0001-Configuration-make-sure-etc-sssd-and-everything.patch is added ahead of the stack because it is an upstream-accepted patch. harden_sssd-kcm.service.patch then needs a refresh for reasons of fuzz 2.