From 11749ff4dfc10ee7a8f7dae4d7c44d5cb75a8474 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Jun 16 2013 11:20:21 +0000 Subject: Apply a number of patches from upstream to fix issues found post-beta In particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886) --- diff --git a/0001-Bumping-the-version-for-the-1.10-final-release.patch b/0001-Bumping-the-version-for-the-1.10-final-release.patch new file mode 100644 index 0000000..d08f64c --- /dev/null +++ b/0001-Bumping-the-version-for-the-1.10-final-release.patch @@ -0,0 +1,23 @@ +From 376e39bc7a7f49f08fd51b1a00aa5d2a456b2314 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 11 Jun 2013 17:44:04 +0200 +Subject: [PATCH 01/12] Bumping the version for the 1.10 final release + +--- + version.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/version.m4 b/version.m4 +index 1435f6999f6d4ffb06ad0dfd4261b03357fd0cfa..4066d317aae67fee317d13a67abec0dae3ce14aa 100644 +--- a/version.m4 ++++ b/version.m4 +@@ -1,5 +1,5 @@ + # Primary version number +-m4_define([VERSION_NUMBER], [1.9.94]) ++m4_define([VERSION_NUMBER], [1.9.95]) + + # If the PRERELEASE_VERSION_NUMBER is set, we'll append + # it to the release tag when creating an RPM or SRPM +-- +1.8.2.1 + diff --git a/0002-Change-order-of-libraries-in-linking-process.patch b/0002-Change-order-of-libraries-in-linking-process.patch new file mode 100644 index 0000000..b5af64f --- /dev/null +++ b/0002-Change-order-of-libraries-in-linking-process.patch 
@@ -0,0 +1,31 @@ +From fd98a28d6e94080e52bbedc789b06606a6019b10 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 12 Jun 2013 13:24:12 +0200 +Subject: [PATCH 02/12] Change order of libraries in linking process. + +It seems that some linkers have problem with wrong order of libraries. +This commit only change order. +--- + Makefile.am | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 93e3a6fc0ce063cb3c874bd90e0b1773fe053386..88e29fff4f6f1f3686c02ca23b5a6f4725f22797 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -577,10 +577,10 @@ endif + libsss_util_la_LDFLAGS = -avoid-version + + SSSD_INTERNAL_LTLIBS = \ ++ libsss_util.la \ + libsss_crypt.la \ + libsss_debug.la \ +- libsss_child.la \ +- libsss_util.la ++ libsss_child.la + + lib_LTLIBRARIES = libipa_hbac.la libsss_idmap.la libsss_nss_idmap.la + dist_pkgconfig_DATA += src/providers/ipa/ipa_hbac.pc +-- +1.8.2.1 + diff --git a/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch b/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch new file mode 100644 index 0000000..5c0ab38 --- /dev/null +++ b/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch 
@@ -0,0 +1,92 @@ +From 460e43ee4dcc7a5860bcdc3c76ae51ed79921d79 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 12 Jun 2013 09:50:54 +0200 +Subject: [PATCH 03/12] be_ptask: send and recv shadow a global declaration + +--- + src/providers/dp_ptask.c | 18 +++++++++--------- + src/providers/dp_ptask.h | 4 ++-- + 2 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/src/providers/dp_ptask.c b/src/providers/dp_ptask.c +index d3580981b4abea8471c280a647eb558341d738ef..d0f7c6d9700dd9d5cf588c9f72954590f65f82b5 100644 +--- a/src/providers/dp_ptask.c ++++ b/src/providers/dp_ptask.c +@@ -39,8 +39,8 @@ struct be_ptask { + time_t enabled_delay; + time_t timeout; + enum be_ptask_offline offline; +- be_ptask_send_t send; +- be_ptask_recv_t recv; ++ be_ptask_send_t send_fn; ++ be_ptask_recv_t recv_fn; + void *pvt; + const char *name; + +@@ -139,7 +139,7 @@ static void be_ptask_execute(struct tevent_context *ev, + + task->last_execution = time(NULL); + +- task->req = task->send(task, task->ev, task->be_ctx, task, task->pvt); ++ task->req = task->send_fn(task, task->ev, task->be_ctx, task, task->pvt); + if (task->req == NULL) { + /* skip this iteration and try again later */ + DEBUG(SSSDBG_OP_FAILURE, ("Task [%s]: failed to execute task, " +@@ -178,7 +178,7 @@ static void be_ptask_done(struct tevent_req *req) + + task = tevent_req_callback_data(req, struct be_ptask); + +- ret = task->recv(req); ++ ret = task->recv_fn(req); + talloc_zfree(req); + task->req = NULL; + switch (ret) { +@@ -246,8 +246,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx, + time_t enabled_delay, + time_t timeout, + enum be_ptask_offline offline, +- be_ptask_send_t send, +- be_ptask_recv_t recv, ++ be_ptask_send_t send_fn, ++ be_ptask_recv_t recv_fn, + void *pvt, + const char *name, + struct be_ptask **_task) +@@ -255,7 +255,7 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx, + struct be_ptask *task = NULL; + errno_t ret; + +- if (be_ctx == NULL || period == 0 || send == 
NULL || recv == NULL ++ if (be_ctx == NULL || period == 0 || send_fn == NULL || recv_fn == NULL + || name == NULL) { + return EINVAL; + } +@@ -272,8 +272,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx, + task->enabled_delay = enabled_delay; + task->timeout = timeout; + task->offline = offline; +- task->send = send; +- task->recv = recv; ++ task->send_fn = send_fn; ++ task->recv_fn = recv_fn; + task->pvt = pvt; + task->name = talloc_strdup(task, name); + if (task->name == NULL) { +diff --git a/src/providers/dp_ptask.h b/src/providers/dp_ptask.h +index ae5f78d586df69bdcfa34bb35f032ad1dbd1b983..7e45862e46c5d9da4eaedca5312e25dcc0eb8abe 100644 +--- a/src/providers/dp_ptask.h ++++ b/src/providers/dp_ptask.h +@@ -81,8 +81,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx, + time_t enabled_delay, + time_t timeout, + enum be_ptask_offline offline, +- be_ptask_send_t send, +- be_ptask_recv_t recv, ++ be_ptask_send_t send_fn, ++ be_ptask_recv_t recv_fn, + void *pvt, + const char *name, + struct be_ptask **_task); +-- +1.8.2.1 + diff --git a/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch b/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch new file mode 100644 index 0000000..2cf0e4b --- /dev/null +++ b/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch 
@@ -0,0 +1,98 @@ +From d24f0493002037a5809c9fc5ae27fa2ceb81036e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 12 Jun 2013 09:51:10 +0200 +Subject: [PATCH 04/12] be_refresh: send and recv shadow a global declaration + +--- + src/providers/dp_refresh.c | 22 +++++++++++----------- + src/providers/dp_refresh.h | 4 ++-- + 2 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/src/providers/dp_refresh.c b/src/providers/dp_refresh.c +index 59d858549d94660e4abd4f5610eda13dabb9b495..c368668e1def76a7a63cee87d6720239830e7c6b 100644 +--- a/src/providers/dp_refresh.c ++++ b/src/providers/dp_refresh.c +@@ -119,8 +119,8 @@ typedef errno_t + struct be_refresh_cb { + bool enabled; + be_refresh_get_values_t get_values; +- be_refresh_send_t send; +- be_refresh_recv_t recv; ++ be_refresh_send_t send_fn; ++ be_refresh_recv_t recv_fn; + void *pvt; + }; + +@@ -145,11 +145,11 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx) + + errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx, + enum be_refresh_type type, +- be_refresh_send_t send, +- be_refresh_recv_t recv, ++ be_refresh_send_t send_fn, ++ be_refresh_recv_t recv_fn, + void *pvt) + { +- if (ctx == NULL || send == NULL || recv == NULL ++ if (ctx == NULL || send_fn == NULL || recv_fn == NULL + || type >= BE_REFRESH_TYPE_SENTINEL) { + return EINVAL; + } +@@ -159,8 +159,8 @@ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx, + } + + ctx->callbacks[type].enabled = true; +- ctx->callbacks[type].send = send; +- ctx->callbacks[type].recv = recv; ++ ctx->callbacks[type].send_fn = send_fn; ++ ctx->callbacks[type].recv_fn = recv_fn; + ctx->callbacks[type].pvt = pvt; + + return EOK; +@@ -246,8 +246,8 @@ static errno_t be_refresh_step(struct tevent_req *req) + goto done; + } + +- if (state->cb->get_values == NULL || state->cb->send == NULL +- || state->cb->recv == NULL) { ++ if (state->cb->get_values == NULL || state->cb->send_fn == NULL ++ || state->cb->recv_fn == NULL) { + ret = 
EINVAL; + goto done; + } +@@ -260,7 +260,7 @@ static errno_t be_refresh_step(struct tevent_req *req) + goto done; + } + +- subreq = state->cb->send(state, state->ev, state->be_ctx, ++ subreq = state->cb->send_fn(state, state->ev, state->be_ctx, + values, state->cb->pvt); + if (subreq == NULL) { + ret = ENOMEM; +@@ -288,7 +288,7 @@ static void be_refresh_done(struct tevent_req *subreq) + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct be_refresh_state); + +- ret = state->cb->recv(subreq); ++ ret = state->cb->recv_fn(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; +diff --git a/src/providers/dp_refresh.h b/src/providers/dp_refresh.h +index a7b324702b0546d8156e8fa395b39fa58b52812d..0dedbc3c14bfb661ebf296a9021fa397769dee66 100644 +--- a/src/providers/dp_refresh.h ++++ b/src/providers/dp_refresh.h +@@ -54,8 +54,8 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx); + + errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx, + enum be_refresh_type type, +- be_refresh_send_t send, +- be_refresh_recv_t recv, ++ be_refresh_send_t send_fn, ++ be_refresh_recv_t recv_fn, + void *pvt); + + struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx, +-- +1.8.2.1 + diff --git a/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch b/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch new file mode 100644 index 0000000..ae6f3dd --- /dev/null +++ b/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch 
@@ -0,0 +1,28 @@ +From 49f3aebcc8614d483c5753109a9d65aa33d301ea Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 11 Jun 2013 12:48:06 +0200 +Subject: [PATCH 05/12] Use the correct talloc context when creating AD + subdomains + +sdom was only ever guaranteed to be set when a new domain was being +created. sditer is a valid pointer in both cases, so just use that. +--- + src/providers/ad/ad_subdomains.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index f4eec6a48019d55436631487a6108be405254766..07b523df5466319739e1f44164b7f08156ea214b 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -120,7 +120,7 @@ ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx, + } + + /* Convert the domain name into search base */ +- ret = domain_to_basedn(sdom, sditer->dom->name, &basedn); ++ ret = domain_to_basedn(sditer, sditer->dom->name, &basedn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("Cannot convert domain name [%s] to base DN [%d]: %s\n", +-- +1.8.2.1 + diff --git a/0006-Fix-minor-typos.patch b/0006-Fix-minor-typos.patch new file mode 100644 index 0000000..6c5aa09 --- /dev/null +++ b/0006-Fix-minor-typos.patch 
@@ -0,0 +1,90 @@ +From 1091c0ae2f1596ceb161e5b765a91c23c413b369 Mon Sep 17 00:00:00 2001 +From: Yuri Chornoivan +Date: Tue, 11 Jun 2013 19:12:41 +0300 +Subject: [PATCH 06/12] Fix minor typos + +--- + src/man/sssd-krb5.5.xml | 2 +- + src/man/sssd-ldap.5.xml | 2 +- + src/man/sssd.conf.5.xml | 4 ++-- + src/providers/ipa/ipa_hbac.h | 2 +- + src/tools/tools_mc_util.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml +index 906aee096d9815bcf32b992260a7f5254b93b947..df124b4d20f7f3b553d2eac554eaf5411c3c8436 100644 +--- a/src/man/sssd-krb5.5.xml ++++ b/src/man/sssd-krb5.5.xml +@@ -455,7 +455,7 @@ + krb5_use_kdcinfo (boolean) + + +- Specifies if the SSSD should be instructing the Kerberos ++ Specifies if the SSSD should instruct the Kerberos + libraries what realm and which KDCs to use. This option + is on by default, if you disable it, you need to configure + the Kerberos library using the +diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml +index 9cd594c7bdcf682b8fd355e8e566229afcb18a43..fd29650e94db917b0afb3f3a73e4082773d1340f 100644 +--- a/src/man/sssd-ldap.5.xml ++++ b/src/man/sssd-ldap.5.xml +@@ -1592,7 +1592,7 @@ + krb5_use_kdcinfo (boolean) + + +- Specifies if the SSSD should be instructing the Kerberos ++ Specifies if the SSSD should instruct the Kerberos + libraries what realm and which KDCs to use. This option + is on by default, if you disable it, you need to configure + the Kerberos library using the +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index d3e393c83e3ba130bab35a4d2153560710e16ba6..8df2bd97c4edb793e74a698b9531b3e7ab7c1abe 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -172,7 +172,7 @@ + + domain flat name. Mostly usable + for Active Directory domains, both +- directly configured or disovered ++ directly configured or discovered + via IPA trusts. + + +@@ -1605,7 +1605,7 @@ override_homedir = /home/%u + + domain flat name. 
Mostly usable + for Active Directory domains, both +- directly configured or disovered ++ directly configured or discovered + via IPA trusts. + + +diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h +index 02077e37ebeebd99ba06a9d27311c0885c4e2b7f..8bc2c4f90f32a83d14240abb4979ae265913ae6a 100644 +--- a/src/providers/ipa/ipa_hbac.h ++++ b/src/providers/ipa/ipa_hbac.h +@@ -212,7 +212,7 @@ enum hbac_error_code { + /** Unexpected error */ + HBAC_ERROR_UNKNOWN = -1, + +- /** Succesful evaluation */ ++ /** Successful evaluation */ + HBAC_SUCCESS, + + /** Function is not yet implemented */ +diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c +index 33d5d26dbefaa547da3a5c49947793b485896e83..5d4300fbe4c0fc8fd678d619277f1d8be18f0912 100644 +--- a/src/tools/tools_mc_util.c ++++ b/src/tools/tools_mc_util.c +@@ -111,7 +111,7 @@ done: + /* Closing the file also releases the lock */ + close(mc_fd); + +- /* Only unlink the file if invalidation was succesful */ ++ /* Only unlink the file if invalidation was successful */ + if (ret == EOK) { + pret = unlink(mc_filename); + if (pret == -1) { +-- +1.8.2.1 + diff --git a/0007-failover-set-state-out-when-meta-server-remains-in-S.patch b/0007-failover-set-state-out-when-meta-server-remains-in-S.patch new file mode 100644 index 0000000..eae1849 --- /dev/null +++ b/0007-failover-set-state-out-when-meta-server-remains-in-S.patch 
@@ -0,0 +1,26 @@ +From d3b39cf07164b23d47bbce3d6e6541b13fc895f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 13 Jun 2013 10:32:31 +0200 +Subject: [PATCH 07/12] failover: set state->out when meta server remains in + SRV_RESOLVE_ERROR + +https://fedorahosted.org/sssd/ticket/1886 +--- + src/providers/fail_over.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c +index 12b6c37828b7da0e68579bbb94668c21574974f1..1d2813589495ebb2ff56e93cddaed9d5172e128e 100644 +--- a/src/providers/fail_over.c ++++ b/src/providers/fail_over.c +@@ -1207,6 +1207,7 @@ resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + break; + case SRV_RESOLVE_ERROR: /* query could not be resolved but don't retry yet */ + ret = EIO; ++ state->out = server; + goto done; + case SRV_RESOLVED: /* The query is resolved and valid. Return. */ + state->out = server; +-- +1.8.2.1 + diff --git a/0008-KRB-Handle-preauthentication-error-correctly.patch b/0008-KRB-Handle-preauthentication-error-correctly.patch new file mode 100644 index 0000000..97b041f --- /dev/null +++ b/0008-KRB-Handle-preauthentication-error-correctly.patch 
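Review bot: The added `state->out = server;` in the `SRV_RESOLVE_ERROR` case of `resolve_srv_send` hands a server back on a path that sets `ret = EIO`, and nothing in the hunk says why an error return carries an output. The neighbouring `SRV_RESOLVED` case sets the same field on success, so a reader could take the new line for a copy-paste slip. A one-line comment above it would prevent that, for example `/* still report the meta server so the caller has a server to act on (ticket 1886) */`; the exact reason is inferred from the patch subject and should be confirmed. The function body continues outside the hunk.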
@@ -0,0 +1,76 @@ +From 22a21e910fd216ec1468fe769dcc29f1621a52a4 Mon Sep 17 00:00:00 2001 +From: Ondrej Kos +Date: Thu, 13 Jun 2013 15:28:23 +0200 +Subject: [PATCH 08/12] KRB: Handle preauthentication error correctly + +https://fedorahosted.org/sssd/ticket/1873 + +KRB preauthentication error was later mishandled like authentication error. +--- + src/providers/krb5/krb5_auth.c | 6 ++++++ + src/providers/krb5/krb5_child.c | 4 +++- + src/util/util_errors.c | 1 + + src/util/util_errors.h | 1 + + 4 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c +index f65e5993d54a5a265e4217e7f23d9549915c6b32..f6acfb4891cf5e99878ccfa7994ffeddf5447e2c 100644 +--- a/src/providers/krb5/krb5_auth.c ++++ b/src/providers/krb5/krb5_auth.c +@@ -1026,6 +1026,12 @@ static void krb5_auth_done(struct tevent_req *subreq) + ret = EOK; + goto done; + ++ case ERR_CREDS_INVALID: ++ state->pam_status = PAM_CRED_ERR; ++ state->dp_err = DP_ERR_OK; ++ ret = EOK; ++ goto done; ++ + case ERR_NO_CREDS: + state->pam_status = PAM_CRED_UNAVAIL; + state->dp_err = DP_ERR_OK; +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index 8f746a8db561928349ffed8b7434db2a113a1f86..74d730aaa2e84af111982a450dafd524d411f472 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -1172,9 +1172,11 @@ static errno_t map_krb5_error(krb5_error_code kerr) + return ERR_CREDS_EXPIRED; + + case KRB5KRB_AP_ERR_BAD_INTEGRITY: ++ return ERR_AUTH_FAILED; ++ + case KRB5_PREAUTH_FAILED: + case KRB5KDC_ERR_PREAUTH_FAILED: +- return ERR_AUTH_FAILED; ++ return ERR_CREDS_INVALID; + + default: + return ERR_INTERNAL; +diff --git a/src/util/util_errors.c b/src/util/util_errors.c +index b617f540691a245d1132469a1f019bcb0eb6e775..22a3045a6f9656d9ab8fe66673301a508e444771 100644 +--- a/src/util/util_errors.c ++++ b/src/util/util_errors.c +@@ -31,6 +31,7 @@ struct err_string error_to_str[] = { + { "Invalid 
credential type" }, /* ERR_INVALID_CRED_TYPE */ + { "No credentials available" }, /* ERR_NO_CREDS */ + { "Credentials are expired" }, /* ERR_CREDS_EXPIRED */ ++ { "Failure setting user credentials"}, /* ERR_CREDS_INVALID */ + { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */ + { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */ + { "Authentication Denied" }, /* ERR_AUTH_DENIED */ +diff --git a/src/util/util_errors.h b/src/util/util_errors.h +index a602a6ea92f72a51f5e21342940b2072bbe9296d..65d37aedb544bb303d7540fc59e1a802aee11898 100644 +--- a/src/util/util_errors.h ++++ b/src/util/util_errors.h +@@ -53,6 +53,7 @@ enum sssd_errors { + ERR_INVALID_CRED_TYPE, + ERR_NO_CREDS, + ERR_CREDS_EXPIRED, ++ ERR_CREDS_INVALID, + ERR_NO_CACHED_CREDS, + ERR_CACHED_CREDS_EXPIRED, + ERR_AUTH_DENIED, +-- +1.8.2.1 + diff --git a/0009-AD-Fix-segfault-in-DEBUG-message.patch b/0009-AD-Fix-segfault-in-DEBUG-message.patch new file mode 100644 index 0000000..7d2d064 --- /dev/null +++ b/0009-AD-Fix-segfault-in-DEBUG-message.patch 
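Review bot: A failed pre-authentication no longer surfaces as an authentication failure: `map_krb5_error` now returns `ERR_CREDS_INVALID` for `KRB5_PREAUTH_FAILED` and `KRB5KDC_ERR_PREAUTH_FAILED`, and the new `case ERR_CREDS_INVALID:` in `krb5_auth_done` turns that into `PAM_CRED_ERR`. Pre-authentication failure is what a KDC commonly returns for a wrong password, so it is worth confirming that failed-login accounting in the PAM stack still counts this status. The new case should also carry a comment giving the reason, for example `/* preauth failure: report invalid credentials rather than auth failure (ticket 1873) */`. Separately, the table text `"Failure setting user credentials"` describes the PAM code rather than `ERR_CREDS_INVALID`; wording such as `"Credentials are invalid"` would be clearer in logs. Both functions continue outside the hunks.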
@@ -0,0 +1,25 @@ +From bb4172259e04925ffc3a92e4450029634d295134 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 14 Jun 2013 14:05:24 +0200 +Subject: [PATCH 09/12] AD: Fix segfault in DEBUG message + +--- + src/providers/ad/ad_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c +index 1aad85de337870ede08114490398dfbde32bf62f..d53acf9ee03a88c78bca58e664121142a7331ade 100644 +--- a/src/providers/ad/ad_common.c ++++ b/src/providers/ad/ad_common.c +@@ -854,7 +854,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx, + ad_opts->service->krb5_service->write_kdcinfo = \ + dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO); + DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n", +- ad_opts->auth[KRB5_USE_KDCINFO].opt_name, ++ krb5_options[KRB5_USE_KDCINFO].opt_name, + ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false")); + + *_opts = talloc_steal(mem_ctx, krb5_options); +-- +1.8.2.1 + diff --git a/0010-AD-Remove-ad_options-auth-options-reference.patch b/0010-AD-Remove-ad_options-auth-options-reference.patch new file mode 100644 index 0000000..635af3d --- /dev/null +++ b/0010-AD-Remove-ad_options-auth-options-reference.patch 
@@ -0,0 +1,26 @@ +From 9f1106573a4fca41b99a468d06fa392486faf43c Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 14 Jun 2013 14:19:25 +0200 +Subject: [PATCH 10/12] AD: Remove ad_options->auth options reference + +The options are stored in ad_options->auth_ctx->opts, this member was +completely unused and confusing. +--- + src/providers/ad/ad_common.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h +index 801815528c30ef05956eb51dce7cc6f8b161ffa8..1503059e87d60c90d33c00cdd3ebb55b4f4530f0 100644 +--- a/src/providers/ad/ad_common.h ++++ b/src/providers/ad/ad_common.h +@@ -67,7 +67,6 @@ struct ad_options { + struct ad_id_ctx *id_ctx; + + /* Auth and chpass Provider */ +- struct dp_option *auth; + struct krb5_ctx *auth_ctx; + + /* Dynamic DNS updates */ +-- +1.8.2.1 + diff --git a/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch b/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch new file mode 100644 index 0000000..e403509 --- /dev/null +++ b/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch 
@@ -0,0 +1,122 @@ +From 03713859dffacc7142393e53c73d8d4cf7dee8d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 12 Jun 2013 13:44:19 +0200 +Subject: [PATCH 11/12] subdomains: touch krb5.conf when creating new + domain-realm mappings + +https://fedorahosted.org/sssd/ticket/1815 +--- + configure.ac | 1 + + src/conf_macros.m4 | 13 +++++++++++++ + src/providers/ipa/ipa_subdomains.c | 8 ++++++++ + src/util/sss_krb5.c | 22 ++++++++++++++++++++++ + src/util/sss_krb5.h | 3 +++ + 5 files changed, 47 insertions(+) + +diff --git a/configure.ac b/configure.ac +index e63e678705ee059b984612a6ffab1a10a4f7e7f8..7eeee2e2a069b2c4f7a3408798740cb7aba88513 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -110,6 +110,7 @@ WITH_XML_CATALOG + WITH_KRB5_PLUGIN_PATH + WITH_KRB5_RCACHE_DIR + WITH_KRB5AUTHDATA_PLUGIN_PATH ++WITH_KRB5_CONF + WITH_PYTHON_BINDINGS + WITH_SELINUX + WITH_NSCD +diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 +index c72b3dd73d5a3eac76c17d8ce2568088f78cfcb3..1dd296039719fb29b2dbd40710fe7428ef417e16 100644 +--- a/src/conf_macros.m4 ++++ b/src/conf_macros.m4 +@@ -291,6 +291,19 @@ AC_DEFUN([WITH_KRB5AUTHDATA_PLUGIN_PATH], + AC_SUBST(krb5authdatapluginpath) + ]) + ++AC_DEFUN([WITH_KRB5_CONF], ++ [ AC_ARG_WITH([krb5_conf], ++ [AC_HELP_STRING([--with-krb5-conf=PATH], [Path to krb5.conf file [/etc/krb5.conf]]) ++ ] ++ ) ++ ++ KRB5_CONF_PATH="${sysconfdir}/krb5.conf" ++ if test x"$with_krb5_conf" != x; then ++ KRB5_CONF_PATH=$with_krb5_conf ++ fi ++ AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file]) ++ ]) ++ + AC_DEFUN([WITH_PYTHON_BINDINGS], + [ AC_ARG_WITH([python-bindings], + [AC_HELP_STRING([--with-python-bindings], +diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c +index 18878ae33dc014639cfce0be54f9ca3a44c4ddbb..881f27c5d83f03a7e3bb1afb74fee765906e9148 100644 +--- a/src/providers/ipa/ipa_subdomains.c ++++ b/src/providers/ipa/ipa_subdomains.c +@@ -382,6 +382,14 @@ 
ipa_subdomains_write_mappings(struct sss_domain_info *domain) + goto done; + } + ++ /* touch krb5.conf to ensure that new mappings are loaded */ ++ ret = sss_krb5_touch_config(); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change last modification time " ++ "of krb5.conf. Created mappings may not be loaded.\n")); ++ /* just continue */ ++ } ++ + ret = EOK; + done: + if (fstream) { +diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c +index 674e9fcdd99e3d1df26b0db9854a80a6e3870d33..74db98fe9ee4cba858de5b459f0a5540003c63f8 100644 +--- a/src/util/sss_krb5.c ++++ b/src/util/sss_krb5.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #include "config.h" + +@@ -1176,3 +1177,24 @@ done: + return ENOTSUP; + #endif + } ++ ++errno_t sss_krb5_touch_config(void) ++{ ++ const char *config = NULL; ++ errno_t ret; ++ ++ config = getenv("KRB5_CONFIG"); ++ if (config == NULL) { ++ config = KRB5_CONF_PATH; ++ } ++ ++ ret = utime(config, NULL); ++ if (ret == -1) { ++ ret = errno; ++ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change mtime of \"%s\" " ++ "[%d]: %s\n", config, strerror(ret))); ++ return ret; ++ } ++ ++ return EOK; ++} +diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h +index 5fe7178c1aed8afaa9d85be99dd91634e0cedb36..9bae2f92b6d132ffd2631773deee4e9c56ad483d 100644 +--- a/src/util/sss_krb5.h ++++ b/src/util/sss_krb5.h +@@ -191,4 +191,7 @@ krb5_error_code sss_extract_pac(krb5_context ctx, + krb5_principal client_principal, + krb5_keytab keytab, + krb5_authdata ***_pac_authdata); ++ ++errno_t sss_krb5_touch_config(void); ++ + #endif /* __SSS_KRB5_H__ */ +-- +1.8.2.1 + diff --git a/0012-rpm-couple-of-small-fixes.patch b/0012-rpm-couple-of-small-fixes.patch new file mode 100644 index 0000000..45006a8 --- /dev/null +++ b/0012-rpm-couple-of-small-fixes.patch 
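Review bot: The `DEBUG` call in the new `sss_krb5_touch_config` has three conversions (`%s`, `%d`, `%s`) but passes only `config` and `strerror(ret)`. When `utime` fails, `%d` consumes the string pointer and the final `%s` reads an argument that was never passed, which is undefined behaviour on the error path of a long-running daemon. The argument list should read `config, ret, strerror(ret)));`. The path is also taken from `getenv("KRB5_CONFIG")`, which in MIT Kerberos may hold a colon-separated list of files; `utime` would then receive the whole list as one path and fail. A comment stating the single-path assumption, or touching only the first entry, would make the intent explicit.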
@@ -0,0 +1,39 @@ +From 47d19d62aaabb9e7f09353ecad9f48aa4054e3b1 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 12 Jun 2013 14:14:41 +0200 +Subject: [PATCH 12/12] rpm: couple of small fixes + +* Include localized pam_sss manpages in sssd-client +* Call ldconfig after libsss_nss_idmap is installed or removed +--- + contrib/sssd.spec.in | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index b9f852201dd9b9d53876c4dcd1c280bb5a31c73c..bee939092a135f5d7d97f9e361c3b4b8583a630c 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -471,6 +471,9 @@ do + sssd_krb5_*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang + ;; ++ pam_sss*) ++ echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang ++ ;; + sssd-ldap*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang + ;; +@@ -775,6 +778,10 @@ fi + + %postun -n libsss_idmap -p /sbin/ldconfig + ++%post -n libsss_nss_idmap -p /sbin/ldconfig ++ ++%postun -n libsss_nss_idmap -p /sbin/ldconfig ++ + %changelog + * Mon Mar 15 2010 Stephen Gallagher - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@ + - Automated build of the SSSD +-- +1.8.2.1 + diff --git a/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch b/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch new file mode 100644 index 0000000..2665bf8 --- /dev/null +++ b/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch 
@@ -0,0 +1,53 @@ +From 354febd0c5647e16c9ce5d3985600baa4b8a86ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 14 Jun 2013 13:49:47 +0200 +Subject: [PATCH] nested groups: allocate more space if deref returns more + members + +https://fedorahosted.org/sssd/ticket/1894 +--- + src/providers/ldap/sdap_async_nested_groups.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c +index e8d5295cc31319599212f96d7b58c8f5bd38245a..4f8dca9f50cdd150bacc14b1e834847e940b5e75 100644 +--- a/src/providers/ldap/sdap_async_nested_groups.c ++++ b/src/providers/ldap/sdap_async_nested_groups.c +@@ -2048,6 +2048,18 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq) + DEBUG(SSSDBG_TRACE_INTERNAL, ("Received %d dereference results, " + "about to process them\n", num_entries)); + ++ if (num_entries != members->num_values) { ++ /* Dereference returned more values than obtained earlier. We need ++ * to adjust group array size. */ ++ state->nested_groups = talloc_realloc(state, state->nested_groups, ++ struct sysdb_attrs *, ++ num_entries); ++ if (state->nested_groups == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ } ++ + for (i = 0; i < num_entries; i++) { + ret = sysdb_attrs_get_string(entries[i]->attrs, + SYSDB_ORIG_DN, &orig_dn); +@@ -2155,6 +2167,15 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq) + } + } + ++ /* adjust size of nested groups array */ ++ state->nested_groups = talloc_realloc(state, state->nested_groups, ++ struct sysdb_attrs *, ++ state->num_groups); ++ if (state->nested_groups == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ + ret = EOK; + + done: +-- +1.7.11.7 + diff --git a/sssd.spec b/sssd.spec index e8eff61..d2ab0a7 100644 --- a/sssd.spec +++ b/sssd.spec 
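Review bot: The second added `talloc_realloc`, which trims `state->nested_groups` to `state->num_groups`, will report `ENOMEM` when no nested group was kept. As far as I know talloc frees the chunk and returns NULL for a zero-element realloc, so a group whose dereferenced members are all users would fail here instead of succeeding. The first added block has the same shape when `num_entries` is 0. Its test is also `!=` while the comment speaks only of more values; if the array already holds entries, resizing it to a smaller `num_entries` would truncate them, which cannot be checked from this hunk. Guard the trim on a non-zero count and release the array otherwise, as below. `sdap_nested_group_deref_direct_process` starts and ends outside the hunks.

```c
    /* adjust size of nested groups array */
    if (state->num_groups > 0) {
        state->nested_groups = talloc_realloc(state, state->nested_groups,
                                              struct sysdb_attrs *,
                                              state->num_groups);
        if (state->nested_groups == NULL) {
            ret = ENOMEM;
            goto done;
        }
    } else {
        /* nothing to keep: a zero-count realloc would free and return NULL */
        talloc_zfree(state->nested_groups);
    }

    ret = EOK;
```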
@@ -16,7 +16,7 @@ Name: sssd Version: 1.10.0 -Release: 10%{?dist}.beta2 +Release: 11%{?dist}.beta2 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -25,6 +25,20 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta2.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### +Patch0001: 0001-Bumping-the-version-for-the-1.10-final-release.patch +Patch0002: 0002-Change-order-of-libraries-in-linking-process.patch +Patch0003: 0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch +Patch0004: 0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch +Patch0005: 0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch +Patch0006: 0006-Fix-minor-typos.patch +Patch0007: 0007-failover-set-state-out-when-meta-server-remains-in-S.patch +Patch0008: 0008-KRB-Handle-preauthentication-error-correctly.patch +Patch0009: 0009-AD-Fix-segfault-in-DEBUG-message.patch +Patch0010: 0010-AD-Remove-ad_options-auth-options-reference.patch +Patch0011: 0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch +Patch0012: 0012-rpm-couple-of-small-fixes.patch +Patch0013: 0013-nested-groups-allocate-more-space-if-deref-returns-m.patch + Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch ### Dependencies ### @@ -714,6 +728,13 @@ fi %postun -n libsss_idmap -p /sbin/ldconfig %changelog +* Sun Jun 16 2013 Jakub Hrozek - 1.10.0-11.beta2 +- Apply a number of patches from upstream to fix issues found post-beta, + in particular: + -- segfault with a high DEBUG level + -- Fix IPA password migration (upstream #1873) + -- Fix fail over when retrying SRV resolution (upstream #1886) + * Thu Jun 13 2013 Jakub Hrozek - 1.10.0-10.beta2 - Only BuildRequire libcmocka on Fedora