diff --git a/SOURCES/0008-Use-krb5_pac_full_sign_compat-when-available.patch b/SOURCES/0008-Use-krb5_pac_full_sign_compat-when-available.patch
new file mode 100644
index 0000000..3fe891b
--- /dev/null
+++ b/SOURCES/0008-Use-krb5_pac_full_sign_compat-when-available.patch
@@ -0,0 +1,71 @@
+From a8d81b5005ea15a35d0d63330b922037de3ca253 Mon Sep 17 00:00:00 2001
+From: David Sloboda <david.x.sloboda@oracle.com>
+Date: Fri, 30 Jun 2023 15:37:34 +0200
+Subject: [PATCH] OLERRATA-43634 - Support for PAC extended KDC signature
+
+In November 2022, Microsoft introduced a new PAC signature type called
+"extended KDC signature" (or "full PAC checksum"). This new PAC
+signature will be required by default by Active Directory in July 2023
+for S4U requests, and opt-out will no longer be possible after October
+2023.
+
+Support for this new signature type was added to MIT krb5, but it relies
+on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
+the code generating extended KDC signatures cannot be backported as it
+is without backporting the full new KDB API code too. This would have
+too much impact to be done.
+
+As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
+8 will include a downstream-only update adding the
+krb5_pac_full_sign_compat() function, which can be used in combination
+with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
+
+Fixes: https://pagure.io/freeipa/issue/9373
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: David Sloboda <david.x.sloboda@oracle.com>
+---
+diff -Nuar freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+--- freeipa-4.9.11.orig/daemons/ipa-kdb/ipa_kdb_mspac_v6.c	2022-11-25 17:16:11.352773047 +0100
++++ freeipa-4.9.11/daemons/ipa-kdb/ipa_kdb_mspac_v6.c	2023-06-30 14:58:17.198538781 +0200
+@@ -176,11 +176,21 @@
+ 
+     /* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
+      * was requested */
++#ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
++    kerr = krb5_pac_full_sign_compat(
++        context, pac, authtime, client_princ, server->princ, server_key,
++        right_krbtgt_signing_key,
++        (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
++        pac_data
++    );
++#else
++    /* Use standard function, PAC extended KDC signature not supported */
+     kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
+                              right_krbtgt_signing_key,
+                              (is_issuing_referral &&
+                               (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
+                              pac_data);
++#endif
+ 
+ done:
+     free(princ);
+diff -Nuar freeipa-4.9.11.orig/server.m4 freeipa-4.9.11/server.m4
+--- freeipa-4.9.11.orig/server.m4	2022-11-25 17:16:11.353773052 +0100
++++ freeipa-4.9.11/server.m4	2023-06-30 14:59:52.845995040 +0200
+@@ -91,6 +91,15 @@
+                 [have_kdb_issue_pac=no], [#include <kdb.h>])
+ 
+ dnl ---------------------------------------------------------------------------
++dnl - Check for KRB5 krb5_kdc_sign_ticket function
++dnl ---------------------------------------------------------------------------
++
++AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
++             [AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
++                        [krb5_pac_full_sign_compat() is available.])],
++             [AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
++
++dnl ---------------------------------------------------------------------------
+ dnl - Check for UUID library
+ dnl ---------------------------------------------------------------------------
+ PKG_CHECK_MODULES([UUID], [uuid])
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 4aab5cf..6aab42f 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -189,7 +189,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        5%{?rc_version:.%rc_version}%{?dist}
+Release:        6%{?rc_version:.%rc_version}%{?dist}.alma
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -216,6 +216,8 @@ Patch0004:      0004-server-install-remove-error-log-about-missing-bkup-file_rhb
 Patch0005:      0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
 Patch0006:      0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
 Patch0007:      0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
+# Patch taken from Oracle Linux ipa-4.9.11-5.0.2.module+el8.8.0+21110+f1feef29.src.rpm
+Patch0008:      0008-Use-krb5_pac_full_sign_compat-when-available.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1003:      1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -1715,6 +1717,9 @@ fi
 %endif
 
 %changelog
+* Thu Jul 13 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 4.9.11-6.alma
+- kdb: Use krb5_pac_full_sign_compat() when available
+
 * Fri Feb 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-5
 - Wipe the ipa-ca DNS record when updating system records
   Resolves: RHBZ#2158775