diff --git a/0006-util-watchdog-fixed-watchdog-implementation.patch b/0006-util-watchdog-fixed-watchdog-implementation.patch
new file mode 100644
index 0000000..55e38db
--- /dev/null
+++ b/0006-util-watchdog-fixed-watchdog-implementation.patch
@@ -0,0 +1,52 @@
+From 2c13d8bd00f1e8ff30e9fc81f183f6450303ac30 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 11 Dec 2019 18:42:49 +0100
+Subject: [PATCH] util/watchdog: fixed watchdog implementation
+
+In case watchdog detected locked process and this process was parent
+process it just sent SIGTERM to the whole group of processes, including
+itself.
+This handling was wrong: generic `server_setup()` installs custom
+libtevent handler for SIGTERM signal so this signal is only processed
+in the context of tevent mainloop. But if tevent mainloop is stuck
+(exactly the case that triggers WD) then event is not processed
+and this made watchdog useless.
+`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do
+unconditional `_exit()` after optionally sending a signal to the group.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4089
+
+Reviewed-by: Sumit Bose
+---
+ src/util/util_watchdog.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index a07275b19..38c248271 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -54,9 +54,8 @@ static void watchdog_detect_timeshift(void)
+ if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) {
+ if (getpid() == getpgrp()) {
+ kill(-getpgrp(), SIGTERM);
+- } else {
+- _exit(1);
+ }
++ _exit(1);
+ }
+ }
+ }
+@@ -75,9 +74,8 @@ static void watchdog_handler(int sig)
+ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
+ if (getpid() == getpgrp()) {
+ kill(-getpgrp(), SIGTERM);
+- } else {
+- _exit(1);
+ }
++ _exit(1);
+ }
+ }
+
+--
+2.20.1
+
diff --git a/sssd.spec b/sssd.spec
index 5421646..bc3617f 100644
--- a/sssd.spec
+++ b/sssd.spec
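Review bot: The two `_exit(1)` calls that are now unconditional, in `watchdog_detect_timeshift()` and in `watchdog_handler()`, end the process without leaving any trace of why, and the reason for bypassing the SIGTERM handler is recorded only in the commit message. A short comment at both sites would keep a later cleanup from restoring the `else`, for example `/* SIGTERM is dispatched from the tevent loop, which may be what is stuck: always exit here */`. In `watchdog_detect_timeshift()` the same path runs on any failed one-byte `write()` to `watchdog_ctx.pipefd[1]`. If that descriptor can return a transient error such as `EAGAIN` or `EINTR` (its setup is not visible in the hunk), the group leader now exits immediately where it previously only signalled the group, so checking `errno` before treating the failure as fatal may be worthwhile. Both function bodies start outside the hunks.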
@@ -36,7 +36,7 @@ Name: sssd Version: 2.2.3 -Release: 4%{?dist} +Release: 5%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://pagure.io/SSSD/sssd/ @@ -48,6 +48,7 @@ Patch0002: 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch Patch0003: 0003-INI-sssctl-config-check-command-error-messages.patch Patch0004: 0004-certmap-mention-special-regex-characters-in-man-page.patch Patch0005: 0005-ldap_child-do-not-try-PKINIT.patch +Patch0006: 0006-util-watchdog-fixed-watchdog-implementation.patch ### Downstream only patches ### Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -1076,6 +1077,9 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Wed Feb 26 2020 Michal Židek - 2.2.3-5 +- Resolves: upstream##4089 Watchdog implementation or usage is incorrect + * Wed Feb 26 2020 Michal Židek - 2.2.3-4 - Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized