diff --git a/.gitignore b/.gitignore
index 45802ae..7d1d85e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.9.7.tar.gz
+SOURCES/sssd-2.9.8.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 5305089..b881c79 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-b8c9deadb0f0a9b0afdea1dcfc3f0f955f8a7f64 SOURCES/sssd-2.9.7.tar.gz
+e75ee2920ca2856f0dedb51681cbed340f916db3 SOURCES/sssd-2.9.8.tar.gz
diff --git a/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch b/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
deleted file mode 100644
index e23008a..0000000
--- a/SOURCES/0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 18 Jun 2025 14:30:57 +0200
-Subject: [PATCH 3/4] authtok: add IS_PW_OR_ST_AUTHTOK()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch adds a helper macro to determine if an authtok struct is of
-type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
-useful if a password is expected but an authentication token forwarded
-by an different PAM module, which is most probably a password, can be
-used as well.
-
-Resolves: https://github.com/SSSD/sssd/issues/7968
-
-Reviewed-by: Pavel Březina
-Reviewed-by: Shridhar Gadekar
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
----
- src/util/authtok.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/util/authtok.h b/src/util/authtok.h
-index b58e9dbbd..acabb7078 100644
---- a/src/util/authtok.h
-+++ b/src/util/authtok.h
-@@ -28,6 +28,10 @@
- sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
- || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
-
-+#define IS_PW_OR_ST_AUTHTOK(tok) ( \
-+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
-+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
-+
-
- /* Use sss_authtok_* accessor functions instead of struct sss_auth_token
- */
---
-2.50.0
-
diff --git a/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch b/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
deleted file mode 100644
index 98e3788..0000000
--- a/SOURCES/0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 10 Jun 2025 14:22:19 +0200
-Subject: [PATCH 4/4] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
-handle credentials forwarded by other PAM modules. Before it was
-unconditionally assumed that it is a password and hence
-SSS_AUTHTOK_TYPE_PASSWORD was used.
-
-When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
-already handled but currently offline use-cases fail because here only
-SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
-SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
-credentials as well.
-
-Resolves: https://github.com/SSSD/sssd/issues/7968
-
-Reviewed-by: Pavel Březina
-Reviewed-by: Shridhar Gadekar
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
----
- src/providers/krb5/krb5_auth.c | 11 +++++++----
- src/providers/krb5/krb5_child.c | 4 ++++
- .../krb5/krb5_delayed_online_authentication.c | 2 +-
- src/responder/pam/pamsrv_cmd.c | 1 +
- 4 files changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
-index 07e4d807f..fb2f58869 100644
---- a/src/providers/krb5/krb5_auth.c
-+++ b/src/providers/krb5/krb5_auth.c
-@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
- domain->cache_credentials_min_ff_length);
- ret = EINVAL;
- }
-- } else if (sss_authtok_get_type(pd->authtok) ==
-- SSS_AUTHTOK_TYPE_PASSWORD) {
-+ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
-+ /* At this point we can be sure that
-+ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
-+ * krb5_auth_store_creds() is not called if 2FA/otp was used,
-+ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
-+ */
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
-@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
- if (kr->is_offline) {
- if (dp_opt_get_bool(kr->krb5_ctx->opts,
- KRB5_STORE_PASSWORD_IF_OFFLINE)
-- && sss_authtok_get_type(pd->authtok)
-- == SSS_AUTHTOK_TYPE_PASSWORD) {
-+ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
- krb5_auth_cache_creds(state->kr->krb5_ctx,
- state->domain,
- state->be_ctx->cdb,
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 5830305a0..21ec38627 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
- if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-
-+ if (kerr == EAGAIN) {
-+ kerr = KRB5_KDC_UNREACH;
-+ }
-+
- /* Special case for IPA password migration */
- if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
- && kerr == KRB5_PREAUTH_FAILED
-diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
-index f88d8ab9b..1fac986a6 100644
---- a/src/providers/krb5/krb5_delayed_online_authentication.c
-+++ b/src/providers/krb5/krb5_delayed_online_authentication.c
-@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
- return EINVAL;
- }
-
-- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-+ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Invalid authtok for user [%s].\n", pd->user);
- return EINVAL;
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index d4cb421f4..c6a436069 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
-
- switch (sss_authtok_get_type(authtok)) {
- case SSS_AUTHTOK_TYPE_PASSWORD:
-+ case SSS_AUTHTOK_TYPE_PAM_STACKED:
- ret = sss_authtok_get_password(authtok, password, NULL);
- break;
- case SSS_AUTHTOK_TYPE_2FA:
---
-2.50.0
-
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 87b7451..ea83e65 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -26,16 +26,14 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version})
 Name: sssd
-Version: 2.9.7
-Release: 4%{?dist}
+Version: 2.9.8
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 ### Patches ###
-Patch0001: 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
-Patch0002: 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
 ### Dependencies ###
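Review bot: Patch0001 and Patch0002 are dropped from the spec in this hunk, but neither the hunk nor the new 2.9.8-1 changelog entry records why; the deleted patch files show they were cherry-picks of upstream commits 297ecc467efb6035e370f62e62ffa668bb1d0050 and 3b106f1888b6430b8bab75e1c0fe0f054eafce48 (upstream issue 7968), so presumably the 2.9.8 tarball already carries them, which nothing in this commit confirms. If that assumption is wrong, what silently regresses is the offline handling of SSS_AUTHTOK_TYPE_PAM_STACKED credentials in the krb5 provider and PAM responder that patch 0002 added, which would only show up as offline-login failures. I would add a changelog line under 2.9.8-1 such as `- Drop 0001-authtok-add-IS_PW_OR_ST_AUTHTOK.patch and 0002-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch: included upstream in 2.9.8` once the two commits have been verified in the release. Leaving the empty `### Patches ###` section in place is fine.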
@@ -1085,6 +1083,19 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Thu Jan 22 2026 Tomas Halman - 2.9.8-1
+- Resolves: RHEL-143692 - SSSD Rebase for RHEL 9.8
+- Resolves: RHEL-133967 - Remove SSSD option ipa_enable_dns_sites
+- Resolves: RHEL-133469 - 'sssd_nss' hangs when looking up an object by ID that has expired cache entry and filtered out by name
+- Resolves: RHEL-133006 - SSSD: change a default value of 'session_provider' sssd.conf option to 'none'
+- Resolves: RHEL-132984 - sssd_be: segfault at 8 ip 00007f6fd25b2b90 sp 00007ffc02dfbae0 error 4 in libsss_ipa.so
+- Resolves: RHEL-132506 - RFE: package LDAP provider support for subid ranges
+- Resolves: RHEL-120297 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux
+- Resolves: RHEL-87530 - AD user in external group is not cleared when expiring the cache
+
+* Tue Sep 23 2025 Pavel Filipenský - 2.9.7-5
+- Related: RHEL-114548 - Rebase Samba to the latest 4.23.x release
+
 * Thu Aug 14 2025 Alexey Tikhonov - 2.9.7-4
 - Related: RHEL-87530 - AD user in external group is not cleared when expiring the cache [rhel-9] Patch used to fix this ticket causes a regression (RHEL-106987) and is being reverted.