diff --git a/.gitignore b/.gitignore index cb6f0d8..ae09e99 100644 --- a/.gitignore +++ b/.gitignore @@ -110,3 +110,5 @@ sssd-1.2.91.tar.gz /sssd-2.9.2.tar.gz /sssd-2.9.3.tar.gz /sssd-2.9.4.tar.gz +/sssd-2.10.0~beta1.tar.gz +/sssd-2.10.0-beta1.tar.gz diff --git a/0001-ENUMERATION-conditional-build-of-enumeration-support.patch b/0001-ENUMERATION-conditional-build-of-enumeration-support.patch deleted file mode 100644 index e29fcdc..0000000 --- a/0001-ENUMERATION-conditional-build-of-enumeration-support.patch +++ /dev/null 
@@ -1,244 +0,0 @@ -From b42cc3d2bf4ea1751cacb63e53536c8ad1782632 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 23 Jun 2023 16:33:09 +0200 -Subject: [PATCH] ENUMERATION: conditional build of enumeration support for - providers other than LDAP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -:relnote:Support of 'enumeration' feature (i.e. ability to list all -users/groups using 'getent passwd/group' without argument) for AD/IPA -providers is deprecated and might be removed in further releases. -Those who are interested to keep using it awhile should configure -its build explicitly using '--with-extended-enumeration-support' -./configure option. - -Reviewed-by: Iker Pedrosa -Reviewed-by: Tomáš Halman -(cherry picked from commit 9240bca7dcc28371ae5dce31c01e85d28409cd04) ---- - configure.ac | 1 + - src/conf_macros.m4 | 17 +++++++++++++++++ - src/confdb/confdb.c | 23 ++++++++++++++++++----- - src/db/sysdb_subdomains.c | 4 ++++ - src/man/Makefile.am | 7 ++++++- - src/man/sssd-ldap.5.xml | 4 ++-- - src/man/sssd.conf.5.xml | 14 +++++++++----- - 7 files changed, 57 insertions(+), 13 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 470c04949..adb2c5447 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -185,6 +185,7 @@ WITH_SUDO - WITH_SUDO_LIB_PATH - WITH_AUTOFS - WITH_FILES_PROVIDER -+WITH_EXTENDED_ENUMERATION_SUPPORT - WITH_SUBID - WITH_SUBID_LIB_PATH - WITH_PASSKEY -diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 -index cb97eeb78..5ef257908 100644 ---- a/src/conf_macros.m4 -+++ b/src/conf_macros.m4 -@@ -651,6 +651,23 @@ AC_DEFUN([WITH_FILES_PROVIDER], - AM_CONDITIONAL([BUILD_FILES_PROVIDER], [test x"$with_files_provider" = xyes]) - ]) - -+AC_DEFUN([WITH_EXTENDED_ENUMERATION_SUPPORT], -+ [ AC_ARG_WITH([extended-enumeration-support], -+ [AC_HELP_STRING([--with-extended-enumeration-support], -+ [Whether to build enumeration support for -+ IPA and AD providers [no].] 
-+ ) -+ ], -+ [with_extended_enumeration_support=$withval], -+ with_extended_enumeration_support=no -+ ) -+ -+ if test x"$with_extended_enumeration_support" = xyes; then -+ AC_DEFINE(BUILD_EXTENDED_ENUMERATION_SUPPORT, 1, [Whether to build extended enumeration support]) -+ fi -+ AM_CONDITIONAL([BUILD_EXTENDED_ENUMERATION_SUPPORT], [test x"$with_extended_enumeration_support" = xyes]) -+ ]) -+ - AC_DEFUN([WITH_SUBID], - [ AC_ARG_WITH([subid], - [AC_HELP_STRING([--with-subid], -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index a7344e166..1760ea6b5 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -1068,6 +1068,9 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma - errno_t ret; - const char *tmp, *tmp_pam_target, *tmp_auth; - -+#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT -+ if (domain->provider != NULL && strcasecmp(domain->provider, "ldap") == 0) { -+#endif - /* TEMP: test if the old bitfield conf value is used and warn it has been - * superseded. */ - val = ldb_msg_find_attr_as_int(res->msgs[0], CONFDB_DOMAIN_ENUMERATE, 0); -@@ -1086,6 +1089,11 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma - goto done; - } - } -+#ifndef BUILD_EXTENDED_ENUMERATION_SUPPORT -+ } else { -+ domain->enumerate = false; -+ } -+#endif - - if (is_files_provider(domain)) { - /* The password field must be reported as 'x', else pam_unix won't -@@ -1122,11 +1130,7 @@ static errno_t confdb_init_domain_provider_and_enum(struct sss_domain_info *doma - } - - if (!domain->enumerate) { -- DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name); -- DEBUG(SSSDBG_TRACE_FUNC, -- "Please note that when enumeration is disabled `getent " -- "passwd` does not return all users by design. 
See " -- "sssd.conf man page for more detailed information\n"); -+ DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]\n", domain->name); - } - - ret = EOK; -@@ -1537,6 +1541,7 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain, - errno_t ret; - const char *tmp; - -+#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT - tmp = ldb_msg_find_attr_as_string(res->msgs[0], - CONFDB_SUBDOMAIN_ENUMERATE, - CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE); -@@ -1549,6 +1554,14 @@ static errno_t confdb_init_domain_subdomains(struct sss_domain_info *domain, - goto done; - } - } -+#else -+ ret = split_on_separator(domain, "none", ',', true, true, -+ &domain->sd_enumerate, NULL); -+ if (ret != 0) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Cannot set 'sd_enumerate'\n"); -+ goto done; -+ } -+#endif - - tmp = ldb_msg_find_attr_as_string(res->msgs[0], - CONFDB_DOMAIN_SUBDOMAIN_INHERIT, -diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c -index 61cf48c31..149e9a161 100644 ---- a/src/db/sysdb_subdomains.c -+++ b/src/db/sysdb_subdomains.c -@@ -494,8 +494,12 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain, - } - mpg_mode = str_to_domain_mpg_mode(str_mpg_mode); - -+#ifdef BUILD_EXTENDED_ENUMERATION_SUPPORT - enumerate = ldb_msg_find_attr_as_bool(res->msgs[i], - SYSDB_SUBDOMAIN_ENUM, false); -+#else -+ enumerate = false; -+#endif - - forest = ldb_msg_find_attr_as_string(res->msgs[i], - SYSDB_SUBDOMAIN_FOREST, NULL); -diff --git a/src/man/Makefile.am b/src/man/Makefile.am -index 1e51aebfd..77b08e84c 100644 ---- a/src/man/Makefile.am -+++ b/src/man/Makefile.am -@@ -55,12 +55,17 @@ FILES_PROVIDER_CONDS = ;with_files_provider - else - FILES_PROVIDER_CONDS = ;without_files_provider - endif -+if BUILD_EXTENDED_ENUMERATION_SUPPORT -+ENUM_CONDS = ;with_ext_enumeration -+else -+ENUM_CONDS = ;without_ext_enumeration -+endif - if SSSD_NON_ROOT_USER - SSSD_NON_ROOT_USER_CONDS = ;with_non_root_user_support - endif - - --CONDS = 
with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS) -+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(PASSKEY_CONDS)$(FILES_PROVIDER_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(ENUM_CONDS) - - - #Special Rules: -diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml -index 0a814ec35..ccf284abb 100644 ---- a/src/man/sssd-ldap.5.xml -+++ b/src/man/sssd-ldap.5.xml -@@ -323,7 +323,7 @@ - before refreshing its cache of enumerated - records. - -- -+ - This option can be also set per subdomain or - inherited via - subdomain_inherit. -@@ -486,7 +486,7 @@ - cached results are returned (and offline mode is - entered) - -- -+ - This option can be also set per subdomain or - inherited via - subdomain_inherit. -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index e7a8cbd9a..7276d233f 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -2673,8 +2673,12 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - and store ALL user and group entries from the - remote server. - -+ -+ Feature is only supported for domains with -+ id_provider = ldap. -+ - -- Note: Enabling enumeration has a moderate -+ Note: Enabling enumeration has a severe - performance impact on SSSD while enumeration - is running. It may take up to several minutes - after SSSD startup to fully complete enumerations. 
-@@ -2709,7 +2713,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - - - -- -+ - subdomain_enumerate (string) - - -@@ -3857,10 +3861,10 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - - ldap_offline_timeout - -- -+ - ldap_enumeration_refresh_timeout - -- -+ - ldap_enumeration_refresh_offset - - -@@ -3876,7 +3880,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit - - ldap_krb5_ticket_lifetime - -- -+ - ldap_enumeration_search_timeout - - --- -2.41.0 diff --git a/0002-Fix-the-build-with-Samba-4.20.patch b/0002-Fix-the-build-with-Samba-4.20.patch deleted file mode 100644 index 02b8485..0000000 --- a/0002-Fix-the-build-with-Samba-4.20.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 6b0cbea2f643269c5af6333b59979de9c0ad6ce5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 31 Jan 2024 10:42:40 +0100 -Subject: [PATCH] Fix the build with Samba 4.20 - -Guenther ---- - src/external/samba.m4 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/external/samba.m4 b/src/external/samba.m4 -index 49c6db8d2..5ab0e7527 100644 ---- a/src/external/samba.m4 -+++ b/src/external/samba.m4 -@@ -58,7 +58,7 @@ with argument --without-samba - SAVE_CFLAGS=$CFLAGS - SAVE_LIBS=$LIBS - CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS" -- LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}" -+ LIBS="$LIBS -L${sambalibdir} -lidmap-private-samba -Wl,-rpath ${sambalibdir}" - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ - #include --- -2.43.0 diff --git a/0003-tests-Drop-extensions-from-openssl-command-if-there-.patch b/0003-tests-Drop-extensions-from-openssl-command-if-there-.patch deleted file mode 100644 index 6d717df..0000000 --- a/0003-tests-Drop-extensions-from-openssl-command-if-there-.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 32b72c7c3303edb2bf55ae9a22e8db7855f3d7d1 Mon Sep 17 00:00:00 2001 -From: Sebastian Andrzej Siewior -Date: Wed, 24 Jan 2024 23:03:04 +0100 -Subject: [PATCH] tests: Drop -extensions from openssl command if there is no - -x509 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The 'openssl req' ignores the '-extensions' option without '-x509'. -OpenSSL versions prior 3.2 simply ignored it. Starting with version 3.2 -an error is generated: - -| /usr/bin/openssl req -batch -config -| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config -| -new -nodes -key -| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem --sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem -| Error adding request extensions from section v3_ca -| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156: -| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always -| - -Remove the '-extensions' option. 
- -Signed-off-by: Sebastian Andrzej Siewior - -Reviewed-by: Sumit Bose ---- - src/tests/test_CA/intermediate_CA/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tests/test_CA/intermediate_CA/Makefile.am b/src/tests/test_CA/intermediate_CA/Makefile.am -index b439f82cb03e5c99006b948c9eba2ba26ef4206c..50fcddb8d22213400f7ee31c6ba1eb7b8ccd14cd 100644 ---- a/src/tests/test_CA/intermediate_CA/Makefile.am -+++ b/src/tests/test_CA/intermediate_CA/Makefile.am -@@ -33,7 +33,7 @@ SSSD_test_CA.pem: - ln -s $(builddir)/../$@ - - SSSD_test_intermediate_CA_req.pem: $(openssl_intermediate_ca_key) $(openssl_intermediate_ca_config) SSSD_test_CA.pem -- $(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -extensions v3_ca -out $@ -+ $(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -out $@ - - SSSD_test_intermediate_CA.pem: SSSD_test_intermediate_CA_req.pem $(openssl_root_ca_config) $(openssl_root_ca_key) - cd .. && $(OPENSSL) ca -config ${openssl_root_ca_config} -batch -notext -keyfile $(openssl_root_ca_key) -in $(abs_builddir)/$< -days 200 -extensions v3_intermediate_ca -out $(abs_builddir)/$@ --- -2.43.2 - diff --git a/sources b/sources index e94222a..e8d914a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.9.4.tar.gz) = 9546cf074628f32137b16ca0c763988785271124244b645d1e786762e8578f10d983793a29bffcc004b064452fe8d465476a3041688d2f3c11c2751fb5bec3e2 +SHA512 (sssd-2.10.0-beta1.tar.gz) = f643872c36b22f14eab9e8d8495d8720499a5710e45c117e71aa59ac75593767725b6c63295f37a784c1f3206cf3aef68d12b0292a5db60ca81a3aa5191dbea4 diff --git a/sssd.spec b/sssd.spec index 4f7a634..cb1ed50 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -1,19 +1,24 @@ # SSSD SPEC file for Fedora 34+ and RHEL-9+ # define SSSD user -%if 0%{?rhel} +%if 0%{?fedora} >= 41 || 0%{?rhel} +%global use_sssd_user 1 %global sssd_user sssd %else +%global use_sssd_user 0 %global sssd_user root %endif -# Set setuid bit on child helpers if we support non-root user. -%if "%{sssd_user}" == "root" -%global child_attrs 0750 +# sysusers depends on presence of sssd user +%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 +%global use_sysusers 1 %else -%global child_attrs 4750 +%global use_sysusers 0 %endif +# Capabilities of privileged child helpers (required even if SSSD runs under root) +%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep + %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 %global build_subid 1 %else @@ -30,6 +35,18 @@ %global build_kcm_renewals 0 %endif +%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9 +%global build_passkey 1 +%else +%global build_passkey 0 +%endif + +%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 +%global build_ssh_known_hosts_proxy 0 +%else +%global build_ssh_known_hosts_proxy 1 +%endif + # we don't want to provide private python extension libs %define __provides_exclude_from %{python3_sitearch}/.*\.so$ @@ -42,17 +59,16 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.9.4 -Release: 6%{?dist} +Version: 2.10.0~beta1 +# Using '.el10' directly is a work around RHEL-38900 +Release: 1.el10 Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ -Source0: https://github.com/SSSD/sssd/releases/download/2.9.4/sssd-2.9.4.tar.gz +Source0: https://github.com/SSSD/sssd/releases/download/2.10.0-beta1/sssd-2.10.0-beta1.tar.gz +Source1: sssd.sysusers ### Patches ### -Patch0001: 0001-ENUMERATION-conditional-build-of-enumeration-support.patch -Patch0002: 0002-Fix-the-build-with-Samba-4.20.patch -Patch0003: 0003-tests-Drop-extensions-from-openssl-command-if-there-.patch ### Dependencies ### 
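Review bot: The new `%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep` is one shared set applied to every capability-bearing helper (ldap_child, krb5_child and selinux_child in later hunks), and the comment above it does not record which helper needs which capability. cap_dac_override bypasses all file permission checks, so the comment should say why it belongs in the common set rather than only on the helper that needs it, e.g. `# cap_dac_override: <reason — TODO fill in>; cap_setuid/cap_setgid: <reason>`. The remark "(required even if SSSD runs under root)" also deserves a sentence, since a process already running as root normally holds these capabilities; if it refers to the helpers dropping privileges after exec, say so. With `=ep` the set becomes effective on exec for any caller able to execute the 0750 root:%{sssd_user} binaries, which is why it should stay minimal and documented.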
@@ -78,7 +94,6 @@ Suggests: sssd-dbus = %{version}-%{release} %global secdbpath %{sssdstatedir}/secrets %global deskprofilepath %{sssdstatedir}/deskprofile - ### Build Dependencies ### BuildRequires: autoconf @@ -97,14 +112,17 @@ BuildRequires: gettext-devel # required for p11_child smartcard tests BuildRequires: gnutls-utils BuildRequires: jansson-devel +BuildRequires: libcap-devel BuildRequires: libcurl-devel BuildRequires: libjose-devel BuildRequires: keyutils-libs-devel BuildRequires: krb5-devel BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: libdhash-devel >= 0.4.2 +%if %{build_passkey} BuildRequires: libfido2-devel -BuildRequires: libini_config-devel >= 1.1 +%endif +BuildRequires: libini_config-devel >= 1.3 BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: libnfsidmap-devel BuildRequires: libnl3-devel @@ -135,7 +153,7 @@ BuildRequires: pcre2-devel BuildRequires: pkgconfig BuildRequires: popt-devel BuildRequires: python3-devel -BuildRequires: (python3-setuptools if python3 >= 3.12) +BuildRequires: python3-setuptools BuildRequires: samba-devel # required for idmap_sss.so BuildRequires: samba-winbind @@ -147,12 +165,17 @@ BuildRequires: systemd-devel BuildRequires: systemtap-sdt-devel BuildRequires: uid_wrapper BuildRequires: po4a +BuildRequires: valgrind-devel %if %{build_subid} BuildRequires: shadow-utils-subid-devel %endif %if %{build_kcm_renewals} BuildRequires: krb5-libs >= %{krb5_version} %endif +%if %{use_sysusers} || %{build_passkey} +BuildRequires: systemd-rpm-macros +%{?sysusers_requires_compat} +%endif %description Provides a set of daemons to manage access to remote directories and 
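Review bot: `%{?sysusers_requires_compat}` is expanded in the main package preamble (inside the new `%if %{use_sysusers} || %{build_passkey}` block of `@@ -147,12 +165,17 @@`), but the scriptlet it backs, `%sysusers_create_compat`, runs in `%pre common` (`@@ -981`), so the dependency is attached to the wrong package. It is benign only because sssd-common already carries `Requires(pre): shadow-utils` under `%if %{use_sssd_user}`, which is presumably what the compat macro expands to — confirm that. Moving the line into the `%package common` section next to that `Requires(pre)` makes the intent explicit. Gating `BuildRequires: systemd-rpm-macros` on `use_sysusers || build_passkey` while `%{_tmpfilesdir}` is used unconditionally in `@@ -595` relies on systemd-devel already pulling the macros in; if that holds, a comment saying so avoids the question.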
@@ -180,7 +203,9 @@ Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs) Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap) Requires: libsss_idmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} -%if 0%{?rhel} +Requires(post): coreutils +Requires(postun): coreutils +%if %{use_sssd_user} Requires(pre): shadow-utils %endif %{?systemd_requires} @@ -429,7 +454,7 @@ Requires: sssd-common = %{version}-%{release} Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows the information from the SSSD to be transmitted over the system bus. -%if 0%{?rhel} +%if %{use_sssd_user} %package polkit-rules Summary: Rules for polkit integration for SSSD Group: Applications/System @@ -485,6 +510,7 @@ License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} %if %{build_kcm_renewals} Requires: krb5-libs >= %{krb5_version} +Requires: sssd-krb5-common = %{version}-%{release} %endif %{?systemd_requires} @@ -502,24 +528,30 @@ This package provides Kerberos plugins that are required to enable authentication against external identity providers. Additionally a helper program to handle the OAuth 2.0 Device Authorization Grant is provided. +%if %{build_passkey} %package passkey Summary: SSSD helpers and plugins needed for authentication with passkey token License: GPL-3.0-or-later Requires: sssd-common = %{version}-%{release} Requires: libfido2 +%if "%{sssd_user}" != "root" +Requires: acl +%endif %description passkey This package provides helper processes and Kerberos plugins that are required to enable authentication with passkey token. +%endif %prep -%autosetup -p1 +%autosetup -n sssd-2.10.0-beta1 -p1 %build autoreconf -ivf %configure \ + --runstatedir=%{_rundir} \ --disable-rpath \ --disable-static \ --enable-gss-spnego-for-zero-maxssf \ 
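Review bot: The passkey subpackage block in `@@ -502,24 +528,30 @@` tests `%if "%{sssd_user}" != "root"` while the hunks just above switch the other occurrences of the same predicate to `%if %{use_sssd_user}` (`@@ -180`, `@@ -429`); the string comparison reappears in `@@ -584` and `@@ -981`. The two forms are equivalent only because `use_sssd_user` and `sssd_user` are set together at the top of the file, and nothing states that coupling. Using `%if %{use_sssd_user}` in all four places removes it, or if the string form is deliberate, a one-line comment at the `%global use_sssd_user` definition should say the two must stay in sync.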
@@ -534,7 +566,6 @@ autoreconf -ivf --with-initscript=systemd \ --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ --with-mcache-path=%{mcpath} \ - --with-pid-path=%{_rundir} \ --with-pipe-path=%{pipepath} \ --with-pubconf-path=%{pubconfpath} \ --with-sssd-user=%{sssd_user} \ @@ -543,10 +574,15 @@ autoreconf -ivf %if %{build_subid} --with-subid \ %endif -%if 0%{?fedora} +%if ! %{use_sssd_user} --disable-polkit-rules-path \ %endif +%if %{build_passkey} --with-passkey \ +%endif +%if %{build_ssh_known_hosts_proxy} + --with-ssh-known-hosts-proxy \ +%endif %{nil} %make_build all docs runstatedir=%{_rundir} @@ -584,8 +620,13 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp # Enable krb5 passkey plugins by default (when sssd-passkey package is installed) +%if %{build_passkey} cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey +%if "%{sssd_user}" != "root" +install -D -p -m 0644 contrib/90-sssd-token-access.rules %{buildroot}%{_udevrulesdir}/90-sssd-token-access.rules +%endif +%endif # krb5 configuration snippet cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ @@ -595,6 +636,9 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ # Otherwise this directory could not be owned by sssd-client mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils +# tmpfiles.d config +install -D -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf + # Remove .la files created by libtool find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; @@ -689,6 +733,10 @@ do cat $subpackage.lang done +%if %{use_sysusers} +install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf +%endif + %files %license COPYING 
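Review bot: The new install lines in `@@ -584,8 +620,13 @@`, `@@ -595,6 +636,9 @@` and `@@ -689,6 +733,10 @@` use `%{buildroot}` while the surrounding unchanged lines use `$RPM_BUILD_ROOT`; both resolve to the same directory, but mixing them within one `%install` section is a style inconsistency. Pick one form for the section, e.g. `install -D -p -m 0644 contrib/90-sssd-token-access.rules $RPM_BUILD_ROOT%{_udevrulesdir}/90-sssd-token-access.rules`, or leave a comment that new lines should use `%{buildroot}` and the rest will follow. The `install -D -m 0644 contrib/sssd-tmpfiles.conf` line also drops the `-p` that the other new install lines use; if timestamps are meant to be preserved, add it for consistency.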
@@ -704,13 +752,14 @@ done %{_unitdir}/sssd-pac.socket %{_unitdir}/sssd-pac.service %{_unitdir}/sssd-pam.socket -%{_unitdir}/sssd-pam-priv.socket %{_unitdir}/sssd-pam.service %{_unitdir}/sssd-ssh.socket %{_unitdir}/sssd-ssh.service %{_unitdir}/sssd-sudo.socket %{_unitdir}/sssd-sudo.service +%{_tmpfilesdir}/%{name}.conf + %dir %{_libexecdir}/%{servicename} %{_libexecdir}/%{servicename}/sssd_be %{_libexecdir}/%{servicename}/sssd_nss 
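Review bot: `%{_unitdir}/sssd-pam-priv.socket` is dropped from `%files` and its `%systemd_post`/`%systemd_preun`/`%systemd_postun_with_restart` lines are removed in `@@ -999` and `@@ -1009`, but no scriptlet stops the unit on upgrade; `%systemd_preun` only acts on full erase. On a system where the old socket is active at upgrade time, systemd presumably keeps the unit loaded and its socket open after the unit file disappears, until reboot — confirm this against the targeted systemd version. If so, a transitional `if [ $1 -gt 1 ]; then systemctl stop sssd-pam-priv.socket >/dev/null 2>&1 || :; fi` in `%post common`, with a comment naming the release that removed the unit, would cover the upgrade path for one cycle.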
@@ -742,40 +791,42 @@ done %{ldb_modulesdir}/memberof.so %{_bindir}/sss_ssh_authorizedkeys +%{_bindir}/sss_ssh_knownhosts %{_bindir}/sss_ssh_knownhostsproxy %{_sbindir}/sss_cache %{_libexecdir}/%{servicename}/sss_signal -%dir %{sssdstatedir} +%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir} %dir %{_localstatedir}/cache/krb5rcache -%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath} %attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath} -%attr(700,root,root) %dir %{secdbpath} -%attr(751,root,root) %dir %{deskprofilepath} -%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd -%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group -%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups -%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath} -%attr(750,%{sssd_user},root) %dir %{pipepath}/private -%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath} -%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath} -%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name} -%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd -%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d -%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki -%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%attr(770,%{sssd_user},%{sssd_user}) %dir %{secdbpath} +%attr(771,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath} +%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private +%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name} +%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd +%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d 
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki +%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %dir %{_sysconfdir}/logrotate.d %config(noreplace) %{_sysconfdir}/logrotate.d/sssd %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd +%attr(775,%{sssd_user},%{sssd_user}) %dir %{_rundir}/sssd %config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils %dir %{_libdir}/%{name}/conf %{_libdir}/%{name}/conf/sssd.conf %{_datadir}/sssd/cfg_rules.ini %{_mandir}/man1/sss_ssh_authorizedkeys.1* +%{_mandir}/man1/sss_ssh_knownhosts.1* +%if %{build_ssh_known_hosts_proxy} %{_mandir}/man1/sss_ssh_knownhostsproxy.1* +%endif %{_mandir}/man5/sssd.conf.5* %{_mandir}/man5/sssd-simple.5* %{_mandir}/man5/sssd-sudo.5* @@ -792,8 +843,12 @@ done %{_datadir}/systemtap/tapset/sssd.stp %{_datadir}/systemtap/tapset/sssd_functions.stp %{_mandir}/man5/sssd-systemtap.5* +%if %{use_sysusers} +%{_sysusersdir}/sssd.conf +%endif -%if 0%{?rhel} + +%if %{use_sssd_user} %files polkit-rules %{_datadir}/polkit-1/rules.d/* %endif @@ -806,9 +861,9 @@ done %files krb5-common %license COPYING -%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d -%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child -%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child +%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/ldap_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/krb5_child %files krb5 -f sssd_krb5.lang %license COPYING 
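Review bot: The `@@ -742,40 +791,42 @@` hunk widens several directories from owner-only to group-writable — `%{secdbpath}` goes from `700 root:root` to `770 %{sssd_user}:%{sssd_user}`, `%{dbpath}` from 700 to 770, `%{pipepath}/private` from 750 to 770, and `%{_sysconfdir}/sssd/pki` from `711 root:root` to `750 %{sssd_user}` — without a comment recording who in that group needs the access. If the daemon and the capability-bearing helpers all run as `%{sssd_user}` (the owner), the group bit grants them nothing and only extends write access on the secrets and cache databases to any other member of the group; if the intent is to let a root-owned component or an admin group write there, say so, otherwise 750/700 would keep the previous exposure. A short comment above the block such as `# group-writable so that <who> can write — TODO confirm` lets the next reviewer check the rationale. When `%{sssd_user}` is `root` the group is `root` too, so the change matters mainly on the non-root builds.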
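Review bot: ldap_child and krb5_child in `@@ -806,9 +861,9 @@` become `0750 root:%{sssd_user}` with `%caps(%{child_capabilities})`, so any process running with group `%{sssd_user}` can execute a binary that gains cap_setuid, cap_setgid, cap_dac_override and cap_chown as effective on exec; selinux_child in `@@ -824` follows the same pattern. This is a clear reduction from the previous setuid-root 4750 mode, but the helpers are now the trust boundary for their argv, environment and stdin, which is worth a comment at the `%attr` lines, e.g. `# file caps replace setuid; helpers must treat all input from the caller as untrusted`. If any helper needs only a subset of the set, splitting `child_capabilities` per helper keeps each one at least privilege.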
@@ -824,9 +879,9 @@ done %files ipa -f sssd_ipa.lang %license COPYING -%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir} +%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir} %{_libdir}/%{name}/libsss_ipa.so -%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/selinux_child %{_mandir}/man5/sssd-ipa.5* %files ad -f sssd_ad.lang @@ -837,7 +892,7 @@ done %files proxy %license COPYING -%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child +%{_libexecdir}/%{servicename}/proxy_child %{_libdir}/%{name}/libsss_proxy.so %files dbus -f sssd_dbus.lang @@ -981,17 +1036,26 @@ done %{_datadir}/sssd/krb5-snippets/sssd_enable_idp %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp +%if %{build_passkey} %files passkey %attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child %{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so %{_datadir}/sssd/krb5-snippets/sssd_enable_passkey +%if "%{sssd_user}" != "root" +%{_udevrulesdir}/90-sssd-token-access.rules +%endif %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey +%endif -%if 0%{?rhel} +%if %{use_sssd_user} %pre common +%if %{use_sysusers} +%sysusers_create_compat %{SOURCE1} +%else getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd %endif +%endif %post common %systemd_post sssd.service 
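Review bot: `proxy_child` in `@@ -837,7 +892,7 @@` loses its `%attr(%{child_attrs},root,%{sssd_user})` and is packaged with whatever mode `make install` assigns, while the other helpers in this release keep an explicit `0750 root:%{sssd_user}`; nothing in the diff records the intended mode or why this helper alone needs no restriction. If the default is 0755 the helper becomes executable by every local user, which may be harmless now that it carries neither a setuid bit nor capabilities, but the decision should be visible: either `%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child` for consistency, or a comment such as `# proxy_child runs unprivileged; default install mode is intentional`.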
@@ -999,9 +1063,17 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %systemd_post sssd-nss.socket %systemd_post sssd-pac.socket %systemd_post sssd-pam.socket -%systemd_post sssd-pam-priv.socket %systemd_post sssd-ssh.socket %systemd_post sssd-sudo.socket +%__rm -f %{mcpath}/passwd +%__rm -f %{mcpath}/group +%__rm -f %{mcpath}/initgroups +%__rm -f %{mcpath}/sid +%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true +%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true +%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true +%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true %preun common %systemd_preun sssd.service @@ -1009,16 +1081,18 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %systemd_preun sssd-nss.socket %systemd_preun sssd-pac.socket %systemd_preun sssd-pam.socket -%systemd_preun sssd-pam-priv.socket %systemd_preun sssd-ssh.socket %systemd_preun sssd-sudo.socket %postun common +%__rm -f %{mcpath}/passwd +%__rm -f %{mcpath}/group +%__rm -f %{mcpath}/initgroups +%__rm -f %{mcpath}/sid %systemd_postun_with_restart sssd-autofs.socket %systemd_postun_with_restart sssd-nss.socket %systemd_postun_with_restart sssd-pac.socket %systemd_postun_with_restart sssd-pam.socket -%systemd_postun_with_restart sssd-pam-priv.socket %systemd_postun_with_restart sssd-ssh.socket %systemd_postun_with_restart sssd-sudo.socket 
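Review bot: The new `%__chown` lines in `%post common` (`@@ -999,9 +1063,17 @@`) run while the previous SSSD instance may still be executing as root; the restart only happens later in `%systemd_postun_with_restart`, so any cache, log or secrets file the old daemon creates or rotates between `%post` and the restart keeps root ownership, and `-f ... || true` hides that. If this is accepted as a best-effort one-time migration, a comment stating so (and noting that `%{dbpath}/*` skips dot-files and the contents of subdirectories, if that is intended) would help; otherwise consider doing the ownership fix in `%posttrans common` after the restart. The four `%__rm -f %{mcpath}/...` lines are duplicated verbatim in `%postun common` (`@@ -1009`); a single `%global` macro holding them would keep the two in step.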
@@ -1061,6 +1135,13 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Thu Jun 6 2024 Alexey Tikhonov - 2.10.0~beta1-1 +- Resolves: RHEL-40253 - Rebase SSSD for RHEL 10-beta +- Resolves: RHEL-29303 - Issue discovered by static analyzer. +- Resolves: RHEL-11181 - sssd[4022110]: gencache_init: Failed to create directory: //.cache/samba - Permission denied +- Resolves: RHEL-4986 - [RFE] sssd use systemd-sysusers +- Resolves: RHEL-4974 - sssd status shows error "krb5_kt_start_seq_get failed: Permission denied" when running as unprivileged user 'sssd' + * Thu Feb 22 2024 Troy Dawson - 2.9.4-6 - Bump release to rebuild on correct samba diff --git a/sssd.sysusers b/sssd.sysusers new file mode 100644 index 0000000..ee8a05d --- /dev/null +++ b/sssd.sysusers @@ -0,0 +1 @@ +u sssd - "User for sssd" /run/sssd/ /sbin/nologin
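Review bot: The sysusers entry `u sssd - "User for sssd" /run/sssd/ /sbin/nologin` gives the account a home of `/run/sssd/`, while the fallback path in `%pre common` (`@@ -981`) still runs `useradd -r -g sssd -d / -s /sbin/nologin`, so the same user gets a different home depending on `use_sysusers`. If `/run/sssd/` is the intended value — the changelog entry about `//.cache/samba` suggests the home directory matters — the `useradd` line should use `-d /run/sssd` as well, and a one-line comment in the sysusers file should say why a tmpfs path is acceptable as home. Note that systemd-sysusers does not create the home directory; the `%attr(775,...) %dir %{_rundir}/sssd` entry in `%files` appears to provide it — confirm that is sufficient on the compat path.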