diff --git a/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch b/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
new file mode 100644
index 0000000..d747ae3
--- /dev/null
+++ b/SOURCES/0011-krb5-respect-krb5_validate-for-PAC-checks.patch
@@ -0,0 +1,124 @@
+From 72132c413a2b19fbc21120ce51698978fd926360 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 20 Sep 2022 15:37:01 +0200
+Subject: [PATCH] krb5: respect krb5_validate for PAC checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The first step of checking the PAC is the same as during the Kerberos
+ticket validation, requesting a service ticket for a service principal
+from the local keytab. By default ticket validation is enable for the
+IPA and AD provider where checking the PAC might become important. If
+ticket validation is disabled manually it is most probably because there
+are issues requesting the service ticket and fixing those is currently
+not possible.
+
+Currently when SSSD is configured to check the PAC it ignores the
+krb5_validate setting and tries to request a service ticket which would
+fail in the case ticket validation is disabled for a reason. To not
+cause regressions with this patch SSSD will skip the PAC checks if
+ticket validation is disabled.
+
+Resolves: https://github.com/SSSD/sssd/issues/6355
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit f4dffaeaef16f146fc03970f62761fc335a3c7cc)
+---
+ src/man/include/krb5_options.xml | 11 ++++++++++-
+ src/man/sssd.conf.5.xml | 13 ++++++++++---
+ src/providers/krb5/krb5_child.c | 9 ++++-----
+ src/providers/krb5/krb5_init_shared.c | 10 ++++++++++
+ 4 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/src/man/include/krb5_options.xml b/src/man/include/krb5_options.xml
+index c3292d1bb..d82be7bfa 100644
+--- a/src/man/include/krb5_options.xml
++++ b/src/man/include/krb5_options.xml
+@@ -26,7 +26,16 @@
+ keytab entry as the last entry or the only entry in the keytab file.
+ </para>
+ <para>
+- Default: false
++ Default: false (IPA and AD provider: true)
++ </para>
++ <para>
++ Please note that the ticket validation is the first step when
++ checking the PAC (see 'pac_check' in the
++ <citerefentry>
++ <refentrytitle>sssd.conf</refentrytitle>
++ <manvolnum>5</manvolnum>
++ </citerefentry> manual page for details). If ticket
++ validation is disabled the PAC checks will be skipped as well.
+ </para>
+ </listitem>
+ </varlistentry>
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 615b41550..7a9920815 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -2238,9 +2238,16 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
+ <para>
+ Apply additional checks on the PAC of the Kerberos
+ ticket which is available in Active Directory and
+- FreeIPA domains, if configured. The following
+- options can be used alone or in a comma-separated
+- list:
++ FreeIPA domains, if configured. Please note that
++ Kerberos ticket validation must be enabled to be
++ able to check the PAC, i.e. the krb5_validate option
++ must be set to 'True' which is the default for the
++ IPA and AD provider. If krb5_validate is set to
++ 'False' the PAC checks will be skipped.
++ </para>
++ <para>
++ The following options can be used alone or in a
++ comma-separated list:
+ <variablelist>
+ <varlistentry>
+ <term>no_check</term>
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 0a592da00..8727b4202 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -3866,11 +3866,10 @@ int main(int argc, const char *argv[])
+ goto done;
+ }
+
+- /* To be able to read the PAC we have to request a service ticket where we
+- * have a key to decrypt it, this is the same step we use for validating
+- * the ticket. */
+- if (cli_opts.check_pac_flags != 0) {
+- kr->validate = true;
++ if (cli_opts.check_pac_flags != 0 && !kr->validate) {
++ DEBUG(SSSDBG_IMPORTANT_INFO,
++ "PAC check is requested but krb5_validate is set to false. "
++ "PAC checks will be skipped.\n");
+ }
+
+ kerr = privileged_krb5_setup(kr, offline);
+diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
+index ee48f459b..3e6ebe2ed 100644
+--- a/src/providers/krb5/krb5_init_shared.c
++++ b/src/providers/krb5/krb5_init_shared.c
+@@ -77,6 +77,16 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
+ goto done;
+ }
+
++ if (krb5_auth_ctx->check_pac_flags != 0
++ && !dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_VALIDATE)) {
++ DEBUG(SSSDBG_IMPORTANT_INFO,
++ "PAC check is requested but krb5_validate is set to false. "
++ "PAC checks will be skipped.\n");
++ sss_log(SSS_LOG_WARNING,
++ "PAC check is requested but krb5_validate is set to false. "
++ "PAC checks will be skipped.");
++ }
++
+ ret = parse_krb5_map_user(krb5_auth_ctx,
+ dp_opt_get_cstring(krb5_auth_ctx->opts,
+ KRB5_MAP_USER),
+--
+2.37.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index b315d03..2c7473b 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -27,7 +27,7 @@
Name: sssd
Version: 2.7.3
-Release: 4%{?dist}
+Release: 4%{?dist}.1
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
@@ -44,6 +44,7 @@ Patch0007: 0007-SSSCTL-Allow-analyzer-to-work-without-SSSD-setup.patch
Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
+Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch
### Dependencies ###
@@ -1068,6 +1069,9 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
+* Fri Oct 14 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.1
+- Resolves: rhbz#2128902 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-9.1.0.z]
+
* Fri Aug 26 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4
- Related: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)