diff --git a/backport-KCM-Display-in-the-log-the-limit-as-set-by-the-user.patch b/backport-KCM-Display-in-the-log-the-limit-as-set-by-the-user.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f2338221a6759841d2f657748e62258232079fa5
--- /dev/null
+++ b/backport-KCM-Display-in-the-log-the-limit-as-set-by-the-user.patch
@@ -0,0 +1,42 @@
+From 96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
+Date: Mon, 9 Oct 2023 10:56:08 +0200
+Subject: [PATCH] KCM: Display in the log the limit as set by the user
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+max_uid_ccaches is unconditionally incremented by 2 in ccdb_secdb_init()
+to create space for some internal entries. We cannot just show this
+value as it is not what the user configured.
+
+Reviewed-by: Sumit Bose
+Reviewed-by: Tomáš Halman
+
+Reference: https://github.com/SSSD/sssd/commit/96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5
+Conflict: NA
+---
+ src/responder/kcm/secrets/secrets.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
+index 4dc748c3b..8f32c63e9 100644
+--- a/src/responder/kcm/secrets/secrets.c
++++ b/src/responder/kcm/secrets/secrets.c
+@@ -381,11 +381,12 @@ static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
+ ret = local_db_remove_oldest_expired_secret(res, req);
+ if (ret != EOK) {
+ if (ret == ERR_NO_MATCHING_CREDS) {
++ /* max_uid_secrets is incremented by 2 for internal entries. */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot store any more secrets for this client (basedn %s) "
+ "as the maximum allowed limit (%d) has been reached\n",
+ ldb_dn_get_linearized(cli_basedn),
+- req->quota->max_uid_secrets);
++ req->quota->max_uid_secrets - 2);
+ ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
+ }
+ goto done;
+--
+2.33.0
+
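Review bot: `req->quota->max_uid_secrets - 2` hard-codes the same internal-entry count that ccdb_secdb_init() adds, so the two sites will silently drift apart if that function ever reserves a different number of entries; a single named constant for the reserved-entry count, used by both ccdb_secdb_init() and this log line, would keep the message honest. The added comment also talks about `max_uid_secrets` while the commit message talks about `max_uid_ccaches`; saying which one is the user-visible setting would help the next reader. The enclosing local_db_check_peruid_number_of_secrets() starts outside the hunk.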
diff --git a/backport-KCM-Remove-the-oldest-expired-credential-if-no-more-.patch b/backport-KCM-Remove-the-oldest-expired-credential-if-no-more-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1070abd7f9f2f367711d6e3c2c487393bb34274d
--- /dev/null
+++ b/backport-KCM-Remove-the-oldest-expired-credential-if-no-more-.patch
@@ -0,0 +1,299 @@ +From 93ee0159a0f467ced3412d034ec706dd3508901e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= +Date: Tue, 3 Oct 2023 12:39:49 +0200 +Subject: [PATCH] KCM: Remove the oldest expired credential if no more space. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +:feature: When adding a new credential to KCM and the user has + already reached their limit, the oldest expired credential + will be removed to free some space. + If no expired credential is found to be removed, the operation + will fail as it happened in the previous versions. + +Resolves: https://github.com/SSSD/sssd/issues/6667 + +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/93ee0159a0f467ced3412d034ec706dd3508901e +Conflict: NA +--- + src/responder/kcm/secrets/secrets.c | 203 +++++++++++++++++++++++++--- + 1 file changed, 186 insertions(+), 17 deletions(-) + +diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c +index 025d1c421..4dc748c3b 100644 +--- a/src/responder/kcm/secrets/secrets.c ++++ b/src/responder/kcm/secrets/secrets.c +@@ -18,15 +18,18 @@ + You should have received a copy of the GNU General Public License + along with this program. If not, see . 
+ */ ++#include "config.h" + ++#include + #include + #include +-#include ++#include + #include + +-#include "config.h" +- ++#include "responder/kcm/kcmsrv_ccache.h" + #include "util/util.h" ++#include "util/util_creds.h" ++#include "util/sss_iobuf.h" + #include "util/strtonum.h" + #include "util/crypto/sss_crypto.h" + #include "sec_pvt.h" +@@ -50,6 +53,10 @@ static struct sss_sec_quota default_kcm_quota = { + .containers_nest_level = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, + }; + ++static char *local_dn_to_path(TALLOC_CTX *mem_ctx, ++ struct ldb_dn *basedn, ++ struct ldb_dn *dn); ++ + static int local_db_check_containers(TALLOC_CTX *mem_ctx, + struct sss_sec_ctx *sec_ctx, + struct ldb_dn *leaf_dn) +@@ -181,11 +188,166 @@ static struct ldb_dn *per_uid_container(TALLOC_CTX *mem_ctx, + return uid_base_dn; + } + ++static errno_t get_secret_expiration_time(uint8_t *key, size_t key_length, ++ uint8_t *sec, size_t sec_length, ++ time_t *_expiration) ++{ ++ errno_t ret; ++ TALLOC_CTX *tmp_ctx; ++ time_t expiration = 0; ++ struct cli_creds client = {}; ++ struct kcm_ccache *cc; ++ struct sss_iobuf *iobuf; ++ krb5_creds **cred_list, **cred; ++ const char *key_str; ++ ++ if (_expiration == NULL) { ++ return EINVAL; ++ } ++ ++ tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx == NULL) { ++ return ENOMEM; ++ } ++ ++ key_str = talloc_strndup(tmp_ctx, (const char *) key, key_length); ++ if (key_str == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ iobuf = sss_iobuf_init_readonly(tmp_ctx, sec, sec_length); ++ if (iobuf == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = sec_kv_to_ccache_binary(tmp_ctx, key_str, iobuf, &client, &cc); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ cred_list = kcm_cc_unmarshal(tmp_ctx, NULL, cc); ++ if (cred_list == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ for (cred = cred_list; *cred != NULL; cred++) { ++ if ((*cred)->times.endtime != 0) { ++ expiration = (time_t) (*cred)->times.endtime; ++ break; ++ } ++ } ++ ++ *_expiration = expiration; ++ 
ret = EOK; ++ ++done: ++ talloc_free(tmp_ctx); ++ return ret; ++} ++ ++static errno_t local_db_remove_oldest_expired_secret(struct ldb_result *res, ++ struct sss_sec_req *req) ++{ ++ struct sss_sec_req *new_req = NULL; ++ const struct ldb_val *val; ++ const struct ldb_val *rdn; ++ struct ldb_message *msg; ++ struct ldb_message_element *elem; ++ struct ldb_dn *basedn; ++ struct ldb_dn *oldest_dn = NULL; ++ time_t oldest_time = time(NULL); ++ time_t expiration; ++ unsigned int i; ++ int ret; ++ ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing the oldest expired credential\n"); ++ /* Between all the messages in result, there is also the key we are ++ * currently treating, but because yet it doesn't have an expiration time, ++ * it will be skipped. ++ */ ++ for (i = 0; i < res->count; i++) { ++ msg = res->msgs[i]; ++ ++ /* Skip cn=default,... or any non cn=... */ ++ rdn = ldb_dn_get_rdn_val(msg->dn); ++ if (strcmp(ldb_dn_get_rdn_name(msg->dn), "cn") != 0 ++ || strncmp("default", (char *) rdn->data, rdn->length) == 0) { ++ continue; ++ } ++ ++ elem = ldb_msg_find_element(msg, SEC_ATTR_SECRET); ++ if (elem != NULL) { ++ if (elem->num_values != 1) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Element %s has %u values. 
Ignoring it.\n", ++ SEC_ATTR_SECRET, elem->num_values); ++ ret = ERR_MALFORMED_ENTRY; ++ goto done; ++ } ++ ++ val = &elem->values[0]; ++ ret = get_secret_expiration_time(rdn->data, rdn->length, ++ val->data, val->length, ++ &expiration); ++ if (ret != EOK) { ++ goto done; ++ } ++ if (expiration > 0 && expiration < oldest_time) { ++ oldest_dn = msg->dn; ++ oldest_time = expiration; ++ } ++ } ++ } ++ ++ if (oldest_dn == NULL) { ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Found no expired credential to remove\n"); ++ ret = ERR_NO_MATCHING_CREDS; ++ goto done; ++ } ++ ++ new_req = talloc_zero(NULL, struct sss_sec_req); ++ if (new_req == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate the new request\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ basedn = ldb_dn_new(new_req, req->sctx->ldb, req->basedn); ++ if (basedn == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create a dn: %s\n", req->basedn); ++ ret = EINVAL; ++ goto done; ++ } ++ ++ new_req->basedn = req->basedn; ++ new_req->quota = req->quota; ++ new_req->req_dn = oldest_dn; ++ new_req->sctx = req->sctx; ++ new_req->path = local_dn_to_path(new_req, basedn, oldest_dn); ++ if (new_req->path == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create the path\n"); ++ ret = EINVAL; ++ goto done; ++ } ++ ++ ret = sss_sec_delete(new_req); ++ ++done: ++ if (new_req != NULL) ++ talloc_free(new_req); ++ ++ return ret; ++} ++ ++ + static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { NULL }; ++ static const char *attrs[] = { SEC_ATTR_SECRET, NULL }; + struct ldb_result *res = NULL; + struct ldb_dn *cli_basedn = NULL; + int ret; +@@ -214,13 +376,20 @@ static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx, + } + + if (res->count >= req->quota->max_uid_secrets) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot store any more secrets for this client (basedn %s) " +- "as the maximum allowed limit (%d) has been 
reached\n", +- ldb_dn_get_linearized(cli_basedn), +- req->quota->max_uid_secrets); +- ret = ERR_SEC_INVALID_TOO_MANY_SECRETS; +- goto done; ++ /* We reached the limit. Let's try to removed the ++ * oldest expired credential to free some space. */ ++ ret = local_db_remove_oldest_expired_secret(res, req); ++ if (ret != EOK) { ++ if (ret == ERR_NO_MATCHING_CREDS) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Cannot store any more secrets for this client (basedn %s) " ++ "as the maximum allowed limit (%d) has been reached\n", ++ ldb_dn_get_linearized(cli_basedn), ++ req->quota->max_uid_secrets); ++ ret = ERR_SEC_INVALID_TOO_MANY_SECRETS; ++ } ++ goto done; ++ } + } + + ret = EOK; +@@ -808,15 +977,15 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = local_db_check_number_of_secrets(msg, req); ++ ret = local_db_check_peruid_number_of_secrets(msg, req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "local_db_check_number_of_secrets failed [%d]: %s\n", ++ "local_db_check_peruid_number_of_secrets failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + +- ret = local_db_check_peruid_number_of_secrets(msg, req); ++ ret = local_db_check_number_of_secrets(msg, req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_db_check_number_of_secrets failed [%d]: %s\n", +@@ -905,15 +1074,15 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = local_db_check_number_of_secrets(msg, req); ++ ret = local_db_check_peruid_number_of_secrets(msg, req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "local_db_check_number_of_secrets failed [%d]: %s\n", ++ "local_db_check_peruid_number_of_secrets failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + +- ret = local_db_check_peruid_number_of_secrets(msg, req); ++ ret = local_db_check_number_of_secrets(msg, req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_db_check_number_of_secrets failed [%d]: %s\n", +-- +2.33.0 + 
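Review bot: get_secret_expiration_time() stops at the first credential in the ccache that has a non-zero endtime, so a ccache whose first listed credential is an expired service ticket is reported as expired and deleted by local_db_remove_oldest_expired_secret() even if it still holds a valid TGT; unless the marshalled order guarantees the TGT comes first (not visible here), the loop should track the latest endtime across all credentials and only then let the caller compare it against now. In the same helper the `elem->num_values != 1` branch logs "Ignoring it." but then returns ERR_MALFORMED_ENTRY and aborts the whole eviction, so one malformed entry blocks every later store for that UID; either `continue` to match the message or reword it. The `strncmp("default", (char *) rdn->data, rdn->length)` skip also matches any RDN that is a proper prefix of "default" (for example `cn=def`), so the length should be compared too.

```c
    /* A ccache only counts as expired once its newest credential has expired. */
    for (cred = cred_list; *cred != NULL; cred++) {
        if ((time_t) (*cred)->times.endtime > expiration) {
            expiration = (time_t) (*cred)->times.endtime;
        }
    }
    /* … unchanged: *_expiration = expiration; cleanup … */
```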
diff --git a/backport-Proxy-Avoid-ldb_modify-failed-error.patch b/backport-Proxy-Avoid-ldb_modify-failed-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fd2adefa625dc7c5980dc0f2cda5efdff07567bb
--- /dev/null
+++ b/backport-Proxy-Avoid-ldb_modify-failed-error.patch
@@ -0,0 +1,39 @@
+From eebb43def9e93c039203993c67148bfdc72c18ad Mon Sep 17 00:00:00 2001
+From: Justin Stephenson
+Date: Wed, 23 Aug 2023 15:15:26 -0400
+Subject: [PATCH] Proxy: Avoid ldb_modify failed error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves the sysdb errors returned in the proxy provider
+logs when proxy_fast_alias is True.
+
+This extraneous memset call would overwrite the previously
+returned pwd buffer, therefore an attempt was made to update
+the user's SYSDB_PWD with an empty value causing the error.
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Tomáš Halman
+
+Reference: https://github.com/SSSD/sssd/commit/eebb43def9e93c039203993c67148bfdc72c18ad
+Conflict: NA
+---
+ src/providers/proxy/proxy_id.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
+index db6bbb2f0..9e7722eb0 100644
+--- a/src/providers/proxy/proxy_id.c
++++ b/src/providers/proxy/proxy_id.c
+@@ -1418,7 +1418,6 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
+ }
+
+ uid = pwd->pw_uid;
+- memset(buffer, 0, buflen);
+
+ /* Canonicalize the username in case it was actually an alias */
+ if (ctx->fast_alias == true) {
+--
+2.33.0
+
diff --git a/backport-cli-caculate-the-wait_time-in-milliseconds.patch b/backport-cli-caculate-the-wait_time-in-milliseconds.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bde0a9f26b319f69ca76b7322eade4ede711cd2d
--- /dev/null
+++ b/backport-cli-caculate-the-wait_time-in-milliseconds.patch
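Review bot: With the memset gone, `buffer` keeps the getpw*_r result, including whatever `pwd->pw_passwd` points at, for the rest of get_initgr(); if the cleanup path outside this hunk does not already wipe it before freeing, that is the place to do it, with an erase the compiler cannot drop (explicit_bzero() or the project's secure-erase helper) rather than a plain memset. A one-line comment where the memset stood, `/* pwd's fields point into buffer; keep it intact until the user has been stored */`, would stop someone re-adding the clear in the same spot. get_initgr() starts and ends outside the hunk.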
@@ -0,0 +1,37 @@
+From a997ee7bd9d259e7faf654cb94145c0135df02f8 Mon Sep 17 00:00:00 2001
+From: licunlong
+Date: Fri, 29 Sep 2023 12:24:45 +0800
+Subject: [PATCH] cli: caculate the wait_time in milliseconds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The timeout we pass in is 300000ms, and we sleep 1s every
+time we get a EAGAIN error, so we need to multiply 1000
+for sleep_time.
+
+Reviewed-by: Alejandro López
+Reviewed-by: Alexey Tikhonov
+
+Reference: https://github.com/SSSD/sssd/commit/a997ee7bd9d259e7faf654cb94145c0135df02f8
+Conflict: NA
+---
+ src/sss_client/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 53ff6e8e9..c80c8e74b 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -617,7 +617,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
+ socklen_t errnosize;
+ struct pollfd pfd;
+
+- wait_time += sleep_time;
++ wait_time += sleep_time * 1000;
+
+ ret = connect(sd, (struct sockaddr *)&nssaddr,
+ sizeof(nssaddr));
+--
+2.33.0
+
diff --git a/backport-dyndns-PTR-record-updates-separately.patch b/backport-dyndns-PTR-record-updates-separately.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a5eaf56f2878233d3d2bd04f2a181947898d632d
--- /dev/null
+++ b/backport-dyndns-PTR-record-updates-separately.patch
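Review bot: `wait_time += sleep_time * 1000;` now mixes two units in one expression with nothing in the code saying so, and the variable names still read as if both were in the same unit; a comment next to the line, `/* sleep_time is in seconds (one sleep per EAGAIN); wait_time and timeout are in milliseconds */`, would explain the factor and stop the next reader from "fixing" it back. The sleep call and the `wait_time` versus `timeout` comparison this feeds are outside the hunk, so whether `sleep_time` is ever anything but 1 cannot be checked here. sss_cli_open_socket() starts and ends outside the hunk.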
@@ -0,0 +1,140 @@ +From f0bba9d5178d18e7b08aaa58375916d111dfeb59 Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Tue, 26 Sep 2023 11:05:13 +0200 +Subject: [PATCH] dyndns: PTR record updates separately + +DNS server does not allow updates for different zones in one +single step. Those updates must be sent separately. + +It is complicated and in some cases impossible to detect that +PTR updates does not fit into one zone because it often depends +on DNS server configuration. + +With this patch PTR record updates are always sent separately. + +Resolves: https://github.com/SSSD/sssd/issues/6956 + +Reviewed-by: Dan Lavu +Reviewed-by: Justin Stephenson + +Reference: https://github.com/SSSD/sssd/commit/f0bba9d5178d18e7b08aaa58375916d111dfeb59 +Conflict: NA +--- + src/man/sssd-ad.5.xml | 5 +++++ + src/man/sssd-ipa.5.xml | 5 +++++ + src/providers/be_dyndns.c | 18 +++--------------- + src/tests/cmocka/test_dyndns.c | 5 +++++ + 4 files changed, 18 insertions(+), 15 deletions(-) + +diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml +index 65778124b..082e97e52 100644 +--- a/src/man/sssd-ad.5.xml ++++ b/src/man/sssd-ad.5.xml +@@ -1262,6 +1262,11 @@ ad_gpo_map_deny = +my_pam_service + updated when updating the client's DNS records. + Applicable only when dyndns_update is true. + ++ ++ Note that dyndns_update_per_family ++ parameter does not apply for PTR record updates. ++ Those updates are always sent separately. ++ + + Default: True + +diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml +index aa6ff2380..4802ce866 100644 +--- a/src/man/sssd-ipa.5.xml ++++ b/src/man/sssd-ipa.5.xml +@@ -286,6 +286,11 @@ + PTR records automatically when forward records + are changed. + ++ ++ Note that dyndns_update_per_family ++ parameter does not apply for PTR record updates. ++ Those updates are always sent separately. 
++ + + Default: False (disabled) + +diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c +index 2de9a13a9..2c655ef1e 100644 +--- a/src/providers/be_dyndns.c ++++ b/src/providers/be_dyndns.c +@@ -402,7 +402,7 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses, + } + + updateipv4 = talloc_asprintf_append(updateipv4, +- "update add %s %d in PTR %s.\n", ++ "update add %s %d in PTR %s.\nsend\n", + ptr, ttl, hostname); + break; + case AF_INET6: +@@ -415,7 +415,7 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses, + } + } + updateipv6 = talloc_asprintf_append(updateipv6, +- "update add %s %d in PTR %s.\n", ++ "update add %s %d in PTR %s.\nsend\n", + ptr, ttl, hostname); + break; + } +@@ -426,21 +426,9 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses, + } + } + +- if (update_per_family && updateipv4[0] && updateipv6[0]) { +- /* update per family and both families present */ +- return talloc_asprintf_append(update_msg, +- "%s" +- "send\n" +- "%s" +- "send\n", +- updateipv4, +- updateipv6); +- } +- + return talloc_asprintf_append(update_msg, + "%s" +- "%s" +- "send\n", ++ "%s", + updateipv4, + updateipv6); + } +diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c +index 1ef5a9019..7526c16a8 100644 +--- a/src/tests/cmocka/test_dyndns.c ++++ b/src/tests/cmocka/test_dyndns.c +@@ -663,11 +663,13 @@ void dyndns_test_create_ptr_msg(void **state) + assert_string_equal(msg, + "\nupdate delete 1.0.168.192.in-addr.arpa. in PTR\n" + "update add 1.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n" ++ "send\n" + "update delete 2.0.168.192.in-addr.arpa. in PTR\n" + "update add 2.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n" + "send\n" + "update delete 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n" + "update add 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 
1234 in PTR bran_stark.\n" ++ "send\n" + "update delete 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n" + "update add 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n" + "send\n"); +@@ -680,10 +682,13 @@ void dyndns_test_create_ptr_msg(void **state) + assert_string_equal(msg, + "\nupdate delete 1.0.168.192.in-addr.arpa. in PTR\n" + "update add 1.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n" ++ "send\n" + "update delete 2.0.168.192.in-addr.arpa. in PTR\n" + "update add 2.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n" ++ "send\n" + "update delete 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n" + "update add 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n" ++ "send\n" + "update delete 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n" + "update add 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n" + "send\n"); +-- +2.33.0 + diff --git a/backport-ipa-do-not-go-offline-if-group-does-not-have-SID.patch b/backport-ipa-do-not-go-offline-if-group-does-not-have-SID.patch new file mode 100644 index 0000000000000000000000000000000000000000..1f3c437667eeb84d5f5fd7f2ccafd910424c5a53 --- /dev/null +++ b/backport-ipa-do-not-go-offline-if-group-does-not-have-SID.patch 
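Review bot: After the removed `if (update_per_family && ...)` block, nsupdate_msg_add_ptr() no longer reads the per-family flag at all, and nothing in the code says that PTR updates are deliberately emitted one `send` at a time, so the reason now lives only in the commit message and the man pages; a comment above the `update add ... send` strings along the lines of `/* Each PTR may live in a different reverse zone and a server rejects an update that spans zones, so every PTR record is sent on its own. */` would preserve it. If the flag is a parameter of this function (its signature is outside the hunk) it should either be dropped or explicitly marked unused. Each PTR is now also its own transaction, so a failure midway leaves earlier records updated and later ones not; that is presumably acceptable but deserves a line in the same comment.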
@@ -0,0 +1,220 @@ +From 26047f07c0f7aa61a44543de8674ec7d0904812e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 10 Aug 2023 13:16:51 +0200 +Subject: [PATCH] ipa: do not go offline if group does not have SID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This happens during applying overrides on cached group +during initgroups of trusted user. If the group does not +have SID (it's GID is outside the sidgen range), SSSD goes +offline. + +Only SSSD running in server_mode is affected. + +This patch ignores error in single group and rather continues +processing the remaining groups. + +Resolves: https://github.com/SSSD/sssd/issues/6942 + +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/26047f07c0f7aa61a44543de8674ec7d0904812e +Conflict: NA +--- + src/providers/ipa/ipa_id.c | 97 +++++++++---------- + src/tests/system/tests/test_trust_identity.py | 61 ++++++++++++ + 2 files changed, 109 insertions(+), 49 deletions(-) + create mode 100644 src/tests/system/tests/test_trust_identity.py + +diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c +index 636e07965..fcac56ce2 100644 +--- a/src/providers/ipa/ipa_id.c ++++ b/src/providers/ipa/ipa_id.c +@@ -291,66 +291,65 @@ static int ipa_initgr_get_overrides_step(struct tevent_req *req) + int ret; + struct tevent_req *subreq; + const char *ipa_uuid; ++ const char *dn; + struct ipa_initgr_get_overrides_state *state = tevent_req_data(req, + struct ipa_initgr_get_overrides_state); + +- DEBUG(SSSDBG_TRACE_LIBS, +- "Processing group %zu/%zu\n", state->group_idx, state->group_count); ++ for (; state->group_idx < state->group_count; state->group_idx++) { ++ dn = ldb_dn_get_linearized(state->groups[state->group_idx]->dn); + +- if (state->group_idx >= state->group_count) { +- return EOK; +- } ++ DEBUG(SSSDBG_TRACE_LIBS, "Processing group %s (%zu/%zu)\n", ++ dn, state->group_idx, 
state->group_count); + +- ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx], +- state->groups_id_attr, NULL); +- if (ipa_uuid == NULL) { +- /* This should never happen, the search filter used to get the list +- * of groups includes "uuid=*" +- */ +- DEBUG(SSSDBG_OP_FAILURE, +- "The group %s has no UUID attribute %s, error!\n", +- ldb_dn_get_linearized(state->groups[state->group_idx]->dn), +- state->groups_id_attr); +- return EINVAL; +- } ++ ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx], ++ state->groups_id_attr, NULL); ++ if (ipa_uuid == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "The group %s has no UUID attribute %s, error!\n", ++ dn, state->groups_id_attr); ++ continue; ++ } + +- talloc_free(state->ar); /* Avoid spiking memory with many groups */ ++ talloc_free(state->ar); /* Avoid spiking memory with many groups */ + +- if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) { +- ret = get_dp_id_data_for_uuid(state, ipa_uuid, +- state->user_dom->name, &state->ar); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); +- return ret; +- } +- } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) { +- ret = get_dp_id_data_for_sid(state, ipa_uuid, +- state->user_dom->name, &state->ar); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); +- return ret; ++ if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) { ++ ret = get_dp_id_data_for_uuid(state, ipa_uuid, ++ state->user_dom->name, &state->ar); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); ++ return ret; ++ } ++ } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) { ++ ret = get_dp_id_data_for_sid(state, ipa_uuid, ++ state->user_dom->name, &state->ar); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); ++ return ret; ++ } ++ } else { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n", ++ 
state->groups_id_attr); ++ return EINVAL; + } +- } else { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n", +- state->groups_id_attr); +- return EINVAL; +- } + +- DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s\n", ipa_uuid); ++ DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s: %s\n", dn, ipa_uuid); + +- subreq = ipa_get_ad_override_send(state, state->ev, +- state->ipa_ctx->sdap_id_ctx, +- state->ipa_ctx->ipa_options, +- state->realm, +- state->ipa_ctx->view_name, +- state->ar); +- if (subreq == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n"); +- return ENOMEM; ++ subreq = ipa_get_ad_override_send(state, state->ev, ++ state->ipa_ctx->sdap_id_ctx, ++ state->ipa_ctx->ipa_options, ++ state->realm, ++ state->ipa_ctx->view_name, ++ state->ar); ++ if (subreq == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n"); ++ return ENOMEM; ++ } ++ tevent_req_set_callback(subreq, ++ ipa_initgr_get_overrides_override_done, req); ++ return EAGAIN; + } +- tevent_req_set_callback(subreq, +- ipa_initgr_get_overrides_override_done, req); +- return EAGAIN; ++ ++ return EOK; + } + + static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq) +diff --git a/src/tests/system/tests/test_trust_identity.py b/src/tests/system/tests/test_trust_identity.py +new file mode 100644 +index 000000000..9076b8724 +--- /dev/null ++++ b/src/tests/system/tests/test_trust_identity.py +@@ -0,0 +1,61 @@ ++""" ++Identity of trusted users and groups. 
++ ++:requirement: IDM-SSSD-REQ: Testing SSSD in IPA Provider ++""" ++ ++from __future__ import annotations ++ ++import pytest ++from sssd_test_framework.roles.generic import GenericADProvider ++from sssd_test_framework.roles.ipa import IPA ++from sssd_test_framework.topology import KnownTopologyGroup ++ ++ ++@pytest.mark.importance("low") ++@pytest.mark.ticket(jira="RHEL-3925", gh=6942) ++@pytest.mark.topology(KnownTopologyGroup.IPATrust) ++def test_trust_identity__group_without_sid(ipa: IPA, trusted: GenericADProvider): ++ """ ++ :title: Subdomain goes offline if IPA group is missing SID ++ :setup: ++ 1. Create IPA external group "external-group" and add AD user "Administrator" as a member ++ 2. Create IPA posix group "posix-group" and add "external-group" as a member ++ 3. Clear SSSD cache and logs on IPA server ++ 4. Restart SSSD on IPA server ++ :steps: ++ 1. Resolve user "Administrator@addomain" ++ 2. Expire user "Administrator@addomain" ++ 3. Resolve user "Administrator@addomain" ++ 4. Run "sssctl domain-status addomain" ++ :expectedresults: ++ 1. User is resolved and member of posix-group ++ 2. User is expired in SSSD cache ++ 3. User is resolved and member of posix-group ++ 4. 
The Active Directory domain is still online ++ :customerscenario: True ++ """ ++ username = trusted.fqn("administrator") ++ external = ipa.group("external-group").add(external=True).add_member(username) ++ ipa.group("posix-group").add(gid=5001).add_member(external) ++ ++ ipa.sssd.clear(db=True, memcache=True, logs=True) ++ ipa.sssd.restart() ++ ++ # Cache trusted user ++ result = ipa.tools.id(username) ++ assert result is not None ++ assert result.user.name == username ++ assert result.memberof("posix-group") ++ ++ # Expire the user and resolve it again, this will trigger the affected code path ++ ipa.sssctl.cache_expire(user=username) ++ result = ipa.tools.id(username) ++ assert result is not None ++ assert result.user.name == username ++ assert result.memberof("posix-group") ++ ++ # Check that SSSD did not go offline ++ status = ipa.sssctl.domain_status(trusted.domain, online=True) ++ assert "online status: offline" not in status.stdout.lower() ++ assert "online status: online" in status.stdout.lower() +-- +2.33.0 + diff --git a/backport-sss_iface-do-not-add-cli_id-to-chain-key.patch b/backport-sss_iface-do-not-add-cli_id-to-chain-key.patch new file mode 100644 index 0000000000000000000000000000000000000000..beb54ce254ce543b3a26efee092014d3870bcd80 --- /dev/null +++ b/backport-sss_iface-do-not-add-cli_id-to-chain-key.patch 
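Review bot: The missing-UUID branch in ipa_initgr_get_overrides_step() now `continue`s past the group but still logs at SSSDBG_OP_FAILURE with "... has no UUID attribute %s, error!", which reads as a failure when the commit says this is the expected case for a group whose GID is outside the sidgen range; reword it to `"The group %s has no %s attribute, skipping override lookup\n"` (and probably SSSDBG_MINOR_FAILURE) so operators are not chasing a non-error. The loop relies on ipa_initgr_get_overrides_override_done(), outside the hunk, to advance `state->group_idx` before re-entering, because `return EAGAIN` leaves the for-loop before its increment runs; a one-line comment at that return stating the contract would keep a future edit from spinning on the same group. A skipped group silently keeps whatever override data the cache already has, which is worth one debug line at the skip so the effect is visible in logs.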
@@ -0,0 +1,407 @@
+From 1e5dfc187c7659cca567d2f7d5592e72794ef13c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 4 Sep 2023 14:12:58 +0200
+Subject: [PATCH] sss_iface: do not add cli_id to chain key
+
+Otherwise we only chain identical requests from the same client
+which effectively renders chaining not functional.
+
+Resolves: https://github.com/SSSD/sssd/issues/6911
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Justin Stephenson
+
+Reference: https://github.com/SSSD/sssd/commit/1e5dfc187c7659cca567d2f7d5592e72794ef13c
+Conflict: NA
+---
+ src/sss_iface/sbus_sss_client_async.c | 12 +++----
+ src/sss_iface/sbus_sss_interface.h | 24 ++++++-------
+ src/sss_iface/sbus_sss_keygens.c | 50 +++++++++++++--------------
+ src/sss_iface/sbus_sss_keygens.h | 10 +++---
+ src/sss_iface/sss_iface.xml | 12 +++----
+ 5 files changed, 54 insertions(+), 54 deletions(-)
+
+diff --git a/src/sss_iface/sbus_sss_client_async.c b/src/sss_iface/sbus_sss_client_async.c
+index 042d1b7b3..5ca925283 100644
+--- a/src/sss_iface/sbus_sss_client_async.c
++++ b/src/sss_iface/sbus_sss_client_async.c
+@@ -1861,7 +1861,7 @@ sbus_call_dp_autofs_Enumerate_send
+ const char * arg_mapname,
+ uint32_t arg_cli_id)
+ {
+- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
++ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
+ busname, object_path, "sssd.DataProvider.Autofs", "Enumerate", arg_dp_flags, arg_mapname, arg_cli_id);
+ }
+
+@@ -1883,7 +1883,7 @@ sbus_call_dp_autofs_GetEntry_send
+ const char * arg_mapname,
+ const char * arg_entryname,
+ uint32_t arg_cli_id)
+ {
+- return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2_3,
++ return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2,
+ busname, object_path, "sssd.DataProvider.Autofs", "GetEntry", arg_dp_flags, arg_mapname, arg_entryname, arg_cli_id);
+ }
+
+@@ -1904,7 +1904,7 @@ sbus_call_dp_autofs_GetMap_send
+ const char * arg_mapname,
+ uint32_t arg_cli_id)
+ {
+- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
++ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
+ busname, object_path, "sssd.DataProvider.Autofs", "GetMap", arg_dp_flags, arg_mapname, arg_cli_id);
+ }
+
+@@ -2142,7 +2142,7 @@ sbus_call_dp_dp_getAccountDomain_send
+ const char * arg_filter,
+ uint32_t arg_cli_id)
+ {
+- return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2_3,
++ return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2,
+ busname, object_path, "sssd.dataprovider", "getAccountDomain", arg_dp_flags, arg_entry_type, arg_filter, arg_cli_id);
+ }
+
+@@ -2170,7 +2170,7 @@ sbus_call_dp_dp_getAccountInfo_send
+ const char * arg_extra,
+ uint32_t arg_cli_id)
+ {
+- return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4_5,
++ return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4,
+ busname, object_path, "sssd.dataprovider", "getAccountInfo", arg_dp_flags, arg_entry_type, arg_filter, arg_domain, arg_extra, arg_cli_id);
+ }
+
+@@ -2267,7 +2267,7 @@ sbus_call_dp_dp_resolverHandler_send
+ const char * arg_filter_value,
+ uint32_t arg_cli_id)
+ {
+- return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3_4,
++ return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3,
+ busname, object_path, "sssd.dataprovider", "resolverHandler", arg_dp_flags, arg_entry_type, arg_filter_type, arg_filter_value, arg_cli_id);
+ }
+
+diff --git a/src/sss_iface/sbus_sss_interface.h b/src/sss_iface/sbus_sss_interface.h
+index fc86c71d9..5b4d1c362 100644
+--- a/src/sss_iface/sbus_sss_interface.h
++++ b/src/sss_iface/sbus_sss_interface.h
+@@ -166,7 +166,7 @@
+ &_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
+ NULL, \
+ _sbus_sss_invoke_in_usu_out__send, \
+- _sbus_sss_key_usu_0_1_2, \
++ _sbus_sss_key_usu_0_1, \
+ (handler), (data)); \
+ })
+
+@@ -177,7 +177,7 @@
+ &_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
+ NULL, \
+ _sbus_sss_invoke_in_usu_out__send, \
+- _sbus_sss_key_usu_0_1_2, \
++ _sbus_sss_key_usu_0_1, \
+ (handler_send), (handler_recv), (data)); \
+ })
+
+@@ -188,7 +188,7 @@
+ &_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
+ NULL, \
+ _sbus_sss_invoke_in_ussu_out__send, \
+- _sbus_sss_key_ussu_0_1_2_3, \
++ _sbus_sss_key_ussu_0_1_2, \
+ (handler), (data)); \
+ })
+
+@@ -199,7 +199,7 @@
+ &_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
+ NULL, \
+ _sbus_sss_invoke_in_ussu_out__send, \
+- _sbus_sss_key_ussu_0_1_2_3, \
++ _sbus_sss_key_ussu_0_1_2, \
+ (handler_send), (handler_recv), (data)); \
+ })
+
+@@ -210,7 +210,7 @@
+ &_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
+ NULL, \
+ _sbus_sss_invoke_in_usu_out__send, \
+- _sbus_sss_key_usu_0_1_2, \
++ _sbus_sss_key_usu_0_1, \
+ (handler), (data)); \
+ })
+
+@@ -221,7 +221,7 @@
+ &_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
+ NULL, \
+ _sbus_sss_invoke_in_usu_out__send, \
+- _sbus_sss_key_usu_0_1_2, \
++ _sbus_sss_key_usu_0_1, \
+ (handler_send), (handler_recv), (data)); \
+ })
+
+@@ -522,7 +522,7 @@
+ &_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
+ NULL, \
+ _sbus_sss_invoke_in_uusu_out_qus_send, \
+- _sbus_sss_key_uusu_0_1_2_3, \
++ _sbus_sss_key_uusu_0_1_2, \
+ (handler), (data)); \
+ })
+
+@@ -533,7 +533,7 @@
+ &_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
+ NULL, \
+ _sbus_sss_invoke_in_uusu_out_qus_send, \
+- _sbus_sss_key_uusu_0_1_2_3, \
++ _sbus_sss_key_uusu_0_1_2, \
+ (handler_send), (handler_recv), (data)); \
+ })
+
+@@ -544,7 +544,7 @@
+ &_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
+ NULL, \
+ _sbus_sss_invoke_in_uusssu_out_qus_send, \
+- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
++ _sbus_sss_key_uusssu_0_1_2_3_4, \
+ (handler), (data)); \
+ })
+
+@@ -555,7 +555,7 @@
+ &_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
+ NULL, \
+ _sbus_sss_invoke_in_uusssu_out_qus_send, \
+- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
++ _sbus_sss_key_uusssu_0_1_2_3_4, \
+ (handler_send), (handler_recv), (data)); \
+ })
+
+@@ -632,7 +632,7 @@
+ &_sbus_sss_args_sssd_dataprovider_resolverHandler, \
+ NULL, \
+ _sbus_sss_invoke_in_uuusu_out_qus_send, \
+- _sbus_sss_key_uuusu_0_1_2_3_4, \
++ _sbus_sss_key_uuusu_0_1_2_3, \
+ (handler), (data)); \
+ })
+
+@@ -643,7 +643,7 @@
+ &_sbus_sss_args_sssd_dataprovider_resolverHandler, \
+ NULL, \
+ _sbus_sss_invoke_in_uuusu_out_qus_send, \
+- _sbus_sss_key_uuusu_0_1_2_3_4, \
++ _sbus_sss_key_uuusu_0_1_2_3, \
+ (handler_send), (handler_recv), (data)); \
+ })
+
+diff --git a/src/sss_iface/sbus_sss_keygens.c b/src/sss_iface/sbus_sss_keygens.c
+index 1bffc1360..0bded60f8 100644
+--- a/src/sss_iface/sbus_sss_keygens.c
++++ b/src/sss_iface/sbus_sss_keygens.c
+@@ -90,87 +90,87 @@ _sbus_sss_key_ussu_0_1
+ }
+
+ const char *
+-_sbus_sss_key_ussu_0_1_2_3
++_sbus_sss_key_ussu_0_1_2
+ (TALLOC_CTX *mem_ctx,
+ struct sbus_request *sbus_req,
+ struct _sbus_sss_invoker_args_ussu *args)
+ {
+ if (sbus_req->sender == NULL) {
+- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s",
+ sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
++ sbus_req->path, args->arg0, args->arg1, args->arg2);
+ }
+
+- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s",
+ sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
++ sbus_req->path, args->arg0, args->arg1, args->arg2);
+ }
+
+ const char *
+-_sbus_sss_key_usu_0_1_2
++_sbus_sss_key_usu_0_1
+ (TALLOC_CTX *mem_ctx,
+ struct sbus_request *sbus_req,
+ struct _sbus_sss_invoker_args_usu *args)
+ {
+ if (sbus_req->sender == NULL) {
+- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s",
+ sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2);
++ sbus_req->path, args->arg0, args->arg1);
+ }
+
+- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s",
+ sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2);
++ sbus_req->path, args->arg0, args->arg1);
+ }
+
+ const char *
+-_sbus_sss_key_uusssu_0_1_2_3_4_5
++_sbus_sss_key_uusssu_0_1_2_3_4
+ (TALLOC_CTX *mem_ctx,
+ struct sbus_request *sbus_req,
+ struct _sbus_sss_invoker_args_uusssu *args)
+ {
+ if (sbus_req->sender == NULL) {
+- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
+ sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ }
+
+- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
+ sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ }
+
+ const char *
+-_sbus_sss_key_uusu_0_1_2_3
++_sbus_sss_key_uusu_0_1_2
+ (TALLOC_CTX *mem_ctx,
+ struct sbus_request *sbus_req,
+ struct _sbus_sss_invoker_args_uusu *args)
+ {
+ if (sbus_req->sender == NULL) {
+- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
+ sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
++ sbus_req->path, args->arg0, args->arg1, args->arg2);
+ }
+
+- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
+ sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
++ sbus_req->path, args->arg0, args->arg1, args->arg2);
+ }
+
+ const char *
+-_sbus_sss_key_uuusu_0_1_2_3_4
++_sbus_sss_key_uuusu_0_1_2_3
+ (TALLOC_CTX *mem_ctx,
+ struct sbus_request *sbus_req,
+ struct _sbus_sss_invoker_args_uuusu *args)
+ {
+ if (sbus_req->sender == NULL) {
+- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
+ sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ }
+
+- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
+ sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
+- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ }
+
+diff --git a/src/sss_iface/sbus_sss_keygens.h b/src/sss_iface/sbus_sss_keygens.h
+index 8f09b46de..7e42c2c53 100644
+--- a/src/sss_iface/sbus_sss_keygens.h
++++ b/src/sss_iface/sbus_sss_keygens.h
+@@ -49,31 +49,31 
@@ _sbus_sss_key_ussu_0_1 + struct _sbus_sss_invoker_args_ussu *args); + + const char * +-_sbus_sss_key_ussu_0_1_2_3 ++_sbus_sss_key_ussu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_ussu *args); + + const char * +-_sbus_sss_key_usu_0_1_2 ++_sbus_sss_key_usu_0_1 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_usu *args); + + const char * +-_sbus_sss_key_uusssu_0_1_2_3_4_5 ++_sbus_sss_key_uusssu_0_1_2_3_4 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusssu *args); + + const char * +-_sbus_sss_key_uusu_0_1_2_3 ++_sbus_sss_key_uusu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusu *args); + + const char * +-_sbus_sss_key_uuusu_0_1_2_3_4 ++_sbus_sss_key_uuusu_0_1_2_3 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uuusu *args); +diff --git a/src/sss_iface/sss_iface.xml b/src/sss_iface/sss_iface.xml +index 6709c4e48..82c65aa0b 100644 +--- a/src/sss_iface/sss_iface.xml ++++ b/src/sss_iface/sss_iface.xml +@@ -91,18 +91,18 @@ + + + +- ++ + + + + + +- ++ + + + + +- ++ + + + +@@ -133,7 +133,7 @@ + + + +- ++ + + + +@@ -150,7 +150,7 @@ + + + +- ++ + + + +@@ -159,7 +159,7 @@ + + + +- ++ + + + +-- +2.33.0 + diff --git a/sssd.spec b/sssd.spec index 734038712096fc6abe58c426aad844fc2019e2cd..de143d26fc1d2e769e8514c7ef6ba74888d7442e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,6 +1,6 @@ Name: sssd Version: 2.6.1 -Release: 11 +Release: 12 Summary: System Security Services Daemon License: GPLv3+ and LGPLv3+ URL: https://pagure.io/SSSD/sssd/ 
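Review bot: With this change the chain key produced by the `_sbus_sss_key_*` functions in sbus_sss_keygens.c is built only from `sbus_req->sender->uid`, the message type, interface, member, path and the method arguments minus `cli_id`, so any in-flight request with the same uid and arguments now shares one reply regardless of which client issued it; that is the stated intent, but in the `sbus_req->sender == NULL` branch the key starts with a literal `-` and therefore also collapses requests from different senders with no known uid, which `cli_id` used to keep apart. It is worth confirming that these DataProvider methods are only reachable over the private bus where the sender uid is always populated, and recording the design decision with a one-line comment above the first keygen, e.g. `/* cli_id is deliberately not part of the chain key: it presumably only identifies the requesting client for logging, and chaining must span clients. */`. These .c/.h files appear to be generated from sss_iface.xml (the keygen names encode the argument indices), so the hand-patched names only survive a regeneration if the XML carries the same change; in this copy the sss_iface.xml hunk shows only bare `+`/`-` markers with its content stripped, so it should be compared against upstream 1e5dfc187c7659cca567d2f7d5592e72794ef13c before the package is built.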
@@ -36,6 +36,13 @@ Patch6026: backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch Patch6027: backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch Patch6028: backport-CONFDB-check-the-return-values.patch Patch6029: backport-UTILS-swap-order-of-seteuid-setegid.patch +Patch6030: backport-sss_iface-do-not-add-cli_id-to-chain-key.patch +Patch6031: backport-KCM-Remove-the-oldest-expired-credential-if-no-more-.patch +Patch6032: backport-Proxy-Avoid-ldb_modify-failed-error.patch +Patch6033: backport-cli-caculate-the-wait_time-in-milliseconds.patch +Patch6034: backport-dyndns-PTR-record-updates-separately.patch +Patch6035: backport-ipa-do-not-go-offline-if-group-does-not-have-SID.patch +Patch6036: backport-KCM-Display-in-the-log-the-limit-as-set-by-the-user.patch Requires: python3-sssd = %{version}-%{release} Requires: libldb @@ -543,6 +550,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Tue Nov 28 2023 wangcheng - 2.6.1-12 +- backport upstream patches + * Fri Sep 22 2023 fuanan - 2.6.1-11 - backport upstream patches