diff --git a/security/sssd2/Makefile b/security/sssd2/Makefile
index 0a2a9527d468..5c7cd1f4cce4 100644
--- a/security/sssd2/Makefile
+++ b/security/sssd2/Makefile
@@ -1,203 +1,202 @@
 PORTNAME=	sssd
-PORTVERSION=	2.9.4
-PORTREVISION=	6
+PORTVERSION=	2.9.5
 CATEGORIES=	security
 PKGNAMESUFFIX=	2
 
 MAINTAINER=	jhixson@FreeBSD.org
 COMMENT=	System Security Services Daemon
 WWW=		https://sssd.io/
 
 LICENSE=	GPLv3+
 LICENSE_FILE=	${WRKSRC}/COPYING
 
 CONFLICTS_INSTALL?=	sssd*
 
 BUILD_DEPENDS=	bash:shells/bash \
 		docbook-xsl>=1:textproc/docbook-xsl \
 		krb5>=1.20:security/krb5 \
 		p11-kit:security/p11-kit \
 		nsupdate:dns/bind-tools \
 		xmlcatalog:textproc/libxml2 \
 		xmlcatmgr:textproc/xmlcatmgr \
 		xsltproc:textproc/libxslt
 
 LIB_DIRS+=	${LOCALBASE}/lib ${LOCALBASE}/lib/sasl2
 LIB_DEPENDS=	libcares.so:dns/c-ares \
 		libcom_err.so:security/krb5 \
 		libcurl.so:ftp/curl \
 		libdbus-1.so:devel/dbus \
 		libdhash.so:devel/ding-libs \
 		libfido2.so:security/libfido2 \
 		libgssapi_krb5.so:security/krb5 \
 		libinotify.so:devel/libinotify \
 		libjansson.so:devel/jansson \
 		libjose.so:net/jose \
 		libkrb5.so:security/krb5 \
 		libldb.so:databases/ldb22 \
 		libndr-krb5pac.so:net/samba416 \
 		libndr-nbt.so:net/samba416 \
 		libndr-standard.so:net/samba416 \
 		libndr.so:net/samba416 \
 		libnfs.so:net/libnfs \
 		libnss3.so:security/nss \
 		libp11-kit.so:security/p11-kit \
 		libpcre2-posix.so:devel/pcre2 \
 		libplds4.so:devel/nspr \
 		libpopt.so:devel/popt \
 		libsamba-util.so:net/samba416 \
 		libsasl2.so:security/cyrus-sasl2 \
 		libsmbclient.so:net/samba416 \
 		libtalloc.so:devel/talloc \
 		libtdb.so:databases/tdb \
 		libtevent.so:devel/tevent \
 		libunistring.so:devel/libunistring \
 		libuuid.so:misc/e2fsprogs-libuuid
 
 RUN_DEPENDS=	adcli:net-mgmt/adcli \
 		cyrus-sasl-gssapi>0:security/cyrus-sasl2-gssapi
 
 USES=	autoreconf cpe gettext gmake gssapi:bootstrap,flags,mit iconv ldap \
 	libtool localbase:ldflags pathfix pkgconfig python:3.9+ shebangfix ssl
 
