diff --git a/.gitignore b/.gitignore
index daedcd2..171cd00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -74,3 +74,5 @@
 /freeipa-4.7.2.tar.gz.asc
 /freeipa-4.7.90.pre1.tar.gz
 /freeipa-4.7.90.pre1.tar.gz.asc
+/freeipa-4.8.0.tar.gz
+/freeipa-4.8.0.tar.gz.asc
diff --git a/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch b/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
deleted file mode 100644
index 5d479d6..0000000
--- a/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Wed, 1 May 2019 16:19:53 -0700
-Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
-
-On Fedora/RHEL, it does not have a dash in it. The changes in
-da2cf1c5 inadvertently added a dash to the path in the 'base'
-paths definition (used on Fedora/RHEL), so the font wasn't found.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- ipaplatform/base/paths.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 1cd2591bc..e1d396690 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -249,7 +249,7 @@ class BasePathNamespace:
-     USERADD = "/usr/sbin/useradd"
-     FONTS_DIR = "/usr/share/fonts"
-     FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
--    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
-+    FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
-     USR_SHARE_IPA_DIR = "/usr/share/ipa/"
-     USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
-     CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
--- 
-2.21.0
-
diff --git a/0001-revert-minssf-defaults.patch b/0001-revert-minssf-defaults.patch
deleted file mode 100644
index 777c13e..0000000
--- a/0001-revert-minssf-defaults.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 1 May 2019 21:25:31 +0300
-Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
-
-This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
----
- install/share/Makefile.am       |  1 -
- install/share/min-ssf.ldif      | 14 --------------
- ipalib/constants.py             |  3 ---
- ipapython/ipaldap.py            | 17 ++---------------
- ipaserver/install/dsinstance.py |  5 -----
- 5 files changed, 2 insertions(+), 38 deletions(-)
- delete mode 100644 install/share/min-ssf.ldif
-
-diff --git a/install/share/Makefile.am b/install/share/Makefile.am
-index be83bdf75..8d039d95c 100644
---- a/install/share/Makefile.am
-+++ b/install/share/Makefile.am
-@@ -94,7 +94,6 @@ dist_app_DATA =				\
- 	ipa-kdc-proxy.conf.template	\
- 	ipa-pki-proxy.conf.template	\
- 	ipa-rewrite.conf.template	\
--	min-ssf.ldif			\
- 	ipaca_default.ini		\
- 	ipaca_customize.ini		\
- 	ipaca_softhsm2.ini		\
-diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
-deleted file mode 100644
-index 1c2566f84..000000000
---- a/install/share/min-ssf.ldif
-+++ /dev/null
-@@ -1,14 +0,0 @@
--# config
--# pretend SSF for LDAPI connections
--# nsslapd-localssf must be equal to or greater than nsslapd-minssf
--dn: cn=config
--changetype: modify
--replace: nsslapd-localssf
--nsslapd-localssf: 256
--
--# minimum security strength factor for SASL and TLS
--# 56 is considered weak, but some old clients announce wrong SSF.
--dn: cn=config
--changetype: modify
--replace: nsslapd-minssf
--nsslapd-minssf: 56
-diff --git a/ipalib/constants.py b/ipalib/constants.py
-index bcf6f3373..c22dd26ae 100644
---- a/ipalib/constants.py
-+++ b/ipalib/constants.py
-@@ -311,9 +311,6 @@ TLS_VERSIONS = [
- ]
- TLS_VERSION_MINIMAL = "tls1.0"
- 
--# minimum SASL secure strength factor for LDAP connections
--# 56 provides backwards compatibility with old libraries.
--LDAP_SSF_MIN_THRESHOLD = 56
- 
- # Use cache path
- USER_CACHE_PATH = (
-diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
-index d9d67be1d..9ff443fe4 100644
---- a/ipapython/ipaldap.py
-+++ b/ipapython/ipaldap.py
-@@ -43,9 +43,7 @@ import six
- 
- # pylint: disable=ipa-forbidden-import
- from ipalib import errors, x509, _
--from ipalib.constants import (
--    LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
--)
-+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
- # pylint: enable=ipa-forbidden-import
- from ipaplatform.paths import paths
- from ipapython.ipautil import format_netloc, CIDict
-@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
