diff --git a/SOURCES/0009-ad-add-required-cn-attribute-to-subdomain-object.patch b/SOURCES/0009-ad-add-required-cn-attribute-to-subdomain-object.patch
new file mode 100644
index 0000000..2ff9888
--- /dev/null
+++ b/SOURCES/0009-ad-add-required-cn-attribute-to-subdomain-object.patch
@@ -0,0 +1,42 @@
+From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 16 Dec 2021 11:14:18 +0100
+Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the forest root is not part of the return trusted domain objects
+from the local domain controller we generate an object for further
+processing. During this processing it is expected that the 'cn'
+attribute is set and contains the name of the forest root. So far this
+attribute was missing and it is now added by this patch.
+
+Resolves: https://github.com/SSSD/sssd/issues/5926
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/providers/ad/ad_subdomains.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 0353de76f..0c3f8ac31 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
+         goto done;
+     }
+ 
++    ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
++                                 state->forest);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
++        goto done;
++    }
++
+     err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
+                                    &id_val.data, &id_val.length);
+     if (err != IDMAP_SUCCESS) {
+-- 
+2.26.3
+
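Review bot: The new failure branch in ad_check_root_domain_done() logs only a fixed string, so when sysdb_attrs_add_string() fails the debug log does not record which error it was. I would include the code, e.g. `DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed [%d]: %s.\n", ret, sss_strerror(ret));`. The call also passes `state->forest` without a visible NULL check; whether it can be unset on this path is not shown, because the function starts and ends outside the hunk, so that is worth confirming against the code that fills `state`. A short comment above the call, such as `/* the generated forest root object needs 'cn' for later processing */`, would keep the reason from the commit message next to the code.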
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index d947ab6..8aeedd5 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -19,7 +19,7 @@
 
 Name: sssd
 Version: 2.5.2
-Release: 2%{?dist}.3
+Release: 2%{?dist}.4
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -35,6 +35,7 @@ Patch0005: 0005-MONITOR-reduce-logs-severity-around-signalling-and-t.patch
 Patch0006: 0006-DEBUG-avoid-backtrace-dups.patch
 Patch0007: 0007-cache_req-cache_first-fix-for-fully-qualified-names.patch
 Patch0008: 0008-utils-ignore-systemd-and-sd-pam-process-in-get_activ.patch
+Patch0009: 0009-ad-add-required-cn-attribute-to-subdomain-object.patch
 
 ### Downstream Patches ###
 
@@ -87,6 +88,7 @@ BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
 BuildRequires: krb5-devel
+BuildRequires: krb5-libs >= 1.18.2-11
 BuildRequires: c-ares-devel
 BuildRequires: python3-devel
 BuildRequires: check-devel
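Review bot: The versioned `krb5-libs >= 1.18.2-11` dependency has no comment explaining why the floor exists, either here in BuildRequires or on the sssd-kcm `Requires:` line added in the later hunk. The changelog entry links it to rhbz#2030651 and the `krb5_unmarshal_credentials` symbol, but nothing beside the dependency lines does, so a later rebase could drop or loosen the constraint without noticing. I would add `# sssd-kcm needs krb5_unmarshal_credentials(), see rhbz#2030651` above both lines. The neighbouring `krb5-devel` BuildRequires is still unversioned; if the build root can pair an older krb5-devel with this krb5-libs, that is worth checking too.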
@@ -535,6 +537,7 @@ Summary: An implementation of a Kerberos KCM server
 Group:  Applications/System
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
+Requires: krb5-libs >= 1.18.2-11
 %{?systemd_requires}
 
 %description kcm
@@ -1151,6 +1154,10 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.4
+- Resolves: rhbz#2030651 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries [rhel-8.5.0.z]
+- Resolves: rhbz#2035285 - AD Domain in the AD Forest Missing after sssd latest update [rhel-8.5.0.z]
+
 * Tue Dec 07 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.3
 - Resolves: rhbz#2028828 - pam responder does not call initgroups to refresh the user entry [rhel-8.5.0.z]