diff --git a/.gitignore b/.gitignore
index 8a41f90..0b21d2f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -85,3 +85,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.2.0.tar.gz
 /sssd-2.2.1.tar.gz
 /sssd-2.2.2.tar.gz
+/sssd-2.2.3.tar.gz
diff --git a/0001-Fix-build-failure-against-samba-4.12.0rc1.patch b/0001-Fix-build-failure-against-samba-4.12.0rc1.patch
index 5ee36c0..5be3f41 100644
--- a/0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+++ b/0001-Fix-build-failure-against-samba-4.12.0rc1.patch
@@ -1,19 +1,24 @@
-From 391dc02eafed23892c5752834b18174b6cd54e20 Mon Sep 17 00:00:00 2001
+From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Fri, 24 Jan 2020 15:17:39 +0100
 Subject: [PATCH] Fix build failure against samba 4.12.0rc1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
 
 The ndr_pull_get_switch() function was dropped, but it was just a wrapper
 around the ndr_token_peek() function, so we can use this approach on both
 old and new versions of libndr.
 
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 ---
  src/providers/ad/ad_gpo_ndr.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index d573033494bc5aa3b56bd698a6860261834e58fd..8f405aa62b1b65a5ab9e4e9131c37fda84c5ffba 100644
+index d57303349..8f405aa62 100644
 --- a/src/providers/ad/ad_gpo_ndr.c
 +++ b/src/providers/ad/ad_gpo_ndr.c
 @@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
@@ -44,5 +49,5 @@ index d573033494bc5aa3b56bd698a6860261834e58fd..8f405aa62b1b65a5ab9e4e9131c37fda
      if (ndr_flags & NDR_SCALARS) {
          NDR_CHECK(ndr_pull_union_align(ndr, 4));
 -- 
-2.24.1
+2.20.1
 
diff --git a/0001-KCM-Set-kdc_offset-to-zero-initially.patch b/0001-KCM-Set-kdc_offset-to-zero-initially.patch
deleted file mode 100644
index 7973969..0000000
--- a/0001-KCM-Set-kdc_offset-to-zero-initially.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2c9bdcf579e430fa8f7e5595a17cf7242adb5216 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 11 Oct 2019 09:20:20 +0200
-Subject: [PATCH] KCM: Set kdc_offset to zero initially
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://pagure.io/SSSD/sssd/issue/4100
-
-KCM assumed that the client library would always set the KDC offset, but
-that's not always the case, especially when using multiple krb contexts
-from the client application:
-    https://bugzilla.redhat.com/show_bug.cgi?id=1757224#c64
-
-Heimdal also creates ccaches with zero kdc_offset:
-    https://github.com/heimdal/heimdal/commit/9f58896af958ae5e6e3ebde8c48dad4eda841986
-so we should do the same..
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
-Reviewed-by: Robbie Harwood <rharwood@redhat.com>
----
- src/responder/kcm/kcmsrv_ccache.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
-index e24da9aa2..66e2752ba 100644
---- a/src/responder/kcm/kcmsrv_ccache.c
-+++ b/src/responder/kcm/kcmsrv_ccache.c
-@@ -82,7 +82,7 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
- 
-     cc->owner.uid = cli_creds_get_uid(owner);
-     cc->owner.gid = cli_creds_get_gid(owner);
--    cc->kdc_offset = INT32_MAX;
-+    cc->kdc_offset = 0;
- 
-     talloc_set_destructor(cc, kcm_cc_destructor);
-     *_cc = cc;
--- 
-2.23.0
-
diff --git a/0001-SSS_CLIENT-got-rid-of-using-PRNG.patch b/0001-SSS_CLIENT-got-rid-of-using-PRNG.patch
deleted file mode 100644
index 51868fd..0000000
--- a/0001-SSS_CLIENT-got-rid-of-using-PRNG.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From e47f143bcb86d04aa053c17373f9d9991fc63913 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Mon, 14 Oct 2019 11:38:06 +0200
-Subject: [PATCH] SSS_CLIENT: got rid of using PRNG
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-1) no reason to expect "thundering herd issue"
-2) randomization as it was done (strictly 1 or 2 secs)
-   would not help much anyway
-3) usage of PRNG might break app that depends on deterministic
-   PRNG behaviour
-
-Resolves: https://pagure.io/SSSD/sssd/issue/4094
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
----
- src/sss_client/common.c | 7 +------
- 1 file changed, 1 insertion(+), 6 deletions(-)
-
-diff --git a/src/sss_client/common.c b/src/sss_client/common.c
-index 930efe4a1..270ca8b54 100644
---- a/src/sss_client/common.c
-+++ b/src/sss_client/common.c
-@@ -566,11 +566,6 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
-     /* this piece is adapted from winbind client code */
-     wait_time = 0;
-     sleep_time = 0;
--    /* This is not security relevant functionality and
--     * it is undesirable to pull unnecessary dependency (util/crypto)
--     * so plain srand() & rand() are used here.
--     */
--    srand(time(NULL) * getpid());
-     while (inprogress) {
-         int connect_errno = 0;
-         socklen_t errnosize;
-@@ -605,7 +600,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
-             break;
-         case EAGAIN:
-             if (wait_time < timeout) {
--                sleep_time = rand() % 2 + 1;
-+                sleep_time = 1;
-                 sleep(sleep_time);
-             }
-             break;
--- 
-2.23.0
-
diff --git a/0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch b/0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch
new file mode 100644
index 0000000..5c40402
--- /dev/null
+++ b/0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch
@@ -0,0 +1,29 @@
+From 399ee9d1af9cca4026ce50c58ce25c45a30c85c2 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Sat, 1 Feb 2020 17:39:07 +0000
+Subject: [PATCH] BUILD: Accept krb5 1.18 for building the PAC plugin
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/4152
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/external/pac_responder.m4 | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index dc986a1b8..114d8470f 100644
+--- a/src/external/pac_responder.m4
++++ b/src/external/pac_responder.m4
+@@ -19,7 +19,8 @@ then
+         Kerberos\ 5\ release\ 1.14* | \
+         Kerberos\ 5\ release\ 1.15* | \
+         Kerberos\ 5\ release\ 1.16* | \
+-        Kerberos\ 5\ release\ 1.17*)
++        Kerberos\ 5\ release\ 1.17* | \
++        Kerberos\ 5\ release\ 1.18*)
+             krb5_version_ok=yes
+             AC_MSG_RESULT([yes])
+             ;;
+-- 
+2.20.1
+
diff --git a/sources b/sources
index c747929..b7ad9a1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-2.2.2.tar.gz) = 4cce8fdbcc05d1469dad5ba987cb0f9bc33702b37f85e8e248975461bb50b0740fec92ff213bdb640b506405be7ead936ff253ab02d4a27205ddf20cc0e54801
+SHA512 (sssd-2.2.3.tar.gz) = b61d52a53e26e8efa9cb799fc6efc2314bf9d174d3cacfe591a4ca77530637591eacc0dc70c0555252e04a9617e8b134b1ab2d9b0f7351b4228e7b61499e6a10
diff --git a/sssd.spec b/sssd.spec
index 4706a0c..c255207 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -35,28 +35,16 @@
 %endif
 
