diff --git a/.gitignore b/.gitignore
index 8002017..91ca869 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /sssd-2.7.3.tar.gz
 /sssd-2.8.1.tar.gz
 /sssd-2.8.2.tar.gz
+/sssd-2.9.0.tar.gz
diff --git a/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
new file mode 100644
index 0000000..21a27c7
--- /dev/null
+++ b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
@@ -0,0 +1,248 @@
+From eb43c2400a34a4ab77be4f75ba7536baecda3bef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
+Date: Wed, 10 May 2023 17:29:07 +0200
+Subject: [PATCH] FILE WATCH: Callback not executed on link or relative path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the watched file was a symbolic link or was a relative path,
+the calback was not executed because the filename comparison
+was wrongly considering the files to be different.
+
+The solution is to normalize the filenames before comparing them.
+This cannot be easily done at setup because the file could not
+exist at that moment.
+
+The test was adapted to check this situation.
+
+Resolves: https://github.com/SSSD/sssd/issues/6718
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)
+---
+ src/tests/file_watch-tests.c | 83 ++++++++++++++++++++++++++----------
+ src/util/file_watch.c        | 26 +++++++++--
+ 2 files changed, 83 insertions(+), 26 deletions(-)
+
+diff --git a/src/tests/file_watch-tests.c b/src/tests/file_watch-tests.c
+index 3ca5b44f9..3e1aea6ce 100644
+--- a/src/tests/file_watch-tests.c
++++ b/src/tests/file_watch-tests.c
+@@ -36,11 +36,19 @@
+ #include "util/file_watch.h"
+ #include "tests/common.h"
+ 
+-#define FW_DIR                            TEST_DIR "/file-watch"
+-#define WATCHED_FILE_INOTIFY              FW_DIR "/watched_file_inotify"
+-#define WATCHED_FILE_POLL                 FW_DIR "/watched_file_poll"
+-#define WATCHED_EXISTING_FILE_INOTIFY     FW_DIR "/watched_file_inotify.exists"
+-#define WATCHED_EXISTING_FILE_POLL        FW_DIR "/watched_file_poll.exists"
++#define FW_NAME                           "/file-watch-test-dir"
++#define FILE_INOTIFY_NAME                 "watched_file_inotify"
++#define FILE_POLL_NAME                    "watched_file_poll"
++#define FW_DIR                            TEST_DIR FW_NAME
++#define EXISTING_FILE_INOTIFY_NAME        FILE_INOTIFY_NAME ".exists"
++#define EXISTING_FILE_POLL_NAME           FILE_POLL_NAME ".exists"
++#define WATCHED_FILE_INOTIFY              FW_DIR "/.." FW_NAME "/" FILE_INOTIFY_NAME
++#define WATCHED_FILE_POLL                 FW_DIR "/.." FW_NAME "/" FILE_POLL_NAME
++#define WATCHED_EXISTING_FILE_INOTIFY     FW_DIR "/.." FW_NAME "/" EXISTING_FILE_INOTIFY_NAME
++#define WATCHED_EXISTING_FILE_POLL        FW_DIR "/.." FW_NAME "/" EXISTING_FILE_POLL_NAME
++#define WATCHED_EXISTING_LINK_INOTIFY     FW_DIR "/" EXISTING_FILE_INOTIFY_NAME ".link"
++#define WATCHED_EXISTING_LINK_POLL        FW_DIR "/" EXISTING_FILE_POLL_NAME ".link"
++#define UNWATCHED_FILE                    FW_DIR "/unwatched_file"
+ 
+ 
+ static TALLOC_CTX *test_mem_ctx;
+@@ -50,34 +58,51 @@ struct fn_arg {
+     int counter;
+ };
+ 
+-static void setup_file_watch(void)
++static void remove_files(void)
+ {
+-    test_mem_ctx = talloc_new(NULL);
+-    mkdir(FW_DIR, 0700);
+     unlink(WATCHED_FILE_INOTIFY);
+     unlink(WATCHED_FILE_POLL);
++    unlink(WATCHED_EXISTING_LINK_INOTIFY);
++    unlink(WATCHED_EXISTING_LINK_POLL);
+     unlink(WATCHED_EXISTING_FILE_INOTIFY);
+     unlink(WATCHED_EXISTING_FILE_POLL);
++    unlink(UNWATCHED_FILE);
+ }
+ 
++static void setup_file_watch(void)
++{
++    DEBUG(SSSDBG_TRACE_ALL, "==========================================\n");
++    test_mem_ctx = talloc_new(NULL);
++    mkdir(FW_DIR, 0700);
++    remove_files();
++}
+ 
+ static void teardown_file_watch(void)
+ {
+-    unlink(WATCHED_FILE_INOTIFY);
+-    unlink(WATCHED_FILE_POLL);
+-    unlink(WATCHED_EXISTING_FILE_INOTIFY);