 USE_LDCONFIG=	yes
 GNU_CONFIGURE=	yes
 
 INSTALL_TARGET=	install-strip
 CPE_VENDOR=	fedoraproject
 
 DEBUG_FLAGS=	-g
 STRIP=
 
 CONFIGURE_ARGS=	--disable-dependency-tracking \
 		--datadir=${DATADIR} \
 		--docdir=${DOCSDIR} \
 		--localstatedir=/var \
 		--disable-silent-rules \
 		--disable-nls \
 		--disable-cifs-idmap-plugin \
 		--disable-valgrind \
 		--disable-systemtap \
 		--enable-pammoddir=${PREFIX}/lib \
 		--enable-ldb-version-check \
 		--enable-pac-responder \
 		--with-db-path=/var/db/sss/db \
 		--with-os=freebsd \
 		--with-plugin-path=${LOCALBASE}/lib/sssd \
 		--with-pubconf-path=/var/db/sss/pubconf  \
 		--with-pid-path=/var/run \
 		--with-pipe-path=/var/run/sss/pipes \
 		--with-mcache-path=/var/db/sss/mc \
 		--with-environment-file=${LOCALBASE}/etc/sssd \
 		--with-init-dir=no \
 		--with-manpages \
 		--with-xml-catalog-path=${LOCALBASE}/share/xml/catalog \
 		--with-krb5-plugin-path=${LOCALBASE}/lib/krb5/plugins/libkrb5 \
 		--with-krb5authdata-plugin-path=${LOCALBASE}/lib/krb5/plugins/authdata \
 		--with-krb5-conf=/etc/krb5.conf \
 		--without-python2-bindings \
 		--with-winbind-plugin-path=${LOCALBASE}/lib/samba4/modules/idmap \
 		--without-selinux \
 		--with-gpo-cache-path=/var/db/sss/gpo_cache  \
 		--without-semanage \
 		--with-app-libs=${LOCALBASE}/lib/sssd/modules \
 		--without-autofs \
 		--with-files-provider \
 		--with-passkey \
 		--with-libsifp \
 		--without-libsifp \
 		--with-syslog=syslog \
 		--with-samba \
 		--without-nfsv4-idmapd-plugin \
 		--with-nfs-lib-path=${LOCALBASE}/lib \
 		--with-secrets-db-path=/var/lib/sss/secrets \
 		--with-kcm \
 		--with-oidc-child \
 		--with-ldb-lib-dir=${LOCALBASE}/lib/shared-modules/ldb \
 		--with-smb-idmap-interface-version=6 \
 		--without-libnl \
 		--with-nscd-conf=/etc/nscd.conf \
 		--with-python_prefix=${PREFIX} \
 		--with-unicode-lib=libunistring
 
 CPPFLAGS+=	-DRENEWAL_PROG_PATH='\"${LOCALBASE}/sbin/adcli\"'
 CFLAGS+=	-fstack-protector-all
 CFLAGS+=	-I${LOCALBASE}/include/samba4
 
 LIBS+=	-L${LOCALBASE}/lib \
 	-L${LOCALBASE}/lib/samba4/private \
 	-L${LOCALBASE}/lib/sasl2  \
 	-linotify -lintl
 
 KRB5_HOME=	${LOCALBASE}
 KRB5_CONFIG=	${LOCALBASE}/bin/krb5-config
 KRB5_CFLAGS=	-I${LOCALBASE}/include
 KRB5_LIBS=	-L${LOCALBAse}/lib -lkrb5 -lk5crypto -lcom_err
 
 GSSAPI_KRB5_CFLAGS=	-I${LOCALBASE}/include
 GSSAPI_KRB5_LIBS=	-L${LOCALBASE}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
 
 LDFLAGS+=	-lgssapi
 LDFLAGS_SL+=	-lgssapi
 
 INCLUDES+=	-I${LOCALBASE}/include
 CONFIGURE_ENV+=	INCLUDES="${INCLUDES}" \
 		LDFLAGS_SL="${LDFLAGS_SL}"
 MAKE_ENV=	MAKELEVEL=0
 
 PLIST_SUB=	PYTHON_VER=${PYTHON_VER}
 MAKE_ENV+=	LINGUAS="bg de eu es fr hu id it ja nb nl pl pt ru sv tg tr uk zh_CN zh_TW"
 SUB_FILES=	pkg-message
 
 BINARY_ALIAS=	python3=python${PYTHON_VER}
 SHEBANG_FILES=	sbus_generate.sh.in \
 		src/tools/analyzer/sss_analyze \
 		src/tools/sss_obfuscate \
 		src/config/SSSDConfigTest.py \
 		src/tests/python-test.py \
 		src/tests/pysss-test.py \
 		src/tests/cwrap/cwrap_test_setup.sh \
 		src/tests/whitespace_test \
 		src/tests/pyhbac-test.py \
 		src/tests/multihost/data/memcachesize.py \
 		src/tests/double_semicolon_test \
 		src/tests/pysss_murmur-test.py \
 		scripts/release.sh \
 		contrib/git/pre-push \
 		contrib/ci/rpm-spec-builddeps \
 		contrib/ci/clean \
 		contrib/ci/valgrind-condense \
 		contrib/ci/run-multihost \
 		contrib/ci/run \
 		contrib/ci/get-matrix.py \
 		contrib/vagrant/bootstrap.sh \
 		contrib/fedora/make_srpm.sh
 
 USE_RC_SUBR=	${PORTNAME}
 
 USE_GITHUB=yes
 GH_ACCOUNT=sssd
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|/usr/bin/|${PREFIX}/bin/|g' \
 		-e 's|/var/lib/sss/pubconf/|/var/db/sss/pubconf/|g' \
 		${WRKSRC}/src/man/sss_ssh_knownhostsproxy.1.xml \
 		${WRKSRC}/src/man/po/*.po || true
 	@${REINPLACE_CMD} -e 's|/etc/sssd/|${ETCDIR}/|g' \
 		-e 's|/etc/openldap/|${LOCALBASE}/etc/openldap/|g' \
 		${WRKSRC}/src/man/*xml || true
 	@${CP} ${FILESDIR}/sss_bsd_errno.h ${WRKSRC}/src/util/sss_bsd_errno.h
 	@${CP} ${FILESDIR}/bsdnss.c ${WRKSRC}/src/sss_client/bsdnss.c
 
 post-install:
 	${INSTALL_DATA} ${WRKSRC}/src/examples/sssd-example.conf \
 		${STAGEDIR}${ETCDIR}/sssd.conf.sample
 	${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system.d
 	${INSTALL_DATA} ${WRKSRC}/src/responder/ifp/org.freedesktop.sssd.infopipe.conf \
 		${STAGEDIR}${PREFIX}/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 	${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system-services
 	${INSTALL_DATA} ${WRKSRC}/src/responder/ifp/org.freedesktop.sssd.infopipe.service \
 		${STAGEDIR}${PREFIX}/share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
 	${LN} -sf libnss_sss.so.2 ${STAGEDIR}${PREFIX}/lib/nss_sss.so.1
 
