diff --git a/0024-ipatests-Tests-for-Autoprivate-group.patch b/0024-ipatests-Tests-for-Autoprivate-group.patch
new file mode 100644
index 0000000..f66b4cc
--- /dev/null
+++ b/0024-ipatests-Tests-for-Autoprivate-group.patch
@@ -0,0 +1,326 @@
+From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001
+From: Anuja More
+Date: Mon, 17 Jan 2022 16:57:52 +0530
+Subject: [PATCH] ipatests: Tests for Autoprivate group.
+
+Added tests using posix AD trust and non posix AD trust.
+For option --auto-private-groups=[hybrid/true/false]
+
+Related : https://pagure.io/freeipa/issue/8807
+
+Signed-off-by: Anuja More
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Anuja More
+---
+ .../nightly_ipa-4-9_latest.yaml | 2 +-
+ .../nightly_ipa-4-9_latest_selinux.yaml | 2 +-
+ .../nightly_ipa-4-9_previous.yaml | 2 +-
+ ipatests/test_integration/test_trust.py | 242 +++++++++++++++++-
+ 4 files changed, 240 insertions(+), 8 deletions(-)
+
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+index 6817421b278999c52c32b3e28dd06587e30d874f..8b1f58c4d99e744e319e6c758050a62a8d35c9ee 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+@@ -1627,7 +1627,7 @@ jobs:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_integration/test_trust.py
+ template: *ci-ipa-4-9-latest
+- timeout: 9000
++ timeout: 10000
+ topology: *adroot_adchild_adtree_master_1client
+
+ fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+index 817329756dc145fa5e6bc7aa0477e5df2a6ece5b..a11376ab836e7ed2f942c29753707e5b8e88a00f 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+@@ -1743,7 +1743,7 @@ jobs:
+ selinux_enforcing: True
+ test_suite: test_integration/test_trust.py
+ template: *ci-ipa-4-9-latest
+- timeout: 9000
++ timeout: 10000
+ topology: *adroot_adchild_adtree_master_1client
+
+ fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+index 4196265c772ec393ebb8f8bbdc4af845cd6d2d24..3f8ce8b7641fdfdc27278651cbf83c2b152e1a16 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+@@ -1627,7 +1627,7 @@ jobs:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_integration/test_trust.py
+ template: *ci-ipa-4-9-previous
+- timeout: 9000
++ timeout: 10000
+ topology: *adroot_adchild_adtree_master_1client
+
+ fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 0634badbb6a9aa148db2e3062e866215e61e89e7..ff2dd9cc819e1c5620ce449384957a633ae6d1f0 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest):
+ cls.check_sid_generation()
+ tasks.sync_time(cls.master, cls.ad)
+
+- cls.child_ad = cls.ad_subdomains[0]
+- cls.ad_subdomain = cls.child_ad.domain.name
+- cls.tree_ad = cls.ad_treedomains[0]
+- cls.ad_treedomain = cls.tree_ad.domain.name
+-
++ if cls.num_ad_subdomains > 0:
++ cls.child_ad = cls.ad_subdomains[0]
++ cls.ad_subdomain = cls.child_ad.domain.name
++ if cls.num_ad_treedomains > 0:
++ cls.tree_ad = cls.ad_treedomains[0]
++ cls.ad_treedomain = cls.tree_ad.domain.name
+ # values used in workaround for
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1711958
+ cls.srv_gc_record_name = \
+@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest):
+ expected_text = 'iparangetype: %s\n' % expected_type
+ assert expected_text in result.stdout_text
+
++ def mod_idrange_auto_private_group(
++ self, option='false'
++ ):
++ """
++ Set the auto-private-group option of the default trusted
++ AD domain range.
++ """
++ tasks.kinit_admin(self.master)
++ rangename = self.ad_domain.upper() + '_id_range'
++ error_msg = "ipa: ERROR: no modifications to be performed"
++ cmd = ["ipa", "idrange-mod", rangename,
++ "--auto-private-groups", option]
++ result = self.master.run_command(cmd, raiseonerr=False)
++ if result.returncode != 0:
++ tasks.assert_error(result, error_msg)
++ tasks.clear_sssd_cache(self.master)
++ tasks.clear_sssd_cache(self.clients[0])
++ test = self.master.run_command(["ipa", "idrange-show", rangename])
++ assert "Auto private groups: {0}".format(option) in test.stdout_text
++
++ def get_user_id(self, host, username):
++ """
++ User uid gid is parsed from the output of id user command.
++ """
++ tasks.clear_sssd_cache(self.master)
++ tasks.clear_sssd_cache(self.clients[0])
++ self.master.run_command(["id", username])
++ test_id = host.run_command(["id", username])
++ regex = r"^uid=(?P\d+).*gid=(?P\d+).*groups=(?P\d+)"
++ match = re.match(regex, test_id.stdout_text)
++ uid = match.group('uid')
++ gid = match.group('gid')
++ return uid, gid
++
++ @contextmanager
++ def set_idoverrideuser(self, user, uid, gid):
++ """
++ Fixture to add/remove idoverrideuser for default idview,
++ also creates idm group with the provided gid because
++ gid overrides requires an existing group.
++ """
++ tasks.clear_sssd_cache(self.master)
++ tasks.clear_sssd_cache(self.clients[0])
++ tasks.kinit_admin(self.master)
++ try:
++ args = ["ipa", "idoverrideuser-add", "Default Trust View",
++ "--gid", gid, "--uid", uid, user]
++ self.master.run_command(args)
++ tasks.group_add(self.master, "idgroup",
++ extra_args=["--gid", gid])
++ yield
++ finally:
++ self.master.run_command([
++ "ipa", "idoverrideuser-del", "Default Trust View", user]
++ )
++ self.master.run_command(["ipa", "group-del", "idgroup"])
++
+ def remove_trust(self, ad):
+ tasks.remove_trust_with_ad(self.master,
+ ad.domain.name, ad.hostname)
+@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust):
+ self.master.run_command(['rm', '-f', ad_zone_file])
+ tasks.configure_dns_for_trust(self.master, self.ad)
+ self.remove_trust(self.ad)
++
++
++class TestNonPosixAutoPrivateGroup(BaseTestTrust):
++ """
++ Tests for auto-private-groups option with non posix AD trust
++ Related : https://pagure.io/freeipa/issue/8807
++ """
++ topology = 'line'
++ num_ad_domains = 1
++ num_clients = 1
++ num_ad_subdomains = 0
++ num_ad_treedomains = 0
++ uid_override = "99999999"
++ gid_override = "78878787"
++
++ def test_add_nonposix_trust(self):
++ tasks.configure_dns_for_trust(self.master, self.ad)
++ tasks.establish_trust_with_ad(
++ self.master, self.ad_domain,
++ extra_args=['--range-type', 'ipa-ad-trust'])
++
++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++ def test_auto_private_groups_default_trusted_range(self, type):
++ """
++ Modify existing range for default trusted AD domain range
++ with auto-private-groups set as true/hybrid/false and test
++ user with no posix attributes.
++ """
++ self.mod_idrange_auto_private_group(type)
++ nonposixuser = "nonposixuser@%s" % self.ad_domain
++ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
++ if type == "true":
++ assert uid == gid
++ else:
++ test_group = self.clients[0].run_command(["id", nonposixuser])
++ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain)
++ grp_str = "groups={0}(domain users@{1})".format(gid,
++ self.ad_domain)
++ assert gid_str in test_group.stdout_text
++ assert grp_str in test_group.stdout_text
++ assert uid != gid
++
++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++ def test_idoverride_with_auto_private_group(self, type):
++ """
++ Override ad trusted user in default trust view
++ and set auto-private-groups=[hybrid,true,false]
++ and ensure that overridden values takes effect.
++ """
++ nonposixuser = "nonposixuser@%s" % self.ad_domain
++ with self.set_idoverrideuser(nonposixuser,
++ self.uid_override,
++ self.gid_override
++ ):
++ self.mod_idrange_auto_private_group(type)
++ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
++ assert (uid == self.uid_override and gid == self.gid_override)
++ test_group = self.clients[0].run_command(
++ ["id", nonposixuser]).stdout_text
++ assert "domain users@{0}".format(self.ad_domain) in test_group
++
++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++ def test_nonposixuser_nondefault_primary_group(self, type):
++ """
++ Test for non default primary group.
++ For hybrid/false gid corresponds to the group testgroup1.
++ """
++ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain
++ self.mod_idrange_auto_private_group(type)
++ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1)
++ if type == "true":
++ assert uid == gid
++ else:
++ test_group = self.clients[0].run_command(["id", nonposixuser1])
++ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain)
++ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain)
++ assert (gid_str in test_group.stdout_text
++ and group in test_group.stdout_text)
++
++
++class TestPosixAutoPrivateGroup(BaseTestTrust):
++ """
++ Tests for auto-private-groups option with posix AD trust
++ Related : https://pagure.io/freeipa/issue/8807
++ """
++ topology = 'line'
++ num_ad_domains = 1
++ num_clients = 1
++ num_ad_subdomains = 0
++ num_ad_treedomains = 0
++ uid_override = "99999999"
++ gid_override = "78878787"
++
++ def test_add_posix_trust(self):
++ tasks.configure_dns_for_trust(self.master, self.ad)
++ tasks.establish_trust_with_ad(
++ self.master, self.ad_domain,
++ extra_args=['--range-type', 'ipa-ad-trust-posix'])
++
++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++ def test_gidnumber_not_corresponding_existing_group(self, type):
++ """
++ Test checks that sssd can resolve AD users which
++ contain posix attributes (uidNumber and gidNumber)
++ but there is no group with the corresponding gidNumber.
++ """
++ posixuser = "testuser2@%s" % self.ad_domain
++ self.mod_idrange_auto_private_group(type)
++ if type != "true":
++ result = self.clients[0].run_command(['id', posixuser],
++ raiseonerr=False)
++ tasks.assert_error(result, "no such user")
++ else:
++ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++ assert uid == gid
++ assert uid == '10060'
++
++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++ def test_only_uid_number_auto_private_group_default(self, type):
++ """
++ Test checks that posix user with only uidNumber defined
++ and gidNumber not set, auto-private-group
++ is set to false/true/hybrid
++ """
++ posixuser = "testuser1@%s" % self.ad_domain
++ self.mod_idrange_auto_private_group(type)
++ if type == "true":
++ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++ assert uid == gid
++ else:
++ for host in [self.master, self.clients[0]]:
++ result = host.run_command(['id', posixuser], raiseonerr=False)
++ tasks.assert_error(result, "no such user")
++
++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++ def test_auto_private_group_primary_group(self, type):
++ """
++ Test checks that AD users which contain posix attributes
++ (uidNumber and gidNumber) and there is primary group
++ with gid number defined.
++ """
++ posixuser = "testuser@%s" % self.ad_domain
++ self.mod_idrange_auto_private_group(type)
++ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++ test_grp = self.clients[0].run_command(["id", posixuser])
++ assert uid == '10042'
++ if type == "true":
++ assert uid == gid
++ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format(
++ self.ad_domain, self.ad_domain)
++ assert groups in test_grp.stdout_text
++ else:
++ assert gid == '10047'
++ groups = "10047(testgroup@{0})".format(self.ad_domain)
++ assert groups in test_grp.stdout_text
++
++ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
++ def test_idoverride_with_auto_private_group(self, type):
++ """
++ Override ad trusted user in default trust view
++ and set auto-private-groups=[hybrid,true,false]
++ and ensure that overridden values takes effect.
++ """
++ posixuser = "testuser@%s" % self.ad_domain
++ with self.set_idoverrideuser(posixuser,
++ self.uid_override,
++ self.gid_override):
++ self.mod_idrange_auto_private_group(type)
++ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++ assert(uid == self.uid_override
++ and gid == self.gid_override)
++ result = self.clients[0].run_command(['id', posixuser])
++ assert "10047(testgroup@{0})".format(
++ self.ad_domain) in result.stdout_text
+--
+2.34.1
+
diff --git a/0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch b/0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
new file mode 100644
index 0000000..2b84d99
--- /dev/null
+++ b/0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
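Review bot: `get_user_id` in the new `BaseTestTrust` helpers calls `match.group('uid')` without checking that `re.match` succeeded, so any `id` output that does not fit the pattern surfaces as an `AttributeError` on `None` instead of a failure that shows the output; add `assert match is not None, test_id.stdout_text` before the two `group()` calls. As rendered on this page the pattern reads `(?P\d+)` with no group names, which would not compile; that is presumably an artifact of how the page was extracted rather than the committed code, but it is worth confirming against the upstream file. Separately, the `finally` block of `set_idoverrideuser` runs `idoverrideuser-del` and then `group-del` with default error handling, so (assuming `run_command` raises on a non-zero exit, as the explicit `raiseonerr=False` elsewhere in the patch suggests) a failing first cleanup command skips the `idgroup` removal and leaves the group behind for the next parametrized case. Passing `raiseonerr=False` to both cleanup commands would keep the original failure visible and let both run.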
@@ -0,0 +1,43 @@
+From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001
+From: Anuja More
+Date: Thu, 10 Feb 2022 17:07:45 +0530
+Subject: [PATCH] mark xfail for
+ test_idoverride_with_auto_private_group[hybrid]
+
+Related : https://github.com/SSSD/sssd/issues/5989
+
+Signed-off-by: Anuja More
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Anuja More
+---
+ ipatests/test_integration/test_trust.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index ff2dd9cc819e1c5620ce449384957a633ae6d1f0..54bd154628cb8fb063d9839d7928acd37647e2a4 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -15,6 +15,7 @@ from ipaplatform.paths import paths
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.pytest_ipa.integration import fips
++from ipatests.util import xfail_context
+ from ipapython.dn import DN
+ from collections import namedtuple
+ from contextlib import contextmanager
+@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
+ assert (uid == self.uid_override and gid == self.gid_override)
+ test_group = self.clients[0].run_command(
+ ["id", nonposixuser]).stdout_text
+- assert "domain users@{0}".format(self.ad_domain) in test_group
++ version = tasks.get_sssd_version(self.clients[0])
++ with xfail_context(version <= tasks.parse_version('2.6.3')
++ and type == "hybrid",
++ 'https://github.com/SSSD/sssd/issues/5989'):
++ assert "domain users@{0}".format(self.ad_domain) in test_group
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_nonposixuser_nondefault_primary_group(self, type):
+--
+2.34.1
+
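Review bot: The `xfail_context` added in `TestNonPosixAutoPrivateGroup.test_idoverride_with_auto_private_group` carries only the issue URL, so nothing in the test says which behaviour is being tolerated or when the guard can be removed. A comment above the `with` such as `# SSSD <= 2.6.3, hybrid: "domain users" is missing from the id output of an overridden user (SSSD issue 5989); drop once fixed` would help; the symptom is inferred here from the wrapped assertion and should be checked against the issue. With the ceiling fixed at `2.6.3`, a build that carries a backported fix still matches the condition, so (assuming `xfail_context` turns a failure inside the block into an xfail) a later regression in group resolution on such a build would be reported as expected rather than as a failure. The test method starts outside this hunk.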
diff --git a/0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch b/0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
new file mode 100644
index 0000000..a45d917
--- /dev/null
+++ b/0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
@@ -0,0 +1,38 @@
+From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001
+From: Anuja More
+Date: Thu, 10 Feb 2022 17:29:45 +0530
+Subject: [PATCH] Mark xfail
+ test_gidnumber_not_corresponding_existing_group[true,hybrid]
+
+Related : https://github.com/SSSD/sssd/issues/5988
+
+Signed-off-by: Anuja More
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Anuja More
+---
+ ipatests/test_integration/test_trust.py | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 54bd154628cb8fb063d9839d7928acd37647e2a4..c128378151ec4c0fb295823d75f2a04df2f7ffa0 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
+ raiseonerr=False)
+ tasks.assert_error(result, "no such user")
+ else:
+- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+- assert uid == gid
+- assert uid == '10060'
++ sssd_version = tasks.get_sssd_version(self.clients[0])
++ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
++ 'https://github.com/SSSD/sssd/issues/5988'):
++ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++ assert uid == gid
++ assert uid == '10060'
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_only_uid_number_auto_private_group_default(self, type):
+--
+2.34.1
+
diff --git a/freeipa.spec b/freeipa.spec
index c145291..acfc67e 100644
--- a/freeipa.spec
+++ b/freeipa.spec
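Review bot: The new `with xfail_context(...)` block in `test_gidnumber_not_corresponding_existing_group` encloses the `get_user_id` call as well as both assertions, so on SSSD up to 2.6.3 any error raised in there, including a failed command or an unparsable `id` output, would presumably be reported as the known issue (assuming `xfail_context` converts any failure inside the block). If only the lookup is expected to fail, a comment saying so, for example `# SSSD issue 5988: id fails for a user whose gidNumber has no matching group`, would make the tolerated scope explicit; that wording is inferred from the test's docstring and should be checked against the issue. The subject names `[true,hybrid]`, but going by the `if type != "true":` condition shown in patch 0024 on this page the wrapped `else` branch runs only for `type == "true"`, so the `hybrid` case still has to produce "no such user" and is not covered by this guard. The method's start and that `if` are outside this hunk.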
@@ -198,7 +198,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 5%{?rc_version:.%rc_version}%{?dist} +Release: 6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -241,6 +241,9 @@ Patch0020: 0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch Patch0021: 0021-ipa_cldap-fix-memory-leak.patch Patch0022: 0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch Patch0023: 0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch +Patch0024: 0024-ipatests-Tests-for-Autoprivate-group.patch +Patch0025: 0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch +Patch0026: 0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1732,6 +1735,12 @@ fi %endif %changelog +* Thu Feb 24 2022 Florence Blanc-Renaud - 4.9.8-6 +- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests + - ipatests: Tests for Autoprivate group. + - mark xfail for test_idoverride_with_auto_private_group[hybrid] + - Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid] + * Mon Feb 14 2022 Alexander Bokovoy - 4.9.8-5 - Resolves: rhbz#2053025 - add IPA test suite fixes