diff --git a/freeipa.spec b/freeipa.spec
index c3b07ef..ef21965 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -76,11 +76,12 @@
 %global package_name freeipa
 %global alt_name ipa
 # Fix for CVE-2018-20217
-%global krb5_version 1.17-17
-%global krb5_kdb_version 7.0
+%global krb5_version 1.18
+%global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
+# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
 %global samba_version 2:4.12
 # SELinux context for /etc/named directory, RHBZ#1759495
 %global selinux_policy_version 3.14.3-52
@@ -142,7 +143,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -153,6 +154,7 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
 # https://github.com/freeipa/freeipa/pull/4045
 # Fix bugs in the overlapping DNS zone check
 Patch0:         4045.patch
+Patch1:         krb5-1.18-support.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -1359,6 +1361,9 @@ fi
 
 
 %changelog
+* Tue Jan 28 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-4
+- Rebuild against krb5 1.18 beta
+
 * Sun Jan 26 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-3
 - Rebuild against Samba 4.12RC1
 
diff --git a/krb5-1.18-support.patch b/krb5-1.18-support.patch
new file mode 100644
index 0000000..1d921cc
--- /dev/null
+++ b/krb5-1.18-support.patch
@@ -0,0 +1,409 @@
+From b750e3f153ef97144ea6696672000f70da8d9bf1 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 9 Jan 2020 16:44:15 -0500
+Subject: [PATCH 1/3] [KDB] Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
+
+In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
+krb5 removed this flag, and always accepts aliases.
+
+Related-to: https://pagure.io/freeipa/issue/7879
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_certauth.c   | 21 +++++++-------
+ daemons/ipa-kdb/ipa_kdb_kdcpolicy.c  | 11 +++++--
+ daemons/ipa-kdb/ipa_kdb_principals.c | 43 ++++++++++++++++------------
+ 3 files changed, 43 insertions(+), 32 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
+index 47911aa3d..bc6b26578 100644
+--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
++++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
+@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
+                                               const krb5_db_entry *db_entry,
+                                               char ***authinds_out)
+ {
+-    char *cert_filter = NULL;
+-    char **domains = NULL;
+-    int ret;
++    char *cert_filter = NULL, **domains = NULL;
++    int ret, flags = 0;
+     size_t c;
+-    char *principal = NULL;
+-    char **auth_inds = NULL;
++    char *principal = NULL, **auth_inds = NULL;
+     LDAPMessage *res = NULL;
+     krb5_error_code kerr;
+     LDAPMessage *lentry;
+ 
++#ifdef KRB5_KDB_FLAG_ALIAS_OK
++    flags = KRB5_KDB_FLAG_ALIAS_OK;
++#endif
++
+     if (moddata == NULL) {
+         return KRB5_PLUGIN_NO_HANDLE;
+     }
+@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
+         }
+     }
+ 
+-    kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
+-                                                    KRB5_KDB_FLAG_ALIAS_OK,
+-                                                    principal,
+-                                                    cert_filter,
++    kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
++                                                    principal, cert_filter,
+                                                     &res);
+     if (kerr != 0) {
+         krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
+@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
+         goto done;
+     }
+ 
+-    kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
+-                                &principal, &lentry);
++    kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
+     if (kerr == KRB5_KDB_NOENTRY) {
+         krb5_klog_syslog(LOG_INFO, "No matching entry found");
+         ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+index 9467b1ba1..8d2ad66f7 100644
+--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
+     enum ipadb_user_auth ua;
+     struct ipadb_e_data *ied;
+     struct ipadb_e_pol_limits *pol_limits = NULL;
+-    int valid_auth_indicators = 0;
++    int valid_auth_indicators = 0, flags = 0;
+     krb5_db_entry *client_actual = NULL;
+ 
++#ifdef KRB5_KDB_FLAG_ALIAS_OK
++    flags = KRB5_KDB_FLAG_ALIAS_OK;
++#endif
++
++
+     *status = NULL;
+     *lifetime_out = 0;
+     *renew_lifetime_out = 0;
+@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
+     if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
+         /* e-data is not availble, getting user auth from LDAP */
+         krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
+-        kerr = ipadb_get_principal(context, request->client,
+-                                   KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
++        kerr = ipadb_get_principal(context, request->client, flags,
++                                   &client_actual);
+         if (kerr != 0) {
+             krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
+             return kerr;
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 47e44f090..da0b841a1 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+                                          LDAPMessage **result)
+ {
+     krb5_error_code kerr;
+-    char *src_filter = NULL;
+-    char *esc_original_princ = NULL;
++    char *src_filter = NULL, *esc_original_princ = NULL;