 .include <bsd.port.mk>
diff --git a/security/sssd2/distinfo b/security/sssd2/distinfo
index 249e6345bf1c..2d4cce561829 100644
--- a/security/sssd2/distinfo
+++ b/security/sssd2/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1706926059
-SHA256 (sssd-sssd-2.9.4_GH0.tar.gz) = 074f4e00283def250d26d3331332cffc8acb61e51282645faf40490eb93a30c4
-SIZE (sssd-sssd-2.9.4_GH0.tar.gz) = 6745896
+TIMESTAMP = 1719240176
+SHA256 (sssd-sssd-2.9.5_GH0.tar.gz) = e63a66da95e62a97466f9e04ec6dd9b0c50d82452e6fb031b333c5125172ffbd
+SIZE (sssd-sssd-2.9.5_GH0.tar.gz) = 6764418
diff --git a/security/sssd2/files/patch-src__external__samba.m4 b/security/sssd2/files/patch-src__external__samba.m4
index 7c6b25138b58..7e8a8dfc5d40 100644
--- a/security/sssd2/files/patch-src__external__samba.m4
+++ b/security/sssd2/files/patch-src__external__samba.m4
@@ -1,32 +1,32 @@
---- src/external/samba.m4.orig	2023-05-05 08:11:07 UTC
+--- src/external/samba.m4.orig	2024-05-16 11:35:27 UTC
 +++ src/external/samba.m4
-@@ -64,7 +64,7 @@ --without-samba
+@@ -63,7 +63,7 @@ --without-samba
+             AC_MSG_ERROR([Illegal value -$with_smb_idmap_interface_version- for option --with-smb-idmap-interface-version])
+         fi
      else
- 
-         AC_MSG_CHECKING([Samba's idmap plugin interface version])
 -        sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba
 +        sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/private
-         SAVE_CFLAGS=$CFLAGS
-         SAVE_LIBS=$LIBS
-         CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS"
-@@ -157,12 +157,16 @@ AC_CHECK_MEMBERS([struct PAC_LOGON_INFO.resource_group
+         AC_MSG_CHECKING([Samba's idmap library])
+         if test -f "${sambalibdir}/libidmap-private-samba.so"; then
+                 IDMAP_SAMBA_LIBS=idmap-private-samba
+@@ -166,12 +166,16 @@ AC_CHECK_MEMBERS([struct PAC_LOGON_INFO.resource_group
  SAVE_CFLAGS=$CFLAGS
  CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS"
  AC_CHECK_MEMBERS([struct PAC_LOGON_INFO.resource_groups], , ,
 -                 [[ #include <ndr.h>
 -                    #include <gen_ndr/krb5pac.h>
 +                 [[ #include <sys/types.h>
 +                    #include <sys/time.h>
 +                    #include <time.h>
 +                    #include <ndr.h>
                      #include <gen_ndr/krb5pac.h>]])
  AC_CHECK_MEMBERS([struct PAC_UPN_DNS_INFO.ex], ,
                   [AC_MSG_NOTICE([union PAC_UPN_DNS_INFO_EX is not available, PAC checks will be limited])],
 -                 [[ #include <ndr.h>
 -                    #include <gen_ndr/krb5pac.h>
 +                 [[ #include <sys/types.h>
 +                    #include <sys/time.h>
 +                    #include <time.h>
 +                    #include <ndr.h>
                      #include <gen_ndr/krb5pac.h>]])
  CFLAGS=$SAVE_CFLAGS
diff --git a/security/sssd2/pkg-plist b/security/sssd2/pkg-plist
index 7385a85c8d28..0c68fe94adc4 100644
--- a/security/sssd2/pkg-plist
+++ b/security/sssd2/pkg-plist
@@ -1,166 +1,166 @@
 bin/sss_ssh_authorizedkeys
 bin/sss_ssh_knownhostsproxy
 etc/pam.d/sssd-shadowutils
 %%ETCDIR%%/sssd.conf.sample
 include/ipa_hbac.h
 include/sss_certmap.h
 include/sss_idmap.h
 include/sss_nss_idmap.h
 lib/krb5/plugins/authdata/sssd_pac_plugin.so
 lib/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
 lib/libipa_hbac.so
 lib/libipa_hbac.so.0
 lib/libipa_hbac.so.0.1.0
 lib/libnss_sss.so.2
 lib/libsss_certmap.so
 lib/libsss_certmap.so.0
 lib/libsss_certmap.so.0.2.0
 lib/libsss_idmap.so
 lib/libsss_idmap.so.0
 lib/libsss_idmap.so.0.5.1
 lib/libsss_nss_idmap.so
 lib/libsss_nss_idmap.so.0
 lib/libsss_nss_idmap.so.0.6.0
 lib/libsss_sudo.so
 lib/nss_sss.so.1
 lib/pam_sss.so
 lib/pam_sss_gss.so
-%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/PKG-INFO
-%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/SOURCES.txt
-%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/dependency_links.txt
-%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.4-py%%PYTHON_VER%%.egg-info/top_level.txt
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.5-py%%PYTHON_VER%%.egg-info/PKG-INFO
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.5-py%%PYTHON_VER%%.egg-info/SOURCES.txt
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.5-py%%PYTHON_VER%%.egg-info/dependency_links.txt
+%%PYTHON_SITELIBDIR%%/SSSDConfig-2.9.5-py%%PYTHON_VER%%.egg-info/top_level.txt
 %%PYTHON_SITELIBDIR%%/SSSDConfig/__init__.py
