diff --git a/.gitignore b/.gitignore
index 76c0ba9..dcf6eb8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sssd-2.9.5.tar.gz
+SOURCES/sssd-2.9.6.tar.gz
diff --git a/.sssd.metadata b/.sssd.metadata
index 7896512..917a0d0 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-f6704a9df1303e154ef8526f9f21e2b72879c046 SOURCES/sssd-2.9.5.tar.gz
+da2490cf07d91fd340ce87ffc209fc2420ccf60c SOURCES/sssd-2.9.6.tar.gz
diff --git a/SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch b/SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
new file mode 100644
index 0000000..fcc2405
--- /dev/null
+++ b/SOURCES/0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
@@ -0,0 +1,83 @@ +From 4f9fb5fd301d635ad54bf6d0ef93d6811445c7f9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 22 May 2024 13:31:06 +0200 +Subject: [PATCH] SYSDB: Use SYSDB_NAME from cached entry when updating users + and groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The sysdb_store_user() and sysdb_store_group() functinos search for the +entry by name to check if it is already cached. This search considers +SYSDB_ALIAS, added when the domain is case insensitive. If a matching +entry is found use its SYSDB_NAME instead of the passed name. + +It may happen the group is stored in uppercase, but later some server +returns a memberOf attribute in lowercase. When updating the group to +add the memberships the first search will find the entry, but the modify +operation will fail as the group name in the built DN will differ in case. + +Signed-off-by: Samuel Cabrero + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit d2b734b926e1f23370c9cabd8ba6f07bf6b29a86) + +Reviewed-by: Justin Stephenson +--- + src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 76f4580aa..32e49d759 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -2615,6 +2615,22 @@ int sysdb_store_user(struct sss_domain_info *domain, + } + } else { + /* the user exists, let's just replace attributes when set */ ++ /* ++ * The sysdb_search_user_by_name() function also matches lowercased ++ * aliases, saved when the domain is case-insensitive. This means that ++ * the stored entry name can differ in capitalization from the search ++ * name. Use the cached entry name to perform the modification because ++ * if name capitalization in entry's DN differs the modify operation ++ * will fail. 
++ */ ++ const char *entry_name = ++ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); ++ if (entry_name != NULL) { ++ name = entry_name; ++ } else { ++ DEBUG(SSSDBG_MINOR_FAILURE, "User '%s' without a name?\n", name); ++ } ++ + ret = sysdb_store_user_attrs(domain, name, uid, gid, gecos, homedir, + shell, orig_dn, attrs, remove_attrs, + cache_timeout, now); +@@ -2849,6 +2865,22 @@ int sysdb_store_group(struct sss_domain_info *domain, + ret = sysdb_store_new_group(domain, name, gid, attrs, + cache_timeout, now); + } else { ++ /* ++ * The sysdb_search_group_by_name() function also matches lowercased ++ * aliases, saved when the domain is case-insensitive. This means that ++ * the stored entry name can differ in capitalization from the search ++ * name. Use the cached entry name to perform the modification because ++ * if name capitalization in entry's DN differs the modify operation ++ * will fail. ++ */ ++ const char *entry_name = ++ ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); ++ if (entry_name != NULL) { ++ name = entry_name; ++ } else { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Group '%s' without a name?\n", name); ++ } ++ + ret = sysdb_store_group_attrs(domain, name, gid, attrs, + cache_timeout, now); + } +-- +2.47.0 + diff --git a/SOURCES/0001-spec-change-passkey_child-owner.patch b/SOURCES/0001-spec-change-passkey_child-owner.patch deleted file mode 100644 index dac8b4b..0000000 --- a/SOURCES/0001-spec-change-passkey_child-owner.patch +++ /dev/null 
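Review bot: The sixteen-line block that swaps the caller's `name` for the cached SYSDB_NAME is duplicated verbatim in sysdb_store_user() and sysdb_store_group(), differing only in the log text; a small static helper such as `static const char *sysdb_cached_entry_name(struct ldb_message *msg, const char *name, const char *kind)` would keep the two sites from drifting apart. When the cached entry carries no SYSDB_NAME the code logs at SSSDBG_MINOR_FAILURE and continues with the caller-supplied name, so the case-mismatch modify failure the commit message describes can presumably still occur on that path; if an entry without a name is genuinely unexpected, returning an error, or at least stating in the comment that the fallback is deliberate, would make the intent clearer. Both enclosing functions start and end outside the hunk.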
@@ -1,34 +0,0 @@ -From ee8de7e404ba65062e0b373f2badc0475835bbde Mon Sep 17 00:00:00 2001 -From: Iker Pedrosa -Date: Tue, 11 Jun 2024 15:57:23 +0200 -Subject: [PATCH] spec: change passkey_child owner - -passkey_child owner was incorrectly set to $sssd_user:$sssd_user, when -it should be root:root. Correcting it. - -Fixes: 30daa0ccdae5 ("spec: update to include passkey") - -Signed-off-by: Iker Pedrosa - -Reviewed-by: Alexey Tikhonov -(cherry picked from commit bb72b53d3a222f016d882853a619bd74c237edf9) ---- - contrib/sssd.spec.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 03171a872..3735d4f06 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -998,7 +998,7 @@ done - - %if %{build_passkey} - %files passkey --%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child -+%{_libexecdir}/%{servicename}/passkey_child - %{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so - %{_datadir}/sssd/krb5-snippets/sssd_enable_passkey - %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey --- -2.44.0 - diff --git a/SOURCES/0002-KCM-fix-memory-leak.patch b/SOURCES/0002-KCM-fix-memory-leak.patch new file mode 100644 index 0000000..f899f57 --- /dev/null +++ b/SOURCES/0002-KCM-fix-memory-leak.patch 
@@ -0,0 +1,93 @@ +From 6aba9a7dd2261c19f053d5fbd5358fdaf335b807 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 5 Feb 2025 08:59:49 +0100 +Subject: [PATCH] KCM: fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The copy of 'secret' argument - `secret_val.data` - was left hanging +on `sss_sec_ctx`, effectively resulting in a memory leak. +But this copy isn't actually required as this data isn't modified in +below operations. + +This is a backport of https://github.com/SSSD/sssd/pull/7823 + +:fixes:'sssd_kcm' memory leak was fixed. + +Reviewed-by: Alejandro López +Reviewed-by: Justin Stephenson +--- + src/responder/kcm/secrets/secrets.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c +index 730fa68b6..d1a9672d5 100644 +--- a/src/responder/kcm/secrets/secrets.c ++++ b/src/responder/kcm/secrets/secrets.c +@@ -953,7 +953,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + size_t secret_len) + { + struct ldb_message *msg; +- struct ldb_val secret_val; ++ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1002,13 +1002,11 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- secret_val.length = secret_len; +- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); +- if (!secret_val.data) { +- ret = ENOMEM; +- goto done; +- } +- ++ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data ++ * but rather copies a pointer under the hood. ++ * This is fine since no operations modifying this data are performed ++ * below and 'msg' is freed before function returns. 
++ */ + ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -1050,7 +1048,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + size_t secret_len) + { + struct ldb_message *msg; +- struct ldb_val secret_val; ++ const struct ldb_val secret_val = { .length = secret_len, .data = secret }; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1099,13 +1097,6 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- secret_val.length = secret_len; +- secret_val.data = talloc_memdup(req->sctx, secret, secret_len); +- if (!secret_val.data) { +- ret = ENOMEM; +- goto done; +- } +- + /* FIXME - should we have a lastUpdate timestamp? */ + ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { +@@ -1115,6 +1106,11 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + ++ /* `ldb_msg_add_value()` does NOT make a copy of secret_val::*data ++ * but rather copies a pointer under the hood. ++ * This is fine since no operations modifying this data are performed ++ * below and 'msg' is freed before function returns. ++ */ + ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &secret_val, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, +-- +2.47.0 + diff --git a/SOURCES/0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch b/SOURCES/0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch deleted file mode 100644 index 503738e..0000000 --- a/SOURCES/0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch +++ /dev/null 
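Review bot: With the talloc_memdup() removed, `secret_val.data` now aliases the caller's `secret` buffer for the whole of sss_sec_put() and sss_sec_update(), so the caller must keep that buffer valid and unchanged until the call returns, and the only place this contract is written down is the inline comment above `ldb_msg_add_value()`. A one-line note on the declarations of both functions in the header, e.g. `/* 'secret' is not copied; it must remain valid and unmodified until the call returns. */`, would make the new requirement visible to callers. The initializer `.data = secret` also depends on `secret` being assignable to the `uint8_t *data` member of struct ldb_val without a cast; if the parameter is declared `const`, that line will warn about discarded qualifiers, which is worth confirming since the parameter list is outside the hunk.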
@@ -1,58 +0,0 @@ -From d234cf5d6e793daf2c96856887acb641c4dff407 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 14 Jun 2024 16:10:34 +0200 -Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -SSSD does not handle the root user (UID==0) and treats all accounts with -UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as -well and as a result for those accounts in MPG domains the check for a -collisions of the primary GID should be skipped. The current code might -e.g. cause issues during GPO evaluation when adding a host account into -the cache which does not have any UID or GID set in AD and SSSD is -configured to read UID and GID from AD. - -Resolves: https://github.com/SSSD/sssd/issues/7451 - -Reviewed-by: Alejandro López -Reviewed-by: Tomáš Halman -(cherry picked from commit 986bb726202e69b05f861c14c3a220379baf9bd1) ---- - src/db/sysdb_ops.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 0f62e3b1a..76f4580aa 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain, - goto done; - } - -- ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); -- if (ret != ENOENT) { -- if (ret == EOK) { -- DEBUG(SSSDBG_OP_FAILURE, -- "Group with GID [%"SPRIgid"] already exists in an " -- "MPG domain\n", gid); -- ret = EEXIST; -+ if (uid != 0) { /* uid == 0 means non-POSIX object */ -+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg); -+ if (ret != ENOENT) { -+ if (ret == EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Group with GID [%"SPRIgid"] already exists in an " -+ "MPG domain\n", uid); -+ ret = EEXIST; -+ } -+ goto done; - } -- goto done; - } - } - --- -2.44.0 - 
diff --git a/SOURCES/0003-KCM-another-memory-leak-fixed.patch b/SOURCES/0003-KCM-another-memory-leak-fixed.patch
new file mode 100644
index 0000000..922fbdc
--- /dev/null
+++ b/SOURCES/0003-KCM-another-memory-leak-fixed.patch
@@ -0,0 +1,59 @@ +From e7c76df8c0fa4a361c433684553ba1384166a564 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 12 Feb 2025 11:30:22 +0100 +Subject: [PATCH] KCM: another memory leak fixed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +``` +... + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0 + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90 + talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520 +... +``` + +Reviewed-by: Alejandro López +(cherry picked from commit 9e72bc242b600158d7920b2b98644efa42fd1ffa) +--- + src/responder/kcm/kcmsrv_ccache.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index 6e4ea64e0..4f4f8b46a 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -404,7 +404,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { +- goto done; ++ goto fail; + } + + for (cred = kcm_cc_get_cred(cc); cred != NULL; cred = kcm_cc_next_cred(cred)) { +@@ -417,7 +417,7 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + cred_list[i] = kcm_cred_to_krb5(krb_context, cred); + if (cred_list[i] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n"); +- goto done; ++ goto fail; + } + } + +@@ -426,8 +426,10 @@ krb5_creds **kcm_cc_unmarshal(TALLOC_CTX *mem_ctx, + + talloc_steal(mem_ctx, cred_list); + ++ talloc_free(tmp_ctx); + return cred_list; +-done: ++ ++fail: + talloc_free(tmp_ctx); + return NULL; + #endif +-- +2.47.0 + diff --git a/SOURCES/0003-ad-use-right-memory-context-in-GPO-code.patch b/SOURCES/0003-ad-use-right-memory-context-in-GPO-code.patch deleted file mode 100644 index 29401e6..0000000 
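Review bot: The success path in kcm_cc_unmarshal() now carries its own `talloc_free(tmp_ctx); return cred_list;` while the `fail:` label repeats the same free for the error path, which is exactly the split that let the original leak slip in. A single exit keeps the two from diverging again: declare `krb5_creds **result = NULL;` at the top, set `result = cred_list;` right after `talloc_steal(mem_ctx, cred_list);`, and let one `done:` label do `talloc_free(tmp_ctx); return result;`. The function begins outside the hunk, and the trailing `#endif` shows its body is conditionally compiled.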
--- a/SOURCES/0003-ad-use-right-memory-context-in-GPO-code.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 723a30b45ba4cbd9a4913fd37d68e392dcfc16ba Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 7 Jun 2024 18:04:00 +0200 -Subject: [PATCH] ad: use right memory context in GPO code -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The original primary SID is allocated on a temporary context and must be -move to be longer living one to still be available when the SID is -evaluated later in the code. - -Resolves: https://github.com/SSSD/sssd/issues/7411 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman -(cherry picked from commit b25e510ad60f6ce0b57063cce648c3aa48b21241) ---- - src/providers/ad/ad_gpo.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index b879b0a08..ed664ec83 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -711,7 +711,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx, - } - group_sids[i++] = talloc_strdup(group_sids, AD_AUTHENTICATED_USERS_SID); - if (orig_gid_sid != NULL) { -- group_sids[i++] = orig_gid_sid; -+ group_sids[i++] = talloc_steal(group_sids, orig_gid_sid); - } - group_sids[i] = NULL; - --- -2.44.0 - diff --git a/SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch b/SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch new file mode 100644 index 0000000..d9fc4c7 --- /dev/null +++ b/SOURCES/0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch 
@@ -0,0 +1,441 @@ +From addb1a78106cab8a85f8f6c56d79e84b5abd0d5e Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 14 Feb 2025 21:15:16 +0100 +Subject: [PATCH] SYSDB: don't add group members if 'ignore_group_members == + true' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/7793 + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +(cherry picked from commit 281d9c3ed66ee28a9572433a629eb0d72525ca46) +--- + src/db/sysdb.h | 51 ++++++--- + src/db/sysdb_search.c | 6 +- + src/db/sysdb_views.c | 10 +- + src/tests/cmocka/test_responder_cache_req.c | 112 +++++++------------- + src/tests/cmocka/test_sysdb_ts_cache.c | 6 +- + src/tools/sss_override.c | 2 +- + 6 files changed, 90 insertions(+), 97 deletions(-) + +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index 55c6437f2..fb1ced009 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -276,19 +276,44 @@ + SYSDB_ORIG_DN, \ + NULL} + +-#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \ +- SYSDB_MEMBERUID, \ +- SYSDB_MEMBER, \ +- SYSDB_GHOST, \ +- SYSDB_DEFAULT_ATTRS, \ +- SYSDB_SID_STR, \ +- SYSDB_OVERRIDE_DN, \ +- SYSDB_OVERRIDE_OBJECT_DN, \ +- SYSDB_DEFAULT_OVERRIDE_NAME, \ +- SYSDB_UUID, \ +- ORIGINALAD_PREFIX SYSDB_NAME, \ +- ORIGINALAD_PREFIX SYSDB_GIDNUM, \ +- NULL} ++/* Strictly speaking it should return 'const char * const *' but ++ * that gets really unreadable. 
++ */ ++__attribute__((always_inline)) ++static inline const char **SYSDB_GRSRC_ATTRS(const struct sss_domain_info *domain) ++{ ++ static const char * __SYSDB_GRSRC_ATTRS_NO_MEMBERS[] = { ++ SYSDB_NAME, SYSDB_GIDNUM, ++ SYSDB_DEFAULT_ATTRS, ++ SYSDB_SID_STR, ++ SYSDB_OVERRIDE_DN, ++ SYSDB_OVERRIDE_OBJECT_DN, ++ SYSDB_DEFAULT_OVERRIDE_NAME, ++ SYSDB_UUID, ++ NULL ++ }; ++ static const char * __SYSDB_GRSRC_ATTRS_WITH_MEMBERS[] = { ++ SYSDB_NAME, SYSDB_GIDNUM, ++ SYSDB_MEMBERUID, ++ SYSDB_MEMBER, ++ SYSDB_GHOST, ++ SYSDB_DEFAULT_ATTRS, ++ SYSDB_SID_STR, ++ SYSDB_OVERRIDE_DN, ++ SYSDB_OVERRIDE_OBJECT_DN, ++ SYSDB_DEFAULT_OVERRIDE_NAME, ++ SYSDB_UUID, ++ ORIGINALAD_PREFIX SYSDB_NAME, ++ ORIGINALAD_PREFIX SYSDB_GIDNUM, ++ NULL ++ }; ++ ++ if (domain && domain->ignore_group_members) { ++ return __SYSDB_GRSRC_ATTRS_NO_MEMBERS; ++ } else { ++ return __SYSDB_GRSRC_ATTRS_WITH_MEMBERS; ++ } ++} + + #define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \ + SYSDB_NETGROUP_MEMBER, \ +diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c +index e4c53b853..7f34ddbcb 100644 +--- a/src/db/sysdb_search.c ++++ b/src/db/sysdb_search.c +@@ -1176,7 +1176,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, + struct ldb_result **_res) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + const char *fmt_filter; + char *sanitized_name; + struct ldb_dn *base_dn; +@@ -1378,7 +1378,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx, + struct ldb_dn *base_dn; + struct ldb_result *res = NULL; + int ret; +- static const char *default_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **default_attrs = SYSDB_GRSRC_ATTRS(domain); + const char **attrs = NULL; + + tmp_ctx = talloc_new(NULL); +@@ -1484,7 +1484,7 @@ int sysdb_enumgrent_filter(TALLOC_CTX *mem_ctx, + struct ldb_result **_res) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + const char 
*filter = NULL; + const char *ts_filter = NULL; + const char *base_filter; +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index 19c10977b..71f627974 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -1237,7 +1237,7 @@ errno_t sysdb_search_group_override_by_name(TALLOC_CTX *mem_ctx, + struct ldb_result **override_obj, + struct ldb_result **orig_obj) + { +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + + return sysdb_search_override_by_name(mem_ctx, domain, name, + SYSDB_GROUP_NAME_OVERRIDE_FILTER, +@@ -1253,7 +1253,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx, + { + TALLOC_CTX *tmp_ctx; + static const char *user_attrs[] = SYSDB_PW_ATTRS; +- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); + const char **attrs; + struct ldb_dn *base_dn; + struct ldb_result *override_res; +@@ -1417,7 +1417,7 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain, + struct ldb_message *override; + uint64_t uid; + static const char *user_attrs[] = SYSDB_PW_ATTRS; +- static const char *group_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **group_attrs = SYSDB_GRSRC_ATTRS(domain); /* members don't matter */ + const char **attrs; + struct attr_map { + const char *attr; +@@ -1551,6 +1551,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain, + char *val; + struct sss_domain_info *orig_dom; + ++ if (domain->ignore_group_members) { ++ return EOK; ++ } ++ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); +diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c +index fe69a9dfd..c665e1adb 100644 +--- a/src/tests/cmocka/test_responder_cache_req.c ++++ b/src/tests/cmocka/test_responder_cache_req.c +@@ -3282,10 +3282,8 @@ void test_object_by_sid_user_multiple_domains_notfound(void **state) + + void 
test_object_by_sid_group_cache_valid(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); +@@ -3298,10 +3296,8 @@ void test_object_by_sid_group_cache_valid(void **state) + + void test_object_by_sid_group_cache_expired(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); +@@ -3320,10 +3316,8 @@ void test_object_by_sid_group_cache_expired(void **state) + + void test_object_by_sid_group_cache_midpoint(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. 
*/ + prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); +@@ -3341,12 +3335,10 @@ void test_object_by_sid_group_cache_midpoint(void **state) + + void test_object_by_sid_group_ncache(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + errno_t ret; + +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- + /* Setup user. */ + ret = sss_ncache_set_sid(test_ctx->ncache, false, test_ctx->tctx->dom, groups[0].sid); + assert_int_equal(ret, EOK); +@@ -3359,10 +3351,8 @@ void test_object_by_sid_group_ncache(void **state) + + void test_object_by_sid_group_missing_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. */ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3380,10 +3370,8 @@ void test_object_by_sid_group_missing_found(void **state) + + void test_object_by_sid_group_missing_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3397,17 +3385,13 @@ void test_object_by_sid_group_missing_notfound(void **state) + + void test_object_by_sid_group_multiple_domains_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- struct sss_domain_info *domain = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- +- /* Setup user. */ +- domain = find_domain_by_name(test_ctx->tctx->dom, +- "responder_cache_req_test_d", true); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, ++ "responder_cache_req_test_d", true); + assert_non_null(domain); ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + ++ /* Setup user. */ + prepare_group(domain, &groups[0], 1000, time(NULL)); + + /* Mock values. */ +@@ -3423,10 +3407,8 @@ void test_object_by_sid_group_multiple_domains_found(void **state) + + void test_object_by_sid_group_multiple_domains_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return_always(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3605,10 +3587,8 @@ void test_object_by_id_user_multiple_domains_notfound(void **state) + + void test_object_by_id_group_cache_valid(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL)); +@@ -3620,10 +3600,8 @@ void test_object_by_id_group_cache_valid(void **state) + + void test_object_by_id_group_cache_expired(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. */ + prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL)); +@@ -3641,10 +3619,8 @@ void test_object_by_id_group_cache_expired(void **state) + + void test_object_by_id_group_cache_midpoint(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Setup user. 
*/ + prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26); +@@ -3661,12 +3637,10 @@ void test_object_by_id_group_cache_midpoint(void **state) + + void test_object_by_id_group_ncache(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + errno_t ret; + +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- + /* Setup group. We explicitly add the UID into BOTH UID and GID + * namespaces, because otherwise the cache_req plugin would + * search the Data Provider anyway, because it can't be sure +@@ -3693,10 +3667,8 @@ void test_object_by_id_group_ncache(void **state) + + void test_object_by_id_group_missing_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. */ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3713,10 +3685,8 @@ void test_object_by_id_group_missing_found(void **state) + + void test_object_by_id_group_missing_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return(__wrap_sss_dp_get_account_send, test_ctx); +@@ -3729,17 +3699,13 @@ void test_object_by_id_group_missing_notfound(void **state) + + void test_object_by_id_group_multiple_domains_found(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- struct sss_domain_info *domain = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); +- +- /* Setup user. */ +- domain = find_domain_by_name(test_ctx->tctx->dom, +- "responder_cache_req_test_d", true); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct sss_domain_info *domain = find_domain_by_name(test_ctx->tctx->dom, ++ "responder_cache_req_test_d", true); + assert_non_null(domain); ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + ++ /* Setup user. */ + prepare_group(domain, &groups[0], 1000, time(NULL)); + + /* Mock values. */ +@@ -3755,10 +3721,8 @@ void test_object_by_id_group_multiple_domains_found(void **state) + + void test_object_by_id_group_multiple_domains_notfound(void **state) + { +- struct cache_req_test_ctx *test_ctx = NULL; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; +- +- test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ struct cache_req_test_ctx *test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ const char **attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + + /* Mock values. 
*/ + will_return_always(__wrap_sss_dp_get_account_send, test_ctx); +diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c +index 24b26d950..f349b7061 100644 +--- a/src/tests/cmocka/test_sysdb_ts_cache.c ++++ b/src/tests/cmocka/test_sysdb_ts_cache.c +@@ -694,7 +694,7 @@ static void test_sysdb_getgr_merges(void **state) + struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); + struct sysdb_attrs *group_attrs = NULL; +- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + char *filter = NULL; + struct ldb_result *res = NULL; + size_t msgs_count; +@@ -783,7 +783,7 @@ static void test_merge_ldb_results(void **state) + int ret; + struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); +- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + char *filter; + struct ldb_result *res; + struct ldb_result *res1; +@@ -856,7 +856,7 @@ static void test_group_bysid(void **state) + int ret; + struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); +- const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **gr_fetch_attrs = SYSDB_GRSRC_ATTRS(test_ctx->tctx->dom); + struct sysdb_attrs *group_attrs = NULL; + struct ldb_result *res; + struct ldb_message *msg = NULL; +diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c +index cfd8f17fa..a20859c4d 100644 +--- a/src/tools/sss_override.c ++++ b/src/tools/sss_override.c +@@ -1218,7 +1218,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx, + size_t count; + size_t i; + errno_t ret; +- const char *attrs[] = SYSDB_GRSRC_ATTRS; ++ const char **attrs = SYSDB_GRSRC_ATTRS(domain); + const char *fqname; + char *name; + +-- +2.47.0 + 
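Review bot: In the new SYSDB_GRSRC_ATTRS() in src/db/sysdb.h, the static tables `__SYSDB_GRSRC_ATTRS_NO_MEMBERS` and `__SYSDB_GRSRC_ATTRS_WITH_MEMBERS` use identifiers beginning with a double underscore, which C reserves for the implementation (C11 §7.1.3); plain `static const char *grsrc_attrs_no_members[]` and `static const char *grsrc_attrs_with_members[]` at function scope are equally private and avoid the reserved namespace. The function tolerates `domain == NULL` by falling back to the member-bearing list, whereas the new early return in sysdb_add_group_member_overrides() reads `domain->ignore_group_members` unguarded; that is presumably fine because callers always pass a domain, but the asymmetry deserves a one-line comment at the early return such as `/* domain is never NULL here; see callers */`. The `__attribute__((always_inline))` on a `static inline` in a widely included header is a compiler extension that adds little over the `static inline` itself.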
diff --git a/SOURCES/0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch b/SOURCES/0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
deleted file mode 100644
index 60f5383..0000000
--- a/SOURCES/0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
+++ /dev/null
@@ -1,208 +0,0 @@ -From 09b23e78806d8930c3f1b9e411dc8cf464c18998 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Jul 2024 13:08:02 +0200 -Subject: [PATCH 4/5] TS_CACHE: never try to upgrade timestamps cache -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It's easier and more consistent to recreate it instead. - -This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6 - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit fc2a26c306e51b66680aef85aa0d2c41d8049a7f) ---- - src/db/sysdb_init.c | 103 +---------------------------------------- - src/db/sysdb_upgrade.c | 45 ------------------ - 2 files changed, 1 insertion(+), 147 deletions(-) - -diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c -index 38a9cd64a..a1d02d49c 100644 ---- a/src/db/sysdb_init.c -+++ b/src/db/sysdb_init.c -@@ -376,57 +376,6 @@ static errno_t sysdb_cache_create_empty(struct ldb_context *ldb, - return EOK; - } - --static errno_t sysdb_ts_cache_upgrade(TALLOC_CTX *mem_ctx, -- struct sysdb_ctx *sysdb, -- struct ldb_context *ldb, -- struct sss_domain_info *domain, -- const char *cur_version, -- const char **_new_version) --{ -- errno_t ret; -- TALLOC_CTX *tmp_ctx; -- const char *version; -- struct ldb_context *save_ldb; -- -- tmp_ctx = talloc_new(NULL); -- if (tmp_ctx == NULL) { -- return ENOMEM; -- } -- -- /* The upgrade process depends on having ldb around, yet the upgrade -- * function shouldn't set the ldb pointer, only the connect function -- * should after it's successful. 
To avoid hard refactoring, save the -- * ldb pointer here and restore in the 'done' handler -- */ -- save_ldb = sysdb->ldb; -- sysdb->ldb = ldb; -- -- version = talloc_strdup(tmp_ctx, cur_version); -- if (version == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- DEBUG(SSSDBG_CONF_SETTINGS, -- "Upgrading timstamp cache of DB [%s] from version: %s\n", -- domain->name, version); -- -- if (strcmp(version, SYSDB_TS_VERSION_0_1) == 0) { -- ret = sysdb_ts_upgrade_01(sysdb, &version); -- if (ret != EOK) { -- goto done; -- } -- } -- -- ret = EOK; -- --done: -- sysdb->ldb = save_ldb; -- *_new_version = version; -- talloc_free(tmp_ctx); -- return ret; --} -- - static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, - struct sysdb_ctx *sysdb, - struct sysdb_dom_upgrade_ctx *upgrade_ctx, -@@ -884,56 +833,6 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, - } - - ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); -- switch (ret) { -- case ERR_SYSDB_VERSION_TOO_OLD: -- if (upgrade_ctx == NULL) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "DB version too old [%s], expected [%s] for domain %s!\n", -- version, SYSDB_VERSION, domain->name); -- break; -- } -- -- ret = sysdb_ts_cache_upgrade(tmp_ctx, sysdb, ldb, domain, version, -- &version); -- if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not upgrade the timestamp ldb file (%d) (%s)\n", -- ret, sss_strerror(ret)); -- break; -- } -- -- /* The version should now match SYSDB_VERSION. -- * If not, it means we didn't match any of the -- * known older versions. The DB might be -- * corrupt or generated by a newer version of -- * SSSD. -- */ -- ret = sysdb_version_check(SYSDB_TS_VERSION, version); -- if (ret == EOK) { -- /* The cache has been upgraded. -- * We need to reopen the LDB to ensure that -- * any changes made above take effect. 
-- */ -- ret = sysdb_ldb_reconnect(tmp_ctx, -- sysdb->ldb_ts_file, -- LDB_FLG_NOSYNC, -- &ldb); -- if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not reopen the timestamp ldb file (%d) (%s)\n", -- ret, sss_strerror(ret)); -- } -- } -- break; -- case ERR_SYSDB_VERSION_TOO_NEW: -- DEBUG(SSSDBG_MINOR_FAILURE, -- "DB version too new [%s], expected [%s] for domain %s!\n", -- version, SYSDB_TS_VERSION, domain->name); -- break; -- default: -- break; -- } -- - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "The timestamps cache could not be opened. " -@@ -953,7 +852,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, - ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, -- "Could not delete the timestamp ldb file (%d) (%s)\n", -+ "sysdb_ts_cache_connect() failed after cache deletion [%d]: %s\n", - ret, sss_strerror(ret)); - } - } -diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c -index 328bd2962..37c0007cb 100644 ---- a/src/db/sysdb_upgrade.c -+++ b/src/db/sysdb_upgrade.c -@@ -2774,51 +2774,6 @@ done: - return ret; - } - --int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver) --{ -- struct upgrade_ctx *ctx; -- errno_t ret; -- struct ldb_message *msg = NULL; -- -- ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_TS_VERSION_0_2, &ctx); -- if (ret) { -- return ret; -- } -- -- /* Remove @IDXONE from index */ -- talloc_free(msg); -- msg = ldb_msg_new(ctx); -- if (msg == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST"); -- if (msg->dn == NULL) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = ldb_msg_add_empty(msg, "@IDXONE", LDB_FLAG_MOD_DELETE, NULL); -- if (ret != LDB_SUCCESS) { -- ret = ENOMEM; -- goto done; -- } -- -- ret = ldb_modify(sysdb->ldb, msg); -- if (ret != LDB_SUCCESS) { -- ret = sysdb_error_to_errno(ret); -- goto done; -- } -- -- /* conversion done, update version number */ -- ret = 
update_version(ctx); -- --done: -- ret = finish_upgrade(ret, &ctx, ver); -- return ret; --} -- - /* - * Example template for future upgrades. - * Copy and change version numbers as appropriate. --- -2.45.2 - diff --git a/SOURCES/0005-SYSDB-remove-index-on-dataExpireTimestamp.patch b/SOURCES/0005-SYSDB-remove-index-on-dataExpireTimestamp.patch deleted file mode 100644 index ee1a718..0000000 --- a/SOURCES/0005-SYSDB-remove-index-on-dataExpireTimestamp.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -From 13e3d0390b9aaf72a855b857857c3cdd6eb6252a Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 21 Jun 2024 19:09:29 +0200 -Subject: [PATCH 5/5] SYSDB: remove index on `dataExpireTimestamp` -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This index was only used in cleanup tasks that don't run often. -On the other hand, this index is huge and degrades performance of libldb -in general. - -Reviewed-by: Alejandro López -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit f0d45464cee1d2a6a2719dbffe5bbf6189d0554a) ---- - src/db/sysdb_init.c | 8 ++++++++ - src/db/sysdb_private.h | 9 +++++---- - src/db/sysdb_upgrade.c | 27 +++++++++++++++++++++++++++ - 3 files changed, 40 insertions(+), 4 deletions(-) - -diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c -index a1d02d49c..68b9744dd 100644 ---- a/src/db/sysdb_init.c -+++ b/src/db/sysdb_init.c -@@ -559,6 +559,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, - } - } - -+ if (strcmp(version, SYSDB_VERSION_0_24) == 0) { -+ ret = sysdb_upgrade_24(sysdb, &version); -+ if (ret != EOK) { -+ goto done; -+ } -+ } -+ - ret = EOK; - done: - sysdb->ldb = save_ldb; -@@ -765,6 +772,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb, - ret = sysdb_domain_cache_upgrade(tmp_ctx, sysdb, upgrade_ctx, - ldb, domain, version, &version); - if (ret != EOK) { -+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_domain_cache_upgrade() failed\n"); - goto done; - } - -diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h -index 63f7b5601..b814f97a5 100644 ---- a/src/db/sysdb_private.h -+++ b/src/db/sysdb_private.h -@@ -23,6 +23,7 @@ - #ifndef __INT_SYS_DB_H__ - #define __INT_SYS_DB_H__ - -+#define SYSDB_VERSION_0_25 "0.25" - #define SYSDB_VERSION_0_24 "0.24" - #define SYSDB_VERSION_0_23 "0.23" - #define SYSDB_VERSION_0_22 "0.22" -@@ -48,7 +49,7 @@ - #define SYSDB_VERSION_0_2 "0.2" - #define SYSDB_VERSION_0_1 "0.1" - 
--#define SYSDB_VERSION SYSDB_VERSION_0_24 -+#define SYSDB_VERSION SYSDB_VERSION_0_25 - - #define SYSDB_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ -@@ -72,7 +73,6 @@ - "@IDXATTR: uidNumber\n" \ - "@IDXATTR: gidNumber\n" \ - "@IDXATTR: lastUpdate\n" \ -- "@IDXATTR: dataExpireTimestamp\n" \ - "@IDXATTR: originalDN\n" \ - "@IDXATTR: nameAlias\n" \ - "@IDXATTR: servicePort\n" \ -@@ -104,10 +104,11 @@ - "\n" - - /* The timestamp cache has its own versioning */ -+#define SYSDB_TS_VERSION_0_3 "0.3" - #define SYSDB_TS_VERSION_0_2 "0.2" - #define SYSDB_TS_VERSION_0_1 "0.1" - --#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_2 -+#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3 - - #define SYSDB_TS_BASE_LDIF \ - "dn: @ATTRIBUTES\n" \ -@@ -115,7 +116,6 @@ - "\n" \ - "dn: @INDEXLIST\n" \ - "@IDXATTR: lastUpdate\n" \ -- "@IDXATTR: dataExpireTimestamp\n" \ - "\n" \ - "dn: cn=sysdb\n" \ - "cn: sysdb\n" \ -@@ -194,6 +194,7 @@ int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver); - int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver); -+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver); - - int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver); - -diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c -index 37c0007cb..b010488ca 100644 ---- a/src/db/sysdb_upgrade.c -+++ b/src/db/sysdb_upgrade.c -@@ -2774,6 +2774,33 @@ done: - return ret; - } - -+int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver) -+{ -+ struct upgrade_ctx *ctx; -+ errno_t ret; -+ -+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_25, &ctx); -+ if (ret) { -+ return ret; -+ } -+ -+ ret = sysdb_ldb_mod_index(sysdb, SYSDB_IDX_DELETE, sysdb->ldb, "dataExpireTimestamp"); -+ if (ret == ENOENT) { /*nothing to delete */ -+ ret = EOK; -+ } -+ if (ret != EOK) { -+ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_ldb_mod_index() failed [%d]: %s\n", -+ 
ret, sss_strerror(ret)); -+ goto done; -+ } -+ -+ ret = update_version(ctx); -+ -+done: -+ ret = finish_upgrade(ret, &ctx, ver); -+ return ret; -+} -+ - /* - * Example template for future upgrades. - * Copy and change version numbers as appropriate. --- -2.45.2 - diff --git a/SOURCES/0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch b/SOURCES/0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch deleted file mode 100644 index 43f9e2d..0000000 --- a/SOURCES/0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 39cbb8df402f59b4df2442eb291600773e7062cc Mon Sep 17 00:00:00 2001 -From: Petr Mikhalicin -Date: Fri, 10 Nov 2023 15:24:48 +0600 -Subject: [PATCH 6/8] pam_sss: fix passthrow of old authtok from another pam - modules at PAM_PRELIM_CHECK - -pam_sss ignored old authtoks passed from another pam modules - -Resolves: https://github.com/SSSD/sssd/issues/7007 -Resolves: https://github.com/SSSD/sssd/issues/5418 - -Reviewed-by: Iker Pedrosa -Reviewed-by: Sumit Bose -(cherry picked from commit ae6b9163be0a5a8846e8dbf2e0da2c29221781b9) - -Reviewed-by: Sumit Bose ---- - src/sss_client/pam_sss.c | 75 ++++++++++++++++++++++++---------------- - 1 file changed, 45 insertions(+), 30 deletions(-) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 41a528dda..5171e58ec 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -2728,42 +2728,57 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - exp_data = NULL; - } - -- /* we query for the old password during PAM_PRELIM_CHECK to make -- * pam_sss work e.g. 
with pam_cracklib */ - if (pam_flags & PAM_PRELIM_CHECK) { -- if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) { -- if (flags & PAM_CLI_FLAGS_USE_2FA -- || (pi->otp_vendor != NULL && pi->otp_token_id != NULL -- && pi->otp_challenge != NULL)) { -- if (pi->password_prompting) { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -- _("Second Factor (optional): ")); -- } else { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -- _("Second Factor: ")); -- } -+ if (getuid() == 0 && !exp_data ) -+ return PAM_SUCCESS; -+ -+ if (flags & PAM_CLI_FLAGS_USE_2FA -+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL -+ && pi->otp_challenge != NULL)) { -+ if (pi->password_prompting) { -+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ _("Second Factor (optional): ")); - } else { -- ret = prompt_password(pamh, pi, _("Current Password: ")); -+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ _("Second Factor: ")); - } -- if (ret != PAM_SUCCESS) { -- D(("failed to get credentials from user")); -- return ret; -+ } else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS) -+ && check_authtok_data(pamh, pi) != 0) { -+ if (pi->pamstack_oldauthtok == NULL) { -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY; -+ pi->pam_authtok = NULL; -+ pi->pam_authtok_size = 0; -+ } else { -+ pi->pam_authtok = strdup(pi->pamstack_oldauthtok); -+ if (pi->pam_authtok == NULL) { -+ D(("strdup failed")); -+ return PAM_BUF_ERR; -+ } -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD; -+ pi->pam_authtok_size = strlen(pi->pam_authtok); - } -+ ret = PAM_SUCCESS; -+ } else { -+ ret = prompt_password(pamh, pi, _("Current Password: ")); -+ } -+ if (ret != PAM_SUCCESS) { -+ D(("failed to get credentials from user")); -+ return ret; -+ } - -- ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok); -- if (ret != PAM_SUCCESS) { -- D(("Failed to set PAM_OLDAUTHTOK [%s], " -- "oldauthtok may not be available", 
-- pam_strerror(pamh,ret))); -- return ret; -- } -+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok); -+ if (ret != PAM_SUCCESS) { -+ D(("Failed to set PAM_OLDAUTHTOK [%s], " -+ "oldauthtok may not be available", -+ pam_strerror(pamh,ret))); -+ return ret; -+ } - -- if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) { -- ret = keep_authtok_data(pamh, pi); -- if (ret != 0) { -- D(("Failed to store authtok data to pam handle. Password " -- "change might fail.")); -- } -+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) { -+ ret = keep_authtok_data(pamh, pi); -+ if (ret != 0) { -+ D(("Failed to store authtok data to pam handle. Password " -+ "change might fail.")); - } - } - --- -2.45.2 - diff --git a/SOURCES/0007-krb5_child-do-not-try-passwords-with-OTP.patch b/SOURCES/0007-krb5_child-do-not-try-passwords-with-OTP.patch deleted file mode 100644 index 27c987f..0000000 --- a/SOURCES/0007-krb5_child-do-not-try-passwords-with-OTP.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From ef375cdd67b51d8fb63cae4d3cd40f3a5c2bc173 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 1 Jul 2024 20:40:30 +0200 -Subject: [PATCH 7/8] krb5_child: do not try passwords with OTP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -During two-factor authentication (OTP) krb5_child should use use the -dedicated OTP auth types SSS_AUTHTOK_TYPE_2FA and -SSS_AUTHTOK_TYPE_2FA_SINGLE exclusively and should not try password or -other types. - -The special handling needed of ssh under certain conditions are -documented in the code and the man page. - -Resolves: https://github.com/SSSD/sssd/issues/7456 - -Reviewed-by: Justin Stephenson -Reviewed-by: Tomáš Halman -(cherry picked from commit af799964e5fa1264467b49988021c054586eff27) - -Reviewed-by: Sumit Bose ---- - src/man/sssd.conf.5.xml | 11 +++++++++ - src/providers/krb5/krb5_child.c | 11 +-------- - src/sss_client/pam_sss.c | 44 ++++++++++++++++++++++++--------- - 3 files changed, 44 insertions(+), 22 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index fb86a4e41..8ac1a4418 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -4559,6 +4559,17 @@ ldap_user_extra_attrs = phone:telephoneNumber - to log in either only with the password or with both factors - two-step prompting has to be used. - -+ -+ Some clients, such as SSH with -+ 'PasswordAuthentication yes', generate their own prompts -+ and do not use prompts provided by SSSD or other PAM -+ modules. Additionally, for SSH with -+ PasswordAuthentication, if two-factor authentication is -+ available, SSSD expects that the -+ credentials entered by the user at the SSH password prompt -+ will always be the two factors in a single string, even if -+ two-factor authentication is optional. 
-+ - - - -diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c -index 494711de9..cb9a9ce73 100644 ---- a/src/providers/krb5/krb5_child.c -+++ b/src/providers/krb5/krb5_child.c -@@ -536,15 +536,6 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx, - size_t fa2_len; - - switch (sss_authtok_get_type(auth_tok)) { -- case SSS_AUTHTOK_TYPE_PASSWORD: -- ret = sss_authtok_get_password(auth_tok, &pwd, &len); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n"); -- return ret; -- } -- -- return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin); -- break; - case SSS_AUTHTOK_TYPE_2FA_SINGLE: - ret = sss_authtok_get_2fa_single(auth_tok, &pwd, &len); - if (ret != EOK) { -@@ -569,7 +560,7 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx, - "Unsupported authtok type %d\n", sss_authtok_get_type(auth_tok)); - } - -- return EINVAL; -+ return EAGAIN; - } - - static krb5_error_code answer_otp(krb5_context ctx, -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 5171e58ec..d43bd0f55 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -1656,6 +1656,7 @@ static int prompt_password(pam_handle_t *pamh, struct pam_items *pi, - } - - static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi, -+ bool second_factor_optional, - const char *prompt_fa1, const char *prompt_fa2) - { - int ret; -@@ -1706,13 +1707,30 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi, - goto done; - } - -- if (resp[1].resp == NULL || *(resp[1].resp) == '\0' -- || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0 -- && strcmp(resp[0].resp, resp[1].resp) == 0)) { -+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0') { - /* Missing second factor, assume first factor contains combined 2FA -- * credentials. -- * Special handling for SSH with password authentication. Combined -- * 2FA credentials are used but SSH puts them in both responses. 
*/ -+ * credentials if the second factor is not optional. If it is optional -+ * then it is assumed that the first factor contain the password. */ -+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE); -+ if (pi->pam_authtok == NULL) { -+ D(("strndup failed.")); -+ ret = PAM_BUF_ERR; -+ goto done; -+ } -+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1; -+ pi->pam_authtok_type = second_factor_optional -+ ? SSS_AUTHTOK_TYPE_PASSWORD -+ : SSS_AUTHTOK_TYPE_2FA_SINGLE; -+ } else if (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0 -+ && strcmp(resp[0].resp, resp[1].resp) == 0) { -+ /* Special handling for SSH with password authentication (ssh's -+ * 'PasswordAuthentication' option. In this mode the ssh client -+ * directly prompts the user for a password and the prompts we are -+ * sending are ignored. Since we send two prompts ssh * will create two -+ * response as well with the same content. We assume that the combined -+ * 2FA credentials are used even if the second factor is optional -+ * because there is no indication about the intention of the user. As a -+ * result we prefer the more secure variant. 
*/ - - pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE); - if (pi->pam_authtok == NULL) { -@@ -1721,7 +1739,7 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi, - goto done; - } - pi->pam_authtok_size = strlen(pi->pam_authtok) + 1; -- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD; -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA_SINGLE; - } else { - - ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0, -@@ -2487,7 +2505,7 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi) - ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c])); - break; - case PC_TYPE_2FA: -- ret = prompt_2fa(pamh, pi, pc_get_2fa_1st_prompt(pi->pc[c]), -+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]), - pc_get_2fa_2nd_prompt(pi->pc[c])); - break; - case PC_TYPE_2FA_SINGLE: -@@ -2564,10 +2582,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, - || (pi->otp_vendor != NULL && pi->otp_token_id != NULL - && pi->otp_challenge != NULL)) { - if (pi->password_prompting) { -- ret = prompt_2fa(pamh, pi, _("First Factor: "), -+ ret = prompt_2fa(pamh, pi, true, _("First Factor: "), - _("Second Factor (optional): ")); - } else { -- ret = prompt_2fa(pamh, pi, _("First Factor: "), -+ ret = prompt_2fa(pamh, pi, false, _("First Factor: "), - _("Second Factor: ")); - } - } else if (pi->passkey_prompt_pin) { -@@ -2736,10 +2754,12 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - || (pi->otp_vendor != NULL && pi->otp_token_id != NULL - && pi->otp_challenge != NULL)) { - if (pi->password_prompting) { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ ret = prompt_2fa(pamh, pi, true, -+ _("First Factor (Current Password): "), - _("Second Factor (optional): ")); - } else { -- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "), -+ ret = prompt_2fa(pamh, pi, false, -+ _("First Factor (Current Password): "), - _("Second Factor: ")); - } - } else if 
((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
---
-2.45.2
-
diff --git a/SOURCES/0008-pam_sss-add-missing-optional-2nd-factor-handling.patch b/SOURCES/0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
deleted file mode 100644
index 62c1ec4..0000000
--- a/SOURCES/0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 7e76396a891b4c704f1db8c71a217f869bef0ec3 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 12 Jul 2024 13:46:00 +0200
-Subject: [PATCH 8/8] pam_sss: add missing optional 2nd factor handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a follow up to pull-request #7462 and adds the proper handling of
-an optional second factor in case the prompting is configured.
-
-Resolves: https://github.com/SSSD/sssd/issues/7456
-
-Reviewed-by: Justin Stephenson
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 077d2993a1b306e7cfe61618cbd5d03c602572f8)
-
-Reviewed-by: Sumit Bose
---
- src/sss_client/pam_sss.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
-index d43bd0f55..d1101e16c 100644
---- a/src/sss_client/pam_sss.c
-+++ b/src/sss_client/pam_sss.c
-@@ -2505,8 +2505,13 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi)
- ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c]));
- break;
- case PC_TYPE_2FA:
-- ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
-- pc_get_2fa_2nd_prompt(pi->pc[c]));
-+ if (pi->password_prompting) {
-+ ret = prompt_2fa(pamh, pi, true, pc_get_2fa_1st_prompt(pi->pc[c]),
-+ pc_get_2fa_2nd_prompt(pi->pc[c]));
-+ } else {
-+ ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
-+ pc_get_2fa_2nd_prompt(pi->pc[c]));
-+ }
- break;
- case PC_TYPE_2FA_SINGLE:
- ret = prompt_2fa_single(pamh, pi,
---
-2.45.2
-
diff --git a/SOURCES/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch b/SOURCES/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
deleted file mode 100644
index e069a48..0000000
--- a/SOURCES/0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b4c496856d466ff00d06cd5177cb216110f5e3b3 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 18 Sep 2024 15:18:14 +0200
-Subject: [PATCH] pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never
- to 'false'.
-
-The krb5 backend will only returns that Smartcard authentication is
-available if a Smartcard is present. That means if the user
-authenticates with a different method and a Smartcard is not present at
-this time 'sc_allow' will be 'false' and might overwrite a 'true' value
-written during a previous authentication attempt where a Smartcard was
-present. To avoid this we only write 'true' values. Since the default if
-SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard
-authentication (offline) will still only be enabled if online Smartcard
-authentication was detected.
-
-Resolves: https://github.com/SSSD/sssd/issues/7532
-
-Reviewed-by: Iker Pedrosa
-Reviewed-by: Justin Stephenson
-(cherry picked from commit 67ba42c48abb9270982836310488e35d9fc1d451)
---
- src/responder/pam/pamsrv_cmd.c | 19 ++++++++++++++++---
- 1 file changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 1394147a0..941446d94 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -554,9 +554,22 @@ static errno_t set_local_auth_type(struct pam_auth_req *preq,
- goto fail;
- }
-
-- ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
-- if (ret != EOK) {
-- goto fail;
-+ if (sc_allow) {
-+ /* Only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to
-+ * 'false'. The krb5 backend will only returns that Smartcard
-+ * authentication is available if a Smartcard is present.
That means
-+ * if the user authenticates with a different method and a Smartcard
-+ * is not present at this time 'sc_allow' will be 'false' and might
-+ * overwrite a 'true' value written during a previous authentication
-+ * attempt where a Smartcard was present. To avoid this we only write
-+ * 'true' values. Since the default if SYSDB_LOCAL_SMARTCARD_AUTH is
-+ * missing is 'false' local Smartcard authentication (offline) will
-+ * still only be enabled if online Smartcard authentication was
-+ * detected. */
-+ ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_SMARTCARD_AUTH, sc_allow);
-+ if (ret != EOK) {
-+ goto fail;
-+ }
- }
-
- ret = sysdb_attrs_add_bool(attrs, SYSDB_LOCAL_PASSKEY_AUTH, passkey_allow);
---
-2.45.0
-
diff --git a/SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch b/SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
deleted file mode 100644
index 1286417..0000000
--- a/SOURCES/0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
+++ /dev/null
@@ -1,307 +0,0 @@
-From 321ca19ae09609ac4195f323b696bdcd7ee573e4 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 6 Sep 2024 14:27:19 +0200
-Subject: [PATCH 10/11] sdap: allow to provide user_map when looking up group
- memberships
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-To allow to lookup group memberships of other objects similar to user
-objects but with different attribute mappings, e.g. host objects in AD,
-a new option to provide an alternative attribute map is added.
-
-Resolves: https://github.com/SSSD/sssd/issues/7590
-
-Reviewed-by: Justin Stephenson
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 69f63f1fa64bd9cc7c2ee1f8e8d736727b13b3be)
----
- src/providers/ad/ad_gpo.c | 2 +-
- src/providers/ldap/ldap_common.h | 2 +
- src/providers/ldap/ldap_id.c | 9 ++++
- src/providers/ldap/sdap_async.h | 2 +
- src/providers/ldap/sdap_async_initgroups.c | 51 ++++++++++++++--------
- 5 files changed, 48 insertions(+), 18 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index ed664ec83..fa68d814f 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -2244,7 +2244,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
- search_bases,
- state->host_fqdn,
- BE_FILTER_NAME,
-- NULL,
-+ NULL, NULL, 0,
- true,
- true);
- tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
-diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
-index 2c984ef50..61a35553b 100644
---- a/src/providers/ldap/ldap_common.h
-+++ b/src/providers/ldap/ldap_common.h
-@@ -308,6 +308,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
- const char *filter_value,
- int filter_type,
- const char *extra_value,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- bool noexist_delete,
- bool set_non_posix);
-
-diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
-index b3ea2333f..0596ad4cf 100644
----
a/src/providers/ldap/ldap_id.c
-+++ b/src/providers/ldap/ldap_id.c
-@@ -1144,6 +1144,8 @@ struct groups_by_user_state {
- const char *filter_value;
- int filter_type;
- const char *extra_value;
-+ struct sdap_attr_map *user_map;
-+ size_t user_map_cnt;
- const char **attrs;
- bool non_posix;
-
-@@ -1165,6 +1167,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
- const char *filter_value,
- int filter_type,
- const char *extra_value,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- bool noexist_delete,
- bool set_non_posix)
- {
-@@ -1192,6 +1196,8 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
- state->filter_value = filter_value;
- state->filter_type = filter_type;
- state->extra_value = extra_value;
-+ state->user_map = user_map;
-+ state->user_map_cnt = user_map_cnt;
- state->domain = sdom->dom;
- state->sysdb = sdom->dom->sysdb;
- state->search_bases = search_bases;
-@@ -1256,6 +1262,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
- state->sdom,
- sdap_id_op_handle(state->op),
- state->ctx,
-+ state->user_map,
-+ state->user_map_cnt,
- state->conn,
- state->search_bases,
- state->filter_value,
-@@ -1457,6 +1465,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
- ar->filter_value,
- ar->filter_type,
- ar->extra_value,
-+ NULL, 0,
- noexist_delete, false);
- break;
-
-diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
-index 89245f41f..a45e057d0 100644
---- a/src/providers/ldap/sdap_async.h
-+++ b/src/providers/ldap/sdap_async.h
-@@ -157,6 +157,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- struct sdap_domain *sdom,
- struct sdap_handle *sh,
- struct sdap_id_ctx *id_ctx,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- struct sdap_id_conn_ctx *conn,
- struct sdap_search_base **search_bases,
- const char *name,
-diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
-index fb3d8fe24..8ce1f6cd4
100644
---- a/src/providers/ldap/sdap_async_initgroups.c
-+++ b/src/providers/ldap/sdap_async_initgroups.c
-@@ -785,6 +785,8 @@ struct sdap_initgr_nested_state {
- struct tevent_context *ev;
- struct sysdb_ctx *sysdb;
- struct sdap_options *opts;
-+ struct sdap_attr_map *user_map;
-+ size_t user_map_cnt;
- struct sss_domain_info *dom;
- struct sdap_handle *sh;
-
-@@ -812,6 +814,8 @@ static void sdap_initgr_nested_store(struct tevent_req *req);
- static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
- struct tevent_context *ev,
- struct sdap_options *opts,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- struct sysdb_ctx *sysdb,
- struct sss_domain_info *dom,
- struct sdap_handle *sh,
-@@ -828,6 +832,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
-
- state->ev = ev;
- state->opts = opts;
-+ state->user_map = user_map;
-+ state->user_map_cnt = user_map_cnt;
- state->sysdb = sysdb;
- state->dom = dom;
- state->sh = sh;
-@@ -968,7 +974,7 @@ static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req)
-
- subreq = sdap_deref_search_send(state, state->ev, state->opts,
- state->sh, state->orig_dn,
-- state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
-+ state->user_map[SDAP_AT_USER_MEMBEROF].name,
- sdap_attrs, num_maps, maps, timeout);
- if (!subreq) {
- ret = EIO;
-@@ -2697,6 +2703,8 @@ struct sdap_get_initgr_state {
- struct tevent_context *ev;
- struct sysdb_ctx *sysdb;
- struct sdap_options *opts;
-+ struct sdap_attr_map *user_map;
-+ size_t user_map_cnt;
- struct sss_domain_info *dom;
- struct sdap_domain *sdom;
- struct sdap_handle *sh;
-@@ -2731,6 +2739,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- struct sdap_domain *sdom,
- struct sdap_handle *sh,
- struct sdap_id_ctx *id_ctx,
-+ struct sdap_attr_map *user_map,
-+ size_t user_map_cnt,
- struct sdap_id_conn_ctx *conn,
- struct sdap_search_base **search_bases,
- const char *filter_value,
-@@ -2754,6 +2764,12 @@ struct tevent_req
*sdap_get_initgr_send(TALLOC_CTX *memctx,
-
- state->ev = ev;
- state->opts = id_ctx->opts;
-+ state->user_map = user_map;
-+ state->user_map_cnt = user_map_cnt;
-+ if (state->user_map == NULL) {
-+ state->user_map = id_ctx->opts->user_map;
-+ state->user_map_cnt = id_ctx->opts->user_map_cnt;
-+ }
- state->dom = sdom->dom;
- state->sysdb = sdom->dom->sysdb;
- state->sdom = sdom;
-@@ -2785,7 +2801,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
-
- switch (filter_type) {
- case BE_FILTER_SECID:
-- search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
-+ search_attr = state->user_map[SDAP_AT_USER_OBJECTSID].name;
-
- ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
- if (ret != EOK) {
-@@ -2794,7 +2810,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- }
- break;
- case BE_FILTER_UUID:
-- search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
-+ search_attr = state->user_map[SDAP_AT_USER_UUID].name;
-
- ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
- if (ret != EOK) {
-@@ -2812,23 +2828,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- }
-
- ep_filter = get_enterprise_principal_string_filter(state,
-- state->opts->user_map[SDAP_AT_USER_PRINC].name,
-+ state->user_map[SDAP_AT_USER_PRINC].name,
- clean_name, state->opts->basic);
- state->user_base_filter =
- talloc_asprintf(state,
- "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
-- state->opts->user_map[SDAP_AT_USER_PRINC].name,
-+ state->user_map[SDAP_AT_USER_PRINC].name,
- clean_name,
-- state->opts->user_map[SDAP_AT_USER_EMAIL].name,
-+ state->user_map[SDAP_AT_USER_EMAIL].name,
- clean_name,
- ep_filter == NULL ?
"" : ep_filter,
-- state->opts->user_map[SDAP_OC_USER].name);
-+ state->user_map[SDAP_OC_USER].name);
- if (state->user_base_filter == NULL) {
- talloc_zfree(req);
- return NULL;
- }
- } else {
-- search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
-+ search_attr = state->user_map[SDAP_AT_USER_NAME].name;
-
- ret = sss_parse_internal_fqname(state, filter_value,
- &state->shortname, NULL);
-@@ -2860,7 +2876,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- state->user_base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
- search_attr, clean_name,
-- state->opts->user_map[SDAP_OC_USER].name);
-+ state->user_map[SDAP_OC_USER].name);
- if (!state->user_base_filter) {
- talloc_zfree(req);
- return NULL;
-@@ -2877,14 +2893,14 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- */
- state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
- "(%s=*))",
-- id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
-+ state->user_map[SDAP_AT_USER_OBJECTSID].name);
- } else {
- /* When not ID-mapping or looking up app users, make sure there
- * is a non-NULL UID */
- state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
- "(&(%s=*)(!(%s=0))))",
-- id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
-- id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
-+ state->user_map[SDAP_AT_USER_UID].name,
-+ state->user_map[SDAP_AT_USER_UID].name);
- }
- if (!state->user_base_filter) {
- talloc_zfree(req);
-@@ -2892,8 +2908,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
- }
-
- ret = build_attrs_from_map(state,
-- state->opts->user_map,
-- state->opts->user_map_cnt,
-+ state->user_map,
-+ state->user_map_cnt,
- NULL, &state->user_attrs, NULL);
- if (ret) {
- talloc_zfree(req);
-@@ -2990,7 +3006,7 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
- state->user_search_bases[state->user_base_iter]->basedn,
- state->user_search_bases[state->user_base_iter]->scope,
-
state->filter, state->user_attrs,
-- state->opts->user_map, state->opts->user_map_cnt,
-+ state->user_map, state->user_map_cnt,
- state->timeout,
- false);
- if (!subreq) {
-@@ -3179,6 +3195,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
-
- case SDAP_SCHEMA_IPA_V1:
- subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
-+ state->user_map, state->user_map_cnt,
- state->sysdb, state->dom, state->sh,
- state->orig_user, state->grp_attrs);
- if (!subreq) {
-@@ -3377,7 +3394,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
- */
- ret = sdap_attrs_get_sid_str(
- tmp_ctx, opts->idmap_ctx, state->orig_user,
-- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
-+ state->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
- &sid_str);
- if (ret != EOK) goto done;
-
-@@ -3392,7 +3409,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
-
- ret = sysdb_attrs_get_uint32_t(
- state->orig_user,
-- opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
-+ state->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
- &primary_gid);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
---
-2.45.0
-
diff --git a/SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch b/SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
deleted file mode 100644
index 6318be3..0000000
--- a/SOURCES/0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 2c233636c093708d5cdd7ddb69af9b0ecde633bd Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 6 Sep 2024 14:37:05 +0200
-Subject: [PATCH 11/11] ad: use default user_map when looking of host groups
- for GPO
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use the default AD user attribute map to lookup the group membership of
-the AD host object. This should help to avoid issues if user attributes
-are overwritten in the user attribute map.
-
-Resolves: https://github.com/SSSD/sssd/issues/7590
-
-Reviewed-by: Justin Stephenson
-Reviewed-by: Tomáš Halman
-(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
----
- src/providers/ad/ad_access.h | 1 +
- src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
-index 34d5597da..c54b53eed 100644
---- a/src/providers/ad/ad_access.h
-+++ b/src/providers/ad/ad_access.h
-@@ -49,6 +49,7 @@ struct ad_access_ctx {
- } gpo_map_type;
- hash_table_t *gpo_map_options_table;
- enum gpo_map_type gpo_default_right;
-+ struct sdap_attr_map *host_attr_map;
- };
-
- struct tevent_req *
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index fa68d814f..6b154f71d 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -45,6 +45,7 @@
- #include "providers/ad/ad_common.h"
- #include "providers/ad/ad_domain_info.h"
- #include "providers/ad/ad_gpo.h"
-+#include "providers/ad/ad_opts.h"
- #include "providers/ldap/sdap_access.h"
- #include "providers/ldap/sdap_async.h"
- #include "providers/ldap/sdap.h"
-@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
- "trying with user search base.");
- }
-
-+ if (state->access_ctx->host_attr_map == NULL) {
-+ ret = sdap_copy_map(state->access_ctx,
-+ ad_2008r2_user_map, SDAP_OPTS_USER,
-+ &state->access_ctx->host_attr_map);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
-+ goto done;
-+ }
-+ }
-+
- subreq = groups_by_user_send(state, state->ev,
- state->access_ctx->ad_id_ctx->sdap_id_ctx,
- sdom, state->conn,
- search_bases,
- state->host_fqdn,
- BE_FILTER_NAME,
-- NULL, NULL, 0,
-+ NULL,
-+ state->access_ctx->host_attr_map,
-+ SDAP_OPTS_USER,
- true,
- true);
- tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
---
-2.45.0
-
diff --git a/SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch b/SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
deleted file mode 100644
index 7a364d4..0000000
--- a/SOURCES/0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
+++ /dev/null
@@ -1,230 +0,0 @@
-From acd5da528789734411b12fa8b19007b00eea9f2c Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 13 Sep 2024 15:45:59 +0200
-Subject: [PATCH 6/9] ldap: add 'exop_force' value for ldap_pwmodify_mode
-
-In case the LDAP server allows to run the extended operation to change a
-password even if an authenticated bind fails due to missing grace logins
-the new option 'exop_force' can be used to run the extended operation to
-change the password anyways.
-
-:config: Added `exop_force` value for configuration option
- `ldap_pwmodify_mode`. This can be used to force a password change even
- if no grace logins are left. Depending on the configuration of the
- LDAP server it might be expected that the password change will fail.
-
-(cherry picked from commit 72a7fd0ded236a16b00bb4e26221f7e23b702a53)
-
-Reviewed-by: Justin Stephenson
-(cherry picked from commit e3a3f44c4cdcb936b59941636ff576de613366d1)
-
-Reviewed-by: Justin Stephenson
----
- src/man/sssd-ldap.5.xml | 11 +++++++++
- src/providers/ipa/ipa_auth.c | 3 ++-
- src/providers/ldap/ldap_auth.c | 5 +++-
- src/providers/ldap/ldap_options.c | 2 ++
- src/providers/ldap/sdap.h | 5 ++--
- src/providers/ldap/sdap_async.h | 3 ++-
- src/providers/ldap/sdap_async_connection.c | 27 +++++++++++++++++-----
- 7 files changed, 45 insertions(+), 11 deletions(-)
-
-diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
-index 0a814ec35..a9994aade 100644
---- a/src/man/sssd-ldap.5.xml
-+++ b/src/man/sssd-ldap.5.xml
-@@ -234,6 +234,17 @@
- userPassword (not recommended).
-
-
-+
-+
-+ exop_force - Try Password Modify
-+ Extended Operation (RFC 3062) even if
-+ there are no grace logins left.
-+ Depending on the type and configuration
-+ of the LDAP server the password change
-+ might fail because an authenticated bind
-+ is not possible.
-+
-+
-
-
-
-diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
-index 1d61a1052..b2e5b6f35 100644
---- a/src/providers/ipa/ipa_auth.c
-+++ b/src/providers/ipa/ipa_auth.c
-@@ -381,7 +381,8 @@ static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq)
- SDAP_OPT_TIMEOUT);
-
- subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn,
-- state->pd->authtok, timeout);
-+ state->pd->authtok, timeout,
-+ state->auth_ctx->sdap_auth_ctx->opts->pwmodify_mode);
- if (subreq == NULL) {
- goto done;
- }
-diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
-index 8ec4d3af5..023ed2277 100644
---- a/src/providers/ldap/ldap_auth.c
-+++ b/src/providers/ldap/ldap_auth.c
-@@ -896,7 +896,8 @@ static void auth_do_bind(struct tevent_req *req)
- NULL, NULL, state->dn,
- state->authtok,
- dp_opt_get_int(state->ctx->opts->basic,
-- SDAP_OPT_TIMEOUT));
-+ SDAP_OPT_TIMEOUT),
-+ state->ctx->opts->pwmodify_mode);
- if (!subreq) {
- tevent_req_error(req, ENOMEM);
- return;
-@@ -1186,6 +1187,7 @@ sdap_pam_change_password_send(TALLOC_CTX *mem_ctx,
-
- switch (opts->pwmodify_mode) {
- case SDAP_PWMODIFY_EXOP:
-+ case SDAP_PWMODIFY_EXOP_FORCE:
- subreq = sdap_exop_modify_passwd_send(state, ev, sh, user_dn,
- password, new_password,
- timeout);
-@@ -1229,6 +1231,7 @@ static void sdap_pam_change_password_done(struct tevent_req *subreq)
-
- switch (state->mode) {
- case SDAP_PWMODIFY_EXOP:
-+ case SDAP_PWMODIFY_EXOP_FORCE:
- ret = sdap_exop_modify_passwd_recv(subreq, state,
- &state->user_error_message);
- break;
-diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
-index 277bcb529..72a95300d 100644
---- a/src/providers/ldap/ldap_options.c
-+++ b/src/providers/ldap/ldap_options.c
-@@ -294,6 +294,8 @@ int ldap_get_options(TALLOC_CTX *memctx,
- opts->pwmodify_mode = SDAP_PWMODIFY_EXOP;
- } else if (strcasecmp(pwmodify, "ldap_modify") == 0) {
- opts->pwmodify_mode = SDAP_PWMODIFY_LDAP;
-+ } else if
(strcasecmp(pwmodify, "exop_force") == 0) {
-+ opts->pwmodify_mode = SDAP_PWMODIFY_EXOP_FORCE;
- } else {
- DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized pwmodify mode: %s\n", pwmodify);
- ret = EINVAL;
-diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
-index 103d50ed4..cc34c8198 100644
---- a/src/providers/ldap/sdap.h
-+++ b/src/providers/ldap/sdap.h
-@@ -546,8 +546,9 @@ struct sdap_options {
-
- /* password modify mode */
- enum pwmodify_mode {
-- SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
-- SDAP_PWMODIFY_LDAP = 2 /* ldap_modify of userPassword */
-+ SDAP_PWMODIFY_EXOP = 1, /* pwmodify extended operation */
-+ SDAP_PWMODIFY_LDAP = 2, /* ldap_modify of userPassword */
-+ SDAP_PWMODIFY_EXOP_FORCE = 3 /* forced pwmodify extended operation */
- } pwmodify_mode;
-
- /* The search bases for the domain or its subdomain */
-diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
-index a45e057d0..80b403bc3 100644
---- a/src/providers/ldap/sdap_async.h
-+++ b/src/providers/ldap/sdap_async.h
-@@ -146,7 +146,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
- const char *sasl_user,
- const char *user_dn,
- struct sss_auth_token *authtok,
-- int simple_bind_timeout);
-+ int simple_bind_timeout,
-+ enum pwmodify_mode pwmodify_mode);
-
- errno_t sdap_auth_recv(struct tevent_req *req,
- TALLOC_CTX *memctx,
-diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
-index e8638725c..992a5798c 100644
---- a/src/providers/ldap/sdap_async_connection.c
-+++ b/src/providers/ldap/sdap_async_connection.c
-@@ -643,6 +643,7 @@ struct simple_bind_state {
- struct tevent_context *ev;
- struct sdap_handle *sh;
- const char *user_dn;
-+ enum pwmodify_mode pwmodify_mode;
-
- struct sdap_op *op;
-
-@@ -659,7 +660,8 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
- struct sdap_handle *sh,
- int timeout,
- const char *user_dn,
-- struct berval *pw)
-+ struct berval *pw,
-+
enum pwmodify_mode pwmodify_mode)
- {
- struct tevent_req *req;
- struct simple_bind_state *state;
-@@ -682,6 +684,7 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
- state->ev = ev;
- state->sh = sh;
- state->user_dn = user_dn;
-+ state->pwmodify_mode = pwmodify_mode;
-
- ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
- 0, NULL, 0, &ctrls[0]);
-@@ -866,7 +869,12 @@ static void simple_bind_done(struct sdap_op *op,
- * Grace Authentications". */
- DEBUG(SSSDBG_TRACE_LIBS,
- "Password expired, grace logins exhausted.\n");
-- ret = ERR_AUTH_FAILED;
-+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
-+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
-+ ret = ERR_PASSWORD_EXPIRED;
-+ } else {
-+ ret = ERR_AUTH_FAILED;
-+ }
- }
- } else if (strcmp(response_controls[c]->ldctl_oid,
- LDAP_CONTROL_PWEXPIRED) == 0) {
-@@ -879,7 +887,12 @@ static void simple_bind_done(struct sdap_op *op,
- if (result == LDAP_INVALID_CREDENTIALS) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Password expired, grace logins exhausted.\n");
-- ret = ERR_AUTH_FAILED;
-+ if (state->pwmodify_mode == SDAP_PWMODIFY_EXOP_FORCE) {
-+ DEBUG(SSSDBG_TRACE_LIBS, "Password change forced.\n");
-+ ret = ERR_PASSWORD_EXPIRED;
-+ } else {
-+ ret = ERR_AUTH_FAILED;
-+ }
- } else {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Password expired, user must set a new password.\n");
-@@ -1358,7 +1371,8 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
- const char *sasl_user,
- const char *user_dn,
- struct sss_auth_token *authtok,
-- int simple_bind_timeout)
-+ int simple_bind_timeout,
-+ enum pwmodify_mode pwmodify_mode)
- {
- struct tevent_req *req, *subreq;
- struct sdap_auth_state *state;
-@@ -1397,7 +1411,7 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
- pw.bv_len = pwlen;
-
- state->is_sasl = false;
-- subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
-+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw, pwmodify_mode);
- if (!subreq) {
- tevent_req_error(req, ENOMEM);
- return tevent_req_post(req, ev);
-@@ -1972,7 +1986,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
- SDAP_SASL_AUTHID),
- user_dn, authtok,
- dp_opt_get_int(state->opts->basic,
-- SDAP_OPT_TIMEOUT));
-+ SDAP_OPT_TIMEOUT),
-+ state->opts->pwmodify_mode);
- talloc_free(authtok);
- if (!subreq) {
- tevent_req_error(req, ENOMEM);
---
-2.43.5
-
diff --git a/SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch b/SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
deleted file mode 100644
index 0f8542e..0000000
--- a/SOURCES/0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5fc4540e97625a23f2573b0804a1509cf46931c9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
-Date: Thu, 14 Nov 2024 17:27:49 +0100
-Subject: [PATCH 1/9] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
-
-The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
-https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
-but the corresponding option is missing in
-https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
-
-This error was introduced by
-https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Sumit Bose
-(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4)
----
- src/providers/be_dyndns.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
-index 2c655ef1e..5d0f51119 100644
---- a/src/providers/be_dyndns.c
-+++ b/src/providers/be_dyndns.c
-@@ -1201,6 +1201,7 @@ static struct dp_option default_dyndns_opts[] = {
- { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
- { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
-+ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
- { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER },
- { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
---
-2.43.5
-
diff --git a/SOURCES/0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch b/SOURCES/0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
deleted file mode 100644
index 955722e..0000000
--- a/SOURCES/0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 3e7e0cc7038c89132c9f4b8a48b6b1e0c0febff4 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 21 Nov 2024 09:16:09 +0100
-Subject: [PATCH 8/9] ldap_child: make sure invalid krb5 context is not used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://github.com/SSSD/sssd/issues/7715
-
-Reviewed-by: Alejandro López
-Reviewed-by: Alexey Tikhonov
-(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744)
----
- src/util/sss_krb5.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
-index 3f57e5b26..f44df2b5f 100644
---- a/src/util/sss_krb5.c
-+++ b/src/util/sss_krb5.c
-@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name)
- return keytab_name;
- }
-
-+ if (ctx == NULL) {
-+ return "-unknown-";
-+ }
-+
- if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) {
- return "-default keytab-";
- }
-@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
- {
- krb5_error_code kerr;
- const char *msg;
-+ krb5_context ctx;
-
-- kerr = krb5_init_context(context);
-+ kerr = krb5_init_context(&ctx);
- if (kerr != 0) {
- /* It is safe to call (sss_)krb5_get_error_message() with NULL as first
- * argument. */
-@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
- "Failed to init Kerberos context [%s]\n", msg);
- sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg);
- sss_krb5_free_error_message(NULL, msg);
-+ } else {
-+ *context = ctx;
- }
-
- return kerr;
---
-2.43.5
-
diff --git a/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch b/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch
deleted file mode 100644
index fbf8d90..0000000
--- a/SOURCES/2002-orabug32810448-restore-default-debug-sss_cache.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Alex Burmashev
-Date: Tue, 04 May 2021 13:31:41 +0100
-Subject: [PATCH] restore default debug level for sss_cache
-
-We want only fatal failures to be logged, otherwise in some conditions log is.
-flooded with unneeded "errors"
-
-Resolves: https://github.com/SSSD/sssd/issues/5488
-
-Orabug: 32810448
-Signed-off-by: Alex Burmashev
-
-Patch migrated from ol8 to ol9 without any modification
-Signed-off-by: Darren Archibald
-diff -ruN sssd-2.4.0.orig/src/tools/sss_cache.c sssd-2.4.0/src/tools/sss_cache.c
---- sssd-2.4.0.orig/src/tools/sss_cache.c 2021-06-29 12:48:07.035970021 -0700
-+++ sssd-2.4.0/src/tools/sss_cache.c 2021-06-29 13:11:23.126918933 -0700
-@@ -709,7 +709,7 @@
- struct cache_tool_ctx *ctx = NULL;
- int idb = INVALIDATE_NONE;
- struct input_values values = { 0 };
-- int debug = SSSDBG_TOOLS_DEFAULT;
-+ int debug = SSSDBG_FATAL_FAILURE;
- errno_t ret = EOK;
-
- poptContext pc = NULL;
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index f6428ec..9edf02e 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -23,31 +23,21 @@
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0
-%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
+%global samba_package_version %(rpm -q samba-devel --queryformat %{version})
Name: sssd
-Version: 2.9.5
-Release: 4%{?dist}.4
+Version: 2.9.6
+Release: 4%{?dist}.2
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ###
-Patch0001: 0001-spec-change-passkey_child-owner.patch
-Patch0002: 0002-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
-Patch0003: 0003-ad-use-right-memory-context-in-GPO-code.patch
-Patch0004: 0004-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch
-Patch0005: 0005-SYSDB-remove-index-on-dataExpireTimestamp.patch
-Patch0006: 0006-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
-Patch0007: 0007-krb5_child-do-not-try-passwords-with-OTP.patch
-Patch0008: 0008-pam_sss-add-missing-optional-2nd-factor-handling.patch
-Patch0009: 0009-pam-only-set-SYSDB_LOCAL_SMARTCARD_AUTH-to-true-but-.patch
-Patch0010: 0010-sdap-allow-to-provide-user_map-when-looking-up-group.patch
-Patch0011: 0011-ad-use-default-user_map-when-looking-of-host-groups-.patch
-Patch0012: 0012-ldap-add-exop_force-value-for-ldap_pwmodify_mode.patch
-Patch0013: 0013-OPTS-Add-the-option-for-DP_OPT_DYNDNS_REFRESH_OFFSET.patch
-Patch0014: 0014-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
+Patch0001: 0001-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
+Patch0002: 0002-KCM-fix-memory-leak.patch
+Patch0003: 0003-KCM-another-memory-leak-fixed.patch
+Patch0004: 0004-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
### Dependencies ###
@@ -1097,11 +1087,30 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
-* Mon Dec 23 2024 Kevin Lyons - 2.9.5-4.4
+* Mon Apr 7 2025 Alexey Tikhonov - 2.9.6-4.2
+- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
+
+* Wed Apr 2 2025 Alexey Tikhonov - 2.9.6-4.1
+- Resolves: RHEL-82419 - Disk cache failure with large db sizes [rhel-9]
+
+* Wed Feb 12 2025 Alexey Tikhonov - 2.9.6-4
+- Resolves: RHEL-78253 - 'sssd_kcm' leaks memory [rhel-9]
+
+* Mon Feb 10 2025 Alexey Tikhonov - 2.9.6-3
+- Resolves: RHEL-78253 - 'sssd_kcm' leaks memory [rhel-9]
+
+* Tue Jan 14 2025 Alexey Tikhonov - 2.9.6-2
+- Resolves: RHEL-73400 - Use the DN from existing entry when updating a cached group [rhel-9]
+
+* Thu Dec 5 2024 Alexey Tikhonov - 2.9.6-1
+- Resolves: RHEL-70189 - Rebase SSSD for RHEL 9.6
- Resolves: RHEL-67670 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-9]
- Resolves: RHEL-68369 - sssd backend process segfaults when krb5.conf is invalid
- Resolves: RHEL-66266 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-9]
+* Mon Oct 21 2024 Alexey Tikhonov - 2.9.5-5
+- Related: RHEL-59788 - Rebase Samba to the latest 4.21.x release
+
* Tue Sep 24 2024 Alexey Tikhonov - 2.9.5-4.1
- Resolves: RHEL-59876 - EL9/CentOS Stream 9 lost offline smart card authentication
- Resolves: RHEL-50912 - possible regression of rhbz#2196521
@@ -1179,6 +1188,7 @@ fi
- Resolves: rhbz#2234829 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working)
- Resolves: rhbz#2236119 - dbus and crond getting terminated with SIGBUS in sss_client code
+
* Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2
- Resolves: rhbz#2218858 - [sssd] SSSD enters failed state after heavy load in the system