-     return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
- 
- 
--def ldap_initialize(uri, cacertfile=None,
--                    ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
-+def ldap_initialize(uri, cacertfile=None):
-     """Wrapper around ldap.initialize()
- 
-     The function undoes global and local ldap.conf settings that may cause
-@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
-       locations, also known as system-wide trust store.
-     * Cert validation is enforced.
-     * SSLv2 and SSLv3 are disabled.
--    * Require a minimum SASL security factor of 56. That level ensures
--      data integrity and confidentiality. Although at least AES128 is
--      enforced pretty much everywhere, 56 is required for backwards
--      compatibility with systems that announce wrong SSF.
-     """
-     conn = ldap.initialize(uri)
- 
-@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
-     conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
- 
-     if not uri.startswith('ldapi://'):
--        # require a minimum SSF for TCP connections, but don't lower SSF_MIN
--        # if the current value is already larger.
--        cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
--        if cur_min_ssf < ssf_min_threshold:
--            conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
--
-         if cacertfile:
-             if not os.path.isfile(cacertfile):
-                 raise IOError(errno.ENOENT, cacertfile)
-diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
-index 8240e3043..9f05db1db 100644
---- a/ipaserver/install/dsinstance.py
-+++ b/ipaserver/install/dsinstance.py
-@@ -324,8 +324,6 @@ class DsInstance(service.Service):
-         else:
-             self.step("importing CA certificates from LDAP",
-                       self.__import_ca_certs)
--        # set min SSF after DS is configured for TLS
--        self.step("require minimal SSF", self.__min_ssf)
-         self.step("restarting directory server", self.__restart_instance)
- 
-         self.start_creation()
-@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
-             dm_password=self.dm_password
-         )
- 
--    def __min_ssf(self):
--        self._ldap_mod("min-ssf.ldif")
--
-     def __add_sudo_binduser(self):
-         self._ldap_mod("sudobind.ldif", self.sub_dict)
- 
--- 
-2.21.0
-
diff --git a/0002-upgrade-adtrust-when-no-trusts.patch b/0002-upgrade-adtrust-when-no-trusts.patch
deleted file mode 100644
index b98c49f..0000000
--- a/0002-upgrade-adtrust-when-no-trusts.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sat, 11 May 2019 11:54:40 +0300
-Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
- trusts
-
-Upgrade failure when ipa-server-upgrade is being run on a system with no
-trust established but trust configured
-
-Fixes: https://pagure.io/freeipa/issue/7939
----
- ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index 6b4e2caa2..cdc3a8b04 100644
---- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
- 
-         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
- 
--        trusts = ldap.get_entries(
--            base_dn=trusts_dn,
--            scope=ldap.SCOPE_ONELEVEL,
--            filter=self.trust_filter,
--            attrs_list=self.trust_attrs)
-+        # We might be in a situation when no trusts exist yet
-+        # In such case there is nothing to upgrade but we have to catch
-+        # an exception or it will abort the whole upgrade process
-+        try:
-+            trusts = ldap.get_entries(
-+                base_dn=trusts_dn,
-+                scope=ldap.SCOPE_ONELEVEL,
-+                filter=self.trust_filter,
-+                attrs_list=self.trust_attrs)
-+        except errors.EmptyResult:
-+            trusts = []
- 
-         # For every trust, retrieve its principals and convert
-         for t_entry in trusts:
--- 
-2.21.0
-
diff --git a/freeipa.spec b/freeipa.spec
index 80dbb1e..ad7cdf3 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -101,7 +101,7 @@
 # 10.6.7 fixes UpdateNumberRange clone installation issue
 # https://pagure.io/freeipa/issue/7654 and empty token issue
 # and https://pagure.io/dogtagpki/issue/3073
-%global pki_version 10.6.8-3
+%global pki_version 10.7.0-1
 
