diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest
index 7b7121d..3303586 100644
--- a/sys-auth/sssd/Manifest
+++ b/sys-auth/sssd/Manifest
@@ -1,2 +1,2 @@
-DIST sssd-2.9.1.tar.gz 7943540 BLAKE2B 9113b63d54beb40ba85c5b5c75068197317b3b8088119cf6557c6b4aed113d2d67f0bc64fc68fb34f4dbef54cccdb8b32ef44112115930751fdec5ec92e0a09b SHA512 eb7345dcfbbd51f005f67ee5032364d369d24589111ded60701e2dbe09563f0b862d343f231dd2e9d548acd8c560a036c8b88a0601f9aa048a7202da8202cd9b
-DIST sssd-2.9.1.tar.gz.asc 833 BLAKE2B 08d3a6539e42dde4bd8dcfe3ceba3746fb579ed9703982d866d9fa2651a5ff99bf5553030cd5d932920a7737e3569d17d3120ffa384051ea81af190160aff446 SHA512 bf56a32d23aed2c85156427b10e42f1fe8f633316a81c2b416ba165a9548b4e830712968cf6690749637b674d983ff450dd8038a0f4ccfae25cc447c6ac6fa2e
+DIST sssd-2.9.2.tar.gz 7962081 BLAKE2B 35a098e699c1415982fb82483a7b127bf58a5b0123190b86be7e82be653efa6c999b1b3aa022276275024095260b131a3b23473de0633891820d99be2108e2dc SHA512 d3d05e2743cf3a31cd1952aeddf7500cf57e5b973bb4010a0a44472441ee0159db0021e0e37df4ce1a11e42c5eb8531f14a1a64a547f83f6958b39b9b9013084
+DIST sssd-2.9.2.tar.gz.asc 833 BLAKE2B 23b09b451662542b92aaaa551e803e1a706dd9eff753532f027a8935bab11d73e0f674308c3672dcfa529e1296be1fff7ead7bafb2f7d388df9f70a8bd65284e SHA512 018c23b899ef2691a74abbc96894dbf67f7afa3ba16f8c551520211660597cd3979231115814a8d3c9692d43b550bcb899c2255cbd1000928d84101467c367cf
diff --git a/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
deleted file mode 100644
index c849fe7..0000000
--- a/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 15 Jun 2023 12:05:03 +0200
-Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Alejandro López <allopez@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/external/pac_responder.m4 | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
-index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644
---- a/src/external/pac_responder.m4
-+++ b/src/external/pac_responder.m4
-@@ -22,7 +22,8 @@ then
-         Kerberos\ 5\ release\ 1.17* | \
-         Kerberos\ 5\ release\ 1.18* | \
-         Kerberos\ 5\ release\ 1.19* | \
--        Kerberos\ 5\ release\ 1.20*)
-+        Kerberos\ 5\ release\ 1.20* | \
-+        Kerberos\ 5\ release\ 1.21*)
-             krb5_version_ok=yes
-             AC_MSG_RESULT([yes])
-             ;;
--- 
-2.41.0
-
diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
deleted file mode 100644
index 258940b..0000000
--- a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 4 Jul 2023 19:06:27 +0200
-Subject: [PATCH 3/3] certmap: fix partial string comparison
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the formatting option of the certificate digest/hash function
-contained and additional specifier separated with a '_' the comparison
-of the provided digest name and the available ones was incomplete, the
-last character was ignored and the comparison was successful if even if
-there was only a partial match.
-
-Resolves: https://github.com/SSSD/sssd/issues/6802
-
-Reviewed-by: Alejandro López <allopez@redhat.com>
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)
----
- src/lib/certmap/sss_certmap_ldap_mapping.c |  9 ++++++++-
- src/tests/cmocka/test_certmap.c            | 22 ++++++++++++++++++++++
- 2 files changed, 30 insertions(+), 1 deletion(-)
-
-diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c
-index 2f16837a1..354b0310b 100644
---- a/src/lib/certmap/sss_certmap_ldap_mapping.c
-+++ b/src/lib/certmap/sss_certmap_ldap_mapping.c
-@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,
-     bool colon = false;
-     bool reverse = false;
-     char *c;
-+    size_t len = 0;
- 
-     sep = strchr(inp, '_');
-+    if (sep != NULL) {
-+        len = sep - inp;
-+    }
- 
-     for (d = 0; digest_list[d] != NULL; d++) {
-         if (sep == NULL) {
-             cmp = strcasecmp(digest_list[d], inp);
-         } else {
--            cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));
-+            if (strlen(digest_list[d]) != len) {
-+                continue;
-+            }
-+            cmp = strncasecmp(digest_list[d], inp, len);
-         }
- 
-         if (cmp == 0) {
-diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
-index da312beaf..a15984d60 100644
---- a/src/tests/cmocka/test_certmap.c
-+++ b/src/tests/cmocka/test_certmap.c
-@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)
-     assert_non_null(ctx);
-     assert_null(ctx->prio_list);
- 
-+    /* cert!sha */
-+    ret = sss_certmap_add_rule(ctx, 91,
-+                            "KRB5:<ISSUER>.*",
-+                            "LDAP:rule91={cert!sha}", NULL);
-+    assert_int_equal(ret, EINVAL);
-+
-+    ret = sss_certmap_add_rule(ctx, 91,
-+                            "KRB5:<ISSUER>.*",
-+                            "LDAPU1:rule91={cert!sha}", NULL);
-+    assert_int_equal(ret, EINVAL);
-+
-+    /* cert!sha_u */