+     int ret;
+ 
+     if (!ipactx->lcontext) {
+@@ -976,28 +975,33 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+         }
+     }
+ 
+-    /* escape filter but do not touch '*' as this function accepts
+-     * wildcards in names */
++    /* Escape filter but do not touch '*' as this function accepts
++     * wildcards in names. */
+     esc_original_princ = ipadb_filter_escape(principal, false);
+     if (!esc_original_princ) {
+         kerr = KRB5_KDB_INTERNAL_ERROR;
+         goto done;
+     }
+ 
+-    if (filter == NULL) {
+-        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
++    /* Starting in DAL 8.0, aliases are always okay. */
++#ifdef KRB5_KDB_FLAG_ALIAS_OK
++    if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
++        if (filter == NULL) {
++            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
++                           esc_original_princ);
++        } else {
++            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
++                           esc_original_princ, filter);
++        }
++    } else
++#endif
++    {
++        if (filter == NULL) {
+             ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+                            esc_original_princ, esc_original_princ);
+         } else {
+-            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+-        }
+-    } else {
+-        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+             ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+                            esc_original_princ, esc_original_princ, filter);
+-        } else {
+-            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+-                           esc_original_princ, filter);
+         }
+     }
+ 
+@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+         goto done;
+     }
+ 
+-    kerr = ipadb_simple_search(ipactx,
+-                               ipactx->base, LDAP_SCOPE_SUBTREE,
+-                               src_filter, std_principal_attrs,
+-                               result);
+-
++    kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
++                               src_filter, std_principal_attrs, result);
+ done:
+     free(src_filter);
+     free(esc_original_princ);
+@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
+         /* We need to check for a strict match as a '*' in the name may have
+          * caused the ldap server to return multiple entries. */
+         for (int i = 0; vals[i]; i++) {
++#ifdef KRB5_KDB_FLAG_ALIAS_OK
+             if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
+                 found = strcmp(vals[i]->bv_val, *principal) == 0;
+                 if (found)
+@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ 
+                 continue;
+             }
++#endif
+ 
+             /* The KDC will accept aliases when doing TGT lookup
+              * (ref_tgt_again in do_tgs_req.c), so use case-insensitive
+@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
+         if (vals == NULL)
+             break;
+ 
++#ifdef KRB5_KDB_FLAG_ALIAS_OK
+         /* If aliases aren't accepted by the KDC, use case-sensitive
+          * comparison. */
+         if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
+@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
+                 continue;
+             }
+         }
++#endif
+ 
+         free(*principal);
+         *principal = strdup(vals[0]->bv_val);
+@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
+         goto done;
+     }
+ 
++#ifdef KRB5_KDB_FLAG_ALIAS_OK
+     flags = KRB5_KDB_FLAG_ALIAS_OK;
++#endif
+     kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
+     if (kerr != 0) {
+         goto done;
+-- 
+2.24.1
+
+
+From 0dfebd690dc79db8f4fdcd663508e5d7e095eb20 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 9 Jan 2020 17:02:44 -0500
+Subject: [PATCH 2/3] [KDB] Support DAL version 8.0
+
+Provide stubs for backward compatibility.  DAL 8.0 was released with
+krb5-1.18.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb.c | 61 ++++++++++++++++++++++++++++++++++++++-
+ freeipa.spec.in           |  2 +-
+ 2 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 612857b38..9a5c29b13 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -751,8 +751,67 @@ kdb_vftabl kdb_function_table = {
+ };
+ #endif
+ 
++#if (KRB5_KDB_DAL_MAJOR_VERSION == 8)
++/* Version 8 adds several arguments here.  However, if we want to actually use
++ * them in mspac, we really ought to drop support for older DAL versions. */
++static inline krb5_error_code
++stub_sign_authdata(krb5_context context, unsigned int flags,
++                   krb5_const_principal client_princ,
++                   krb5_const_principal server_princ, krb5_db_entry *client,
++                   krb5_db_entry *server, krb5_db_entry *header_server,
++                   krb5_db_entry *local_tgt, krb5_keyblock *client_key,
++                   krb5_keyblock *server_key, krb5_keyblock *header_key,
++                   krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
++                   krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
++                   void *ad_info, krb5_data ***auth_indicators,
++                   krb5_authdata ***signed_auth_data)
++{
++    krb5_db_entry *krbtgt = header_server ? header_server : server;
++    krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
++
++    return ipadb_sign_authdata(context, flags, client_princ, client, server,
++                               krbtgt, client_key, server_key, krbtgt_key,
++                               session_key, authtime, tgt_auth_data,
++                               signed_auth_data);
++}
++
++kdb_vftabl kdb_function_table = {
++    .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
++    .min_ver = 0,
++    .init_library = ipadb_init_library,
++    .fini_library = ipadb_fini_library,
++    .init_module = ipadb_init_module,
++    .fini_module = ipadb_fini_module,
++    .create = ipadb_create,
++    .get_age = ipadb_get_age,
++    .get_principal = ipadb_get_principal,
++    .put_principal = ipadb_put_principal,
++    .delete_principal = ipadb_delete_principal,
++    .iterate = ipadb_iterate,
++    .create_policy = ipadb_create_pwd_policy,
++    .get_policy = ipadb_get_pwd_policy,
++    .put_policy = ipadb_put_pwd_policy,
++    .iter_policy = ipadb_iterate_pwd_policy,
++    .delete_policy = ipadb_delete_pwd_policy,
++    .fetch_master_key = ipadb_fetch_master_key,
++    .store_master_key_list = ipadb_store_master_key_list,
++    .change_pwd = ipadb_change_pwd,
++    .sign_authdata = stub_sign_authdata,
++    .check_transited_realms = ipadb_check_transited_realms,
++    .check_policy_as = ipadb_check_policy_as,
++    .audit_as_req = ipadb_audit_as_req,
++    .check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
++    .free_principal_e_data = ipadb_free_principal_e_data,
++    .get_s4u_x509_principal = NULL,
++    .allowed_to_delegate_from = NULL,
++    .get_authdata_info = NULL,
++    .free_authdata_info = NULL,
++};
++#endif
++
+ #if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
+     (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
+-    (KRB5_KDB_DAL_MAJOR_VERSION != 7)
++    (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
++    (KRB5_KDB_DAL_MAJOR_VERSION != 8)
+ #error unsupported DAL major version
+ #endif
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 502ac2499..7617c935a 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -61,7 +61,7 @@
+ %global alt_name ipa
+ # Fix for CVE-2018-20217
+ %global krb5_version 1.16.1-24
+-%global krb5_kdb_version 7.0
++%global krb5_kdb_version 8.0
+ # 0.7.16: https://github.com/drkjam/netaddr/issues/71
+ %global python_netaddr_version 0.7.16
+ # Require 4.7.0 which brings Python 3 bindings
+-- 
+2.24.1
+
+
+From fb48a25c43c2110c27d36f09ac533403738328e2 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 9 Jan 2020 17:08:07 -0500
+Subject: [PATCH 3/3] [KDB] Drop support for DAL version 5.0
+
+No supported Linux distro packages a version of krb5 with this DAL, so
+we don't lose anything by removing it.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb.c | 49 +--------------------------------------
+ 1 file changed, 1 insertion(+), 48 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 9a5c29b13..3982c131b 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -635,57 +635,11 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
+     return 0;
+ }
+ 
+-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
+-static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
+-{
+-    return realloc(ptr, size);
+-}
+-
+-static void ipadb_free(krb5_context context, void *ptr)
+-{
+-    free(ptr);
+-}
+-#endif
+-
+ /* KDB Virtual Table */
+ 
+ /* We explicitly want to keep different ABI tables below separate. */
+ /* Do not merge them together. Older ABI does not need to be updated */
+ 
+-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
+-kdb_vftabl kdb_function_table = {
+-    .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+-    .min_ver = 0,
+-    .init_library = ipadb_init_library,
+-    .fini_library = ipadb_fini_library,
+-    .init_module = ipadb_init_module,
+-    .fini_module = ipadb_fini_module,
+-    .create = ipadb_create,
+-    .get_age = ipadb_get_age,
+-    .get_principal = ipadb_get_principal,
+-    .free_principal = ipadb_free_principal,
+-    .put_principal = ipadb_put_principal,
+-    .delete_principal = ipadb_delete_principal,
+-    .iterate = ipadb_iterate,
+-    .create_policy = ipadb_create_pwd_policy,
+-    .get_policy = ipadb_get_pwd_policy,
+-    .put_policy = ipadb_put_pwd_policy,
+-    .iter_policy = ipadb_iterate_pwd_policy,
+-    .delete_policy = ipadb_delete_pwd_policy,
+-    .free_policy = ipadb_free_pwd_policy,
+-    .alloc = ipadb_alloc,
+-    .free = ipadb_free,
+-    .fetch_master_key = ipadb_fetch_master_key,
+-    .store_master_key_list = ipadb_store_master_key_list,
+-    .change_pwd = ipadb_change_pwd,
+-    .sign_authdata = ipadb_sign_authdata,
+-    .check_transited_realms = ipadb_check_transited_realms,
+-    .check_policy_as = ipadb_check_policy_as,
+-    .audit_as_req = ipadb_audit_as_req,
+-    .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
+-};
+-#endif
+-
+ #if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+ kdb_vftabl kdb_function_table = {
+     .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+@@ -809,8 +763,7 @@ kdb_vftabl kdb_function_table = {
+ };
+ #endif
+ 
+-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
+-    (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
++#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
+     (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
+     (KRB5_KDB_DAL_MAJOR_VERSION != 8)
+ #error unsupported DAL major version
+-- 
+2.24.1
+