diff --git a/0001-Handle-samba-exception-type-change_rhel#17623.patch b/0001-Handle-samba-exception-type-change_rhel#17623.patch
new file mode 100644
index 0000000..b36187f
--- /dev/null
+++ b/0001-Handle-samba-exception-type-change_rhel#17623.patch
@@ -0,0 +1,73 @@
+From 06b4c61b4484efe2093501caf21b03f1fc14093b Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Thu, 19 Oct 2023 12:47:03 +0200
+Subject: [PATCH] group-add-member fails with an external member
+
+The command ipa group-add-member --external aduser@addomain.test
+fails with an internal error when used with samba 4.19.
+
+The command internally calls samba.security.dom_sid(sid) which
+used to raise a TypeError but now raises a ValueError
+(commit 9abdd67 on https://github.com/samba-team/samba).
+
+IPA source code needs to handle properly both exception types.
+
+Fixes: https://pagure.io/freeipa/issue/9466
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
---
+ ipaserver/dcerpc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index c1db2f9a499..ee0a229d1f0 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -303,7 +303,7 @@ def get_domain_by_sid(self, sid, exact_match=False):
+ # Parse sid string to see if it is really in a SID format
+ try:
+ test_sid = security.dom_sid(sid)
+- except TypeError:
++ except (TypeError, ValueError):
+ raise errors.ValidationError(name='sid',
+ error=_('SID is not valid'))
+
+From aa3397378acf1a03fc8bbe34b9fae33e84588b34 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Fri, 20 Oct 2023 10:20:57 +0200
+Subject: [PATCH] Handle samba changes in samba.security.dom_sid()
+
+samba.security.dom_sid() in 4.19 now raises ValueError instead of
+TypeError. Fix the expected exception.
+
+Related: https://pagure.io/freeipa/issue/9466
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
---
+ ipaserver/dcerpc.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index ee0a229d1f0..3e4c71d9976 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -97,7 +97,7 @@
+ def is_sid_valid(sid):
+ try:
+ security.dom_sid(sid)
+- except TypeError:
++ except (TypeError, ValueError):
+ return False
+ else:
+ return True
+@@ -457,7 +457,7 @@ def get_trusted_domain_object_sid(self, object_name,
+ try:
+ test_sid = security.dom_sid(sid)
+ return unicode(test_sid)
+- except TypeError:
++ except (TypeError, ValueError):
+ raise errors.ValidationError(name=_('trusted domain object'),
+ error=_('Trusted domain did not '
+ 'return a valid SID for '
diff --git a/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch b/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
deleted file mode 100644
index 856717c..0000000
--- a/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From d394afc1210a21378c018d0ff93d400a57324289 Mon Sep 17 00:00:00 2001
-From: Julien Rische
-Date: Mon, 25 Sep 2023 15:14:03 +0200
-Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and
- older
-
-Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
-authdata is no longer generated. However, on krb5 versions prior to
-1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
-constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
-requirement is not needed, because the PAC signatures are already
-fulfilling this role.
-
-CentOS and RHEL downstream releases of krb5 will include the
-"optional_ad_signedpath" KDB string attribute allowing to disable the
-AD-SIGNEDPATH requirement in case the PAC is present.
-
-This commit sets the "optional_ad_signedpath" string attribute to "true"
-systematically on the TGS principal if the database abstract layer (DAL)
-of krb5 is version 8 or older (prior to krb5 1.20).
-
-Fixes: https://pagure.io/freeipa/issue/9448
-
-Signed-off-by: Julien Rische
-Reviewed-By: Alexander Bokovoy
---
- daemons/ipa-kdb/ipa_kdb_principals.c | 38 ++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index e95cb453c..fadb132ed 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -113,6 +113,10 @@ static char *std_principal_obj_classes[] = {
-
- #define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
-
-+#ifndef KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH
-+#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
-+#endif
-+
- static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
- char *attrname,
- krb5_tl_data **result, int *num)
-@@ -178,6 +182,25 @@ done:
- return ret;
- }
-
-+static bool
-+is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
-+{
-+ krb5_data *primary;
-+ size_t l_tgs_name;
-+
-+ if (2 != krb5_princ_size(kcontext, princ))
-+ return false;
-+
-+ primary = krb5_princ_component(kcontext, princ, 0);
-+
-+ l_tgs_name = strlen(KRB5_TGS_NAME);
-+
-+ if (l_tgs_name != primary->length)
-+ return false;
-+
-+ return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
-+}
-+
- static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
- krb5_int16 type,
- krb5_ui_2 length,
-@@ -1647,11 +1670,22 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
-
- /* Lookup local names and aliases first. */
- kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
-- if (kerr != KRB5_KDB_NOENTRY) {
-+ if (kerr == KRB5_KDB_NOENTRY) {
-+ kerr = dbget_alias(kcontext, ipactx, search_for, flags, entry);
-+ }
-+ if (kerr)
- return kerr;
-+
-+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
-+ /* If TGS principal, some virtual attributes may be added */
-+ if (is_tgs_princ(kcontext, (*entry)->princ)) {
-+ kerr = krb5_dbe_set_string(kcontext, *entry,
-+ KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
-+ "true");
- }
-+#endif
-
-- return dbget_alias(kcontext, ipactx, search_for, flags, entry);
-+ return kerr;
- }
-
- void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
---
-2.41.0
-
diff --git a/ipa.spec b/ipa.spec
index 5cceb0b..ed12bf4 100644
--- a/ipa.spec
+++ b/ipa.spec
@@ -189,7 +189,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 1%{?rc_version:.%rc_version}%{?dist}
+Release: 2%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -208,6 +208,7 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
+Patch0001: 0001-Handle-samba-exception-type-change_rhel#17623.patch
 %if 0%{?rhel} >= 8
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
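Review bot: The new `Patch0001:` line in the second ipa.spec hunk names a file containing a `#` (`0001-Handle-samba-exception-type-change_rhel#17623.patch`), which none of the neighbouring `Patch1001`/`Patch1002` names do; rpm's own parser only treats `#` as a comment at the start of a line, but other tooling that reads spec files or source lists may treat a mid-line `#` as a comment or URL-fragment delimiter, so a name like `0001-Handle-samba-exception-type-change_rhel-17623.patch` would avoid the question and keep the naming consistent. This hunk shows no `Patch0014:` line being removed even though the commit deletes `0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch`, so that file was presumably already unreferenced; recording the removal in the changelog entry would keep the package history traceable. How Patch0001 is applied (`%autosetup` or explicit `%patch` calls) lies outside this hunk.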
@@ -1723,6 +1724,10 @@ fi
 %endif
 %changelog
+* Thu Nov 30 2023 Rafael Jeffman - 4.9.13-2
+- Handle new samba exception types.
+ Resolves: RHEL-17623
+
 * Tue Nov 21 2023 Rafael Jeffman - 4.9.13-1
 - Rebase ipa to 4.9.13
 Resolves: RHEL-16936