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1
@@ -114,7 +114,7 @@
 %global nss_version 3.41.0-1
 %endif
 
-%global sssd_version 2.1.0-2
+%global sssd_version 2.2.0-1
 
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
 
@@ -126,7 +126,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.7.90.pre1
+%define IPA_VERSION 4.8.0
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@@ -135,18 +135,13 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
-Patch0001:      0001-revert-minssf-defaults.patch
-# https://github.com/freeipa/freeipa/pull/3104
-# Fix an error in the path the webUI uses for fontawesome
-Patch0002:      0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
-Patch0003:      0002-upgrade-adtrust-when-no-trusts.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -535,6 +530,23 @@ If your network uses IPA for authentication, this package should be
 installed on every client machine.
 This package provides command-line tools for IPA administrators.
 
+%package client-samba
+Summary: Tools to configure Samba on IPA client
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+Requires: python3-samba
+Requires: samba-client
+Requires: samba-winbind
+Requires: samba-common-tools
+Requires: samba
+Requires: sssd-winbind-idmap
+Requires: tdb-tools
+Requires: cifs-utils
+
+%description client-samba
+This package provides command-line tools to deploy Samba domain member
+on the machine enrolled into a FreeIPA environment
+
 %package -n python3-ipaclient
 Summary: Python libraries used by IPA client
 BuildArch: noarch
@@ -1014,6 +1026,7 @@ fi
 %{_sbindir}/ipa-winsync-migrate
 %{_sbindir}/ipa-pkinit-manage
 %{_sbindir}/ipa-crlgen-manage
+%{_sbindir}/ipa-cert-fix
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
@@ -1078,6 +1091,7 @@ fi
 %{_mandir}/man1/ipa-winsync-migrate.1*
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
+%{_mandir}/man1/ipa-cert-fix.1*
 
 
 %files -n python3-ipaserver
@@ -1211,6 +1225,7 @@ fi
 %{_sbindir}/ipa-join
 %{_bindir}/ipa
 %config %{_sysconfdir}/bash_completion.d
+%config %{_sysconfdir}/sysconfig/certmonger
 %{_mandir}/man1/ipa.1*
 %{_mandir}/man1/ipa-getkeytab.1*
 %{_mandir}/man1/ipa-rmkeytab.1*
@@ -1219,6 +1234,12 @@ fi
 %{_mandir}/man1/ipa-certupdate.1*
 %{_mandir}/man1/ipa-join.1*
 
+%files client-samba
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-client-samba
+%{_mandir}/man1/ipa-client-samba.1*
+
 %files -n python3-ipaclient
 %doc README.md Contributors.txt
 %license COPYING
@@ -1312,6 +1333,10 @@ fi
 
 
 %changelog
+* Wed Jul 03 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-1
+- New upstream release 4.8.0
+- New subpackage: freeipa-client-samba
+
 * Sat May 11 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-6
 - Upgrade: handle situation when trusts were configured but not established yet
   Fixed: rhbz#1708808
diff --git a/sources b/sources
index 1f78d2f..05bd694 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,2 @@
-SHA512 (freeipa-4.7.2.tar.gz) = 11d805fe0c085b285bace571912c3b541fc5aa9207c87ec31e22ac5fcfd2fa410e9a7ce4aafc88821e57c0be99a38d98d0c824e46bc85d968b4937f8599d9d5f
-SHA512 (freeipa-4.7.2.tar.gz.asc) = ab4215555eb6458ccefc0038976d39ed3f708eaa6bc7fe7eea3e72af285665501da6275c881897584d178f4a1ea290d23051a1591f1b14b30691fea1cc05b641
-SHA512 (freeipa-4.7.90.pre1.tar.gz) = 97c61d24f37b72aca838e6b67756af106329d8a933e6c8f7eaff362aae7943463b0efa5a6f99874513e95621666fc0a9adf58b44d5fa0be9b10e64c8ce2d9235
-SHA512 (freeipa-4.7.90.pre1.tar.gz.asc) = 0109dfa2846fbac79c7ef8b7427ce96d3d1a1aac8998d66616194fe30501e342bf6c1f251d460ddd4fd9d3f7d8ab100358adbd26c7bfc69e393a1a1c3ef1c016
+SHA512 (freeipa-4.8.0.tar.gz) = f1c0831d97adee4f951972b7a6096ba4458704514ac1ead4e6ed0072524ac320750d690315c0b8d3a51b2f51d66dea81cf224ce417bd5d2eeb65ffe0c45c9229
+SHA512 (freeipa-4.8.0.tar.gz.asc) = 8d8b3de2ea0eab4a2ce1a063b686927cb1e95b60d5da7c945633edc79252c113c2b44e98299be34efd32526c421335f4344b1a20b6483011c1319d4284af2934