diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000000000000000000000000000000000..0a80fdce31f59c062e2abba28776e9521eddff30 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.gz filter=lfs diff=lfs merge=lfs -text diff --git a/.lfsconfig b/.lfsconfig new file mode 100644 index 0000000000000000000000000000000000000000..57403f1800febf0f295fe2af38339d1ca113e5b1 --- /dev/null +++ b/.lfsconfig @@ -0,0 +1,2 @@ +[lfs] + url = https://artlfs.openeuler.openatom.cn/src-openEuler/sssd diff --git a/backport-Make-sure-invalid-krb5-context-is-not-used.patch b/backport-Make-sure-invalid-krb5-context-is-not-used.patch deleted file mode 100644 index 1d874e0196534f634af9f2319d9bf39dc830865b..0000000000000000000000000000000000000000 --- a/backport-Make-sure-invalid-krb5-context-is-not-used.patch +++ /dev/null @@ -1,33 +0,0 @@ -From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 21 Nov 2024 09:23:36 +0100 -Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used - - 2.9.4 - -Resolves: https://github.com/SSSD/sssd/issues/7715 ---- - src/util/sss_krb5.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c -index 3f57e5b268f..0b83142ddfc 100644 ---- a/src/util/sss_krb5.c -+++ b/src/util/sss_krb5.c -@@ -140,6 +140,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, - - kerr = sss_krb5_init_context(&krb_ctx); - if (kerr) { -+ krb_ctx = NULL; - error_message = "Failed to init Kerberos context"; - ret = EFAULT; - goto done; -@@ -269,7 +270,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, - } - - done: -- if (ret != EOK) { -+ if (ret != EOK && krb_ctx != NULL) { - DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n", - sss_printable_keytab_name(krb_ctx, keytab_name), - (error_message ? error_message : sss_strerror(ret))); - 
diff --git a/backport-add-option-for-dp_opt_dyndns_refresh_offset.patch b/backport-add-option-for-dp_opt_dyndns_refresh_offset.patch deleted file mode 100644 index 14cb358c4c3a9eda124fca1a0a8b4537f9ca34d2..0000000000000000000000000000000000000000 --- a/backport-add-option-for-dp_opt_dyndns_refresh_offset.patch +++ /dev/null @@ -1,28 +0,0 @@ -From ee51f604ad0d32e8e25451909114fb4870f65f3f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= -Date: Thu, 14 Nov 2024 17:27:49 +0100 -Subject: [PATCH] OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET - -The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in -https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55 -but the corresponding option is missing in -https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200 - -This error was introduced by -https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5 ---- - src/providers/be_dyndns.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c -index 2c655ef1eeb..5d0f5111977 100644 ---- a/src/providers/be_dyndns.c -+++ b/src/providers/be_dyndns.c -@@ -1200,6 +1200,7 @@ static struct dp_option default_dyndns_opts[] = { - { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, -+ { "dyndns_refresh_interval_offset", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, - { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER }, - { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE }, 
diff --git a/backport-fix-Missing-dns_update_per_family-option.patch b/backport-fix-Missing-dns_update_per_family-option.patch deleted file mode 100644 index 1366ebc9b6c19a0b30e6625308e9962ef868b2b3..0000000000000000000000000000000000000000 --- a/backport-fix-Missing-dns_update_per_family-option.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From a822206c7859b5f39af2b2ea1b117850a0589e3c Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 21 Oct 2024 16:31:38 +0200 -Subject: [PATCH] Missing 'dns_update_per_family' option - -This update fixes missing 'dns_update_per_family' option in python code -and config files. - -Reviewed-by: Alexey Tikhonov ---- - src/config/SSSDConfig/sssdoptions.py | 2 ++ - src/config/SSSDConfigTest.py | 2 ++ - src/config/cfg_rules.ini | 1 + - src/config/etc/sssd.api.conf | 1 + - 4 files changed, 6 insertions(+) - -diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py -index affe2e52918..7eed403e4bd 100644 ---- a/src/config/SSSDConfig/sssdoptions.py -+++ b/src/config/SSSDConfig/sssdoptions.py -@@ -197,6 +197,8 @@ def __init__(self): - 'refresh_expired_interval': _('How often should expired entries be refreshed in background'), - 'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"), - 'dyndns_update': _("Whether to automatically update the client's DNS entry"), -+ 'dyndns_update_per_family': _('Whether DNS update of A and AAAA record should be performed ' -+ 'in one update or in two separate updates'), - 'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"), - 'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"), - 'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"), -diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py -index bc398cc8b8e..1ce4637eda7 100755 ---- a/src/config/SSSDConfigTest.py -+++ b/src/config/SSSDConfigTest.py -@@ -558,6 +558,7 @@ def testListOptions(self): - 'dns_discovery_domain', - 'failover_primary_timeout', - 'dyndns_update', -+ 'dyndns_update_per_family', - 'dyndns_ttl', - 'dyndns_iface', - 'dyndns_refresh_interval', -@@ -919,6 +920,7 @@ def testRemoveProvider(self): - 'dns_discovery_domain', - 'failover_primary_timeout', - 
'dyndns_update', -+ 'dyndns_update_per_family', - 'dyndns_ttl', - 'dyndns_iface', - 'dyndns_refresh_interval', -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index b33cd876b95..950eae630fb 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -433,6 +433,7 @@ option = refresh_expired_interval_offset - - # Dynamic DNS updates - option = dyndns_update -+option = dyndns_update_per_family - option = dyndns_ttl - option = dyndns_iface - option = dyndns_refresh_interval -diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf -index b5d42afbb1e..4377a1fc571 100644 ---- a/src/config/etc/sssd.api.conf -+++ b/src/config/etc/sssd.api.conf -@@ -207,6 +207,7 @@ refresh_expired_interval_offset = int, None, false - - # Dynamic DNS updates - dyndns_update = bool, None, false -+dyndns_update_per_family = bool, None, false - dyndns_ttl = int, None, false - dyndns_iface = str, None, false - dyndns_refresh_interval = int, None, false diff --git a/backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch b/backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch deleted file mode 100644 index bb15c7cca8587277979dd5e94577882eff9a9ff1..0000000000000000000000000000000000000000 --- a/backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From d004e7b4b977da3dd9f1d3de910c28c093a6fb26 Mon Sep 17 00:00:00 2001 -From: santeri3700 -Date: Tue, 15 Oct 2024 20:13:20 +0300 -Subject: [PATCH] ad: honor ad_use_ldaps setting with ad_machine_pw_renewal - -The value of ad_use_ldaps was not passed as `--use-ldaps` -argument to the adcli update command which handles -the automatic renewal of AD machine account password. - -Resolves: https://github.com/SSSD/sssd/issues/7642 - -Signed-off-by: santeri3700 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Sumit Bose ---- - src/providers/ad/ad_machine_pw_renewal.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c -index 56b64a2a955..2e54e9bff0d 100644 ---- a/src/providers/ad/ad_machine_pw_renewal.c -+++ b/src/providers/ad/ad_machine_pw_renewal.c -@@ -39,6 +39,7 @@ struct renewal_data { - static errno_t get_adcli_extra_args(const char *ad_domain, - const char *ad_hostname, - const char *ad_keytab, -+ bool ad_use_ldaps, - size_t pw_lifetime_in_days, - bool add_samba_data, - size_t period, -@@ -59,7 +60,7 @@ static errno_t get_adcli_extra_args(const char *ad_domain, - return ENOMEM; - } - -- args = talloc_array(renewal_data, const char *, 9); -+ args = talloc_array(renewal_data, const char *, 10); - if (args == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); - return ENOMEM; -@@ -79,6 +80,9 @@ static errno_t get_adcli_extra_args(const char *ad_domain, - args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab); - } - args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain); -+ if (ad_use_ldaps) { -+ args[c++] = talloc_strdup(args, "--use-ldaps"); -+ } - if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) { - args[c++] = talloc_strdup(args, "--verbose"); - } -@@ -390,6 +394,7 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, - dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME), - 
dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic, - SDAP_KRB5_KEYTAB), -+ dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS), - lifetime, - dp_opt_get_bool(ad_opts->basic, - AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD), diff --git a/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch b/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch deleted file mode 100644 index d33cda0c445d9bf0e9c5d584013fe841a9b31fae..0000000000000000000000000000000000000000 --- a/backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From fce94aec3f335cbe33c509b14e389b9df0748744 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 21 Nov 2024 09:16:09 +0100 -Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: https://github.com/SSSD/sssd/issues/7715 - -Reviewed-by: Alejandro López -Reviewed-by: Alexey Tikhonov ---- - src/util/sss_krb5.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c -index aa3b5b96e..6b6dd2069 100644 ---- a/src/util/sss_krb5.c -+++ b/src/util/sss_krb5.c -@@ -45,6 +45,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name) - return keytab_name; - } - -+ if (ctx == NULL) { -+ return "-unknown-"; -+ } -+ - if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) { - return "-default keytab-"; - } -@@ -1122,8 +1126,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) - { - krb5_error_code kerr; - const char *msg; -+ krb5_context ctx; - -- kerr = krb5_init_context(context); -+ kerr = krb5_init_context(&ctx); - if (kerr != 0) { - /* It is safe to call (sss_)krb5_get_error_message() with NULL as first - * argument. */ -@@ -1132,6 +1137,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context) - "Failed to init Kerberos context [%s]\n", msg); - sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg); - sss_krb5_free_error_message(NULL, msg); -+ } else { -+ *context = ctx; - } - - return kerr; --- -2.43.0 - diff --git a/backport-mistype-fix.patch b/backport-mistype-fix.patch deleted file mode 100644 index d56bdf11808f2a7fd3c5f9de8e0f6ff665d7aaf7..0000000000000000000000000000000000000000 --- a/backport-mistype-fix.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Mon, 2 Sep 2024 21:04:34 +0200 -Subject: [PATCH] TOOLS: mistype fix -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Iker Pedrosa -Reviewed-by: Tomáš Halman ---- - src/tools/sssctl/sssctl_data.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c -index 79e12078e4b..43b9814eaf0 100644 ---- a/src/tools/sssctl/sssctl_data.c -+++ b/src/tools/sssctl/sssctl_data.c -@@ -168,7 +168,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) - } - } - -- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { -+ if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) { - ret = sssctl_run_command((const char *[]){"sss_override", "group-import", - SSS_BACKUP_GROUP_OVERRIDES, NULL}); - if (ret != EOK) { diff --git a/backport-test-default_dyndns_opts.patch b/backport-test-default_dyndns_opts.patch deleted file mode 100644 index 440e4e9b2d2cba88d59f44678cd7c0a3fefa9994..0000000000000000000000000000000000000000 --- a/backport-test-default_dyndns_opts.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 181b8e90e9a32f33cf75652864fbf0fe4d9f05f0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= -Date: Thu, 14 Nov 2024 18:46:44 +0100 -Subject: [PATCH] TESTS: Also test default_dyndns_opts - -Compare this structure to ipa_dyndns_opts, which is already compared -to ad_dyndns_opts. ---- - src/providers/be_dyndns.c | 2 +- - src/providers/be_dyndns.h | 1 + - src/tests/ipa_ldap_opt-tests.c | 6 ++++++ - 3 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c -index 5d0f5111977..e6fa7dfd69e 100644 ---- a/src/providers/be_dyndns.c -+++ b/src/providers/be_dyndns.c -@@ -1197,7 +1197,7 @@ be_nsupdate_check(void) - return ret; - } - --static struct dp_option default_dyndns_opts[] = { -+struct dp_option default_dyndns_opts[] = { - { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "dyndns_update_per_family", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, - { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, -diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h -index 2185fee9563..719c1394255 100644 ---- a/src/providers/be_dyndns.h -+++ b/src/providers/be_dyndns.h -@@ -63,6 +63,7 @@ enum dp_dyndns_opts { - - DP_OPT_DYNDNS /* attrs counter */ - }; -+extern struct dp_option default_dyndns_opts[DP_OPT_DYNDNS + 1]; - - #define DYNDNS_REMOVE_A 0x1 - #define DYNDNS_REMOVE_AAAA 0x2 -diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c -index a1a0e9cc6db..da990acaf9a 100644 ---- a/src/tests/ipa_ldap_opt-tests.c -+++ b/src/tests/ipa_ldap_opt-tests.c -@@ -103,6 +103,10 @@ START_TEST(test_compare_opts) - ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS, - ad_dyndns_opts); - ck_assert_msg(ret == EOK, "[%s]", strerror(ret)); -+ -+ ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS, -+ default_dyndns_opts); -+ ck_assert_msg(ret == EOK, "[%s]", strerror(ret)); - } - END_TEST - -@@ -200,6 +204,8 @@ 
START_TEST(test_dp_opt_sentinel) - - fail_unless_dp_opt_is_terminator(&default_krb5_opts[KRB5_OPTS]); - -+ fail_unless_dp_opt_is_terminator(&default_dyndns_opts[DP_OPT_DYNDNS]); -+ - fail_unless_dp_opt_is_terminator(&ad_basic_opts[AD_OPTS_BASIC]); - fail_unless_dp_opt_is_terminator(&ad_def_ldap_opts[SDAP_OPTS_BASIC]); - fail_unless_dp_opt_is_terminator(&ad_def_krb5_opts[KRB5_OPTS]); diff --git a/sssd-2.11.0-openEuler-replace-version.patch b/sssd-2.11.0-openEuler-replace-version.patch new file mode 100644 index 0000000000000000000000000000000000000000..e7bd0b72850e826e3c240e54fcaa40319397fb90 --- /dev/null +++ b/sssd-2.11.0-openEuler-replace-version.patch @@ -0,0 +1,22 @@ +--- sssd-2.11.0/src/config/setup.py.orig 2025-06-15 22:48:07.566680400 +0800 ++++ sssd-2.11.0/src/config/setup.py 2025-06-15 22:52:46.885972500 +0800 +@@ -34,7 +34,7 @@ + # X.Y.Z-alpha1 -> X.Y.Za1 + # X.Y.Z-beta1 -> X.Y.Zb1 + # X.Y.Z-rc1 -> X.Y.Zrc1 +- return version.replace('-', '').replace('alpha', 'a').replace('beta', 'b') ++ return version.replace('-', '').replace('alpha', 'a').replace('beta', 'b').replace(' (LTS)', '') + + setup( + name='SSSDConfig', +--- sssd-2.11.0/src/config/setup.py.in.orig 2025-06-15 22:48:07.566680400 +0800 ++++ sssd-2.11.0/src/config/setup.py.in 2025-06-15 22:52:46.885972500 +0800 +@@ -34,7 +34,7 @@ + # X.Y.Z-alpha1 -> X.Y.Za1 + # X.Y.Z-beta1 -> X.Y.Zb1 + # X.Y.Z-rc1 -> X.Y.Zrc1 +- return version.replace('-', '').replace('alpha', 'a').replace('beta', 'b') ++ return version.replace('-', '').replace('alpha', 'a').replace('beta', 'b').replace(' (LTS)', '') + + setup( + name='SSSDConfig', diff --git a/sssd-2.11.0.tar.gz b/sssd-2.11.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..fb59a9221342a70a6a6c3f8c8900a855e6ded6f3 --- /dev/null +++ b/sssd-2.11.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5f83ca16aa0ab38050451d0140fdd0664d3e6000d758b2ec71a8ed3e4bd20a3c +size 9253481 
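Review bot: The patched `return` in both hunks of sssd-2.11.0-openEuler-replace-version.patch now strips `' (LTS)'`, but the mapping comments directly above it (`# X.Y.Z-rc1 -> X.Y.Zrc1`) are left unchanged, so nothing in setup.py records why a version string would carry that suffix. Add one line to that comment block in both setup.py and setup.py.in, e.g. `# X.Y.Z (LTS) -> X.Y.Z`. The function containing the return starts outside the hunk.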
diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz deleted file mode 100644 index f584fd8553e65ecb0e1051a45ed49f42dc3597d3..0000000000000000000000000000000000000000 Binary files a/sssd-2.9.5.tar.gz and /dev/null differ diff --git a/sssd.spec b/sssd.spec index a27dfea0a28edeecb04e31e0bbf9642feb3162a8..b39234fcd3af5970d26d7153c284314d6213ce16 100644 --- a/sssd.spec +++ b/sssd.spec @@ -7,21 +7,15 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.9.5 -Release: 5 +Version: 2.11.0 +Release: 1 Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz +Source1: sssd.sysusers -Patch0001: backport-Make-sure-invalid-krb5-context-is-not-used.patch -Patch0002: backport-fix-Missing-dns_update_per_family-option.patch -Patch0003: backport-honor-ad_use_ldaps-setting-with-ad_machine_pw_renewal.patch -Patch0004: backport-mistype-fix.patch -Patch0005: backport-add-option-for-dp_opt_dyndns_refresh_offset.patch -Patch0006: backport-test-default_dyndns_opts.patch -Patch0007: backport-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch - +Patch0000: sssd-2.11.0-openEuler-replace-version.patch Requires: sssd-ad = %{version}-%{release} Requires: sssd-common = %{version}-%{release} Requires: sssd-ipa = %{version}-%{release} 
@@ -34,6 +28,17 @@ Suggests: python3-sssdconfig = %{version}-%{release} Suggests: sssd-dbus = %{version}-%{release} Obsoletes: python3-sssd < %{version}-%{release} +%global servicename sssd +%global sssdstatedir %{_localstatedir}/lib/sss +%global dbpath %{sssdstatedir}/db +%global keytabdir %{sssdstatedir}/keytabs +%global pipepath %{sssdstatedir}/pipes +%global mcpath %{sssdstatedir}/mc +%global pubconfpath %{sssdstatedir}/pubconf +%global gpocachepath %{sssdstatedir}/gpo_cache +%global secdbpath %{sssdstatedir}/secrets +%global deskprofilepath %{sssdstatedir}/deskprofile + BuildRequires: libtool popt-devel BuildRequires: libldb-devel BuildRequires: libini_config-devel openldap-devel pam-devel 
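Review bot: The `%global keytabdir` and `%global servicename` macros introduced here are not used consistently by the `%files` sections later in the commit: hunk @@ -693 writes `%{_libexecdir}/%{servicename}/ldap_child`, while hunks @@ -710 and @@ -721 write `%{_libexecdir}/sssd/selinux_child` and `%{_libexecdir}/sssd/proxy_child`, and `%files ipa` keeps the literal `%{_localstatedir}/lib/sss/keytabs` so `keytabdir` is defined but never used. Pick one form; with the macro block in place, `%attr(770,sssd,sssd) %dir %{keytabdir}` and `%{_libexecdir}/%{servicename}/...` everywhere keeps each path defined once. The user name `sssd` is likewise repeated literally in every `%attr(...)` and in `--with-sssd-user=sssd`; a `%global sssd_user sssd` next to these would make that a single point of change.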
@@ -48,6 +53,36 @@ BuildRequires: p11-kit-devel openssl-devel BuildRequires: chrpath dbus-devel BuildRequires: libcurl-devel libjose-devel keyutils-libs-devel krb5-devel BuildRequires: pcre2-devel libunistring libunistring-devel +BuildRequires: libcap-devel +BuildRequires: pkgconfig(check) >= 0.9.5 +BuildRequires: pkgconfig(cmocka) >= 1.0.0 +BuildRequires: pkgconfig(dbus-1) +BuildRequires: pkgconfig(dhash) >= 0.4.2 +BuildRequires: pkgconfig(ini_config) >= 1.3.0 +BuildRequires: pkgconfig(jansson) +BuildRequires: pkgconfig(jose) +BuildRequires: pkgconfig(krb5-gssapi) +BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libcares) +BuildRequires: pkgconfig(libcrypto) >= 1.0.1 +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(libnfsidmap) +BuildRequires: pkgconfig(libpcre2-8) +BuildRequires: pkgconfig(libsasl2) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(ndr_krb5pac) +BuildRequires: pkgconfig(ndr_nbt) +BuildRequires: pkgconfig(p11-kit-1) >= 0.23.3 +BuildRequires: pkgconfig(popt) +BuildRequires: pkgconfig(samba-util) +BuildRequires: pkgconfig(smbclient) +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(talloc) +BuildRequires: pkgconfig(tdb) >= 1.1.3 +BuildRequires: pkgconfig(tevent) +BuildRequires: pkgconfig(uuid) +BuildRequires: softhsm >= 2.1.0 %description Provides a set of daemons to manage access to remote directories and @@ -71,6 +106,7 @@ Requires: libsss_autofs%{?_isa} = %{version}-%{release} Requires: sssd-nfs-idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release} +%{?sysusers_requires_compat} %{?systemd_requires} Provides: libsss_sudo-devel = %{version}-%{release} Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1 
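Review bot: The new `pkgconfig(...)` BuildRequires block duplicates dependencies already declared as `-devel` packages in the context lines just above it (`libcurl-devel`/`pkgconfig(libcurl)`, `dbus-devel`/`pkgconfig(dbus-1)`, `krb5-devel`/`pkgconfig(krb5-gssapi)`, `popt-devel`/`pkgconfig(popt)`, `pcre2-devel`/`pkgconfig(libpcre2-8)`, `libjose-devel`/`pkgconfig(jose)`, and the added `libcap-devel`/`pkgconfig(libcap)`). This is harmless for the build, but keeping one spelling per dependency means the version floors (`>= 1.0.1`, `>= 0.23.3`, `>= 1.1.3`) are the only place a minimum is stated and the list stays reviewable. Either drop the older `-devel` lines that now have a `pkgconfig()` equivalent or do not add the duplicates.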
@@ -172,6 +208,7 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication License: GPL-3.0-or-later Requires: cyrus-sasl-gssapi%{?_isa} Requires: sssd-common = %{version}-%{release} +Conflicts: %{name}-krb5 < 2.11.0 %description krb5-common Provides helper processes that the LDAP and Kerberos back ends can use for 
@@ -378,36 +415,34 @@ program to handle the OAuth 2.0 Device Authorization Grant is provided. %autosetup -p1 %build - -autoreconf -ivf - %configure \ - --with-test-dir=/dev/shm \ - --with-db-path=%{_localstatedir}/lib/sss/db \ - --with-mcache-path=%{_localstatedir}/lib/sss/mc \ - --with-pipe-path=%{_localstatedir}/lib/sss/pipes \ - --with-pubconf-path=%{_localstatedir}/lib/sss/pubconf \ - --with-gpo-cache-path=%{_localstatedir}/lib/sss/gpo_cache \ - --with-init-dir=%{_initrddir} \ - --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ + --runstatedir=%{_rundir} \ + --disable-rpath \ + --disable-static \ + --enable-gss-spnego-for-zero-maxssf \ + --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ --enable-nsslibdir=%{_libdir} \ --enable-pammoddir=%{_libdir}/security \ - --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ - --disable-static \ - --disable-rpath \ + --enable-sss-default-nss-plugin \ + --enable-systemtap \ + --with-db-path=%{dbpath} \ + --with-gpo-cache-path=%{gpocachepath} \ + --with-init-dir=%{_initrddir} \ --with-initscript=systemd \ + --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ + --with-mcache-path=%{mcpath} \ + --with-pipe-path=%{pipepath} \ + --with-pubconf-path=%{pubconfpath} \ + --with-sssd-user=sssd \ --with-syslog=journald \ - --with-crypto=libcrypto \ - --without-python2-bindings \ - --enable-sss-default-nss-plugin \ - %{?with_cifs_utils_plugin_option} \ - --enable-systemtap + --with-test-dir=/dev/shm \ +%{nil} -%make_build all docs +%make_build all docs runstatedir=%{_rundir} %check export CK_TIMEOUT_MULTIPLIER=10 -make %{?_smp_mflags} check VERBOSE=yes +%make_build check VERBOSE=yes unset CK_TIMEOUT_MULTIPLIER %install 
@@ -422,7 +457,7 @@ sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate %make_install # Prepare language files -/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd +%find_lang sssd # install default sssd.conf file install -m600 src/examples/sssd-example.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf @@ -488,7 +523,6 @@ chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_iface.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_iface_sync.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_krb5_common.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_ldap_common.so -chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_semanage.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_simple.so chrpath -d $RPM_BUILD_ROOT%{_libdir}/%{name}/libsss_util.so chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sssd/p11_child @@ -516,9 +550,6 @@ chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sss_override chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sss_seed chrpath -d $RPM_BUILD_ROOT%{_sbindir}/sssctl -mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d -echo "/usr/lib64/sssd" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf - for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"` do lang=`echo $man | cut -c 1-2` @@ -592,6 +623,8 @@ do cat $subpackage.lang done +install -D -p -m 0644 %{S:1} %{buildroot}%{_sysusersdir}/sssd.conf + %files %license COPYING @@ -607,7 +640,6 @@ done %{_unitdir}/sssd-pac.socket %{_unitdir}/sssd-pac.service %{_unitdir}/sssd-pam.socket -%{_unitdir}/sssd-pam-priv.socket %{_unitdir}/sssd-pam.service %{_unitdir}/sssd-ssh.socket %{_unitdir}/sssd-ssh.service @@ -617,7 +649,7 @@ done %dir %{_libexecdir}/sssd %{_libexecdir}/sssd/sssd_be %{_libexecdir}/sssd/sssd_nss -%{_libexecdir}/sssd/sssd_pam +%attr(0750,root,sssd) %caps(cap_dac_read_search=p) %{_libexecdir}/sssd/sssd_pam %{_libexecdir}/sssd/sssd_autofs %{_libexecdir}/sssd/sssd_ssh %{_libexecdir}/sssd/sssd_sudo 
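Review bot: Hunk @@ -516 removes the `/etc/ld.so.conf.d/%{name}-%{_arch}.conf` drop-in that put `/usr/lib64/sssd` on the loader search path, while the `chrpath -d` calls on the private libraries and helpers (context in hunks @@ -488 and @@ -516) are kept and `--disable-rpath` is still passed to configure in hunk @@ -378. If that drop-in was what let the rpath-stripped binaries resolve `libsss_util.so` and the other `%{_libdir}/%{name}/libsss_*.so` objects, the daemon and helpers will fail to load after this update; check with `ldd` on `sssd_be` and `krb5_child` from the built package before merging. Whether the 2.11.0 build links those libraries with a RUNPATH of its own cannot be told from the spec, so either keep the drop-in or stop stripping the rpath, but do not do half of each.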
@@ -634,7 +666,6 @@ done %{_libdir}/%{name}/libsss_krb5_common.so %{_libdir}/%{name}/libsss_ldap_common.so %{_libdir}/%{name}/libsss_util.so -%{_libdir}/%{name}/libsss_semanage.so %{_libdir}/%{name}/libifp_iface.so %{_libdir}/%{name}/libifp_iface_sync.so %{_libdir}/%{name}/libsss_iface.so 
@@ -644,35 +675,33 @@ done %{ldb_modulesdir}/memberof.so %{_bindir}/sss_ssh_authorizedkeys +%{_bindir}/sss_ssh_knownhosts %{_bindir}/sss_ssh_knownhostsproxy %{_sbindir}/sss_cache %{_libexecdir}/sssd/sss_signal -%dir %{_localstatedir}/lib/sss +%attr(775,sssd,sssd) %dir %{sssdstatedir} %dir %{_localstatedir}/cache/krb5rcache -%attr(700,root,root) %dir %{_localstatedir}/lib/sss/db -%attr(755,root,root) %dir %{_localstatedir}/lib/sss/mc -%attr(700,root,root) %dir %{_localstatedir}/lib/sss/secrets -%attr(751,root,root) %dir %{_localstatedir}/lib/sss/deskprofile -%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{_localstatedir}/lib/sss/mc/passwd -%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{_localstatedir}/lib/sss/mc/group -%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{_localstatedir}/lib/sss/mc/initgroups -%attr(755,root,root) %dir %{_localstatedir}/lib/sss/pipes -%attr(700,root,root) %dir %{_localstatedir}/lib/sss/pipes/private -%attr(755,root,root) %dir %{_localstatedir}/lib/sss/pubconf -%attr(755,root,root) %dir %{_localstatedir}/lib/sss/gpo_cache -%attr(750,root,root) %dir %{_var}/log/%{name} -%attr(700,root,root) %dir %{_sysconfdir}/sssd -%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d -%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki -%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%attr(770,sssd,sssd) %dir %{dbpath} +%attr(775,sssd,sssd) %dir %{mcpath} +%attr(770,sssd,sssd) %dir %{secdbpath} +%attr(771,sssd,sssd) %dir %{deskprofilepath} +%attr(775,sssd,sssd) %dir %{pipepath} +%attr(770,sssd,sssd) %dir %{pipepath}/private +%attr(775,sssd,sssd) %dir %{pubconfpath} +%attr(770,sssd,sssd) %dir %{gpocachepath} +%attr(770,sssd,sssd) %dir %{_var}/log/%{name} +%attr(750,root,sssd) %dir %{_sysconfdir}/sssd +%attr(750,root,sssd) %dir %{_sysconfdir}/sssd/conf.d +%attr(750,root,sssd) %dir %{_sysconfdir}/sssd/pki +%ghost %attr(0640,root,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %dir 
%{_sysconfdir}/logrotate.d %config(noreplace) %{_sysconfdir}/logrotate.d/sssd -%config(noreplace) /etc/ld.so.conf.d/* %dir %{_sysconfdir}/rwtab.d %config(noreplace) %{_sysconfdir}/rwtab.d/sssd %dir %{_datadir}/sssd -%{_sysconfdir}/pam.d/sssd-shadowutils +%attr(775,sssd,sssd) %dir %{_rundir}/sssd +%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils %dir %{_libdir}/%{name}/conf %{_libdir}/%{name}/conf/sssd.conf @@ -686,6 +715,8 @@ done %dir %{_datadir}/systemtap/tapset %{_datadir}/systemtap/tapset/sssd.stp %{_datadir}/systemtap/tapset/sssd_functions.stp +%{_sysusersdir}/sssd.conf +%{_datadir}/polkit-1/rules.d/* %files ldap -f sssd_ldap.lang %license COPYING @@ -693,16 +724,16 @@ done %files krb5-common %license COPYING -%attr(755,root,root) %dir %{_localstatedir}/lib/sss/pubconf/krb5.include.d -%{_libexecdir}/sssd/ldap_child -%{_libexecdir}/sssd/krb5_child +%attr(775,sssd,sssd) %dir %{pubconfpath}/krb5.include.d +%attr(0750,root,sssd) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child +%attr(0750,root,sssd) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child +%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir +%dir %{_datadir}/sssd/krb5-snippets +%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir %files krb5 -f sssd_krb5.lang %license COPYING %{_libdir}/%{name}/libsss_krb5.so -%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir -%dir %{_datadir}/sssd/krb5-snippets -%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir %files common-pac %license COPYING @@ -710,9 +741,9 @@ done %files ipa -f sssd_ipa.lang %license COPYING -%attr(700,root,root) %dir %{_localstatedir}/lib/sss/keytabs +%attr(770,sssd,sssd) %dir %{_localstatedir}/lib/sss/keytabs %{_libdir}/%{name}/libsss_ipa.so -%{_libexecdir}/sssd/selinux_child +%attr(0750,root,sssd) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/sssd/selinux_child %files ad -f sssd_ad.lang %license COPYING 
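Review bot: `%ghost %attr(0640,root,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf` in hunk @@ -644 makes rpm record the path without shipping the file, yet `%install` (context in hunk @@ -422) still runs `install -m600 src/examples/sssd-example.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf`, so that copy is built and then discarded: fresh installs get no `/etc/sssd/sssd.conf`, and upgrades keep whatever exists with its mode and owner coming from the `%post` chown/chmod rather than from this `%attr`. If relying on the packaged `%{_libdir}/%{name}/conf/sssd.conf` as the default is intended, remove the `install -m600` line and say so in a comment; otherwise drop `%ghost` and keep the file packaged. The change from `0600,root,root` to `0640,root,sssd` itself is consistent with the daemon now running as `sssd`, but it would be clearer documented next to the `%post` `g+r` line that performs it on existing systems.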
@@ -721,7 +752,7 @@ done %files proxy %license COPYING -%{_libexecdir}/sssd/proxy_child +%attr(0750,root,sssd) %{_libexecdir}/sssd/proxy_child %{_libdir}/%{name}/libsss_proxy.so %files dbus -f sssd_dbus.lang @@ -841,6 +872,7 @@ done %{_unitdir}/sssd-kcm.service %files idp +%{_libdir}/%{name}/libsss_idp.so %{_libexecdir}/sssd/oidc_child %{_libdir}/%{name}/modules/sssd_krb5_idp_plugin.so %{_datadir}/sssd/krb5-snippets/sssd_enable_idp @@ -852,23 +884,36 @@ done %{_mandir}/man5/* %{_mandir}/man8/* +%pre common +%sysusers_create_compat %{S:1} + %post common %systemd_post sssd.service %systemd_post sssd-autofs.socket %systemd_post sssd-nss.socket %systemd_post sssd-pac.socket %systemd_post sssd-pam.socket -%systemd_post sssd-pam-priv.socket %systemd_post sssd-ssh.socket %systemd_post sssd-sudo.socket +%__rm -f %{mcpath}/passwd +%__rm -f %{mcpath}/group +%__rm -f %{mcpath}/initgroups +%__rm -f %{mcpath}/sid +%__rm -f %{pubconfpath}/known_hosts +%__chown -f -R root:sssd %{_sysconfdir}/sssd || true +%__chmod -f -R g+r %{_sysconfdir}/sssd || true +%__chown -f sssd:sssd %{dbpath}/* || true +%__chown -f sssd:sssd %{_var}/log/%{name}/*.log || true +%__chown -f sssd:sssd %{secdbpath}/*.ldb || true +%__chown -f -R sssd:sssd %{gpocachepath} || true + %preun common %systemd_preun sssd.service %systemd_preun sssd-autofs.socket %systemd_preun sssd-nss.socket %systemd_preun sssd-pac.socket %systemd_preun sssd-pam.socket -%systemd_preun sssd-pam-priv.socket %systemd_preun sssd-ssh.socket %systemd_preun sssd-sudo.socket @@ -877,7 +922,6 @@ done %systemd_postun_with_restart sssd-nss.socket %systemd_postun_with_restart sssd-pac.socket %systemd_postun_with_restart sssd-pam.socket -%systemd_postun_with_restart sssd-pam-priv.socket %systemd_postun_with_restart sssd-ssh.socket %systemd_postun_with_restart sssd-sudo.socket 
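Review bot: `%post common` in hunk @@ -852 re-owns `%{dbpath}/*`, the logs, `%{secdbpath}/*.ldb` and `%{gpocachepath}` to `sssd:sssd`, but nothing re-owns the contents of `%{_localstatedir}/lib/sss/keytabs` (made `770,sssd,sssd` in hunk @@ -710) or of `%{deskprofilepath}`; files the previously root-running daemon created there would presumably stay root-owned and unreadable once the service drops to `sssd`, so an upgraded IPA client may lose access to its stored trust keytabs. Please verify on an upgrade from 2.9.5, and if so add `%__chown -f -R sssd:sssd %{keytabdir} || true` in a `%post ipa` (the `keytabdir` macro exists but is unused) and the equivalent for `%{deskprofilepath}` here. The `%__chmod -f -R g+r %{_sysconfdir}/sssd || true` line also grants group `sssd` read on everything under `%{_sysconfdir}/sssd/pki`, which matches the new `%attr(750,root,sssd)` on that directory but deserves a one-line comment stating that it is deliberate.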
@@ -919,6 +963,10 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Sun Jun 15 2025 Funda Wang - 2.11.0-1 +- update to 2.11.0 +- use sssd user rather than root + * Wed Dec 18 2024 wangjiang - 2.9.5-5 - Type:bugfix - ID:NA diff --git a/sssd.sysusers b/sssd.sysusers new file mode 100644 index 0000000000000000000000000000000000000000..ee8a05d6ade6eecb3f15d3c9edc9a9a3ee185e6f --- /dev/null +++ b/sssd.sysusers @@ -0,0 +1 @@ +u sssd - "User for sssd" /run/sssd/ /sbin/nologin diff --git a/sssd.yaml b/sssd.yaml index 64abac2dff13e61a3cae7f14a032b2c7847fd171..ab20b640de944d6ec554f58a9baf67bb4d510920 100644 --- a/sssd.yaml +++ b/sssd.yaml @@ -1,4 +1,4 @@ version_control: github src_repo: SSSD/sssd -tag_prefix: ^sssd- -seperator: "_" +tag_prefix: +separator: .