diff --git a/sys-auth/sssd/files/sssd-2.10.0_beta2-fix-systemd-systemconfdir.patch b/sys-auth/sssd/files/sssd-2.10.0_beta2-fix-systemd-systemconfdir.patch
new file mode 100644
index 0000000..9959199
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.10.0_beta2-fix-systemd-systemconfdir.patch
@@ -0,0 +1,22 @@
+diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
+index c0efc3ad1..07fef0c1a 100644
+--- a/src/conf_macros.m4
++++ b/src/conf_macros.m4
+@@ -227,14 +227,14 @@ AC_DEFUN([WITH_SYSTEMD_CONF_DIR],
+   if test x"$with_systemdconfdir" != x; then
+     systemdconfdir=$with_systemdconfdir
+   else
+-    pkgconfigdir=${prefix}$($PKG_CONFIG --variable=systemdsystemconfdir systemd)
++    pkgconfigdir=$($PKG_CONFIG --variable=systemdsystemconfdir systemd)
+     if test x"$pkgconfigdir" = x; then
+       AC_MSG_ERROR([Could not detect systemd config directory])
+     fi
+-    if test "${pkgconfigdir:0:${#prefix}}" = "${prefix}"; then
++    if test "${pkgconfigdir:0:${#sysconfdir}}" = "${sysconfdir}"; then
+         systemdconfdir=${pkgconfigdir}
+     else
+-        systemdconfdir=${prefix}${pkgconfigdir}
++        systemdconfdir=${sysconfdir}${pkgconfigdir}
+     fi
+   fi
+   AC_SUBST(systemdconfdir, [$systemdconfdir/sssd.service.d])
diff --git a/sys-auth/sssd/files/sssd-2.9.7-kerberos-1-22.patch b/sys-auth/sssd/files/sssd-2.9.7-kerberos-1-22.patch
deleted file mode 100644
index 28475db..0000000
--- a/sys-auth/sssd/files/sssd-2.9.7-kerberos-1-22.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
-index 90727185b..3501b6b71 100644
---- a/src/external/pac_responder.m4
-+++ b/src/external/pac_responder.m4
-@@ -23,7 +23,8 @@ then
-         Kerberos\ 5\ release\ 1.18* | \
-         Kerberos\ 5\ release\ 1.19* | \
-         Kerberos\ 5\ release\ 1.20* | \
--        Kerberos\ 5\ release\ 1.21*)
-+        Kerberos\ 5\ release\ 1.21* | \
-+        Kerberos\ 5\ release\ 1.22*)
-             krb5_version_ok=yes
-             AC_MSG_RESULT([yes])
-             ;;
diff --git a/sys-auth/sssd/sssd-2.9.8.ebuild b/sys-auth/sssd/sssd-2.12.0.ebuild
similarity index 80%
rename from sys-auth/sssd/sssd-2.9.8.ebuild
rename to sys-auth/sssd/sssd-2.12.0.ebuild
index 7225c19..d8ff425 100644
--- a/sys-auth/sssd/sssd-2.9.8.ebuild
+++ b/sys-auth/sssd/sssd-2.12.0.ebuild
@@ -3,14 +3,16 @@
 
 EAPI=8
 
-PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
+# Ukrainian translation causes compile failure, so skip it for now
+#PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
+PLOCALES="ca de es fr ja ko pt_BR ru sv tr"
 PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
 PLOCALE_BACKUP="sv"
-PYTHON_COMPAT=( python3_{10..13} )
+PYTHON_COMPAT=( python3_{11..14} )
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sssd.asc
 
 inherit autotools linux-info multilib-minimal optfeature plocale \
-	python-single-r1 pam systemd toolchain-funcs verify-sig
+	python-single-r1 pam systemd tmpfiles udev toolchain-funcs verify-sig
 
 DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
 HOMEPAGE="https://github.com/SSSD/sssd"
@@ -26,7 +28,7 @@ fi
 
 LICENSE="GPL-3"
 SLOT="0"
-IUSE="acl doc +netlink nfsv4 nls passkey python samba selinux systemd systemtap test"
+IUSE="doc +netlink nfsv4 nls passkey python samba selinux systemd systemtap test"
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 RESTRICT="!test? ( test )"
 
@@ -43,15 +45,16 @@ DEPEND="
 	>=net-dns/bind-9.9[gssapi]
 	>=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}]
 	>=net-nds/openldap-2.4.30:=[sasl,experimental]
+	net-fs/cifs-utils[acl]
 	>=sys-apps/dbus-1.6
 	>=sys-apps/keyutils-1.5:=
+	sys-libs/libcap
 	>=sys-libs/pam-0-r1[${MULTILIB_USEDEP}]
 	>=sys-libs/talloc-2.0.7
 	>=sys-libs/tdb-1.2.9
 	>=sys-libs/tevent-0.9.16
 	virtual/ldb:=
 	virtual/libintl
-	acl? ( net-fs/cifs-utils[acl] )
 	netlink? ( dev-libs/libnl:3 )
 	nfsv4? ( >=net-fs/nfs-utils-2.3.1-r2 )
 	nls? ( >=sys-devel/gettext-0.18 )
@@ -75,18 +78,21 @@ DEPEND="
 	)
 	systemtap? ( dev-debug/systemtap )"
 RDEPEND="${DEPEND}
+	acct-user/sssd
+	acct-group/sssd
 	passkey? ( sys-apps/pcsc-lite[policykit] )
 	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )"
 DEPEND+="
 	sys-apps/shadow"
 BDEPEND="
+	acct-user/sssd
+	acct-group/sssd
+	sys-libs/libcap
 	virtual/pkgconfig
-	app-text/docbook-xml-dtd:4.4
-	>=dev-libs/libxslt-1.1.26
 	${PYTHON_DEPS}
 	doc? ( app-text/doxygen )
-	nls? ( sys-devel/gettext
-	       app-text/po4a )
+	nls? (	app-text/po4a
+		sys-devel/gettext )
 	test? (
 		dev-libs/check
 		dev-libs/softhsm:2
@@ -98,6 +104,8 @@ BDEPEND="
 		sys-libs/uid_wrapper
 	)
 	verify-sig? ( sec-keys/openpgp-keys-sssd )
+	app-text/docbook-xml-dtd:4.4
+	>=dev-libs/libxslt-1.1.26
 "
 
 CONFIG_CHECK="~KEYS"
@@ -105,7 +113,7 @@ CONFIG_CHECK="~KEYS"
 PATCHES=(
 	"${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
 	"${FILESDIR}/${PN}-2.9.6-conditional-python-install.patch"
-	"${FILESDIR}/${PN}-2.9.7-kerberos-1-22.patch"
+	"${FILESDIR}/${PN}-2.10.0_beta2-fix-systemd-systemconfdir.patch"
 )
 
 MULTILIB_WRAPPED_HEADERS=(
@@ -119,9 +127,41 @@ MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/sss_certmap.h
 )
 
+sssd_migrate_files() {
+	if has_version "<=sys-auth/sssd-2.9.9999"
+	then
+		einfo "Checking if sssd is running"
+		if [ -f /run/sssd.pid ]
+		then
+			elog "Please stop sssd after installing before"
+			elog "performing the migration process"
+		fi
+		einfo "Checking if /var/lib/sss ownership"
+		if [ -d /var/lib/sss ] && [ $(stat -c "%U:%G" /var/lib/sss) != "sssd:sssd" ]
+		then
+			elog "After installing, please execute"
+			elog "chown -R sssd:sssd /var/lib/sss"
+		fi
+		einfo "Checking if /var/log/sssd ownership"
+		if [ -d /var/log/sssd ] && [ $(stat -c "%U:%G" /var/log/sssd) != "sssd:sssd" ]
+		then
+			elog "After installing, please execute"
+			elog "chown -R sssd:sssd /var/log/sssd"
+		fi
+		einfo "Checking if /etc/sssd ownership"
+		if ! use systemd && [ -d /etc/sssd ] && [ $(stat -c "%U:%G" /etc/sssd) != "root:sssd" ]
+		then
+			elog "After installing, please execute"
+			elog "chown -R root:sssd /etc/sssd"
+		fi
+	fi
+}
+
 pkg_setup() {
 	linux-info_pkg_setup
 	python-single-r1_pkg_setup
+
+	sssd_migrate_files
 }
 
 src_prepare() {
@@ -158,6 +198,13 @@ src_prepare() {
 		Makefile.am \
 		|| die
 
+	# requires valgrind headers installed, see
+	# https://github.com/SSSD/sssd/pull/7845
+	sed -i \
+		-e '/^\s*test_iobuf[ \\]*$/d' \
+		Makefile.am \
+		|| die
+
 	eautoreconf
 
 	multilib_copy_sources
@@ -166,11 +213,6 @@ src_prepare() {
 src_configure() {
 	local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1 || die)
 
-	# Workaround for bug #938302
-	if use systemtap && has_version "dev-debug/systemtap[-dtrace-symlink(+)]" ; then
-		export DTRACE="${BROOT}"/usr/bin/stap-dtrace
-	fi
-
 	multilib-minimal_src_configure
 }
 
@@ -182,9 +224,9 @@ multilib_src_configure() {
 		--localstatedir="${EPREFIX}"/var
 		--runstatedir="${EPREFIX}"/run
 		--sbindir="${EPREFIX}"/usr/sbin
-		--with-pid-path="${EPREFIX}"/run
+		--with-pid-path="${EPREFIX}"/run/sssd
 		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
-		--enable-pammoddir="${EPREFIX}$(getpam_mod_dir)"
+		--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
 		--with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
 		--with-db-path="${EPREFIX}"/var/lib/sss/db
 		--with-gpo-cache-path="${EPREFIX}"/var/lib/sss/gpo_cache
@@ -193,6 +235,8 @@ multilib_src_configure() {
 		--with-mcache-path="${EPREFIX}"/var/lib/sss/mc
 		--with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets
 		--with-log-path="${EPREFIX}"/var/log/sssd
+		--with-tmpfilesdir=/usr/lib/tmpfiles.d
+		--with-udevrulesdir="$(get_udevdir)/rules.d"
 		--with-kcm
 		--enable-kcm-renewal
 		--with-os=gentoo
@@ -202,9 +246,8 @@ multilib_src_configure() {
 		--disable-valgrind
 		$(use_with samba)
 		--with-smb-idmap-interface-version=6
-		$(multilib_native_use_enable acl cifs-idmap-plugin)
+		--enable-cifs-idmap-plugin
 		$(multilib_native_use_with selinux)
-		$(multilib_native_use_with selinux semanage)
 		--enable-krb5-locator-plugin
 		$(use_enable samba pac-responder)
 		$(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
@@ -222,8 +265,8 @@ multilib_src_configure() {
 		$(multilib_native_use_with python python3-bindings)
 		# Annoyingly configure requires that you pick systemd XOR sysv
 		--with-initscript=$(usex systemd systemd sysv)
+		--with-sssd-user=sssd
 		KRB5_CONFIG="${ESYSROOT}"/usr/bin/krb5-config
-		# Needed for Samba 4.21
 		CPPFLAGS="${CPPFLAGS} -I${ESYSROOT}/usr/include/samba-4.0"
 	)
 
@@ -319,6 +362,8 @@ multilib_src_install_all() {
 	keepdir /var/lib/sss/pubconf/krb5.include.d
 	keepdir /var/lib/sss/secrets
 	keepdir /var/log/sssd
+	keepdir /etc/sssd/conf.d
+	keepdir /etc/sssd/pki
 
 	# strip empty dirs
 	if ! use doc; then
@@ -331,6 +376,8 @@ multilib_src_install_all() {
 }
 
 pkg_postinst() {
+	tmpfiles_process sssd-tmpfiles.conf
+	echo
 	elog "You must set up sssd.conf (default installed into /etc/sssd)"
 	elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
 	elog "features."