 %%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/__init__%%PYTHON_EXT_SUFFIX%%.pyc
 %%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/ipachangeconf%%PYTHON_EXT_SUFFIX%%.pyc
 %%PYTHON_SITELIBDIR%%/SSSDConfig/__pycache__/sssdoptions%%PYTHON_EXT_SUFFIX%%.pyc
 %%PYTHON_SITELIBDIR%%/SSSDConfig/ipachangeconf.py
 %%PYTHON_SITELIBDIR%%/SSSDConfig/sssdoptions.py
 %%PYTHON_SITELIBDIR%%/pyhbac.so
 %%PYTHON_SITELIBDIR%%/pysss.so
 %%PYTHON_SITELIBDIR%%/pysss_murmur.so
 %%PYTHON_SITELIBDIR%%/pysss_nss_idmap.so
 %%PYTHON_SITELIBDIR%%/sssd/__init__.py
 %%PYTHON_SITELIBDIR%%/sssd/modules/__init__.py
 %%PYTHON_SITELIBDIR%%/sssd/modules/request.py
 %%PYTHON_SITELIBDIR%%/sssd/parser.py
 %%PYTHON_SITELIBDIR%%/sssd/source_files.py
 %%PYTHON_SITELIBDIR%%/sssd/source_journald.py
 %%PYTHON_SITELIBDIR%%/sssd/source_reader.py
 %%PYTHON_SITELIBDIR%%/sssd/sss_analyze.py
 lib/samba4/modules/idmap/sss.so
 lib/shared-modules/ldb/memberof.so
 lib/sssd/conf/sssd.conf
 lib/sssd/libifp_iface.so
 lib/sssd/libifp_iface_sync.so
 lib/sssd/libsss_ad.so
 lib/sssd/libsss_cert.so
 lib/sssd/libsss_child.so
 lib/sssd/libsss_crypt.so
 lib/sssd/libsss_debug.so
 lib/sssd/libsss_files.so
 lib/sssd/libsss_iface.so
 lib/sssd/libsss_iface_sync.so
 lib/sssd/libsss_ipa.so
 lib/sssd/libsss_krb5.so
 lib/sssd/libsss_krb5_common.so
 lib/sssd/libsss_ldap.so
 lib/sssd/libsss_ldap_common.so
 lib/sssd/libsss_proxy.so
 lib/sssd/libsss_sbus.so
 lib/sssd/libsss_sbus_sync.so
 lib/sssd/libsss_semanage.so
 lib/sssd/libsss_simple.so
 lib/sssd/libsss_util.so
 lib/sssd/modules/sssd_krb5_idp_plugin.so
 lib/sssd/modules/sssd_krb5_localauth_plugin.so
 lib/sssd/modules/sssd_krb5_passkey_plugin.so
 libdata/pkgconfig/ipa_hbac.pc
 libdata/pkgconfig/sss_certmap.pc
 libdata/pkgconfig/sss_idmap.pc
 libdata/pkgconfig/sss_nss_idmap.pc
 libexec/sssd/gpo_child
 libexec/sssd/krb5_child
 libexec/sssd/ldap_child
 libexec/sssd/oidc_child
 libexec/sssd/p11_child
 libexec/sssd/passkey_child
 libexec/sssd/proxy_child
 libexec/sssd/sss_analyze
 libexec/sssd/sss_signal
 libexec/sssd/sssd_be
 libexec/sssd/sssd_ifp
 libexec/sssd/sssd_kcm
 libexec/sssd/sssd_nss
 libexec/sssd/sssd_pac
 libexec/sssd/sssd_pam
 libexec/sssd/sssd_ssh
 libexec/sssd/sssd_sudo
 sbin/sss_cache
 sbin/sss_debuglevel
 sbin/sss_obfuscate
 sbin/sss_override
 sbin/sss_seed
 sbin/sssctl
 sbin/sssd
 share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
 share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 share/man/man1/sss_ssh_authorizedkeys.1.gz
 share/man/man1/sss_ssh_knownhostsproxy.1.gz
 share/man/man5/sss-certmap.5.gz
 share/man/man5/sssd-ad.5.gz
 share/man/man5/sssd-files.5.gz
 share/man/man5/sssd-ifp.5.gz
 share/man/man5/sssd-ipa.5.gz
 share/man/man5/sssd-krb5.5.gz
 share/man/man5/sssd-ldap-attributes.5.gz
 share/man/man5/sssd-ldap.5.gz
 share/man/man5/sssd-session-recording.5.gz
 share/man/man5/sssd-simple.5.gz
 share/man/man5/sssd-sudo.5.gz
 share/man/man5/sssd.conf.5.gz
 share/man/man8/idmap_sss.8.gz
 share/man/man8/pam_sss.8.gz
 share/man/man8/pam_sss_gss.8.gz
 share/man/man8/sss_cache.8.gz
 share/man/man8/sss_debuglevel.8.gz
 share/man/man8/sss_obfuscate.8.gz
 share/man/man8/sss_override.8.gz
 share/man/man8/sss_seed.8.gz
 share/man/man8/sssctl.8.gz
 share/man/man8/sssd-kcm.8.gz
 share/man/man8/sssd.8.gz
 share/man/man8/sssd_krb5_localauth_plugin.8.gz
 share/man/man8/sssd_krb5_locator_plugin.8.gz
 %%DATADIR%%/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
 %%DATADIR%%/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
 %%DATADIR%%/sssd-kcm/kcm_default_ccache
 %%DATADIR%%/sssd/cfg_rules.ini
 %%DATADIR%%/sssd/krb5-snippets/enable_sssd_conf_dir
 %%DATADIR%%/sssd/krb5-snippets/sssd_enable_idp
 %%DATADIR%%/sssd/krb5-snippets/sssd_enable_passkey
 %%DATADIR%%/sssd/sssd.api.conf
 %%DATADIR%%/sssd/sssd.api.d/sssd-ad.conf
 %%DATADIR%%/sssd/sssd.api.d/sssd-files.conf
 %%DATADIR%%/sssd/sssd.api.d/sssd-ipa.conf
 %%DATADIR%%/sssd/sssd.api.d/sssd-krb5.conf
 %%DATADIR%%/sssd/sssd.api.d/sssd-ldap.conf
 %%DATADIR%%/sssd/sssd.api.d/sssd-proxy.conf
 %%DATADIR%%/sssd/sssd.api.d/sssd-simple.conf
 @dir %%ETCDIR%%/conf.d
 @dir %%ETCDIR%%/pki
 @dir lib/ldb
 @dir /var/db/sss/db
 @dir /var/db/sss/deskprofile
 @dir /var/db/sss/gpo_cache
 @dir /var/db/sss/keytabs
 @dir /var/db/sss/mc
 @dir /var/db/sss/pubconf/krb5.include.d
 @dir /var/db/sss/pubconf
 @dir /var/db/sss
 @dir /var/lib/sss/secrets
 @dir /var/lib/sss
 @dir /var/lib
 @dir /var/log/sssd
 @dir /var/run/sss/pipes/private
 @dir /var/run/sss/pipes
 @dir /var/run/sss