-+    ret = sss_certmap_add_rule(ctx, 90,
-+                            "KRB5:<ISSUER>.*",
-+                            "LDAP:rule90={cert!sha_u}", NULL);
-+    assert_int_equal(ret, EINVAL);
-+
-+    ret = sss_certmap_add_rule(ctx, 99,
-+                            "KRB5:<ISSUER>.*",
-+                            "LDAPU1:rule90={cert!sha_u}", NULL);
-+    assert_int_equal(ret, EINVAL);
-+
-     /* cert!sha555 */
-     ret = sss_certmap_add_rule(ctx, 89,
-                             "KRB5:<ISSUER>.*",
--- 
-2.38.1
-
diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
deleted file mode 100644
index 3a72436..0000000
--- a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 4 Jul 2023 18:56:35 +0200
-Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The cert-show and cert-eval-rule sub-commands do not need root access and
-do not require SSSD to be configured on the host.
-
-Resolves: https://github.com/SSSD/sssd/issues/6802
-
-Reviewed-by: Alejandro López <allopez@redhat.com>
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)
----
- src/tools/sssctl/sssctl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 855260aed..04c41aa9a 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -340,9 +340,9 @@ int main(int argc, const char **argv)
-         SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
- #endif
-         SSS_TOOL_DELIMITER("Certificate related tools:"),
--        SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),
-+        SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
-         SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),
--        SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),
-+        SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
- #ifdef BUILD_PASSKEY
-         SSS_TOOL_DELIMITER("Passkey related tools:"),
-         SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
--- 
-2.38.1
-
diff --git a/sys-auth/sssd/files/sssd-2.9.2-SSSDConfig-use-setuptools-instead-of-distutils.patch b/sys-auth/sssd/files/sssd-2.9.2-SSSDConfig-use-setuptools-instead-of-distutils.patch
new file mode 100644
index 0000000..cebe397
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-2.9.2-SSSDConfig-use-setuptools-instead-of-distutils.patch
@@ -0,0 +1,44 @@
+From 9efd79b010dbb46d9968c3d3ab073b8e585cb2ad Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Sat, 18 Feb 2023 16:11:10 +0100
+Subject: [PATCH] SSSDConfig: use 'setuptools' instead of 'distutils'
+
+The Python standard library distutils module will be removed from Python 3.12+
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+---
+ contrib/sssd.spec.in   | 2 +-
+ src/config/setup.py.in | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 6431fc9d79..21571bd976 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -144,7 +144,7 @@ BuildRequires: pcre2-devel
+ BuildRequires: pkgconfig
+ BuildRequires: popt-devel
+ BuildRequires: python3-devel
+-BuildRequires: (python3-setuptools if python3 >= 3.12)
++BuildRequires: python3-setuptools
+ BuildRequires: samba-devel
+ # required for idmap_sss.so
+ BuildRequires: samba-winbind
+diff --git a/src/config/setup.py.in b/src/config/setup.py.in
+index 27f63c4061..613b050d53 100644
+--- a/src/config/setup.py.in
++++ b/src/config/setup.py.in
+@@ -19,10 +19,10 @@
+ #
+ 
+ """
+-Python-level packaging using distutils.
++Python-level packaging using setuptools.
+ """
+ 
+-from distutils.core import setup
++from setuptools import setup
+ 
+ setup(
+     name='SSSDConfig',
diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.2.ebuild
similarity index 96%
rename from sys-auth/sssd/sssd-2.9.1.ebuild
rename to sys-auth/sssd/sssd-2.9.2.ebuild
index 557ba82..6203fc0 100644
--- a/sys-auth/sssd/sssd-2.9.1.ebuild
+++ b/sys-auth/sssd/sssd-2.9.2.ebuild
@@ -6,7 +6,7 @@ EAPI=8
 PLOCALES="ca de es fr ja ko pt_BR ru sv tr uk"
 PLOCALES_BIN="${PLOCALES} bg cs eu fi hu id it ka nb nl pl pt tg zh_TW zh_CN"
 PLOCALE_BACKUP="sv"
-PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_COMPAT=( python3_{10..12} )
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sssd.asc
 
 inherit autotools linux-info multilib-minimal optfeature plocale \
@@ -84,6 +84,11 @@ RDEPEND="${DEPEND}
 BDEPEND="
 	virtual/pkgconfig
 	${PYTHON_DEPS}
+	python? (
+			$(python_gen_cond_dep '
+				dev-python/setuptools[${PYTHON_USEDEP}]
+			')
+		)
 	doc? ( app-doc/doxygen )
 	man? (
 		app-text/docbook-xml-dtd:4.4
@@ -108,10 +113,8 @@ CONFIG_CHECK="~KEYS"
 
 PATCHES=(
 	"${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch"
-	"${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch"
-	"${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch"
-	"${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch"
 	"${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch"
+	"${FILESDIR}/${PN}-2.9.2-SSSDConfig-use-setuptools-instead-of-distutils.patch"
 )
 
 MULTILIB_WRAPPED_HEADERS=(