 Name: sssd
-Version: 2.2.2
-Release: 6%{?dist}
+Version: 2.2.3
+Release: 1%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
 Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 
 ### Patches ###
-
-# Fix KCM cached tickets behaving as if expired shortly after issue
-# https://github.com/SSSD/sssd/pull/904
-# https://bugzilla.redhat.com/show_bug.cgi?id=1757224
-Patch0: 0001-KCM-Set-kdc_offset-to-zero-initially.patch
-# Workaround a problem setting up replica in containers
-# https://github.com/SSSD/sssd/pull/900
-# https://bugzilla.redhat.com/show_bug.cgi?id=1755643
-Patch1: 0001-SSS_CLIENT-got-rid-of-using-PRNG.patch
-
-
-# Work around samba 4.12.0rc1 dropping a function we use
-Patch2: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
-
+Patch0001: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+Patch0002: 0002-BUILD-Accept-krb5-1.18-for-building-the-PAC-plugin.patch
 
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -86,6 +74,7 @@ Suggests: sssd-dbus = %{version}-%{release}
 
 ### Build Dependencies ###
 
+BuildRequires: make
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
@@ -788,6 +777,7 @@ done
 %{_datadir}/sssd/systemtap/id_perf.stp
 %{_datadir}/sssd/systemtap/nested_group_perf.stp
 %{_datadir}/sssd/systemtap/dp_request.stp
+%{_datadir}/sssd/systemtap/ldap_perf.stp
 %dir %{_datadir}/systemtap
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/sssd.stp
@@ -799,6 +789,7 @@ done
 %license COPYING
 %{_libdir}/%{name}/libsss_ldap.so
 %{_mandir}/man5/sssd-ldap.5*
+%{_mandir}/man5/sssd-ldap-attributes.5*
 
 %files krb5-common
 %license COPYING
@@ -1082,6 +1073,10 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-1
+- Update to latest released upstream version
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_3.htm
+
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.2-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild