diff --git a/SOURCES/0008-kdb-Use-krb5_pac_full_sign_compat-when-available.patch b/SOURCES/0008-kdb-Use-krb5_pac_full_sign_compat-when-available.patch
new file mode 100644
index 0000000..e277f03
--- /dev/null
+++ b/SOURCES/0008-kdb-Use-krb5_pac_full_sign_compat-when-available.patch
@@ -0,0 +1,80 @@
+From 0fff1cd15158ba8a6299e8bd82e13d695dceb98e Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Fri, 24 Mar 2023 18:32:37 +0100
+Subject: [PATCH] kdb: Use krb5_pac_full_sign_compat() when available
+
+In November 2022, Microsoft introduced a new PAC signature type called
+"extended KDC signature" (or "full PAC checksum"). This new PAC
+signature will be required by default by Active Directory in July 2023
+for S4U requests, and opt-out will no longer be possible after October
+2023.
+
+Support for this new signature type was added to MIT krb5, but it relies
+on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
+the code generating extended KDC signatures cannot be backported as it
+is without backporting the full new KDB API code too. This would have
+too much impact to be done.
+
+As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
+8 will include a downstream-only update adding the
+krb5_pac_full_sign_compat() function, which can be used in combination
+with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
+
+Fixes: https://pagure.io/freeipa/issue/9373
+Signed-off-by: Julien Rische
+Reviewed-By: Alexander Bokovoy
+(cherry picked from commit 922d13ae7847c078b2b71540c7ebda469f0c239f)
+---
+ daemons/ipa-kdb/ipa_kdb_mspac_v6.c | 10 ++++++++++
+ server.m4 | 9 +++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+index e506a0fd2..faf47ad1b 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+@@ -176,11 +176,21 @@ static krb5_error_code ipadb_sign_pac(krb5_context context,
+
+ /* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self
+ * was requested */
++#ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
++ kerr = krb5_pac_full_sign_compat(
++ context, pac, authtime, client_princ, server->princ, server_key,
++ right_krbtgt_signing_key,
++ (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
++ pac_data
++ );
++#else
++ /* Use standard function, PAC extended KDC signature not supported */
+ kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key,
+ right_krbtgt_signing_key,
+ (is_issuing_referral &&
+ (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
+ pac_data);
++#endif
+
+ done:
+ free(princ);
+diff --git a/server.m4 b/server.m4
+index a5d083fa2..2ee2cf519 100644
+--- a/server.m4
++++ b/server.m4
+@@ -90,6 +90,15 @@ AC_CHECK_MEMBER([kdb_vftabl.issue_pac],
+ [have_kdb_issue_pac=yes],
+ [have_kdb_issue_pac=no], [#include ])
+
++dnl ---------------------------------------------------------------------------
++dnl - Check for KRB5 krb5_kdc_sign_ticket function
++dnl ---------------------------------------------------------------------------
++
++AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
++ [AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
++ [krb5_pac_full_sign_compat() is available.])],
++ [AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
++
+ dnl 
---------------------------------------------------------------------------
+ dnl - Check for UUID library
+ dnl ---------------------------------------------------------------------------
+--
+2.39.2
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 4aab5cf..9902019 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -64,7 +64,7 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.18.2-2
+%global krb5_version 1.18.2-24
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
@@ -189,7 +189,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 5%{?rc_version:.%rc_version}%{?dist}
+Release: 6%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -216,6 +216,7 @@ Patch0004: 0004-server-install-remove-error-log-about-missing-bkup-file_rhb
 Patch0005: 0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
 Patch0006: 0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
 Patch0007: 0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
+Patch0008: 0008-kdb-Use-krb5_pac_full_sign_compat-when-available.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -1715,6 +1716,10 @@ fi
 %endif
 %changelog
+* Thu Jun 01 2023 Julien Rische - 4.9.11-6
+- Add support for PAC extended KDC signature
+ Resolves: rhbz#2211387
+
 * Fri Feb 10 2023 Rafael Jeffman - 4.9.11-5
 - Wipe the ipa-ca DNS record when updating system records
 Resolves: RHBZ#2158775
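Review bot: The `#else` branch in ipadb_sign_pac() (whose body starts before and ends after the quoted C hunk) makes the loss of the extended KDC signature silent: if AC_CHECK_LIB does not find krb5_pac_full_sign_compat(), configure only emits an AC_MSG_NOTICE and the KDC is built on the krb5_pac_sign_ext() path, issuing PACs that Active Directory will reject for S4U once the new signature is enforced. Since the spec raises krb5_version to 1.18.2-24 for exactly this reason, the build dependency on the krb5 development package should pin at least that version (not visible in this diff), or the m4 fallback should become `[AC_MSG_ERROR([krb5_pac_full_sign_compat() is required for PAC extended KDC signatures])]` so the downgrade can only be chosen deliberately. AC_CHECK_LIB proves only that the symbol links; adding `AC_CHECK_DECL([krb5_pac_full_sign_compat], [], [], [[#include <krb5.h>]])` would also catch a library that exports it without a prototype, which would otherwise compile the call with an implicit declaration. The new m4 comment `dnl - Check for KRB5 krb5_kdc_sign_ticket function` names the wrong function and should read `dnl - Check for KRB5 krb5_pac_full_sign_compat function`.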