diff --git a/freeipa.spec b/freeipa.spec
index 40b5d3e..218c55a 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -143,7 +143,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -157,6 +157,7 @@ Patch0:         4045.patch
 Patch1:         krb5-kdb-fixes.patch
 Patch2:         krb5-1.18-support.patch
 Patch3:         krb5-1.18-support-constraint-delegation.patch
+Patch4:         krb5-pg8200.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -1363,6 +1364,10 @@ fi
 
 
 %changelog
+* Mon Feb 17 2020 François Cami <fcami@redhat.com> - 4.8.4-7
+- Fix audit_as_req() callback usage
+- Resolves: #1803786
+
 * Sat Feb 01 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-6
 - Fix constraint delegation for krb5 1.18 update
 - Resolves: #1797096
diff --git a/krb5-pg8200.patch b/krb5-pg8200.patch
new file mode 100644
index 0000000..c6d8480
--- /dev/null
+++ b/krb5-pg8200.patch
@@ -0,0 +1,44 @@
+From 30b8c8b9985a5eb41e700b80fd03f95548e45fba Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Feb 17 2020 15:40:16 +0000
+Subject: kdb: make sure audit_as_req callback signature change is preserved
+
+
+audit_as_req() callback has changed its signature with MIT krb5 commit
+20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
+change for any newer DAL versions. Otherwise audit_as_req() callback
+would reference wrong data and we might crash.
+
+Fixes: https://pagure.io/freeipa/issue/8200
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+
+---
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
+index 7519f26..ae37a5a 100644
+--- a/daemons/ipa-kdb/ipa_kdb.h
++++ b/daemons/ipa-kdb/ipa_kdb.h
+@@ -345,7 +345,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
+ 
+ void ipadb_audit_as_req(krb5_context kcontext,
+                         krb5_kdc_req *request,
+-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
++#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
+                         const krb5_address *local_addr,
+                         const krb5_address *remote_addr,
+ #endif
+diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+index 77748a7..a60bc82 100644
+--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
++++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
+@@ -25,7 +25,7 @@
+ 
+ void ipadb_audit_as_req(krb5_context kcontext,
+                         krb5_kdc_req *request,
+-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
++#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
+                         const krb5_address *local_addr,
+                         const krb5_address *remote_addr,
+ #endif
+