diff --git a/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch b/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
new file mode 100644
index 0000000..ea41680
--- /dev/null
+++ b/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
@@ -0,0 +1,36 @@
+From 29f9df0162096d0e3ec4e85c1f1b5ce87062aa64 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 15 Mar 2018 12:43:34 +0100
+Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent()
+
+setnetgrent() is the first call when looking up a netgroup and sets the
+netgroup name for upcoming getnetgrent() and endnetgrent() calls.
+Currently the state is reset by calling endnetgrent() but it would be
+more robust to unconditionally reset the state in setnetgrent() as well
+in case calling endnetgrent() was forgotten.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 37a84285aeb497ed4909d16916bbf934af3f68b3)
+---
+ src/responder/nss/nss_cmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
+index 956ee53cb..9f8479b7b 100644
+--- a/src/responder/nss/nss_cmd.c
++++ b/src/responder/nss/nss_cmd.c
+@@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+         goto done;
+     }
+ 
++    state_ctx->netgrent.domain = 0;
++    state_ctx->netgrent.result = 0;
++
+     talloc_zfree(state_ctx->netgroup);
+     state_ctx->netgroup = talloc_strdup(state_ctx, netgroup);
+     if (state_ctx->netgroup == NULL) {
+-- 
+2.14.3
+
diff --git a/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch b/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
new file mode 100644
index 0000000..5af0f87
--- /dev/null
+++ b/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
@@ -0,0 +1,116 @@
+From 9f85ab4d8eba042b43a9346ed6dfbf3fc60ea488 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 15 Mar 2018 12:50:20 +0100
+Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index
+
+Netgroups are not looked up with the help of a single request but by
+calling setnetgrent(), getnetgrent() and endnetgrent() where
+getnetgrent() might be called multiple times depending on the number of
+netgroup elements. Since the caller does not provide a state the state
+has to be maintained by the SSSD nss responder. Besides the netgroup
+name this is mainly the number of elements already returned.
+
+This number is used to select the next element to return and currently
+it is assumed that there are not changes to the netgroup while the
+client is requesting the individual elements. But if e.g. the 3 nss
+calls are not used correctly or the netgroup is modified while the
+client is sending getnetgrent() calls the stored number might be out of
+range. To be on the safe side the stored number should be always
+compared with the current number of netgroup elements.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda)
+---
+ src/db/sysdb.h                         | 3 ++-
+ src/db/sysdb_search.c                  | 5 ++++-
+ src/responder/nss/nss_enum.c           | 3 ++-
+ src/responder/nss/nss_private.h        | 1 +
+ src/responder/nss/nss_protocol_netgr.c | 7 +++++++
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index fd18ecefe..2660314a7 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx,
+ 
+ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+                                struct ldb_result *res,
+-                               struct sysdb_netgroup_ctx ***entries);
++                               struct sysdb_netgroup_ctx ***entries,
++                               size_t *netgroup_count);
+ 
+ errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input,
+                           char **sanitized);
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index dc0bd4f2c..b7ceb6e59 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -1831,7 +1831,8 @@ done:
+ 
+ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+                                struct ldb_result *res,
+-                               struct sysdb_netgroup_ctx ***entries)
++                               struct sysdb_netgroup_ctx ***entries,
++                               size_t *netgroup_count)
+ {
+     errno_t ret;
+     size_t size = 0;
+@@ -1935,6 +1936,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+     tmp_entry[c] = NULL;
+ 
+     *entries = talloc_steal(mem_ctx, tmp_entry);
++    *netgroup_count = c;
++
+     ret = EOK;
+ 
+ done:
+diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
+index 031db9f2e..a45b65233 100644
+--- a/src/responder/nss/nss_enum.c
++++ b/src/responder/nss/nss_enum.c
+@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq)
+             /* We need to expand the netgroup into triples and members. */
+             ret = sysdb_netgr_to_entries(state->enum_ctx,
+                                          result[0]->ldb_result,
+-                                         &state->enum_ctx->netgroup);
++                                         &state->enum_ctx->netgroup,
++                                         &state->enum_ctx->netgroup_count);
+             if (ret != EOK) {
+                 goto done;
+             }
+diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
+index 5fc19d26b..aa8d8e9cd 100644
+--- a/src/responder/nss/nss_private.h
++++ b/src/responder/nss/nss_private.h
+@@ -41,6 +41,7 @@ struct nss_enum_index {
+ struct nss_enum_ctx {
+     struct cache_req_result **result;
+     struct sysdb_netgroup_ctx **netgroup;
++    size_t netgroup_count;
+ 
+     /* Ongoing cache request that is constructing enumeration result. */
+     struct tevent_req *ongoing;
+diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c
+index ed04fd258..9f27c6b78 100644
+--- a/src/responder/nss/nss_protocol_netgr.c
++++ b/src/responder/nss/nss_protocol_netgr.c
+@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
+     idx = cmd_ctx->enum_index;
+     entries = cmd_ctx->enum_ctx->netgroup;
+ 
++    if (idx->result > cmd_ctx->enum_ctx->netgroup_count) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              "Unconsistent state while processing netgroups.\n");
++        ret = EINVAL;
++        goto done;
++    }
++
+     /* First two fields (length and reserved), filled up later. */
+     ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
+     if (ret != EOK) {
+-- 
+2.14.3
+
diff --git a/sssd.spec b/sssd.spec
index a5a0523..c86fa78 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -69,6 +69,8 @@ Patch0024: 0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
 Patch0025: 0025-AD-Missing-header-in-ad_access.h.patch
 Patch0026: 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
 Patch0027: 0027-GPO-Use-AD-site-override-if-set.patch
+Patch0028: 0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
+Patch0029: 0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
 
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -1280,6 +1282,7 @@ fi
                             netgrous in 1.15
 - Resolves: upstream#3402 - Support alternative sources for the files provider
 - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option
+- Resolves: upstream#3679 - Make nss netgroup requests more robust
 
 * Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain