diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/Manifest
new file mode 100644
index 0000000000..da573d2524
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/Manifest
@@ -0,0 +1 @@
+DIST adcli-0.8.2.tar.gz 467168 SHA256 72f6db406e35d96de2bdc413a5ed69f28a4a735c08670c6556713c3f83921aa4 SHA512 a46e3f4b3c5434557a75cfe1c44c8bc7e9e7c7e240fa3a903e0095ef58505c2bcc66e80aa7b9a6bcf3284aed1d9af4068037c57cd5bd9f68a0bde34f429c44e9 WHIRLPOOL d7c8f8b028169dd29f5001762197ef9fd27e66df2711f2a7cd5ae9eed6d6c14c58778e968383b183eb62b0774a183c6031bb7b67f60fb9e4bd3bf3c029c4e6e1
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/adcli-0.8.2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/adcli-0.8.2.ebuild
new file mode 120000
index 0000000000..555ce8e8cb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/adcli-0.8.2.ebuild
@@ -0,0 +1 @@
+adcli-9999.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/adcli-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/adcli-9999.ebuild
new file mode 100644
index 0000000000..54f6d1909a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/adcli-9999.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+if [[ ${PV} == *9999 ]]; then
+	EGIT_REPO_URI="https://anongit.freedesktop.org/git/realmd/adcli.git"
+	KEYWORDS="~amd64 ~arm64"
+	inherit git-r3
+else
+	SRC_URI="https://www.freedesktop.org/software/realmd/releases/${P}.tar.gz"
+	KEYWORDS="amd64 arm64"
+fi
+
+inherit autotools
+
+DESCRIPTION="A helper library and tools for Active Directory client operations"
+HOMEPAGE="https://www.freedesktop.org/software/realmd/adcli/"
+
+LICENSE="LGPL-2.1+"
+SLOT="0"
+IUSE="debug doc"
+
+RDEPEND="
+	app-crypt/mit-krb5
+	dev-libs/cyrus-sasl
+	net-nds/openldap
+"
+DEPEND="${RDEPEND}
+	doc? (
+		app-text/docbook-xml-dtd:4.3
+		dev-libs/libxslt
+	)
+"
+
+src_prepare() {
+	eapply_user
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		$(use_enable debug) \
+		$(use_enable doc)
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/metadata.xml
new file mode 100644
index 0000000000..097975e3ad
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/adcli/metadata.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r279.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r280.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r279.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r280.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index ccbd74485e..bc7f83a2a2 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -76,6 +76,7 @@ RDEPEND="${RDEPEND}
 # Only applicable or available on amd64
 RDEPEND="${RDEPEND}
 	amd64? (
+		app-admin/adcli
 		app-admin/kubelet-wrapper
 		app-crypt/go-tspi
 		app-emulation/xenserver-pv-version
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r10.ebuild
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r10.ebuild
index ea251fbe0a..9537cc475a 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r9.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/cyrus-sasl-2.1.26-r10.ebuild
@@ -58,6 +58,7 @@ src_prepare() {
 	epatch "${FILESDIR}"/${PN}-2.1.26-canonuser-ldapdb-garbage-in-out-buffer.patch
 	epatch "${FILESDIR}"/${PN}-2.1.26-fix_dovecot_authentication.patch
 	epatch "${FILESDIR}"/${PN}-2.1.26-fix-cross-compiling.patch
+	epatch "${FILESDIR}"/${PN}-2.1.26-fix-cross-compiling-again.patch
 
 	# Get rid of the -R switch (runpath_switch for Sun)
 	# >=gcc-4.6 errors out with unknown option
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix-cross-compiling-again.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix-cross-compiling-again.patch
new file mode 100644
index 0000000000..019a4f205c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.26-fix-cross-compiling-again.patch
@@ -0,0 +1,186 @@
+From c34ae6a35909e4ec50b4614628a598ae935c71c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@gmail.com>
+Date: Thu, 19 Nov 2015 19:40:52 +0100
+Subject: [PATCH] Use AX_PROG_CC_FOR_BUILD for build generators
+
+This allows to call makemd5 in cross-compiled environments.
+---
+ configure.ac               |   1 +
+ include/Makefile.am        |  15 ++++--
+ m4/ax_prog_cc_for_build.m4 | 125 +++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 138 insertions(+), 3 deletions(-)
+ create mode 100644 m4/ax_prog_cc_for_build.m4
+
+diff --git a/configure.ac b/configure.ac
+index 429189e..2abcc61 100644
+--- a/configure.in
++++ b/configure.in
+@@ -93,6 +93,7 @@ AC_ARG_ENABLE(obsolete_cram_attr,
+               enable_obsolete_cram_attr=yes)
+ 
+ AC_PROG_CC
++AX_PROG_CC_FOR_BUILD
+ AC_PROG_CPP
+ AC_PROG_AWK
+ AC_PROG_LN_S
+diff --git a/include/Makefile.am b/include/Makefile.am
+index 5ea5be2..c942efa 100644
+--- a/include/Makefile.am
++++ b/include/Makefile.am
+@@ -51,9 +51,15 @@ noinst_PROGRAMS = makemd5
+ 
+ makemd5_SOURCES = makemd5.c
+ 
+-md5global.h: makemd5
+-	-rm -f md5global.h
+-	./makemd5 md5global.h
++makemd5$(BUILD_EXEEXT) $(makemd5_OBJECTS): CC=$(CC_FOR_BUILD)
++makemd5$(BUILD_EXEEXT) $(makemd5_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
++makemd5$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD)
++
++md5global.h: makemd5$(BUILD_EXEEXT) Makefile
++	-rm -f $@
++	./$< $@
++
++BUILT_SOURCES = md5global.h
+ 
+ EXTRA_DIST = NTMakefile
+ DISTCLEANFILES = md5global.h
+@@ -63,3 +69,6 @@ framedir = /Library/Frameworks/SASL2.framework
+ frameheaderdir = $(framedir)/Versions/A/Headers
+ frameheader_DATA = $(saslinclude_HEADERS)
+ endif
++
++# TODO: automake, don't build it
++makemd5$(EXEEXT):
+diff --git a/m4/ax_prog_cc_for_build.m4 b/m4/ax_prog_cc_for_build.m4
+new file mode 100644
+index 0000000..77fd346
+--- /dev/null
++++ b/m4/ax_prog_cc_for_build.m4
+@@ -0,0 +1,125 @@
++# ===========================================================================
++#   http://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++#   AX_PROG_CC_FOR_BUILD
++#
++# DESCRIPTION
++#
++#   This macro searches for a C compiler that generates native executables,
++#   that is a C compiler that surely is not a cross-compiler. This can be
++#   useful if you have to generate source code at compile-time like for
++#   example GCC does.
++#
++#   The macro sets the CC_FOR_BUILD and CPP_FOR_BUILD macros to anything
++#   needed to compile or link (CC_FOR_BUILD) and preprocess (CPP_FOR_BUILD).
++#   The value of these variables can be overridden by the user by specifying
++#   a compiler with an environment variable (like you do for standard CC).
++#
++#   It also sets BUILD_EXEEXT and BUILD_OBJEXT to the executable and object
++#   file extensions for the build platform, and GCC_FOR_BUILD to `yes' if
++#   the compiler we found is GCC. All these variables but GCC_FOR_BUILD are
++#   substituted in the Makefile.
++#
++# LICENSE
++#
++#   Copyright (c) 2008 Paolo Bonzini <bonzini@gnu.org>
++#
++#   Copying and distribution of this file, with or without modification, are
++#   permitted in any medium without royalty provided the copyright notice
++#   and this notice are preserved. This file is offered as-is, without any
++#   warranty.
++
++#serial 8
++
++AU_ALIAS([AC_PROG_CC_FOR_BUILD], [AX_PROG_CC_FOR_BUILD])
++AC_DEFUN([AX_PROG_CC_FOR_BUILD], [dnl
++AC_REQUIRE([AC_PROG_CC])dnl
++AC_REQUIRE([AC_PROG_CPP])dnl
++AC_REQUIRE([AC_EXEEXT])dnl
++AC_REQUIRE([AC_CANONICAL_HOST])dnl
++
++dnl Use the standard macros, but make them use other variable names
++dnl
++pushdef([ac_cv_prog_CPP], ac_cv_build_prog_CPP)dnl
++pushdef([ac_cv_prog_gcc], ac_cv_build_prog_gcc)dnl
++pushdef([ac_cv_prog_cc_works], ac_cv_build_prog_cc_works)dnl
++pushdef([ac_cv_prog_cc_cross], ac_cv_build_prog_cc_cross)dnl
++pushdef([ac_cv_prog_cc_g], ac_cv_build_prog_cc_g)dnl
++pushdef([ac_cv_exeext], ac_cv_build_exeext)dnl
++pushdef([ac_cv_objext], ac_cv_build_objext)dnl
++pushdef([ac_exeext], ac_build_exeext)dnl
++pushdef([ac_objext], ac_build_objext)dnl
++pushdef([CC], CC_FOR_BUILD)dnl
++pushdef([CPP], CPP_FOR_BUILD)dnl
++pushdef([CFLAGS], CFLAGS_FOR_BUILD)dnl
++pushdef([CPPFLAGS], CPPFLAGS_FOR_BUILD)dnl
++pushdef([LDFLAGS], LDFLAGS_FOR_BUILD)dnl
++pushdef([host], build)dnl
++pushdef([host_alias], build_alias)dnl
++pushdef([host_cpu], build_cpu)dnl
++pushdef([host_vendor], build_vendor)dnl
++pushdef([host_os], build_os)dnl
++pushdef([ac_cv_host], ac_cv_build)dnl
++pushdef([ac_cv_host_alias], ac_cv_build_alias)dnl
++pushdef([ac_cv_host_cpu], ac_cv_build_cpu)dnl
++pushdef([ac_cv_host_vendor], ac_cv_build_vendor)dnl
++pushdef([ac_cv_host_os], ac_cv_build_os)dnl
++pushdef([ac_cpp], ac_build_cpp)dnl
++pushdef([ac_compile], ac_build_compile)dnl
++pushdef([ac_link], ac_build_link)dnl
++
++save_cross_compiling=$cross_compiling
++save_ac_tool_prefix=$ac_tool_prefix
++cross_compiling=no
++ac_tool_prefix=
++
++AC_PROG_CC
++AC_PROG_CPP
++AC_EXEEXT
++
++ac_tool_prefix=$save_ac_tool_prefix
++cross_compiling=$save_cross_compiling
++
++dnl Restore the old definitions
++dnl
++popdef([ac_link])dnl
++popdef([ac_compile])dnl
++popdef([ac_cpp])dnl
++popdef([ac_cv_host_os])dnl
++popdef([ac_cv_host_vendor])dnl
++popdef([ac_cv_host_cpu])dnl
++popdef([ac_cv_host_alias])dnl
++popdef([ac_cv_host])dnl
++popdef([host_os])dnl
++popdef([host_vendor])dnl
++popdef([host_cpu])dnl
++popdef([host_alias])dnl
++popdef([host])dnl
++popdef([LDFLAGS])dnl
++popdef([CPPFLAGS])dnl
++popdef([CFLAGS])dnl
++popdef([CPP])dnl
++popdef([CC])dnl
++popdef([ac_objext])dnl
++popdef([ac_exeext])dnl
++popdef([ac_cv_objext])dnl
++popdef([ac_cv_exeext])dnl
++popdef([ac_cv_prog_cc_g])dnl
++popdef([ac_cv_prog_cc_cross])dnl
++popdef([ac_cv_prog_cc_works])dnl
++popdef([ac_cv_prog_gcc])dnl
++popdef([ac_cv_prog_CPP])dnl
++
++dnl Finally, set Makefile variables
++dnl
++BUILD_EXEEXT=$ac_build_exeext
++BUILD_OBJEXT=$ac_build_objext
++AC_SUBST(BUILD_EXEEXT)dnl
++AC_SUBST(BUILD_OBJEXT)dnl
++AC_SUBST([CFLAGS_FOR_BUILD])dnl
++AC_SUBST([CPPFLAGS_FOR_BUILD])dnl
++AC_SUBST([LDFLAGS_FOR_BUILD])dnl
++])
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
new file mode 100644
index 0000000000..8e3f1d2a04
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
@@ -0,0 +1,2 @@
+DIST samba-4.5.1.tar.gz 20930661 SHA256 b0a703e069677ff3182e5da3a91e018db344e3b54e0a43ed43dbfd8eb7d3f085 SHA512 636c0d2c68f2e041c6961013365314192b5bdb670281fad52c6a7d9ae8e617d0c678f382cde4132cda694c8c5f0552d681ea45ae98bf6f339fa149227d75a3f2 WHIRLPOOL 5c978b03878cd08beff98ac91213c5ac52da8c41527a1c32150a81a142ec4f2f7911c888dd8a70f8ffbdb4e82508856deefbf0c39fd225db6f324518fdedba80
+DIST samba-disable-python-patches-4.5.0_rc1.tar.xz 6204 SHA256 fa0d776e04e3222c0dc4761e376717f4154937cdcb85f4117b8978dfb770a78e SHA512 920089ba3c6e8e7d913b1d7ef1017262a19d1af41215adb30cfc98a57556efc4b0116931d4ef774c01124149d8eca2be3a23814ce7e11daf0180d2c111799927 WHIRLPOOL 6d55710895435ad012e23f8c252e5276966241014710349ca7fa9cf037e8742030b8e053f7cb71309a0a45f48d2235d55393243bf4d19476a22dd39bb1b7748d
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd
new file mode 100644
index 0000000000..58b2c7827b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd
@@ -0,0 +1,38 @@
+# Add "winbind" to the daemon_list if you also want winbind to start.
+# Replace "smbd nmbd" by "samba4" if you want the active directory domain controller part or the ntvfs
+# file server part or the rpc proxy to start.
+# Note that samba4 controls 'smbd' by itself, thus it can't be started manually. You can, however,
+# tweak the behaviour of a samba4-controlled smbd by modifying your '/etc/samba/smb.conf' file
+# accordingly.
+daemon_list="smbd nmbd"
+
+#----------------------------------------------------------------------------
+# Daemons calls: <daemon_name>_<command_option>
+#----------------------------------------------------------------------------
+my_service_name="samba"
+my_service_PRE="unset TMP TMPDIR"
+my_service_POST=""
+
+#----------------------------------------------------------------------------
+# Daemons calls: <daemon_name>_<command_option>
+#----------------------------------------------------------------------------
+smbd_start_options="-D"
+smbd_start="start-stop-daemon --start --exec /usr/sbin/smbd -- ${smbd_start_options}"
+smbd_stop="start-stop-daemon --stop --exec /usr/sbin/smbd"
+smbd_reload="killall -HUP smbd"
+
+nmbd_start_options="-D"
+nmbd_start="start-stop-daemon --start --exec /usr/sbin/nmbd -- ${nmbd_start_options}"
+nmbd_stop="start-stop-daemon --stop --exec /usr/sbin/nmbd"
+nmbd_reload="killall -HUP nmbd"
+
+samba4_start_options=""
+samba4_start="start-stop-daemon --start --exec /usr/sbin/samba -- ${samba4_start_options}"
+samba4_stop="start-stop-daemon --stop --exec /usr/sbin/samba"
+samba4_reload="killall -HUP samba"
+
+winbind_start_options=""
+winbind_start="start-stop-daemon --start --exec /usr/sbin/winbindd -- ${winbind_start_options}"
+winbind_stop="start-stop-daemon --stop --exec /usr/sbin/winbindd"
+winbind_reload="killall -HUP winbindd"
+
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1 b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1
new file mode 100644
index 0000000000..bf162ad745
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1
@@ -0,0 +1,56 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License, v2 or later
+# $Id$
+
+extra_started_commands="reload"
+piddir="/run/samba"
+
+depend() {
+	after slapd
+	need net
+	use cupsd
+}
+
+DAEMONNAME="${SVCNAME##samba.}"
+[ "${DAEMONNAME}" != "samba" ] && daemon_list=${DAEMONNAME}
+
+signal_do() {
+	local signal="$1"
+	[ -z "${signal}" ] && return 0
+
+	local result=0 last_result=0 daemon= cmd_exec=
+	for daemon in ${daemon_list} ; do
+		eval cmd_exec=\$${daemon}_${signal}
+		if [ -n "${cmd_exec}" ]; then
+			ebegin "${my_service_name} -> ${signal}: ${daemon}"
+			#echo ${cmd} '->' ${!cmd}
+			${cmd_exec} > /dev/null
+			last_result=$?
+			eend ${last_result}
+		fi
+		result=$(( ${result} + ${last_result} ))
+	done
+	return ${result}
+}
+
+start() {
+	${my_service_PRE}
+	[ -d "${piddir}" ] || mkdir -p "${piddir}"
+	signal_do start && return 0
+
+	eerror "Error: starting services (see system logs)"
+	signal_do stop
+	return 1
+}
+stop() {
+	${my_service_PRE}
+	if signal_do stop ; then
+		${my_service_POST}
+		return 0
+	fi
+}
+reload() {
+	${my_service_PRE}
+	signal_do reload
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service
new file mode 100644
index 0000000000..44b4ffba1f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Samba NetBIOS name server
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/samba/nmbd.pid
+ExecStart=/usr/sbin/nmbd -D 
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.4.0-pam.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.4.0-pam.patch
new file mode 100644
index 0000000000..451601383d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.4.0-pam.patch
@@ -0,0 +1,29 @@
+--- samba-4.4.0rc2/source3/wscript
++++ samba-4.4.0rc2/source3/wscript
+@@ -870,7 +870,7 @@
+         if conf.env.with_iconv:
+             conf.DEFINE('HAVE_ICONV', 1)
+ 
+-    if Options.options.with_pam:
++    if Options.options.with_pam != False:
+         use_pam=True
+         conf.CHECK_HEADERS('security/pam_appl.h pam/pam_appl.h')
+         if not conf.CONFIG_SET('HAVE_SECURITY_PAM_APPL_H') and not conf.CONFIG_SET('HAVE_PAM_PAM_APPL_H'):
+@@ -943,6 +943,17 @@
+             conf.DEFINE('WITH_PAM', 1)
+             conf.DEFINE('WITH_PAM_MODULES', 1)
+ 
++    else:
++        Logs.warn("PAM disabled")
++        use_pam=False
++        conf.undefine('WITH_PAM')
++        conf.undefine('WITH_PAM_MODULES')
++        conf.undefine('HAVE_SECURITY_PAM_APPL_H')
++        conf.undefine('PAM_RHOST')
++        conf.undefine('PAM_TTY')
++        conf.undefine('HAVE_PAM_PAM_APPL_H')
++
++
+     seteuid = False
+ 
+ #
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf
new file mode 100644
index 0000000000..e0a6f325cf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf
@@ -0,0 +1,2 @@
+D /run/samba 0755 root root
+D /run/lock/samba 0755 root root
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service
new file mode 100644
index 0000000000..8214ff8631
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Samba AD server
+After=network.target winbindd.service
+Conflicts=nmbd.service smbd.service
+
+[Service]
+ExecStart=/usr/sbin/samba --interactive 
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service
new file mode 100644
index 0000000000..5c006a44ed
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Samba SMB/CIFS server
+After=network.target nmbd.service winbindd.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/samba/smbd.pid
+ExecStart=/usr/sbin/smbd -D 
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket
new file mode 100644
index 0000000000..833bf43883
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=Samba SMB/CIFS server socket
+
+[Socket]
+ListenStream=445
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service
new file mode 100644
index 0000000000..e1f71be3f7
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Samba SMB/CIFS server instance
+
+[Service]
+ExecStart=/usr/sbin/smbd -F
+ExecReload=/bin/kill -HUP $MAINPID
+StandardInput=socket
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service
new file mode 100644
index 0000000000..67a778fc76
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Samba Winbind daemon
+After=network.target nmbd.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/samba/winbindd.pid
+ExecStart=/usr/sbin/winbindd -D 
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
new file mode 100644
index 0000000000..b367f4d2c3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>samba@gentoo.org</email>
+		<name>Samba Team</name>
+	</maintainer>
+	<longdescription>
+		Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Integration with various accounting and antivirus backends. License: GNU General Public License.
+	</longdescription>
+	<use>
+		<flag name="addc">Enable Active Directory Domain Controller support</flag>
+		<flag name="ads">Enable Active Directory support</flag>
+		<flag name="swat">Enables support for swat configuration gui</flag>
+		<flag name="winbind">Enables support for the winbind auth daemon</flag>
+		<flag name="client">Enables the client part</flag>
+		<flag name="server">Enables the server part</flag>
+		<flag name="netapi">Enable building of netapi bits</flag>
+		<flag name="addns">Enable AD DNS integration</flag>
+		<flag name="aio">Enable asynchronous IO support</flag>
+		<flag name="cluster">Enable support for clustering</flag>
+		<flag name="dmapi">Enable support for DMAPI. This currently works only in combination with XFS.</flag>
+		<flag name="ldb">Enable the ldb tools</flag>
+		<flag name="quota">Enables support for user quotas</flag>
+		<flag name="smbclient">Enable smbclient tool</flag>
+		<flag name="smbsharemodes">Enable special smb share modes (?) </flag>
+		<flag name="system-mitkrb5">Use <pkg>app-crypt/mit-krb5</pkg> instead of
+			<pkg>app-crypt/heimdal</pkg>.</flag>
+		<flag name="iprint">Enabling iPrint technology by Novell</flag>
+	</use>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.5.1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.5.1.ebuild
new file mode 100644
index 0000000000..4773633386
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.5.1.ebuild
@@ -0,0 +1,241 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 )
+PYTHON_REQ_USE='threads(+),xml(+)'
+
+inherit python-single-r1 waf-utils multilib-minimal linux-info systemd eutils
+
+MY_PV="${PV/_rc/rc}"
+MY_P="${PN}-${MY_PV}"
+
+SRC_PATH="stable"
+[[ ${PV} = *_rc* ]] && SRC_PATH="rc"
+
+SRC_URI="mirror://samba/${SRC_PATH}/${MY_P}.tar.gz
+	https://dev.gentoo.org/~polynomial-c/samba-disable-python-patches-4.5.0_rc1.tar.xz"
+[[ ${PV} = *_rc* ]] || \
+KEYWORDS="amd64 arm64 ~hppa ~x86"
+
+DESCRIPTION="Samba Suite Version 4"
+HOMEPAGE="http://www.samba.org/"
+LICENSE="GPL-3"
+
+SLOT="0"
+
+IUSE="acl addc addns ads client cluster cups dmapi fam gnutls iprint ldap
++minimal pam quota selinux syslog +system-mitkrb5 systemd test winbind zeroconf"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/samba-4.0/policy.h
+	/usr/include/samba-4.0/dcerpc_server.h
+	/usr/include/samba-4.0/ctdb.h
+	/usr/include/samba-4.0/ctdb_client.h
+	/usr/include/samba-4.0/ctdb_protocol.h
+	/usr/include/samba-4.0/ctdb_private.h
+	/usr/include/samba-4.0/ctdb_typesafe_cb.h
+	/usr/include/samba-4.0/ctdb_version.h
+)
+
+# sys-apps/attr is an automagic dependency (see bug #489748)
+CDEPEND="
+	>=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}]
+	dev-libs/libaio[${MULTILIB_USEDEP}]
+	dev-libs/libbsd[${MULTILIB_USEDEP}]
+	dev-libs/iniparser:0
+	dev-libs/popt[${MULTILIB_USEDEP}]
+	sys-libs/readline:=
+	virtual/libiconv
+	sys-apps/attr[${MULTILIB_USEDEP}]
+	sys-libs/libcap
+	sys-libs/ncurses:0=[${MULTILIB_USEDEP}]
+	sys-libs/zlib[${MULTILIB_USEDEP}]
+	pam? ( virtual/pam )
+	acl? ( virtual/acl )
+	addns? ( net-dns/bind-tools[gssapi] )
+	cluster? ( !dev-db/ctdb )
+	cups? ( net-print/cups )
+	dmapi? ( sys-apps/dmapi )
+	fam? ( virtual/fam )
+	gnutls? ( dev-libs/libgcrypt:0
+		>=net-libs/gnutls-1.4.0 )
+	ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] )
+	system-mitkrb5? ( app-crypt/mit-krb5[${MULTILIB_USEDEP}] )
+	!system-mitkrb5? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] )
+	systemd? ( sys-apps/systemd:0= )"
+DEPEND="${CDEPEND}
+	dev-lang/perl:=
+	virtual/pkgconfig"
+RDEPEND="${CDEPEND}
+	client? ( net-fs/cifs-utils[ads?] )
+	selinux? ( sec-policy/selinux-samba )
+	!dev-perl/Parse-Yapp
+"
+
+REQUIRED_USE="addc? ( gnutls !system-mitkrb5 )
+	ads? ( acl gnutls ldap )
+	"
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-4.4.0-pam.patch"
+)
+
+#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)"
+CONFDIR="${FILESDIR}/4.4"
+
+WAF_BINARY="${S}/buildtools/bin/waf"
+
+SHAREDMODS=""
+
+pkg_setup() {
+	python-single-r1_pkg_setup
+	if use cluster ; then
+		SHAREDMODS="${SHAREDMODS}idmap_rid,idmap_tdb2,idmap_ad"
+	fi
+}
+
+src_prepare() {
+	default
+
+	# install the patches from tarball(s)
+	eapply "${WORKDIR}/patches/"
+
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	local myconf=()
+	myconf=(
+		--enable-fhs
+		--sysconfdir="${EPREFIX}/etc"
+		--localstatedir="${EPREFIX}/var"
+		--with-modulesdir="${EPREFIX}/usr/$(get_libdir)/samba"
+		--with-piddir="${EPREFIX}/run/${PN}"
+		--bundled-libraries=ALL
+		--builtin-libraries=NONE
+		--disable-rpath
+		--disable-rpath-install
+		--disable-python
+		--nopyc
+		--nopyo
+	)
+	if multilib_is_native_abi ; then
+		myconf+=(
+			$(use_with acl acl-support)
+			$(usex addc '' '--without-ad-dc')
+			$(use_with addns dnsupdate)
+			$(use_with ads)
+			$(usex ads '--with-shared-modules=idmap_ad' '')
+			$(use_with cluster cluster-support)
+			$(use_enable cups)
+			$(use_with dmapi)
+			$(use_with fam)
+			$(use_enable gnutls)
+			$(use_enable iprint)
+			$(use_with ldap)
+			$(use_with pam)
+			$(usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '')
+			$(use_with quota quotas)
+			$(use_with syslog)
+			$(use_with systemd)
+			$(usex system-mitkrb5 '--with-system-mitkrb5' '')
+			$(use_with winbind)
+			$(usex test '--enable-selftest' '')
+			$(use_enable zeroconf avahi)
+			--with-shared-modules=${SHAREDMODS}
+		)
+	else
+		myconf+=(
+			--without-acl-support
+			--without-ad-dc
+			--without-dnsupdate
+			--without-ads
+			--disable-avahi
+			--without-cluster-support
+			--disable-cups
+			--without-dmapi
+			--without-fam
+			--disable-gnutls
+			--disable-iprint
+			$(use_with ldap)
+			--without-pam
+			--without-quotas
+			--without-syslog
+			--without-systemd
+			$(usex system-mitkrb5 '--with-system-mitkrb5' '')
+			--without-winbind
+		)
+	fi
+
+	CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \
+		waf-utils_src_configure ${myconf[@]}
+}
+
+multilib_src_install() {
+	waf-utils_src_install
+
+	# Make all .so files executable
+	find "${D}" -type f -name "*.so" -exec chmod +x {} +
+
+	if multilib_is_native_abi; then
+		# install ldap schema for server (bug #491002)
+		if use ldap ; then
+			insinto /etc/openldap/schema
+			doins examples/LDAP/samba.schema
+		fi
+
+		# create symlink for cups (bug #552310)
+		if use cups ; then
+			dosym /usr/bin/smbspool /usr/libexec/cups/backend/smb
+		fi
+
+		# install example config file
+		insinto /etc/samba
+		doins examples/smb.conf.default
+
+		if ! use minimal ; then
+			systemd_dotmpfilesd "${FILESDIR}"/samba.conf
+		fi
+		systemd_dounit "${FILESDIR}"/nmbd.service
+		systemd_dounit "${FILESDIR}"/smbd.{service,socket}
+		systemd_newunit "${FILESDIR}"/smbd_at.service 'smbd@.service'
+		systemd_dounit "${FILESDIR}"/winbindd.service
+		systemd_dounit "${FILESDIR}"/samba.service
+	fi
+	rm ${D}/usr/lib*/samba/ldb/*
+	rm ${D}/etc/samba/smb.conf.default
+
+	if use minimal ; then
+	   mv ${D}/usr/bin/net ${T}
+	   rm ${D}/usr/bin/*
+	   mv ${T}/net ${D}/usr/bin/net
+	   rm ${D}/usr/sbin/*
+	   rm -rf ${D}/lib*/security
+	   rm -rf ${D}/usr/lib/systemd
+	   rm -rf ${D}/var/
+	   rm -rf ${D}/usr/lib*/perl5
+	   rm -rf ${D}/usr/lib*/python2.7
+	fi
+}
+
+multilib_src_test() {
+	if multilib_is_native_abi ; then
+		"${WAF_BINARY}" test || die "test failed"
+	fi
+}
+
+pkg_postinst() {
+	ewarn "Be aware the this release contains the best of all of Samba's"
+	ewarn "technology parts, both a file server (that you can reasonably expect"
+	ewarn "to upgrade existing Samba 3.x releases to) and the AD domain"
+	ewarn "controller work previously known as 'samba4'."
+
+	elog "For further information and migration steps make sure to read "
+	elog "http://samba.org/samba/history/${P}.html "
+	elog "http://samba.org/samba/history/${PN}-4.2.0.html and"
+	elog "http://wiki.samba.org/index.php/Samba4/HOWTO "
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index bc08910a44..3e664659c0 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -2,6 +2,7 @@
 # Keep these in alphabetical order.
 
 =app-crypt/gnupg-2.1.15 ~arm64
+=app-crypt/mit-krb5-1.14.2 ~arm64
 =app-editors/vim-8.0.0106 ~arm64
 =app-shells/bash-completion-2.4-r1 ~arm64
 =app-shells/gentoo-bashcomp-20140911 ~arm64
@@ -28,6 +29,7 @@
 =net-misc/bridge-utils-1.5 ~arm64
 =net-misc/iperf-3.1.3 **
 =net-misc/whois-5.2.12 ~arm64
+=net-nds/openldap-2.4.38-r2 **
 =sys-apps/ethtool-4.5 **
 =sys-apps/gptfdisk-1.0.1 ~arm64
 =sys-apps/i2c-tools-3.1.1-r1 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 3524dff99a..a8ecb161e0 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -71,7 +71,7 @@ net-dns/bind-tools gssapi
 dev-libs/cyrus-sasl kerberos -berkdb -gdbm
 
 # don't build manpages for sssd
-sys-auth/sssd -manpages -python kerberos gssapi ssh sudo
+sys-auth/sssd -manpages -python samba kerberos gssapi ssh sudo
 
 # needed for realmd build
 sys-auth/polkit introspection
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
index b93cb388c3..1347b5c621 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
+++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/sssd/files/tmpfiles.d/sssd.conf
@@ -2,5 +2,8 @@ d /etc/sssd			0700	root	root	-	-
 C /etc/sssd/sssd.conf		0600	root	root	-	/usr/share/sssd/sssd-example.conf
 d /var/lib/sss			-	root	root	-	-
 d /var/lib/sss/db		0700	root	root	-	-
+d /var/lib/sss/mc		0700	root	root	-	-
 d /var/lib/sss/pipes		-	root	root	-	-
 d /var/lib/sss/pipes/private	0700	root	root	-	-
+d /var/lib/sss/pubconf		0700	root	root	-	-
+d /var/lib/sss/pubconf/krb5.include.d	0700	root	root	-	-