diff --git a/.gitignore b/.gitignore
index 01d0ddf..34c1a4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.2.tar.gz
+SOURCES/freeipa-4.9.6.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index 13b7ab7..ab790ce 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz
+b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
new file mode 100644
index 0000000..22f37ad
--- /dev/null
+++ b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
@@ -0,0 +1,136 @@
+From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Tue, 22 Jun 2021 14:36:51 +0200
+Subject: [PATCH] paths: add IPA_SERVER_CONF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Related: https://pagure.io/freeipa/issue/8891
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaplatform/base/paths.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 91423b332..de217d9ef 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -71,6 +71,7 @@ class BasePathNamespace:
+     IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+     IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
+     IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
++    IPA_SERVER_CONF = "/etc/ipa/server.conf"
+     DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
+     DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
+     DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
+-- 
+2.31.1
+
+From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Tue, 22 Jun 2021 14:45:49 +0200
+Subject: [PATCH] ipatests: smoke test for server debug mode.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a smoke test to make sure the server can be set in debug mode
+without issue.
+
+Related: https://pagure.io/freeipa/issue/8891
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ .../test_integration/test_installation.py     | 27 +++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 301767b8d..0c96536f0 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
+     def test_install_master(self):
+         tasks.install_master(self.master, setup_dns=False)
+ 
++    @pytest.mark.skip_if_platform(
++        "debian", reason="This test hardcodes the httpd service name"
++    )
++    def test_smoke_test_for_debug_mode(self):
++        """Test if an IPA server works in debug mode.
++        Related: https://pagure.io/freeipa/issue/8891
++
++        Note: this test hardcodes the "httpd" service name.
++        """
++
++        target_fname = paths.IPA_SERVER_CONF
++        assert not self.master.transport.file_exists(target_fname)
++
++        # set the IPA server in debug mode
++        server_conf = "[global]\ndebug=True"
++        self.master.put_file_contents(target_fname, server_conf)
++        self.master.run_command(["systemctl", "restart", "httpd"])
++
++        # smoke test in debug mode
++        tasks.kdestroy_all(self.master)
++        tasks.kinit_admin(self.master)
++        self.master.run_command(["ipa", "user-show", "admin"])
++
++        # rollback
++        self.master.run_command(["rm", target_fname])
++        self.master.run_command(["systemctl", "restart", "httpd"])
++
+     def test_schema_compat_attribute_and_tree_disable(self):
+         """Test if schema-compat-entry-attribute is set
+ 
+-- 
+2.31.1
+
+From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Wed, 23 Jun 2021 06:35:19 +0200
+Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+perf_counter_ns is only available in Python 3.7 and later.
+Define a lambda for 3.6 and lower.
+
+Fixes: https://pagure.io/freeipa/issue/8891
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/rpcserver.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index b121316bf..e612528e0 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -31,6 +31,7 @@ import os
+ import time
+ import traceback
+ from io import BytesIO
++from sys import version_info
+ from urllib.parse import parse_qs
+ from xmlrpc.client import Fault
+ 
+@@ -72,6 +73,10 @@ from requests.auth import AuthBase
+ if six.PY3:
+     unicode = str
+ 
++# time.perf_counter_ns appeared in Python 3.7.
++if version_info < (3, 7):
++    time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
++
+ logger = logging.getLogger(__name__)
+ 
+ HTTP_STATUS_SUCCESS = '200 Success'
+-- 
+2.31.1
+
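Review bot: In `test_smoke_test_for_debug_mode` the rollback (the `rm` of `paths.IPA_SERVER_CONF` and the second httpd restart) only runs if every step before it succeeds, so a failing `kinit_admin` or `ipa user-show` leaves `debug=True` in place for the remaining tests in `TestInstallMaster`. Wrapping the steps from `put_file_contents` through `user-show` in `try:` and moving the two rollback commands under `finally:` would restore the master's configuration on failure as well. Separately, the rpcserver.py hunk assigns `time.perf_counter_ns` on the stdlib module itself, which changes `time` for every module in the process on Python < 3.7. A module-local helper would contain the shim, or the comment could say so, e.g. `# Fallback for Python < 3.7; note this patches the shared time module.`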
diff --git a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
new file mode 100644
index 0000000..81b6c45
--- /dev/null
+++ b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
@@ -0,0 +1,272 @@
+From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Mon, 8 Mar 2021 18:15:50 +0100
+Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
+ services
+
+Authentication indicators should not be enforced against internal
+IPA services, since not all users of those services are able to produce
+Kerberos tickets with all the auth indicator options. This includes
+host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
+If a client that is being promoted to replica has an auth indicator
+in its host principal then the promotion is aborted.
+
+Fixes: https://pagure.io/freeipa/issue/8206
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ ipaserver/install/server/replicainstall.py | 13 ++++++++++++
+ ipaserver/plugins/host.py                  |  5 ++++-
+ ipaserver/plugins/service.py               | 24 ++++++++++++++++++++++
+ 3 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 73967a224..f1fb91036 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
+         ))
+ 
+ 
++def promotion_check_host_principal_auth_ind(conn, hostdn):
++    entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
++    if 'krbprincipalauthind' in entry:
++        raise RuntimeError(
++            "Client cannot be promoted to a replica if the host principal "
++            "has an authentication indicator set."
++        )
++
++
+ @common_cleanup
+ @preserve_enrollment_state
+ def promote_check(installer):
+@@ -956,6 +965,10 @@ def promote_check(installer):
+                                      config.master_host_name, None)
+ 
+         promotion_check_ipa_domain(conn, remote_api.env.basedn)
++        hostdn = DN(('fqdn', api.env.host),
++                    api.env.container_host,
++                    api.env.basedn)
++        promotion_check_host_principal_auth_ind(conn, hostdn)
+ 
+         # Make sure that domain fulfills minimal domain level
+         # requirement
+diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
+index eb1f8ef04..41fa933e2 100644
+--- a/ipaserver/plugins/host.py
++++ b/ipaserver/plugins/host.py
+@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
+                                      LDAPAddAttributeViaOption,
+                                      LDAPRemoveAttributeViaOption)
+ from .service import (
+-    validate_realm, normalize_principal,
++    validate_realm, validate_auth_indicator, normalize_principal,
+     set_certificate_attrs, ticket_flags_params, update_krbticketflags,
+     set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
+     rename_ipaallowedtoperform_to_ldap, revoke_certs)
+@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
+         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
+         if 'krbticketflags' in entry_attrs:
+             entry_attrs['objectclass'].append('krbticketpolicyaux')
++        validate_auth_indicator(entry_attrs)
++
+         return dn
+ 
+     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
+             if 'krbprincipalaux' not in (item.lower() for item in
+                                          entry_attrs['objectclass']):
+                 entry_attrs['objectclass'].append('krbprincipalaux')
++            validate_auth_indicator(entry_attrs)
+ 
+         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
+ 
+diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
+index 1c9347804..cfbbff3c6 100644
+--- a/ipaserver/plugins/service.py
++++ b/ipaserver/plugins/service.py
+@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
+         raise errors.RealmMismatch()
+ 
+ 
++def validate_auth_indicator(entry):
++    new_value = entry.get('krbprincipalauthind', None)
++    if not new_value:
++        return
++    # The following services are considered internal IPA services
++    # and shouldn't be allowed to have auth indicators.
++    # https://pagure.io/freeipa/issue/8206
++    pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
++    principal = kerberos.Principal(pkey)
++    server = api.Command.server_find(principal.hostname)['result']
++    if server:
++        prefixes = ("host", "cifs", "ldap", "HTTP")
++    else:
++        prefixes = ("cifs",)
++    if principal.service_name in prefixes:
++        raise errors.ValidationError(
++            name='krbprincipalauthind',
++            error=_('authentication indicators not allowed '
++                    'in service "%s"' % principal.service_name)
++        )
++
++
+ def normalize_principal(value):
+     """
+     Ensure that the name in the principal is lower-case. The realm is
+@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
+                     hostname)
+ 
+         self.obj.validate_ipakrbauthzdata(entry_attrs)
++        validate_auth_indicator(entry_attrs)
+ 
+         if not options.get('force', False):
+             # We know the host exists if we've gotten this far but we
+@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
+         assert isinstance(dn, DN)
+ 
+         self.obj.validate_ipakrbauthzdata(entry_attrs)
++        validate_auth_indicator(entry_attrs)
+ 
+         # verify certificates
+         certs = entry_attrs.get('usercertificate') or []
+-- 
+2.31.1
+
+From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Mon, 8 Mar 2021 18:20:35 +0100
+Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
+ IPA services
+
+Authentication indicators should not be added to internal IPA services,
+since this can lead to a broken IPA setup. In case a client with
+an auth indicator set in its host principal, promoting it to a replica
+should fail.
+
+Related: https://pagure.io/freeipa/issue/8206
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ .../test_replica_promotion.py                 | 38 +++++++++++++++++++
+ ipatests/test_xmlrpc/test_host_plugin.py      | 10 +++++
+ ipatests/test_xmlrpc/test_service_plugin.py   | 21 ++++++++++
+ 3 files changed, 69 insertions(+)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index 0a137dbdc..b9c56f775 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
+         assert result.returncode == 1
+         assert expected_err in result.stderr_text
+ 
++    @replicas_cleanup
++    def test_install_with_host_auth_ind_set(self):
++        """ A client shouldn't be able to be promoted if it has
++        any auth indicator set in the host principal.
++        https://pagure.io/freeipa/issue/8206
++        """
++
++        client = self.replicas[0]
++        # Configure firewall first
++        Firewall(client).enable_services(["freeipa-ldap",
++                                          "freeipa-ldaps"])
++
++        client.run_command(['ipa-client-install', '-U',
++                            '--domain', self.master.domain.name,
++                            '--realm', self.master.domain.realm,
++                            '-p', 'admin',
++                            '-w', self.master.config.admin_password,
++                            '--server', self.master.hostname,
++                            '--force-join'])
++
++        tasks.kinit_admin(client)
++
++        client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
++                            client.hostname])
++
++        res = client.run_command(['ipa-replica-install', '-U', '-w',
++                                  self.master.config.dirman_password],
++                                 raiseonerr=False)
++
++        client.run_command(['ipa', 'host-mod', '--auth-ind=',
++                            client.hostname])
++
++        expected_err = ("Client cannot be promoted to a replica if the host "
++                        "principal has an authentication indicator set.")
++        assert res.returncode == 1
++        assert expected_err in res.stderr_text
++
++
+     @replicas_cleanup
+     def test_one_command_installation(self):
+         """
+diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
+index c66bbc865..9cfde3565 100644
+--- a/ipatests/test_xmlrpc/test_host_plugin.py
++++ b/ipatests/test_xmlrpc/test_host_plugin.py
+@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
+                 error=u'An IPA master host cannot be deleted or disabled')):
+             command()
+ 
++    def test_try_add_auth_ind_master(self, this_host):
++        command = this_host.make_update_command({
++            u'krbprincipalauthind': u'radius'})
++        with raises_exact(errors.ValidationError(
++            name='krbprincipalauthind',
++            error=u'authentication indicators not allowed '
++                'in service "host"'
++        )):
++            command()
++
+ 
+ @pytest.mark.tier1
+ class TestValidation(XMLRPC_test):
+diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
+index 4c845938c..ed634a045 100644
+--- a/ipatests/test_xmlrpc/test_service_plugin.py
++++ b/ipatests/test_xmlrpc/test_service_plugin.py
+@@ -25,6 +25,7 @@ from ipalib import api, errors
+ from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
+ from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
+ from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
++from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
+ from ipatests.test_xmlrpc import objectclasses
+ from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
+ from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
+@@ -1552,6 +1553,15 @@ def indicators_host(request):
+     return tracker.make_fixture(request)
+ 
+ 
++@pytest.fixture(scope='function')
++def this_host(request):
++    """Fixture for the current master"""
++    tracker = HostTracker(name=api.env.host.partition('.')[0],
++                          fqdn=api.env.host)
++    tracker.exists = True
++    return tracker
++
++
+ @pytest.fixture(scope='function')
+ def indicators_service(request):
+     tracker = ServiceTracker(
+@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
+             expected_updates={u'krbprincipalauthind': [u'radius']}
+         )
+ 
++    def test_update_indicator_internal_service(self, this_host):
++        command = this_host.make_command('service_mod',
++                                         'ldap/' + this_host.fqdn,
++                                         **dict(krbprincipalauthind='otp'))
++        with raises_exact(errors.ValidationError(
++            name='krbprincipalauthind',
++            error=u'authentication indicators not allowed '
++                 'in service "ldap"'
++        )):
++            command()
++
+ 
+ @pytest.fixture(scope='function')
+ def managing_host(request):
+-- 
+2.31.1
+
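Review bot: In `validate_auth_indicator` the `%` formatting is applied inside the `_()` call, so the translation lookup receives the already-substituted string and cannot match a catalog entry; format after translating instead: `error=_('authentication indicators not allowed in service "%s"') % principal.service_name`. The new tests compare against the English text only, so they would not catch this. The function also has no docstring; a short one stating that it raises `errors.ValidationError` when `krbprincipalauthind` is set on host/cifs/ldap/HTTP principals of an IPA server (or on cifs elsewhere) would document the rule the code enforces. How `server_find(principal.hostname)` matches its argument is not visible here, so it is worth confirming that it cannot match a different server by partial name.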
diff --git a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
new file mode 100644
index 0000000..7934afd
--- /dev/null
+++ b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
@@ -0,0 +1,89 @@
+From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 5 Jul 2021 09:51:41 +0200
+Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
+
+The command
+ipa stageuser-add --user-auth-type=xxx
+is currently failing because the objectclass ipauserauthtypeclass
+is missing from the created entry.
+
+There is code adding the missing objectclass in the
+pre_common_callback method of user_add, and this code should
+be common to user_add and stageuser_add. In order to avoid code
+duplication, it makes more sense to move the existing code to
+pre_common_callback of baseuser_add, that is called by both
+classes.
+
+Fixes: https://pagure.io/freeipa/issue/8909
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/plugins/baseuser.py | 3 +++
+ ipaserver/plugins/user.py     | 4 ----
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
+index ae16a978a..6035228f1 100644
+--- a/ipaserver/plugins/baseuser.py
++++ b/ipaserver/plugins/baseuser.py
+@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
+         if entry_attrs.get('ipatokenradiususername', None):
+             add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
+                                      entry_attrs, update=False)
++        if entry_attrs.get('ipauserauthtype', None):
++            add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
++                                     entry_attrs, update=False)
+ 
+     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
+         assert isinstance(dn, DN)
+diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
+index 6f7facb53..e4ee572b2 100644
+--- a/ipaserver/plugins/user.py
++++ b/ipaserver/plugins/user.py
+@@ -617,10 +617,6 @@ class user_add(baseuser_add):
+            'ipauser' not in entry_attrs['objectclass']:
+             entry_attrs['objectclass'].append('ipauser')
+ 
+-        if 'ipauserauthtype' in entry_attrs and \
+-           'ipauserauthtypeclass' not in entry_attrs['objectclass']:
+-            entry_attrs['objectclass'].append('ipauserauthtypeclass')
+-
+         rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
+         if rcl:
+             if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
+-- 
+2.31.1
+
+From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 5 Jul 2021 10:22:31 +0200
+Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
+
+Related: https://pagure.io/freeipa/issue/8909
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+index 5586fc607..bc606b093 100644
+--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
+         result = command()
+         assert result['count'] == 1
+ 
++    def test_create_withuserauthtype(self, stageduser):
++        stageduser.ensure_missing()
++        command = stageduser.make_create_command(
++            options={u'ipauserauthtype': u'password'})
++        command()
++
+ 
+ @pytest.mark.tier1
+ class TestCreateInvalidAttributes(XMLRPC_test):
+-- 
+2.31.1
+
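Review bot: `test_create_withuserauthtype` only checks that `stageuser-add` does not raise; it never inspects the result, so it would still pass if the entry were created without the requested auth type or without the `ipauserauthtypeclass` object class. Capturing the result and asserting on it would pin the behaviour the fix is about, for example `result = command()` followed by a check that `result['result']['ipauserauthtype']` holds `password` (the exact result shape should be confirmed against the tracker). The removal from `user_add` relies on its callback reaching `baseuser_add.pre_common_callback`, which the commit message states but the hunks do not show.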
diff --git a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
new file mode 100644
index 0000000..83182ce
--- /dev/null
+++ b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
@@ -0,0 +1,35 @@
+From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 7 Jul 2021 14:11:40 +0200
+Subject: [PATCH] man page: update ipa-server-upgrade.1
+
+The man page needs to clarify in which case the command needs
+to be run.
+
+Fixes: https://pagure.io/freeipa/issue/8913
+Reviewed-By: Francois Cami <fcami@redhat.com>
+---
+ install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
+index 3db19b0f1..f01e21c6b 100644
+--- a/install/tools/man/ipa-server-upgrade.1
++++ b/install/tools/man/ipa-server-upgrade.1
+@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
+ .SH "SYNOPSIS"
+ ipa\-server\-upgrade [options]
+ .SH "DESCRIPTION"
+-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
++ipa\-server\-upgrade is executed automatically to upgrade IPA server when
++the IPA packages are being updated. It is not intended to be executed by
++end\-users, unless the automatic execution reports an error. In this case,
++the administrator needs to identify and fix the issue that is causing the
++upgrade failure (with the help of /var/log/ipaupgrade.log)
++and manually re\-run ipa\-server\-upgrade.
+ 
+ ipa\-server\-upgrade will:
+ 
+-- 
+2.31.1
+
diff --git a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
new file mode 100644
index 0000000..069d106
--- /dev/null
+++ b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
@@ -0,0 +1,69 @@
+From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 12 Jul 2021 11:02:10 -0400
+Subject: [PATCH] Fall back to krbprincipalname when validating host auth
+ indicators
+
+When adding a new host the principal cannot be determined because it
+relies on either:
+
+a) an entry to already exist
+b) krbprincipalname be a component of the dn
+
+As a result the full dn is being passed into ipapython.Kerberos
+which can't parse it.
+
+Look into the entry in validate_validate_auth_indicator() for
+krbprincipalname in this case.
+
+https://pagure.io/freeipa/issue/8206
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/plugins/service.py             |  5 +++++
+ ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
+index cfbbff3c6..498f5e444 100644
+--- a/ipaserver/plugins/service.py
++++ b/ipaserver/plugins/service.py
+@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
+     # and shouldn't be allowed to have auth indicators.
+     # https://pagure.io/freeipa/issue/8206
+     pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
++    if pkey == str(entry.dn):
++        # krbcanonicalname may not be set yet if this is a host entry,
++        # try krbprincipalname
++        if 'krbprincipalname' in entry:
++            pkey = entry['krbprincipalname']
+     principal = kerberos.Principal(pkey)
+     server = api.Command.server_find(principal.hostname)['result']
+     if server:
+diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
+index 9cfde3565..ff50e796c 100644
+--- a/ipatests/test_xmlrpc/test_host_plugin.py
++++ b/ipatests/test_xmlrpc/test_host_plugin.py
+@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
+         )):
+             command()
+ 
++    def test_add_non_master_with_auth_ind(self, host5):
++        host5.ensure_missing()
++        command = host5.make_command(
++            'host_add', host5.fqdn, krbprincipalauthind=['radius'],
++            force=True
++        )
++        result = command()
++        # The fact that the command succeeds exercises the change but
++        # let's check the indicator as well.
++        assert result['result']['krbprincipalauthind'] == ('radius',)
++
+ 
+ @pytest.mark.tier1
+ class TestValidation(XMLRPC_test):
+-- 
+2.31.1
+
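Review bot: When the entry has no `krbprincipalname`, the added fallback in `validate_auth_indicator` leaves `pkey` equal to the full DN, which then still reaches `kerberos.Principal(pkey)`, the same unparseable input the commit message describes. Handling that branch explicitly would make the failure intentional rather than a parser error, and the two nested `if` statements can be merged into `if pkey == str(entry.dn) and 'krbprincipalname' in entry:`. It is also worth confirming that `entry['krbprincipalname']` yields a single string rather than a list of values before it is passed to `kerberos.Principal`; that is not visible here. The function body starts outside the hunk.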
diff --git a/SOURCES/freeipa-4.9.2.tar.gz.asc b/SOURCES/freeipa-4.9.2.tar.gz.asc
deleted file mode 100644
index b84ced9..0000000
--- a/SOURCES/freeipa-4.9.2.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
-YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
-k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
-JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
-vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
-YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
-tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
-rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
-wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
-7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
-4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
-Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
-=XC/f
------END PGP SIGNATURE-----
diff --git a/SOURCES/freeipa-4.9.6.tar.gz.asc b/SOURCES/freeipa-4.9.6.tar.gz.asc
new file mode 100644
index 0000000..f71d351
--- /dev/null
+++ b/SOURCES/freeipa-4.9.6.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=TQFs
+-----END PGP SIGNATURE-----
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 784cd9a..9b6f2eb 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -2,7 +2,7 @@
 %bcond_without ipatests
 # default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
 # On RHEL 8 we should use --with ipa_join_xml
-%bcond_without ipa_join_xml
+%bcond_with ipa_join_xml
 
 # Linting is disabled by default, needed for upstream testing
 %bcond_with lint
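Review bot: The comment on the line above says RHEL 8 should build with `ipa_join_xml`, yet `%bcond_with ipa_join_xml` leaves the option off unless the build passes `--with ipa_join_xml`; the previous `%bcond_without` had it on by default. This spec carries RHEL-only patches, so if nothing in the build configuration passes that flag (not visible here), the default behaviour changes with this commit. Either keep the default enabled for RHEL or update the comment to state the requirement, e.g. `# RHEL 8 builds must pass --with ipa_join_xml explicitly`.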
@@ -49,9 +49,9 @@
 # lint is not executed during rpmbuild
 # %%global with_lint 1
 %if %{with lint}
-    %global linter_options --enable-pylint --with-jslint
+    %global linter_options --enable-pylint --without-jslint --enable-rpmlint
 %else
-    %global linter_options --disable-pylint --without-jslint
+    %global linter_options --disable-pylint --without-jslint --disable-rpmlint
 %endif
 
 # Include SELinux subpackage
@@ -73,10 +73,13 @@
 %global selinux_policy_version 3.14.3-52
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
-# python3-lib389
-# Fix for "Installation fails: Replica Busy"
-# https://pagure.io/389-ds-base/issue/49818
-%global ds_version 1.4.2.4-6
+%if 0%{?rhel} < 9
+# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
+%global ds_version 1.4.3.16-12
+%else
+%global ds_version 2.0.3-3
+%endif
+
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
 %global bind_version 9.11.20-6
@@ -101,9 +104,13 @@
 
 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
 %global python_ldap_version 3.1.0-1
-# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
-# https://pagure.io/freeipa/issue/8515
-%global ds_version 1.4.3
+
+# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609
+%if 0%{?fedora} < 34
+%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
+%else
+%global ds_version 2.0.4-1
+%endif
 
 # Fix for TLS 1.3 PHA, RHBZ#1775146
 %global httpd_version 2.4.41-9
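Review bot: The Lua table in the `ds_version` lookup has entries only for Fedora 32 and 33, so for any other value that satisfies `0%{?fedora} < 34` the lookup yields `nil` and `print` emits the literal text `nil` as the version. Whether this branch can be reached with `%{fedora}` undefined or below 32 depends on conditionals outside the hunk. A guard such as `%{error:unsupported Fedora release}` for the missing case, or a comment stating that only F32/F33 reach this line, would make the failure explicit instead of producing a `389-ds-base >= nil` requirement.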
@@ -126,13 +133,11 @@
 %endif
 
 %if 0%{?rhel} == 8
-# PKIConnection has been modified to always validate certs.
-# https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
 %else
-# New KRA profile, ACME support
-# https://pagure.io/freeipa/issue/8545
-%global pki_version 10.10.0-2
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
 %endif
 
 # RHEL 8.3+, F32+ has 0.79.13
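Review bot: Both branches of the `%if 0%{?rhel} == 8` conditional now set `pki_version` to `10.10.5` under the same comment, so the conditional no longer selects anything. Collapsing it to a single `%global pki_version 10.10.5` beneath one comment removes the duplication. If the two branches are kept on purpose to ease future divergence, a short comment saying so would help the next maintainer.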
@@ -155,6 +160,16 @@
 %global systemd_version 239
 %endif
 
+# augeas support for new chrony options
+# see https://pagure.io/freeipa/issue/8676
+# Note: will need to be updated for RHEL9 when a fix is available for
+# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
+%if 0%{?fedora} >= 33
+%global augeas_version 1.12.0-6
+%else
+%global augeas_version 1.12.0-3
+%endif
+
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
@@ -163,7 +178,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.2
+%define IPA_VERSION 4.9.6
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -176,7 +191,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        3%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -196,12 +211,16 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
+Patch0001:      0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
+Patch0002:      0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
+Patch0003:      0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
+Patch0004:      0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
+Patch0005:      0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
 # RHEL spec file only: END
 
-
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
 
@@ -305,7 +324,10 @@ BuildRequires: python3-m2r
 #
 %if %{with lint}
 BuildRequires:  git
+%if 0%{?fedora} < 34
+# jsl is orphaned in Fedora 34+
 BuildRequires:  jsl
+%endif
 BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
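Review bot: `%if 0%{?fedora} < 34` is also true on non-Fedora builds, because `0%{?fedora}` expands to `0` when the macro is undefined, so `jsl` remains a build requirement on RHEL whenever lint is enabled. If that is intended, the comment should say so, e.g. `# jsl is orphaned in Fedora 34+; still required elsewhere`. If jsl should be pulled in only on older Fedora, the guard needs to be `%if 0%{?fedora} && 0%{?fedora} < 34`. The `%if %{with lint}` block continues past the end of the hunk.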
@@ -337,12 +359,8 @@ BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-pycodestyle
-%if 0%{?fedora} || 0%{?rhel} > 8
-# https://bugzilla.redhat.com/show_bug.cgi?id=1648299
-BuildRequires:  python3-pylint >= 2.1.1-2
-%else
-BuildRequires:  python3-pylint >= 1.7
-%endif
+# .wheelconstraints.in limits pylint version in Azure and tox tests
+BuildRequires:  python3-pylint
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-qrcode-core >= 5.0.0
@@ -429,7 +447,12 @@ Requires(pre): certmonger >= %{certmonger_version}
 Requires(pre): 389-ds-base >= %{ds_version}
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
+%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
+# https://pagure.io/freeipa/issue/8632
+Requires: openssl > 1.1.1i
+%else
 Requires: openssl
+%endif
 Requires: softhsm >= 2.0.0rc1-1
 Requires: p11-kit
 Requires: %{etc_systemd_dir}
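Review bot: The floor `openssl > 1.1.1i` is enforced only for Fedora 32+ and RHEL 9+, while the `%else` branch keeps an unversioned `Requires: openssl`, and the only explanation is an issue URL. The comment should state what the floor guards against and why the other branch needs none, for example `# openssl newer than 1.1.1i needed for <reason from issue 8632>; older-release openssl not affected`, assuming that is the case. Without it a reader cannot tell whether the unversioned branch was checked or simply left as it was.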
@@ -481,6 +504,7 @@ Requires: %{name}-common = %{version}-%{release}
 # we need pre-requires since earlier versions may break upgrade
 Requires(pre): python3-ldap >= %{python_ldap_version}
 Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
 Requires: python3-custodia >= 0.3.1
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
@@ -516,8 +540,8 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
 Requires: systemd-units >= %{systemd_version}
 Requires: custodia >= 0.3.1
-%if 0%{?rhel} >= 8
-Requires: redhat-logos-ipa >= 80.4
+%if 0%{?rhel} >= 8 && ! 0%{?eln}
+Requires: system-logos-ipa >= 80.4
 %endif
 
 Provides: %{alt_name}-server-common = %{version}
@@ -571,6 +595,7 @@ Requires: %{name}-common = %{version}-%{release}
 
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
+Requires: sssd-winbind-idmap
 Requires: libsss_idmap
 %if 0%{?rhel}
 Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
@@ -635,6 +660,11 @@ Requires: nfs-utils
 Requires: sssd-tools >= %{sssd_version}
 Requires(post): policycoreutils
 
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
 Provides: %{alt_name}-client = %{version}
 Conflicts: %{alt_name}-client
 Obsoletes: %{alt_name}-client < %{version}
@@ -699,6 +729,7 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
 Requires: python3-dns >= 1.15
 Requires: python3-jinja2
 
@@ -793,7 +824,7 @@ Requires: python3-requests
 Requires: python3-six
 Requires: python3-sss-murmur
 Requires: python3-yubico >= 1.3.2-7
-%if 0%{?rhel} && 0%{?rhel} >= 8
+%if 0%{?rhel} && 0%{?rhel} == 8
 Requires: platform-python-setuptools
 %else
 Requires: python3-setuptools
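Review bot: In `%if 0%{?rhel} && 0%{?rhel} == 8` the first operand is redundant, since `0%{?rhel} == 8` is already false when the macro is undefined. Writing it as `%if 0%{?rhel} == 8` would match the form already used for the `pki_version` conditional in this spec.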
@@ -1670,6 +1701,57 @@ fi
 
 
 %changelog
+* Thu Jul 15 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-3
+- man page: update ipa-server-upgrade.1
+  Resolves: RHBZ#1973273
+- Fall back to krbprincipalname when validating host auth indicators
+  Resolves: RHBZ#1979625
+- Add dependency for sssd-winbind-idmap to server-trust-ad
+  Resolves: RHBZ#1982211
+
+* Thu Jul  8 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-2
+- IPA server in debug mode fails to run because time.perf_counter_ns is
+  Python 3.7+
+  Resolves: RHBZ#1974822
+- Add checks to prevent assigning authentication indicators to internal IPA
+  services
+  Resolves: RHBZ#1979625
+- Unable to set ipaUserAuthType with stageuser-add
+  Resolves: RHBZ#1979605
+
+* Thu Jul  1 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-1
+- Upstream release FreeIPA 4.9.6
+  Related: RHBZ#1945038
+- Revise PKINIT upgrade code
+  Resolves: RHBZ#1886837
+- ipa-cert-fix man page: add note about certmonger renewal
+  Resolves: RHBZ#1780317
+- Certificate Serial Number issue
+  Resolves: RHBZ#1919384
+
+* Mon Jun 14 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.5-1
+- Upstream release FreeIPA 4.9.5
+  Related: RHBZ#1945038
+- IPA to allow setting a new range type
+  Resolves: RHBZ#1688267
+- ipa-server-install displays debug output when --debug output is not
+  specified.
+  Resolves: RHBZ#1943151
+- ACME fails to generate a cert on migrated RHEL8.4 server
+  Resolves: RHBZ#1934991
+- Switch ipa-client to use the JSON API
+  Resolves: RHBZ#1937856
+- IDM - Allow specifying permanent logging settings for BIND
+  Resolves: RHBZ#1951511
+- Cache LDAP data within a request
+  Resolves: RHBZ#1953656
+- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
+  Resolves: RHBZ#1957768
+
+* Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
+- Upstream release FreeIPA 4.9.3
+  Resolves: RHBZ#1945038
+
 * Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
 - Upstream release FreeIPA 4.9.2
   Related: RHBZ#1891832