+-    unlink(WATCHED_EXISTING_FILE_POLL);
+     talloc_free(test_mem_ctx);
++    remove_files();
++    rmdir(FW_DIR);
+ }
+ 
+ 
+ static void callback(const char *filename, void *arg)
+ {
+-    DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
++    static char received[PATH_MAX + 1];
++    static char expected[PATH_MAX + 1];
++    char *res;
+     struct fn_arg *data = (struct fn_arg *) arg;
+ 
++    DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
++
+     ck_assert_msg(data != NULL, "Callback received NULL argument");
+-    ck_assert_msg(strcmp(filename, data->filename) == 0,
++
++    res = realpath(data->filename, expected);
++    ck_assert_msg(res != NULL, "Failed to normalize the expected filename");
++
++    res = realpath(filename, received);
++    ck_assert_msg(res != NULL, "Failed to normalize the received filename");
++
++    ck_assert_msg(strcmp(expected, received) == 0,
+                   "Wrong filename in the callback.");
+     data->counter++;
+ }
+@@ -88,7 +113,7 @@ static void modify_file(const char *filename)
+     int fd;
+     int res;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "File modified\n");
++    DEBUG(SSSDBG_TRACE_FUNC, "Modifying file %s\n", filename);
+     fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
+     ck_assert_msg(fd != -1, "Failed to open the file.");
+ 
+@@ -119,11 +144,14 @@ static void test_file_watch_no_file(bool use_inotify)
+     arg.filename = filename;
+     arg.counter = 0;
+ 
++    DEBUG(SSSDBG_TRACE_ALL, "Watching file %s\n", filename);
+     ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
+     ck_assert_msg(ctx != NULL, "Failed to watch a file.");
+     ck_assert_msg(arg.counter == 0, "Unexpected callback invocation.");
+ 
+-    // At this point the file doesn't exist, we will create it.
++    // At this point the file doesn't exist. We create the watched and an
++    // unwatched file
++    modify_file(UNWATCHED_FILE);
+     modify_file(filename);
+     if (use_inotify) {
+         res = tevent_loop_once(ev);
+@@ -152,26 +180,35 @@ static void test_file_watch_with_file(bool use_inotify)
+ {
+     struct file_watch_ctx *ctx;
+     struct tevent_context *ev;
++    const char *filepath;
+     const char *filename;
++    const char *linkpath;
+     struct fn_arg arg;
+     int res;
+ 
+     if (use_inotify) {
+-        filename = WATCHED_EXISTING_FILE_INOTIFY;
++        filename = EXISTING_FILE_INOTIFY_NAME;
++        filepath = WATCHED_EXISTING_FILE_INOTIFY;
++        linkpath = WATCHED_EXISTING_LINK_INOTIFY;
+     } else {
+-        filename = WATCHED_EXISTING_FILE_POLL;
++        filename = EXISTING_FILE_POLL_NAME;
++        filepath = WATCHED_EXISTING_FILE_POLL;
++        linkpath = WATCHED_EXISTING_LINK_POLL;
+     }
+-    modify_file(filename);
++    modify_file(filepath);
++    res = symlink(filename, linkpath);
++    ck_assert_msg(res == 0, "Failed create the symbolic link");
+ 
+     ev = tevent_context_init(test_mem_ctx);
+     ck_assert_msg(ev != NULL, "Failed to create the tevent context.");
+ 
+-    arg.filename = filename;
++    arg.filename = linkpath;
+     arg.counter = 0;
+ 
+     // File already exists
+-    ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
+-    ck_assert_msg(ctx != NULL, "Failed to watch a file.");
++    DEBUG(SSSDBG_TRACE_ALL, "Watching link %s\n", linkpath);
++    ctx = fw_watch_file(test_mem_ctx, ev, linkpath, use_inotify, callback, &arg);
++    ck_assert_msg(ctx != NULL, "Failed to watch a link.");
+     ck_assert_msg(arg.counter >= 1, "Callback not invoked at start up.");
+     ck_assert_msg(arg.counter <= 1, "Callback invoked too many times at start up.");
+ 
+@@ -179,7 +216,7 @@ static void test_file_watch_with_file(bool use_inotify)
+     if (!use_inotify) {
+         sleep(2); // Detection by polling is based on the file's modification time.
+     }
+-    modify_file(filename);
++    modify_file(filepath);
+     if (use_inotify) {
+         res = tevent_loop_once(ev);
+         ck_assert_msg(res == 0, "tevent_loop_once() failed.");
+diff --git a/src/util/file_watch.c b/src/util/file_watch.c
+index b994e4116..d19fdccd6 100644
+--- a/src/util/file_watch.c
++++ b/src/util/file_watch.c
+@@ -121,7 +121,10 @@ static int watched_file_inotify_cb(const char *filename,
+                                   uint32_t flags,
+                                   void *pvt)
+ {
++    static char received[PATH_MAX + 1];
++    static char expected[PATH_MAX + 1];
+     struct file_watch_ctx *fw_ctx;
++    char *res;
+ 
+     DEBUG(SSSDBG_TRACE_LIBS,
+           "Received inotify notification for %s\n", filename);
+@@ -131,15 +134,32 @@ static int watched_file_inotify_cb(const char *filename,
+         return EINVAL;
+     }
+ 
+-    if (strcmp(fw_ctx->filename, filename) == 0) {
+-        if (access(fw_ctx->filename, F_OK) == 0) {
+-            fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);
++    res = realpath(fw_ctx->filename, expected);
++    if (res == NULL) {
++         DEBUG(SSSDBG_TRACE_LIBS,
++               "Normalization failed for expected %s. Skipping the callback.\n",
++               fw_ctx->filename);
++        goto done;
++    }
++
++    res = realpath(filename, received);
++    if (res == NULL) {
++         DEBUG(SSSDBG_TRACE_LIBS,
++               "Normalization failed for received %s. Skipping the callback.\n",
++               filename);
++        goto done;
++    }
++
++    if (strcmp(expected, received) == 0) {
++        if (access(received, F_OK) == 0) {
++            fw_ctx->cb(received, fw_ctx->cb_arg);
+         } else {
+             DEBUG(SSSDBG_TRACE_LIBS,
+                   "File %s is missing. Skipping the callback.\n", filename);
+         }
+     }
+ 
++done:
+     return EOK;
+ }
+ 
+-- 
+2.38.1
+
diff --git a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
deleted file mode 100644
index 60feece..0000000
--- a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Thu, 8 Dec 2022 15:14:05 +0100
-Subject: [PATCH] ldap: update shadow last change in sysdb as well
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Otherwise pam can use the changed information whe id chaching is
-enabled, so next authentication that fits into the id timeout
-(5 seconds by default) will still sees the password as expired.
-
-Resolves: https://github.com/SSSD/sssd/issues/6477
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
----
- src/db/sysdb.h                 |  4 ++++
- src/db/sysdb_ops.c             | 32 ++++++++++++++++++++++++++++++++
- src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
- 3 files changed, 52 insertions(+), 5 deletions(-)
-
-diff --git a/src/db/sysdb.h b/src/db/sysdb.h
-index 7c666f5c4..06b44f5ba 100644
---- a/src/db/sysdb.h
-+++ b/src/db/sysdb.h
-@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
-                         struct sysdb_attrs *attrs,
-                         int mod_op);
- 
-+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
-+                                             const char *name,
-+                                             const char *attrname);
-+
- /* Replace group attrs */
- int sysdb_set_group_attr(struct sss_domain_info *domain,
-                          const char *name,
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 0d6f2d5cd..ed0df9872 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -1485,6 +1485,38 @@ done:
-     return ret;
- }
- 
-+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
-+                                             const char *name,
-+                                             const char *attrname)
-+{
-+    struct sysdb_attrs *attrs;
-+    char *value;
-+    errno_t ret;
-+
-+    attrs = sysdb_new_attrs(NULL);
-+    if (attrs == NULL) {
-+        return ENOMEM;
-+    }
-+
-+    /* The attribute contains number of days since the epoch */
-+    value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
-+    if (value == NULL) {
-+        ret = ENOMEM;
-+        goto done;
-+    }
-+
-+    ret = sysdb_attrs_add_string(attrs, attrname, value);
-+    if (ret != EOK) {
-+        goto done;
-+    }
-+
-+    ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
-+
-+done:
-+    talloc_free(attrs);
-+    return ret;
-+}
-+
- /* =Replace-Attributes-On-Group=========================================== */
- 
- int sysdb_set_group_attr(struct sss_domain_info *domain,
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index 6404a9d3a..96b9d6df4 100644
---- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
-     struct pam_data *pd;
-     struct sdap_handle *sh;
-     char *dn;
-+    enum pwexpire pw_expire_type;
- };
- 
- static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
-@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
- {
-     struct sdap_pam_chpass_handler_state *state;
-     struct tevent_req *req;
--    enum pwexpire pw_expire_type;
-     void *pw_expire_data;
-     size_t msg_len;
-     uint8_t *msg;
-@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-     state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
- 
-     ret = auth_recv(subreq, state, &state->sh, &state->dn,
--                    &pw_expire_type, &pw_expire_data);
-+                    &state->pw_expire_type, &pw_expire_data);
-     talloc_free(subreq);
- 
-     if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
-@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-     }
- 
-     if (ret == EOK) {
--        switch (pw_expire_type) {
-+        switch (state->pw_expire_type) {
-         case PWEXPIRE_SHADOW:
-             ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
-             break;
-@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-             break;
-         default:
-             DEBUG(SSSDBG_CRIT_FAILURE,
--                  "Unknown password expiration type %d.\n", pw_expire_type);
-+                  "Unknown password expiration type %d.\n",
-+                  state->pw_expire_type);
-             state->pd->pam_status = PAM_SYSTEM_ERR;
-             goto done;
-         }
-@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
-         case ERR_PASSWORD_EXPIRED:
-             DEBUG(SSSDBG_TRACE_LIBS,
-                   "user [%s] successfully authenticated.\n", state->dn);
--            ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
-+            ret = sdap_pam_chpass_handler_change_step(state, req,
-+                                                      state->pw_expire_type);
-             if (ret != EOK) {
-                 DEBUG(SSSDBG_OP_FAILURE,
-                       "sdap_pam_chpass_handler_change_step() failed.\n");
-@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
- 
-     switch (ret) {
-     case EOK:
-+        if (state->pw_expire_type == PWEXPIRE_SHADOW) {
-+            ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
-+                    state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
-+            if (ret != EOK) {
-+                state->pd->pam_status = PAM_SYSTEM_ERR;
-+                goto done;
-+            }
-+        }
-+
-         state->pd->pam_status = PAM_SUCCESS;
-         break;
-     case ERR_CHPASS_DENIED:
--- 
-2.37.3
-
diff --git a/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
deleted file mode 100644
index fdc756a..0000000
--- a/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 3 Feb 2023 11:35:42 +0100
-Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
- read/write/check helpers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
-error condition is detected, regular `POLLIN/POLLOUT` won't be set.
-Error code set by error condition should have a priority. This enables
-users of this helper to retry attempt (as designed).
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
----
- src/sss_client/common.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 2c888faa9..27e09f6f3 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
-         case 1:
-             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-                 *errnop = EPIPE;
--            }
--            if (!(pfd.revents & POLLOUT)) {
-+            } else if (!(pfd.revents & POLLOUT)) {
-                 *errnop = EBUSY;
-             }
-             break;
-@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
-             }
-             if (pfd.revents & (POLLERR | POLLNVAL)) {
-                 *errnop = EPIPE;
--            }
--            if (!(pfd.revents & POLLIN)) {
-+            } else if (!(pfd.revents & POLLIN)) {
-                 *errnop = EBUSY;
-             }
-             break;
-@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
-         case 1:
-             if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-                 *errnop = EPIPE;
--            }
--            if (!(pfd.revents & (POLLIN | POLLOUT))) {
-+            } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
-                 *errnop = EBUSY;
-             }
-             break;
--- 
-2.37.3
-
diff --git a/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
deleted file mode 100644
index d7c875f..0000000
--- a/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 8 Feb 2023 17:48:52 +0100
-Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
- alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
- there is a risk to close "foreign" socket opened in another thread.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
----
- src/sss_client/common.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 27e09f6f3..c8ade645b 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
-             *errnop = ETIME;
-             break;
-         case 1:
--            if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-+            if (pfd.revents & (POLLERR | POLLHUP)) {
-+                *errnop = EPIPE;
-+            } else if (pfd.revents & POLLNVAL) {
-+                /* Invalid request: fd is not opened */
-+                sss_cli_sd = -1;
-                 *errnop = EPIPE;
-             } else if (!(pfd.revents & POLLOUT)) {
-                 *errnop = EBUSY;
-@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
-             if (pfd.revents & (POLLHUP)) {
-                 pollhup = true;
-             }
--            if (pfd.revents & (POLLERR | POLLNVAL)) {
-+            if (pfd.revents & POLLERR) {
-+                *errnop = EPIPE;
-+            } else if (pfd.revents & POLLNVAL) {
-+                /* Invalid request: fd is not opened */
-+                sss_cli_sd = -1;
-                 *errnop = EPIPE;
-             } else if (!(pfd.revents & POLLIN)) {
-                 *errnop = EBUSY;
-@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
-             *errnop = ETIME;
-             break;
-         case 1:
--            if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
-+            if (pfd.revents & (POLLERR | POLLHUP)) {
-+                *errnop = EPIPE;
-+            } else if (pfd.revents & POLLNVAL) {
-+                /* Invalid request: fd is not opened */
-+                sss_cli_sd = -1;
-                 *errnop = EPIPE;
-             } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
-                 *errnop = EBUSY;
--- 
-2.37.3
-
diff --git a/sources b/sources
index 49e768c..230117e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55
+SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d
diff --git a/sssd.spec b/sssd.spec
index c395105..d7a98ea 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -18,8 +18,8 @@
 %global enable_systemtap_opt --enable-systemtap
 
 Name: sssd
-Version: 2.8.2
-Release: 2%{?dist}
+Version: 2.9.0
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -27,10 +27,7 @@ URL: https://github.com/SSSD/sssd
 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
 
 ### Patches ###
-Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
-Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
-Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
-Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
+Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
 
 ### Downstream Patches ###
 
@@ -214,7 +211,6 @@ Summary: Userspace tools for use with the SSSD
 Group: Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
-Requires: libsss_simpleifp = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
@@ -594,6 +590,8 @@ autoreconf -ivf
     --with-initscript=systemd \
     --with-syslog=journald \
     --with-subid \
+    --with-files-provider \
+    --with-libsifp \
     --enable-sss-default-nss-plugin \
     --without-python2-bindings \
     --with-sssd-user=sssd \
@@ -910,7 +908,7 @@ done
 %{_mandir}/man5/sssd-ifp.5*
 %{_unitdir}/sssd-ifp.service
 # InfoPipe DBus plumbing
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
 
 %files -n libsss_simpleifp
@@ -1213,6 +1211,15 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
+- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
+- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
+- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
+- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
+- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
+- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
+- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
+
 * Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
 - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"