diff --git a/freeipa.spec b/freeipa.spec
index f552cd0..2a6434d 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -74,7 +74,7 @@
 %global package_name freeipa
 %global alt_name ipa
 # Fix for CVE-2018-20217
-%global krb5_version 1.17
+%global krb5_version 1.17-17
 %global krb5_kdb_version 7.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
@@ -304,6 +304,7 @@ Requires: nss >= %{nss_version}
 Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}
+Requires: krb5-kdb-version = %{krb5_kdb_version}
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
@@ -1312,7 +1313,7 @@ fi
 %changelog
 * Fri May  3 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-4
 - Rebuild to drop upper limit for Kerberos package
-  After krb5-server will provide krb5-kdb-version, we'll switch to it
+  Add krb5-kdb-server dependency provided by krb5-server >= 1.17-17
 
 * Wed May  1 2019 Adam Williamson <awilliam@redhat.com> - 4.7.90.pre1-3
 - Backport PR #3104 to fix a font path error