_mc_common.c | 46 ++++++++++++++++++++++++++++++++++--------
+ src/sss_client/nss_mc_group.c  |  8 ++++++--
+ src/sss_client/nss_mc_passwd.c |  8 ++++++--
+ 4 files changed, 59 insertions(+), 13 deletions(-)
+
+diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
+index 685cc41c0530750d890050f0917dc88be14d96ea..050bd4100dec091cb096a7d97bfe6615b12654da 100644
+--- a/src/sss_client/nss_mc.h
++++ b/src/sss_client/nss_mc.h
+@@ -33,9 +33,15 @@
+ typedef int errno_t;
+ #endif
+ 
++enum sss_mc_state {
++    UNINITIALIZED = 0,
++    INITIALIZED,
++    RECYCLED,
++};
++
+ /* common stuff */
+ struct sss_cli_mc_ctx {
+-    bool initialized;
++    enum sss_mc_state initialized;
+     int fd;
+ 
+     uint32_t seed;          /* seed from the tables header */
+@@ -48,6 +54,8 @@ struct sss_cli_mc_ctx {
+ 
+     uint32_t *hash_table;   /* hash table address (in mmap) */
+     uint32_t ht_size;       /* size of hash table */
++
++    uint32_t active_threads; /* count of threads which use memory cache */
+ };
+ 
+ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
+diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
+index 9c6e1af1642275fc7738b51d7ca80d712d49b2ac..89ff6b46e2abee03039cfd632ef50231eab92eec 100644
+--- a/src/sss_client/nss_mc_common.c
++++ b/src/sss_client/nss_mc_common.c
+@@ -123,7 +123,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
+ 
+     sss_nss_lock();
+     /* check if ctx is initialised by previous thread. */
+-    if (ctx->initialized) {
++    if (ctx->initialized != UNINITIALIZED) {
+         ret = sss_nss_check_header(ctx);
+         goto done;
+     }
+@@ -163,7 +163,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
+         goto done;
+     }
+ 
+-    ctx->initialized = true;
++    ctx->initialized = INITIALIZED;
+ 
+     ret = 0;
+ 
+@@ -181,22 +181,52 @@ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx)
+ {
+     char *envval;
+     int ret;
++    bool need_decrement = false;
+ 
+     envval = getenv("SSS_NSS_USE_MEMCACHE");
+     if (envval && strcasecmp(envval, "NO") == 0) {
+         return EPERM;
+     }
+ 
+-    if (ctx->initialized) {
++    switch (ctx->initialized) {
++    case UNINITIALIZED:
++        __sync_add_and_fetch(&ctx->active_threads, 1);
++        ret = sss_nss_mc_init_ctx(name, ctx);
++        if (ret) {
++            need_decrement = true;
++        }
++        break;
++    case INITIALIZED:
++        __sync_add_and_fetch(&ctx->active_threads, 1);
+         ret = sss_nss_check_header(ctx);
+-        goto done;
++        if (ret) {
++            need_decrement = true;
++        }
++        break;
++    case RECYCLED:
++        /* we need to safely destroy memory cache */
++        ret = EAGAIN;
++        break;
++    default:
++        ret = EFAULT;
+     }
+ 
+-    ret = sss_nss_mc_init_ctx(name, ctx);
+-
+-done:
+     if (ret) {
+-        sss_nss_mc_destroy_ctx(ctx);
++        if (ctx->initialized == INITIALIZED) {
++            ctx->initialized = RECYCLED;
++        }
++        if (ctx->initialized == RECYCLED && ctx->active_threads == 0) {
++            /* just one thread should call munmap */
++            sss_nss_lock();
++            if (ctx->initialized == RECYCLED) {
++                sss_nss_mc_destroy_ctx(ctx);
++            }
++            sss_nss_unlock();
++        }
++        if (need_decrement) {
++            /* In case of error, we will not touch mmapped area => decrement */
++            __sync_sub_and_fetch(&ctx->active_threads, 1);
++        }
+     }
+     return ret;
+ }
+diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
+index 268b40ef02f2a621c4f61755ce4dfe2c3786bfa6..e0fdb97f628ac19741409be29566e4af5a391f74 100644
+--- a/src/sss_client/nss_mc_group.c
++++ b/src/sss_client/nss_mc_group.c
+@@ -29,7 +29,8 @@
+ #include "nss_mc.h"
+ #include "util/util_safealign.h"
+ 
+-struct sss_cli_mc_ctx gr_mc_ctx = { false, -1, 0, NULL, 0, NULL, 0, NULL, 0 };
++struct sss_cli_mc_ctx gr_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0,
++                                    NULL, 0, 0 };
+ 
+ static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
+                                        struct group *result,
+@@ -176,6 +177,7 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
+ 
+ done:
+     free(rec);
++    __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1);
+     return ret;
+ }
+ 
+@@ -198,7 +200,8 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
+ 
+     len = snprintf(gidstr, 11, "%ld", (long)gid);
+     if (len > 10) {
+-        return EINVAL;
++        ret = EINVAL;
++        goto done;
+     }
+ 
+     /* hashes are calculated including the NULL terminator */
+@@ -242,6 +245,7 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
+ 
+ done:
+     free(rec);
++    __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1);
+     return ret;
+ }
+ 
+diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
+index fa19afc3c0e468430183ed3f13b80e086251ee01..10e43e2af43c5e7f1738e281b3ed260d89f3a004 100644
+--- a/src/sss_client/nss_mc_passwd.c
++++ b/src/sss_client/nss_mc_passwd.c
+@@ -28,7 +28,8 @@
+ #include <time.h>
+ #include "nss_mc.h"
+ 
+-struct sss_cli_mc_ctx pw_mc_ctx = { false, -1, 0, NULL, 0, NULL, 0, NULL, 0 };
++struct sss_cli_mc_ctx pw_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0,
++                                    NULL, 0, 0 };
+ 
+ static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
+                                        struct passwd *result,
+@@ -170,6 +171,7 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
+ 
+ done:
+     free(rec);
++    __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1);
+     return ret;
+ }
+ 
+@@ -192,7 +194,8 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
+ 
+     len = snprintf(uidstr, 11, "%ld", (long)uid);
+     if (len > 10) {
+-        return EINVAL;
++        ret = EINVAL;
++        goto done;
+     }
+ 
+     /* hashes are calculated including the NULL terminator */
+@@ -236,6 +239,7 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
+ 
+ done:
+     free(rec);
++    __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1);
+     return ret;
+ }
+ 
+-- 
+2.1.0
+
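Review bot: The destroy decision in sss_nss_mc_get_ctx is a check-then-act that is not fully protected: `active_threads == 0` is read outside `sss_nss_lock()`, and the re-check inside the lock only repeats `ctx->initialized == RECYCLED`, so a thread that read INITIALIZED in the switch and incremented just after the unlocked test can still be using the mapping when it is unmapped. At minimum the locked condition should be `if (ctx->initialized == RECYCLED && ctx->active_threads == 0) {`, and `initialized` itself is set to RECYCLED and read in the switch with neither the lock nor a `__sync_*` builtin, so it needs the same discipline as the counter. Separately, the `done:` labels in nss_mc_group.c and nss_mc_passwd.c now decrement unconditionally; if those functions jump to `done` when sss_nss_mc_get_ctx fails on the EPERM or EAGAIN path, where no increment happened, the uint32_t counter wraps and the cache can never be recycled — the start of those functions is outside the hunk, so this needs confirming. The `gr_mc_ctx`/`pw_mc_ctx` initialisers grew a trailing positional `0`; designated initialisers would make them robust to further layout changes.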
diff --git a/0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch b/0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch
new file mode 100644
index 0000000..9dff73f
--- /dev/null
+++ b/0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch
@@ -0,0 +1,32 @@
+From 0942d9245ed1a7de573e3af17deac2332a52b58a Mon Sep 17 00:00:00 2001
+From: Michal Zidek <mzidek at redhat.com>
+Date: Mon, 24 Nov 2014 19:10:01 +0100
+Subject: [PATCH 17/26] test: Wrong parameter type in sss_parse_name_check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This caused aritmetic overflow when SSSD specific error
+codes where used.
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/tests/cmocka/test_fqnames.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
+index 71429c8773ef199c72163837d4b313660cf813c2..de208437d3d11429ebb4fd92ac6b1469564d9174 100644
+--- a/src/tests/cmocka/test_fqnames.c
++++ b/src/tests/cmocka/test_fqnames.c
+@@ -326,7 +326,7 @@ void parse_name_test_teardown(void **state)
+ 
+ void sss_parse_name_check(struct parse_name_test_ctx *test_ctx,
+                           const char *input_name,
+-                          const char exp_ret,
++                          const int exp_ret,
+                           const char *exp_name,
+                           const char *exp_domain)
+ {
+-- 
+2.1.0
+
diff --git a/0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch b/0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch
new file mode 100644
index 0000000..c574e99
--- /dev/null
+++ b/0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch
@@ -0,0 +1,88 @@
+From 0370ef147287888604147bea95153795ffed318f Mon Sep 17 00:00:00 2001
+From: Michal Zidek <mzidek at redhat.com>
+Date: Mon, 24 Nov 2014 19:50:14 +0100
+Subject: [PATCH 18/26] util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add new SSSD specific error code for the case when
+pcre_exec returns PCRE_ERROR_NOMATCH.
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+
+Conflicts:
+	src/util/util_errors.c
+	src/util/util_errors.h
+---
+ src/tests/cmocka/test_fqnames.c | 14 +++++++-------
+ src/util/usertools.c            |  2 +-
+ src/util/util_errors.c          |  1 +
+ src/util/util_errors.h          |  1 +
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
+index de208437d3d11429ebb4fd92ac6b1469564d9174..b9b6230b9e2c86dafae159630d5202e46992f5f3 100644
+--- a/src/tests/cmocka/test_fqnames.c
++++ b/src/tests/cmocka/test_fqnames.c
+@@ -471,13 +471,13 @@ void sss_parse_name_fail(void **state)
+     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
+                                                            struct parse_name_test_ctx);
+ 
+-    sss_parse_name_check(test_ctx, "", EINVAL, NULL, NULL);
+-    sss_parse_name_check(test_ctx, "@", EINVAL, NULL, NULL);
+-    sss_parse_name_check(test_ctx, "\\", EINVAL, NULL, NULL);
+-    sss_parse_name_check(test_ctx, "\\"NAME, EINVAL, NULL, NULL);
+-    sss_parse_name_check(test_ctx, "@"NAME, EINVAL, NULL, NULL);
+-    sss_parse_name_check(test_ctx, NAME"@", EINVAL, NULL, NULL);
+-    sss_parse_name_check(test_ctx, NAME"\\", EINVAL, NULL, NULL);
++    sss_parse_name_check(test_ctx, "", ERR_REGEX_NOMATCH, NULL, NULL);
++    sss_parse_name_check(test_ctx, "@", ERR_REGEX_NOMATCH, NULL, NULL);
++    sss_parse_name_check(test_ctx, "\\", ERR_REGEX_NOMATCH, NULL, NULL);
++    sss_parse_name_check(test_ctx, "\\"NAME, ERR_REGEX_NOMATCH, NULL, NULL);
++    sss_parse_name_check(test_ctx, "@"NAME, ERR_REGEX_NOMATCH, NULL, NULL);
++    sss_parse_name_check(test_ctx, NAME"@", ERR_REGEX_NOMATCH, NULL, NULL);
++    sss_parse_name_check(test_ctx, NAME"\\", ERR_REGEX_NOMATCH, NULL, NULL);
+ }
+ 
+ void test_sss_get_domain_name(void **state)
+diff --git a/src/util/usertools.c b/src/util/usertools.c
+index 809b42d67c7b1cdfa0729c3a7e835fab37297596..16478998d8936cd2e260c1e53db6b68f1563b0f8 100644
+--- a/src/util/usertools.c
++++ b/src/util/usertools.c
+@@ -306,7 +306,7 @@ int sss_parse_name(TALLOC_CTX *memctx,
+ 
+     ret = pcre_exec(re, NULL, orig, origlen, 0, PCRE_NOTEMPTY, ovec, 30);
+     if (ret == PCRE_ERROR_NOMATCH) {
+-        return EINVAL;
++        return ERR_REGEX_NOMATCH;
+     } else if (ret < 0) {
+         DEBUG(SSSDBG_MINOR_FAILURE, "PCRE Matching error, %d\n", ret);
+         return EINVAL;
+diff --git a/src/util/util_errors.c b/src/util/util_errors.c
+index 5b36780ffcdc6733241cdb942865ecdf38da3bca..c1ac45ac5f8a53871d548bb0d218eabb03c69aa9 100644
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -62,6 +62,7 @@ struct err_string error_to_str[] = {
+     { "Bus method not supported" }, /* ERR_SBUS_NOSUP */
+     { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
+     { "LDAP search returned a referral" }, /* ERR_REFERRAL */
++    { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
+ };
+ 
+ 
+diff --git a/src/util/util_errors.h b/src/util/util_errors.h
+index e040ba903b27d06ec75cea31485d2f3111ca5302..8609dca22dcef33641efd0d717085d77c10224f8 100644
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -84,6 +84,7 @@ enum sssd_errors {
+     ERR_SBUS_NOSUP,
+     ERR_NO_SYSBUS,
+     ERR_REFERRAL,
++    ERR_REGEX_NOMATCH,
+     ERR_LAST            /* ALWAYS LAST */
+ };
+ 
+-- 
+2.1.0
+
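Review bot: The `error_to_str` table in util_errors.c is evidently indexed in enum order (each entry is tagged with its `ERR_*` name), so the new `ERR_REGEX_NOMATCH` entry and the enum member must be appended at the same position in both files, and nothing enforces that. A `_Static_assert` relating the table's element count to the number of codes before `ERR_LAST` would turn a future mismatch into a compile error instead of a wrong message string; the lookup that offsets into the table is outside the hunk, so the exact expression has to come from that code. The usertools.c change keeps the generic `ret < 0` case as EINVAL, which is the right split between "input did not match" and "matcher failed".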
diff --git a/0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch b/0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch
new file mode 100644
index 0000000..0f617a1
--- /dev/null
+++ b/0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch
@@ -0,0 +1,41 @@
+From 01a4b2b31d5279c90e7c596f9321eb0e9ec38d69 Mon Sep 17 00:00:00 2001
+From: Michal Zidek <mzidek at redhat.com>
+Date: Fri, 21 Nov 2014 20:06:32 +0100
+Subject: [PATCH 19/26] util: sss_get_domain_name regex mismatch not fatal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assume name is not FQDN if sss_parse_name fails to
+match domain with regular expression.
+
+Fixes:
+https://fedorahosted.org/sssd/ticket/2487
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/util/usertools.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/usertools.c b/src/util/usertools.c
+index 16478998d8936cd2e260c1e53db6b68f1563b0f8..2804953a3e854ddf1a122b389ac1e14c4ff7f865 100644
+--- a/src/util/usertools.c
++++ b/src/util/usertools.c
+@@ -643,7 +643,13 @@ sss_get_domain_name(TALLOC_CTX *mem_ctx,
+     /* check if the name already contains domain part */
+     if (dom->names != NULL) {
+         ret = sss_parse_name(mem_ctx, dom->names, orig_name, &domain, NULL);
+-        if (ret != EOK) {
++        if (ret == ERR_REGEX_NOMATCH) {
++            DEBUG(SSSDBG_TRACE_FUNC,
++                  "sss_parse_name could not parse domain from [%s]. "
++                  "Assuming it is not FQDN.\n", orig_name);
++        } else if (ret != EOK) {
++            DEBUG(SSSDBG_TRACE_FUNC,
++                  "sss_parse_name failed [%d]: %s\n", ret, sss_strerror(ret));
+             return NULL;
+         }
+     }
+-- 
+2.1.0
+
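Review bot: The hard-failure branch at `else if (ret != EOK)` logs a real sss_parse_name error at SSSDBG_TRACE_FUNC, the same verbosity as the now-benign no-match case, so the path that returns NULL is invisible at ordinary debug levels; use a higher level there, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "sss_parse_name failed [%d]: %s\n", ret, sss_strerror(ret));`. The no-match branch now falls through with `domain` left as whatever sss_parse_name set it to on failure; the code that consumes `domain` is outside the hunk, so confirm it treats the unset value as "no domain part". sss_get_domain_name starts and ends outside the hunk.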
diff --git a/0020-SBUS-Initialize-DBusError-before-using-it.patch b/0020-SBUS-Initialize-DBusError-before-using-it.patch
new file mode 100644
index 0000000..851f670
--- /dev/null
+++ b/0020-SBUS-Initialize-DBusError-before-using-it.patch
@@ -0,0 +1,32 @@
+From ee280ed38752e60d7cba0abc1c9370b016ca3a27 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Sun, 23 Nov 2014 19:58:45 +0100
+Subject: [PATCH 20/26] SBUS: Initialize DBusError before using it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case either handler_fn() or invoker_fn() failed in
+sbus_request_invoke_or_finish() we would have accessed an uninitialized
+DBusError variable, causing a segfault.
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/sbus/sssd_dbus_request.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sbus/sssd_dbus_request.c b/src/sbus/sssd_dbus_request.c
+index 7729d4e0d7bf6e517e2efce4dbeb064f6f471b87..0028d3537adeddc26e7b8480eb37e979a6cdb7ba 100644
+--- a/src/sbus/sssd_dbus_request.c
++++ b/src/sbus/sssd_dbus_request.c
+@@ -79,6 +79,7 @@ sbus_request_invoke_or_finish(struct sbus_request *dbus_req,
+         sbus_request_finish(dbus_req, NULL);
+         break;
+     default:
++        dbus_error_init(&error);
+         dbus_set_error_const(&error, DBUS_ERROR_FAILED, INTERNAL_ERROR);
+         sbus_request_fail_and_finish(dbus_req, &error);
+         break;
+-- 
+2.1.0
+
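Review bot: `dbus_error_init(&error)` is placed only in the `default:` arm, so any other arm of this switch that hands `error` to libdbus (none is visible in the hunk) would still read an uninitialised DBusError. Initialising at the declaration, `DBusError error = DBUS_ERROR_INIT;`, covers every path and cannot be bypassed by a future case label; whether `sbus_request_fail_and_finish()` releases the error after use is not visible here and should be confirmed. sbus_request_invoke_or_finish begins and ends outside the hunk.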
diff --git a/0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch b/0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch
new file mode 100644
index 0000000..d658c00
--- /dev/null
+++ b/0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch
@@ -0,0 +1,54 @@
+From 05e9fd3773a886424610adca97eba1ad86e72daf Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Wed, 17 Dec 2014 09:42:57 +0100
+Subject: [PATCH 21/26] krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
+assumptions about the cause. If there are cases where
+KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
+must be solved by other means.
+
+Resolves https://fedorahosted.org/sssd/ticket/2535
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/providers/krb5/krb5_child.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 3234a4e6c740db5e05f7db8eb7f4ea0cc126e7ce..533e4139fee2abd9a0b8f939522a0819d91426ff 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -1049,7 +1049,6 @@ static errno_t map_krb5_error(krb5_error_code kerr)
+     case KRB5_LIBOS_CANTREADPWD:
+         return ERR_NO_CREDS;
+ 
+-    case KRB5KRB_ERR_GENERIC:
+     case KRB5KRB_AP_ERR_SKEW:
+     case KRB5_KDC_UNREACH:
+     case KRB5_REALM_CANT_RESOLVE:
+@@ -1072,6 +1071,18 @@ static errno_t map_krb5_error(krb5_error_code kerr)
+     case KRB5KDC_ERR_PREAUTH_FAILED:
+         return ERR_CREDS_INVALID;
+ 
++    /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error
++     * code and we cannot make any assumptions about the reason for the error.
++     * As a consequence we cannot return a different error code than a generic
++     * one which unfortunately might result in a unspecific system error
++     * message to the user.
++     *
++     * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where
++     * SSSD should behave differently this has to be detected by different
++     * means, e.g. by evaluation error messages, and then the error code
++     * should be changed to a more suitable KRB5* error code or immediately to
++     * a SSSD ERR_* error code to avoid the default handling here. */
++    case KRB5KRB_ERR_GENERIC:
+     default:
+         return ERR_INTERNAL;
+     }
+-- 
+2.1.0
+
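Review bot: The new comment above `case KRB5KRB_ERR_GENERIC:` carries the rationale for the change, so its wording should be clean: `by evaluation error messages` reads better as `by evaluating error messages`, and `a unspecific` should be `an unspecific`. Since the label now has exactly the behaviour of `default:`, the comment should also say that it is kept deliberately as a marker rather than for effect, e.g. `/* Kept as an explicit label so the intent survives future edits; behaviour is that of default. */`. map_krb5_error starts and ends outside the hunk, so the return value of the case group KRB5KRB_ERR_GENERIC was removed from is not visible.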
diff --git a/0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch b/0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch
new file mode 100644
index 0000000..fb1e54b
--- /dev/null
+++ b/0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch
@@ -0,0 +1,37 @@
+From 1901cd172918c842c57098cf8d13b6325813be7f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Sun, 23 Nov 2014 20:47:59 +0100
+Subject: [PATCH 22/26] IPA: Handle IPA groups returned from extop plugin
+
+Reviewed-by: Sumit Bose <sbose at redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 2c31120b196353df52c87ef5b924a80bda134a17..0eab1afc36e4d2c1d770c596c512a641fd276425 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -960,10 +960,15 @@ static errno_t ipa_s2n_get_groups_step(struct tevent_req *req)
+         return ret;
+     }
+ 
+-    state->obj_domain = find_domain_by_name(parent_domain, domain_name, true);
+-    if (state->obj_domain == NULL) {
+-        DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
+-        return ENOMEM;
++    if (domain_name) {
++        state->obj_domain = find_domain_by_name(parent_domain,
++                                                domain_name, true);
++        if (state->obj_domain == NULL) {
++            DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
++            return ENOMEM;
++        }
++    } else {
++        state->obj_domain = parent_domain;
+     }
+ 
+     state->req_input.inp.name = group_name;
+-- 
+2.1.0
+
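Review bot: The `find_domain_by_name()` NULL result still returns `ENOMEM`, which misreports a lookup miss as an allocation failure and will be logged and handled as such by callers; `return ENOENT;` describes the actual condition and matches how the same situation is reported elsewhere in this series. The new `else` arm silently falls back to `parent_domain` when `domain_name` is NULL, and a short comment on why a missing domain name means the parent domain, e.g. `/* no domain part: the group belongs to the IPA domain itself */`, would document that assumption. ipa_s2n_get_groups_step starts and ends outside the hunk.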
diff --git a/0023-IPA-verify-group-memberships-of-trusted-domain-users.patch b/0023-IPA-verify-group-memberships-of-trusted-domain-users.patch
new file mode 100644
index 0000000..e041c36
--- /dev/null
+++ b/0023-IPA-verify-group-memberships-of-trusted-domain-users.patch
@@ -0,0 +1,215 @@
+From b438c890894bde80b6494512d9fa1660fae431a6 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Thu, 11 Dec 2014 10:49:39 +0100
+Subject: [PATCH 23/26] IPA: verify group memberships of trusted domain users
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Depending on the state of the cache group object a freshly created or
+updates user entry for a trusted domain user might already be a member
+of the group or not. This cache makes sure the requested user is a
+member of all groups returned from the extdom request. Special care has
+to be taken to cover cross-domain group-memberships properly.
+
+Resolves https://fedorahosted.org/sssd/ticket/2529
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 144 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 0eab1afc36e4d2c1d770c596c512a641fd276425..677d1625860186ad02d4d8c7290d45b782bc4c38 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -568,7 +568,7 @@ static errno_t add_v1_user_data(BerElement *ber, struct resp_attrs *attrs)
+          attrs->ngroups++);
+ 
+     if (attrs->ngroups > 0) {
+-        attrs->groups = talloc_array(attrs, char *, attrs->ngroups);
++        attrs->groups = talloc_zero_array(attrs, char *, attrs->ngroups + 1);
+         if (attrs->groups == NULL) {
+             DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
+             ret = ENOMEM;
+@@ -1528,6 +1528,81 @@ done:
+     return;
+ }
+ 
++static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
++                              char **name_list, char ***_dn_list)
++{
++    int ret;
++    TALLOC_CTX *tmp_ctx;
++    int c;
++    struct sss_domain_info *root_domain;
++    char **dn_list;
++
++    if (name_list == NULL) {
++        *_dn_list = NULL;
++        return EOK;
++    }
++
++    /* To handle cross-domain memberships we have to check the domain for
++     * each group the member should be added or deleted. Since sub-domains
++     * use fully-qualified names by default any short name can only belong
++     * to the root/head domain. find_domain_by_object_name() will return
++     * the domain given in the first argument if the second argument is a
++     * a short name hence we always use root_domain as first argument. */
++    root_domain = get_domains_head(dom);
++    if (root_domain->fqnames) {
++        DEBUG(SSSDBG_TRACE_FUNC,
++              "Root domain uses fully-qualified names, " \
++              "objects might not be correctly added to groups with " \
++              "short names.\n");
++    }
++
++    tmp_ctx = talloc_new(NULL);
++    if (tmp_ctx == NULL) {
++        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
++        return ENOMEM;
++    }
++
++    for (c = 0; name_list[c] != NULL; c++);
++
++    dn_list = talloc_zero_array(tmp_ctx, char *, c + 1);
++    if (dn_list == NULL) {
++        DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
++        ret = ENOMEM;
++        goto done;
++    }
++
++    for (c = 0; name_list[c] != NULL; c++) {
++        dom = find_domain_by_object_name(root_domain, name_list[c]);
++        if (dom == NULL) {
++            DEBUG(SSSDBG_CRIT_FAILURE,
++                  "Cannot find domain for [%s].\n", name_list[c]);
++            ret = ENOENT;
++            goto done;
++        }
++
++        /* This might fail if some unexpected cases are used. But current
++         * sysdb code which handles group membership constructs DNs this way
++         * as well, IPA names are lowercased and AD names by default will be
++         * lowercased as well. If there are really use-cases which cause an
++         * issue here, sysdb_group_strdn() has to be replaced by a proper
++         * search. */
++        dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
++        if (dn_list[c] == NULL) {
++            DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
++            ret = ENOMEM;
++            goto done;
++        }
++    }
++
++    *_dn_list = talloc_steal(mem_ctx, dn_list);
++    ret = EOK;
++
++done:
++    talloc_free(tmp_ctx);
++
++    return ret;
++}
++
+ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                                     struct req_input *req_input,
+                                     struct resp_attrs *attrs,
+@@ -1548,6 +1623,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+     const char *tmp_str;
+     struct ldb_result *res;
+     enum sysdb_member_type type;
++    char **sysdb_grouplist;
++    char **add_groups;
++    char **add_groups_dns;
++    char **del_groups;
++    char **del_groups_dns;
++    bool in_transaction = false;
++    int tret;
+ 
+     tmp_ctx = talloc_new(NULL);
+     if (tmp_ctx == NULL) {
+@@ -1716,6 +1798,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                 gid = attrs->a.user.pw_gid;
+             }
+ 
++            ret = sysdb_transaction_start(dom->sysdb);
++            if (ret != EOK) {
++                DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
++                goto done;
++            }
++            in_transaction = true;
++
+             ret = sysdb_store_user(dom, name, NULL,
+                                    attrs->a.user.pw_uid,
+                                    gid, attrs->a.user.pw_gecos,
+@@ -1726,6 +1815,53 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+                 DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
+                 goto done;
+             }
++
++            if (attrs->response_type == RESP_USER_GROUPLIST) {
++                ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
++                                          &sysdb_grouplist);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
++                    goto done;
++                }
++
++                ret = diff_string_lists(tmp_ctx, attrs->groups, sysdb_grouplist,
++                                        &add_groups, &del_groups, NULL);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
++                    goto done;
++                }
++
++                ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
++                    goto done;
++                }
++
++                ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
++                    goto done;
++                }
++
++                DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
++                                             name);
++                ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
++                                          (const char *const *) add_groups_dns,
++                                          (const char *const *) del_groups_dns);
++                if (ret != EOK) {
++                    DEBUG(SSSDBG_CRIT_FAILURE, "Membership update failed [%d]: %s\n",
++                                               ret, sss_strerror(ret));
++                    goto done;
++                }
++            }
++
++            ret = sysdb_transaction_commit(dom->sysdb);
++            if (ret != EOK) {
++                DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
++                goto done;
++            }
++            in_transaction = false;
++
+             break;
+         case RESP_GROUP:
+         case RESP_GROUP_MEMBERS:
+@@ -1818,6 +1954,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+     }
+ 
+ done:
++    if (in_transaction) {
++        tret = sysdb_transaction_cancel(dom->sysdb);
++        if (tret != EOK) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
++        }
++    }
++
+     talloc_free(tmp_ctx);
+ 
+     return ret;
+-- 
+2.1.0
+
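Review bot: In `get_groups_dns()` the counting loop `for (c = 0; name_list[c] != NULL; c++);` has its body in the trailing semicolon, which is easy to misread and is the kind of line a later edit accidentally gives a body; `{ /* count entries */ }` makes it explicit. The same function overwrites its `dom` parameter inside the second loop and declares `ret` as `int` although it returns `errno_t`; a separate local such as `struct sss_domain_info *obj_dom` and `errno_t ret` would match the rest of the file. In ipa_s2n_save_objects, `add_groups_dns` and `del_groups_dns` may be NULL (get_groups_dns yields a NULL list for a NULL input) and are passed straight to `sysdb_update_members_dn()`; whether that function accepts NULL lists is not visible here and should be confirmed. The log text `talloc_array failed.` after the call that now uses `talloc_zero_array` is a leftover worth updating. ipa_s2n_save_objects starts and ends outside the inner hunks.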
diff --git a/0024-IPA-properly-handle-groups-from-different-domains.patch b/0024-IPA-properly-handle-groups-from-different-domains.patch
new file mode 100644
index 0000000..ba5a11d
--- /dev/null
+++ b/0024-IPA-properly-handle-groups-from-different-domains.patch
@@ -0,0 +1,51 @@
+From d58be56e09962a311d3599d4e134e1f7bbadc90f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Fri, 12 Dec 2014 13:07:55 -0500
+Subject: [PATCH 24/26] IPA: properly handle groups from different domains
+
+When groups are resolved on IPA clients as part of a user lookup not all
+groups have to be from the same domain as the used. This has to be
+checked to store the group object properly in the cache.
+
+Related to https://fedorahosted.org/sssd/ticket/2529
+       and https://fedorahosted.org/sssd/ticket/2524
+
+Reviewed-by: Sumit Bose <sbose at redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 677d1625860186ad02d4d8c7290d45b782bc4c38..6d5b45edf20f720f5b97f0ed5c8ec591c580de0d 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1867,10 +1867,24 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+         case RESP_GROUP_MEMBERS:
+             type = SYSDB_MEMBER_GROUP;
+ 
++            if (0 != strcmp(dom->name, attrs->domain_name)) {
++                dom = find_domain_by_name(get_domains_head(dom),
++                                          attrs->domain_name, true);
++                if (dom == NULL) {
++                    DEBUG(SSSDBG_OP_FAILURE,
++                          "Cannot find domain: [%s]\n", attrs->domain_name);
++                    ret = EINVAL;
++                    goto done;
++                }
++            }
++
+             if (name == NULL) {
++                name = attrs->a.group.gr_name;
++            }
++
++            if (IS_SUBDOMAIN(dom)) {
+                 /* we always use the fully qualified name for subdomain users */
+-                name = sss_tc_fqname(tmp_ctx, dom->names, dom,
+-                                     attrs->a.group.gr_name);
++                name = sss_tc_fqname(tmp_ctx, dom->names, dom, name);
+                 if (!name) {
+                     DEBUG(SSSDBG_OP_FAILURE, "failed to format user name,\n");
+                     ret = ENOMEM;
+-- 
+2.1.0
+
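Review bot: `strcmp(dom->name, attrs->domain_name)` dereferences `attrs->domain_name` without a NULL check; the hunk does not show that the extop response always carries a domain name (patch 0022 on this page treats a NULL domain name as a valid case), so `if (attrs->domain_name != NULL && strcmp(dom->name, attrs->domain_name) != 0)` would be the defensive form, or a comment stating the invariant. The reassignment also replaces the function's `dom` parameter for the remainder of ipa_s2n_save_objects, so any code after the switch that expects the caller's domain (including the `dom->sysdb` used at `done:`) now sees the group's domain; if that is intended, a comment saying so would help, otherwise a separate local is safer. ipa_s2n_save_objects starts and ends outside the hunk.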
diff --git a/0025-IPA-do-not-try-to-add-override-gid-twice.patch b/0025-IPA-do-not-try-to-add-override-gid-twice.patch
new file mode 100644
index 0000000..932a645
--- /dev/null
+++ b/0025-IPA-do-not-try-to-add-override-gid-twice.patch
@@ -0,0 +1,42 @@
+From 46da6ab87c8065ab36de30f1f9d882736425777c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Tue, 2 Dec 2014 21:10:01 +0100
+Subject: [PATCH 25/26] IPA: do not try to add override gid twice
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+By default user and group overrides use the same attribute name for the
+GID and this cause SSSD machinery to add the same value twice which
+cause an error in ldb_add() or ldm_modify().
+
+Related to https://fedorahosted.org/sssd/ticket/2514
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/db/sysdb_views.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
+index 926cd847c8dd8ddc33c0b517642a11bbe78059b5..6011fd09db4528b0b1c7aa0a6266ea719e47792f 100644
+--- a/src/db/sysdb_views.c
++++ b/src/db/sysdb_views.c
+@@ -371,8 +371,14 @@ errno_t sysdb_store_override(struct sss_domain_info *domain,
+             goto done;
+         }
+ 
+-        /* TODO: add nameAlias for case-insentitive searches */
+         for (c = 0; c < attrs->num; c++) {
++            /* Set num_values to 1 because by default user and group overrides
++             * use the same attribute name for the GID and this cause SSSD
++             * machinery to add the same value twice */
++            if (attrs->a[c].num_values > 1
++                    && strcmp(attrs->a[c].name, SYSDB_GIDNUM) == 0) {
++                attrs->a[c].num_values = 1;
++            }
+             msg->elements[c] = attrs->a[c];
+             msg->elements[c].flags = LDB_FLAG_MOD_ADD;
+         }
+-- 
+2.1.0
+
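Review bot: Trimming `num_values` to 1 for `SYSDB_GIDNUM` silently keeps the first value and drops the second without checking that they agree, and it does so by mutating the caller's `attrs`, a change that persists after sysdb_store_override() returns. Before the assignment a check such as `if (!ldb_val_equal_exact(&attrs->a[c].values[0], &attrs->a[c].values[1])) DEBUG(SSSDBG_MINOR_FAILURE, "Conflicting gidNumber values in override, using the first.\n");` records the case the comment assumes cannot happen; the in-place modification of `attrs` deserves a sentence in the function's documentation as well. sysdb_store_override starts and ends outside the hunk.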
diff --git a/0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch b/0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch
new file mode 100644
index 0000000..5216055
--- /dev/null
+++ b/0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch
@@ -0,0 +1,62 @@
+From 51ecb61c7c6e2f002c2da188e30f69d67f767ead Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Thu, 4 Dec 2014 12:50:03 +0100
+Subject: [PATCH 26/26] IPA: handle GID overrides for MPG domains on clients
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves https://fedorahosted.org/sssd/ticket/2514
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 6d5b45edf20f720f5b97f0ed5c8ec591c580de0d..55450c7029391a99bfc33b8446765f71c4d0928a 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1618,6 +1618,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+     char *realm;
+     char *upn = NULL;
+     gid_t gid;
++    gid_t orig_gid = 0;
+     TALLOC_CTX *tmp_ctx;
+     const char *sid_str;
+     const char *tmp_str;
+@@ -1796,6 +1797,31 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+             gid = 0;
+             if (dom->mpg == false) {
+                 gid = attrs->a.user.pw_gid;
++            } else {
++                /* The extdom plugin always returns the objects with the
++                 * default view applied. Since the GID is handled specially
++                 * for MPG domains we have add any overridden GID separately.
++                 */
++                ret = sysdb_attrs_get_uint32_t(attrs->sysdb_attrs,
++                                               ORIGINALAD_PREFIX SYSDB_GIDNUM,
++                                               &orig_gid);
++                if (ret == EOK || ret == ENOENT) {
++                    if ((orig_gid != 0 && orig_gid != attrs->a.user.pw_gid)
++                            || attrs->a.user.pw_uid != attrs->a.user.pw_gid) {
++                        ret = sysdb_attrs_add_uint32(attrs->sysdb_attrs,
++                                                     SYSDB_GIDNUM,
++                                                     attrs->a.user.pw_gid);
++                        if (ret != EOK) {
++                            DEBUG(SSSDBG_OP_FAILURE,
++                                  "sysdb_attrs_add_uint32 failed.\n");
++                            goto done;
++                        }
++                    }
++                } else {
++                    DEBUG(SSSDBG_OP_FAILURE,
++                          "sysdb_attrs_get_uint32_t failed.\n");
++                    goto done;
++                }
+             }
+ 
+             ret = sysdb_transaction_start(dom->sysdb);
+-- 
+2.1.0
+
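Review bot: `sysdb_attrs_add_uint32()` appends a value rather than replacing one, so if `attrs->sysdb_attrs` already holds a `SYSDB_GIDNUM` (the new comment says the extdom plugin returns objects with the default view applied) the override is added as a second value — the duplicate-gidNumber situation patch 0025 on this page works around in sysdb_store_override(). Whether the extop attributes can already contain `SYSDB_GIDNUM` is not visible here; checking with `sysdb_attrs_get_uint32_t(attrs->sysdb_attrs, SYSDB_GIDNUM, &tmp)` first, or noting in the comment why the value is known to be absent, would settle it. The comment text `we have add any overridden GID` is missing a word: `we have to add any overridden GID`. ipa_s2n_save_objects starts and ends outside the hunks.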
diff --git a/sssd.spec b/sssd.spec
index c1d3cd3..f5cef0b 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -25,7 +25,7 @@
 
 Name: sssd
 Version: 1.12.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -38,6 +38,28 @@ Patch0001: 0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
 Patch0002: 0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
 Patch0003: 0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
 Patch0004: 0004-IPA-Handle-NULL-members-in-process_members.patch
+Patch0005: 0005-GPO-Terminate-request-on-error.patch
+Patch0006: 0006-nss-group-enumeration-fix.patch
+Patch0007: 0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch
+Patch0008: 0008-IPA-use-ipaUserGroup-object-class-for-groups.patch
+Patch0009: 0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch
+Patch0010: 0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch
+Patch0011: 0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch
+Patch0012: 0012-Fix-uuid-defaults.patch
+Patch0013: 0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch
+Patch0014: 0014-LDAP-Disable-token-groups-by-default.patch
+Patch0015: 0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch
+Patch0016: 0016-sss_client-Fix-race-condition-in-memory-cache.patch
+Patch0017: 0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch
+Patch0018: 0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch
+Patch0019: 0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch
+Patch0020: 0020-SBUS-Initialize-DBusError-before-using-it.patch
+Patch0021: 0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch
+Patch0022: 0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch
+Patch0023: 0023-IPA-verify-group-memberships-of-trusted-domain-users.patch
+Patch0024: 0024-IPA-properly-handle-groups-from-different-domains.patch
+Patch0025: 0025-IPA-do-not-try-to-add-override-gid-twice.patch
+Patch0026: 0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch
 
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -882,6 +904,12 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Wed Dec 17 2014 Lukas Slebodnik <lslebodn at redhat.com> - 1.12.2-6
+- Fix regressions and bugs in sssd upstream 1.12.2
+- https://fedorahosted.org/sssd/ticket/{id}
+- Regressions: #2471, #2475, #2483, #2487, #2529, #2535
+- Bugs: #2287, #2445
+
 * Sun Dec  7 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.12.2-5
 - Rebuild for libldb 1.1.18
 

