diff --git a/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch b/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
new file mode 100644
index 0000000..8a6db38
--- /dev/null
+++ b/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
@@ -0,0 +1,33 @@
+From f2acf0d67bab3f3797c387705f93c3a3d0164134 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:19:45 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: if search of a closest GC failed, try to
+ find any GC
+
+https://fedorahosted.org/freeipa/ticket/4458
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index f1c75089b875787debcee22316a4898b424d923f..b11476a262ccce4315131b9ffbd93b625de940e7 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -588,7 +588,11 @@ class DomainValidator(object):
+         try:
+             result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC | nbt.NBT_SERVER_CLOSEST)
+         except RuntimeError, e:
+-            finddc_error = e
++            try:
++                # If search of closest GC failed, attempt to find any one
++                result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC)
++            except RuntimeError, e:
++                finddc_error = e
+ 
+         if not self._domains:
+             self._domains = self.get_trusted_domains()
+-- 
+1.9.3
+
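Review bot: The error from the first `finddc` call (the `NBT_SERVER_CLOSEST` search) is dropped without a trace in the new nested `try`. If the fallback succeeds, nothing records that the closest-GC lookup failed; if it also fails, only the second exception reaches `finddc_error`. A debug line before the retry would keep that signal for operators diagnosing site or DNS misconfiguration, e.g. `root_logger.debug('closest GC lookup failed for %s: %s', domain, e)`, assuming `root_logger` is in scope in this module as its use in patch 0071 suggests. Both handlers bind the same name `e`, so renaming the inner one would make it clear which error is reported. The enclosing method starts and ends outside the hunk.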
diff --git a/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch b/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
new file mode 100644
index 0000000..a1ba8b9
--- /dev/null
+++ b/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
@@ -0,0 +1,80 @@
+From 41b252a5b47f57919bf98c41947d5927ed0d5aaf Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:21:21 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: make PDC discovery more robust
+
+Certain operations against AD domain controller can only be done if its
+FSMO role is primary domain controller. We need to use writable DC and
+PDC when creating trust and updating name suffix routing information.
+
+https://fedorahosted.org/freeipa/ticket/4479
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index b11476a262ccce4315131b9ffbd93b625de940e7..78bfc5dbefc778519c5db0ac12d6551710257ba9 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -706,16 +706,19 @@ class TrustDomainInstance(object):
+         binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
+         return [binding_template(t, remote_host, o) for t in transports for o in options]
+ 
+-    def retrieve_anonymously(self, remote_host, discover_srv=False):
++    def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False):
+         """
+         When retrieving DC information anonymously, we can't get SID of the domain
+         """
+         netrc = net.Net(creds=self.creds, lp=self.parm)
++        flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE
++        if search_pdc:
++            flags = flags | nbt.NBT_SERVER_PDC
+         try:
+             if discover_srv:
+-                result = netrc.finddc(domain=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
++                result = netrc.finddc(domain=remote_host, flags=flags)
+             else:
+-                result = netrc.finddc(address=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
++                result = netrc.finddc(address=remote_host, flags=flags)
+         except RuntimeError, e:
+             raise assess_dcerpc_exception(message=str(e))
+ 
+@@ -726,6 +729,7 @@ class TrustDomainInstance(object):
+         self.info['dns_forest'] = unicode(result.forest)
+         self.info['guid'] = unicode(result.domain_uuid)
+         self.info['dc'] = unicode(result.pdc_dns_name)
++        self.info['is_pdc'] = (result.server_type & nbt.NBT_SERVER_PDC) != 0
+ 
+         # Netlogon response doesn't contain SID of the domain.
+         # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID
+@@ -774,6 +778,13 @@ class TrustDomainInstance(object):
+         self.info['sid'] = unicode(result.sid)
+         self.info['dc'] = remote_host
+ 
++        try:
++            result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE)
++        except RuntimeError, (num, message):
++            raise assess_dcerpc_exception(num=num, message=message)
++
++        self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY)
++
+     def generate_auth(self, trustdom_secret):
+         def arcfour_encrypt(key, data):
+             c = RC4.RC4(key)
+@@ -1069,9 +1080,9 @@ class TrustDomainJoins(object):
+         rd.creds.set_anonymous()
+         rd.creds.set_workstation(self.local_domain.hostname)
+         if realm_server is None:
+-            rd.retrieve_anonymously(realm, discover_srv=True)
++            rd.retrieve_anonymously(realm, discover_srv=True, search_pdc=True)
+         else:
+-            rd.retrieve_anonymously(realm_server, discover_srv=False)
++            rd.retrieve_anonymously(realm_server, discover_srv=False, search_pdc=True)
+         rd.read_only = True
+         if realm_admin and realm_passwd:
+             if 'name' in rd.info:
+-- 
+1.9.3
+
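Review bot: In `retrieve_anonymously` the new `flags` value always includes `nbt.NBT_SERVER_WRITABLE`, so callers that leave `search_pdc=False` also get a stricter DC search than before. If only trust creation needs a writable DC, that bit belongs under `if search_pdc:` next to `NBT_SERVER_PDC`; otherwise the docstring should say so. The docstring also does not mention the new `search_pdc` parameter or the `is_pdc` key now stored in `self.info`. `is_pdc` is set here from a discovery reply obtained without authentication, and again from `QueryInfoPolicy2` in the later hunk, so a comment such as `# taken from the anonymous discovery reply; treat as a hint` would help anyone who later gates behaviour on it. Both methods continue outside the hunks.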
diff --git a/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch b/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
new file mode 100644
index 0000000..595950a
--- /dev/null
+++ b/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
@@ -0,0 +1,29 @@
+From 027f61099c63c91aaac95a6c2b9d9a75e7b1f83e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:23:58 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: be more open to what domains can be seen
+ through the forest trust
+
+https://fedorahosted.org/freeipa/ticket/4463
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 78bfc5dbefc778519c5db0ac12d6551710257ba9..fcf1e4e775868f17220cac3c0203cc67dba2f839 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1031,7 +1031,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
+ 
+     result = []
+     for t in domains.array:
+-        if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
++        if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
+             (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
+             res = dict()
+             res['cn'] = unicode(t.dns_name)
+-- 
+1.9.3
+
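Review bot: The rewritten condition in `fetch_domains` has no comment saying why `NETR_TRUST_ATTRIBUTE_WITHIN_FOREST` is no longer required or why entries flagged `NETR_TRUST_FLAG_PRIMARY` are skipped, and the commit message gives only a ticket link. This filter decides which domains reported by the remote side are accepted as part of the trusted forest, so the intent should sit next to it, for example `# skip the primary domain of the queried DC; keep every other in-forest domain`. `fetch_domains` starts and ends outside the hunk.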
diff --git a/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch b/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
new file mode 100644
index 0000000..29ca7e5
--- /dev/null
+++ b/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
@@ -0,0 +1,67 @@
+From 079fdf41592559de96465080e81aa91252c01a3d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:24:27 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: Make sure trust is established only to
+ forest root domain
+
+Part of https://fedorahosted.org/freeipa/ticket/4463
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipalib/errors.py    | 16 ++++++++++++++++
+ ipaserver/dcerpc.py |  6 ++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/ipalib/errors.py b/ipalib/errors.py
+index 716decb2b41baf5470a1dc23c0cfb5d1c995e5ff..405c5c3bfc25d9b024189be9fcf582052dd10dd3 100644
+--- a/ipalib/errors.py
++++ b/ipalib/errors.py
+@@ -810,6 +810,22 @@ class DeprecationError(InvocationError):
+     errno = 3015
+     format = _("Command '%(name)s' has been deprecated")
+ 
++class NotAForestRootError(InvocationError):
++    """
++    **3016** Raised when an attempt to establish trust is done against non-root domain
++             Forest root domain has the same name as the forest itself
++
++    For example:
++
++    >>> raise NotAForestRootError(forest='example.test', domain='jointops.test')
++    Traceback (most recent call last):
++      ...
++    NotAForestRootError: Domain 'jointops.test' is not a root domain for forest 'example.test'
++    """
++
++    errno = 3016
++    format = _("Domain '%(domain)s' is not a root domain for forest '%(forest)s'")
++
+ 
+ ##############################################################################
+ # 4000 - 4999: Execution errors
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index fcf1e4e775868f17220cac3c0203cc67dba2f839..41f373df3cc4365727200f3ca4667faac2f9e19c 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1143,6 +1143,9 @@ class TrustDomainJoins(object):
+                 realm_passwd
+             )
+ 
++        if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
++            raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
++
+         if not self.remote_domain.read_only:
+             trustdom_pass = samba.generate_random_password(128, 128)
+             self.get_realmdomains()
+@@ -1159,5 +1162,8 @@ class TrustDomainJoins(object):
+         if not(isinstance(self.remote_domain, TrustDomainInstance)):
+             self.populate_remote_domain(realm, realm_server, realm_passwd=None)
+ 
++        if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
++            raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
++
+         self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
+         return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
+-- 
+1.9.3
+
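Review bot: The forest-root check compares `info['dns_domain']` and `info['dns_forest']` with a plain `!=`, which is case-sensitive although DNS names are not. If the values returned by the DC ever differ only in case or by a trailing dot, a real forest root would be rejected with `NotAForestRootError`. Comparing normalised values, e.g. `if self.remote_domain.info['dns_domain'].lower() != self.remote_domain.info['dns_forest'].lower():`, avoids that, and it applies to both places in `ipaserver/dcerpc.py` where the check is added. The two copies are identical, so a small private helper on `TrustDomainJoins` would keep them from drifting apart. Both enclosing methods begin outside the hunks.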
diff --git a/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch b/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
new file mode 100644
index 0000000..565c6ec
--- /dev/null
+++ b/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
@@ -0,0 +1,54 @@
+From ba2a63da8bada8af988d8fb8931c0cdba2c7ceee Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:22:54 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: Avoid hitting issue with transitive
+ trusts on Windows Server prior to 2012
+
+http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 41f373df3cc4365727200f3ca4667faac2f9e19c..e779a12bae52ec8dac52e4a43854a8a3c601a043 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -900,7 +900,7 @@ class TrustDomainInstance(object):
+         info.sid = security.dom_sid(another_domain.info['sid'])
+         info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
+         info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
+-        info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
++        info.trust_attributes = 0
+ 
+         try:
+             dname = lsa.String()
+@@ -917,8 +917,6 @@ class TrustDomainInstance(object):
+         except RuntimeError, (num, message):
+             raise assess_dcerpc_exception(num=num, message=message)
+ 
+-        self.update_ftinfo(another_domain)
+-
+         # We should use proper trustdom handle in order to modify the
+         # trust settings. Samba insists this has to be done with LSA
+         # OpenTrustedDomain* calls, it is not enough to have a handle
+@@ -937,6 +935,15 @@ class TrustDomainInstance(object):
+             # server as that one doesn't support AES encryption types
+             pass
+ 
++        try:
++            info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
++            self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info)
++        except RuntimeError, e:
++            root_logger.error('unable to set trust to transitive: %s' % (str(e)))
++            pass
++        if self.info['is_pdc']:
++            self.update_ftinfo(another_domain)
++
+     def verify_trust(self, another_domain):
+         def retrieve_netlogon_info_2(domain, function_code, data):
+             try:
+-- 
+1.9.3
+
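Review bot: When `SetInformationTrustedDomain` fails, the new `except RuntimeError` block only logs and the method carries on, so the trust keeps `trust_attributes = 0` and the caller is told nothing. A comment should state that this is deliberate for servers that reject the attribute (presumably the pre-2012 Windows Server case named in the commit title), and the `pass` after `root_logger.error(...)` is redundant. The same hunk indexes `self.info['is_pdc']` directly; if `self.info` was filled by a path that does not set that key, this raises `KeyError` after the trust object has already been created, so `if self.info.get('is_pdc', False):` is safer. Skipping `update_ftinfo` on a non-PDC is also silent and deserves a log line. The method body starts outside the hunk.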
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 33b4609..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -uNrp freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py freeipa-3.3.3/ipaserver/install/ntpinstance.py
---- freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py	2013-11-01 10:34:30.000000000 -0500
-+++ freeipa-3.3.3/ipaserver/install/ntpinstance.py	2014-06-26 07:27:19.644718099 -0500
-@@ -43,6 +43,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists("/etc/fedora-release"):
-             os = "fedora"
-+        elif ipautil.file_exists("/etc/centos-release"):
-+            os = "centos"
-         elif ipautil.file_exists("/etc/redhat-release"):
-             os = "rhel"
- 
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 6d5bc80..b732bd2 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -18,7 +18,7 @@
 
 Name:           ipa
 Version:        3.3.3
-Release:        28%{?dist}.1
+Release:        28%{?dist}.3
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -94,6 +94,11 @@ Patch0063:      0063-extdom-do-not-return-results-from-the-wrong-domain.patch
 Patch0064:      0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
 Patch0065:      0065-Make-ipa-client-automount-backwards-compatible.patch
 Patch0066:      0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
+Patch0067:      0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
+Patch0068:      0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
+Patch0069:      0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
+Patch0070:      0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
+Patch0071:      0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -102,7 +107,6 @@ Patch1004:      1004-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1005:      1005-Remove-pylint-from-build-process.patch
 Patch1006:      1006-Remove-i18test-from-build-process.patch
 Patch1007:      1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
-Patch1008:      ipa-centos-branding.patch
 
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.1
@@ -209,6 +213,9 @@ Requires: selinux-policy >= 3.12.1-65
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.47.7
 Requires: pki-ca >= 10.0.4
+%if 0%{?rhel}
+Requires: subscription-manager
+%endif
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns
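Review bot: The new `Requires: subscription-manager` under `%if 0%{?rhel}` is not mentioned in the `%changelog` entries added for 3.3.3-28.2 and 3.3.3-28.3, so the reason for the extra runtime dependency is not recorded anywhere visible in this commit. A changelog line or a spec comment above the `%if` saying what needs it would make the dependency auditable. Which subpackage this hunk belongs to is not visible here.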
@@ -844,8 +851,15 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
-* Tue Sep 02 2014 CentOS Sources <bugs@centos.org> - 3.3.3-28.el7.centos.1
-- Roll in CentOS Branding
+* Fri Sep 19 2014 Jan Cholasta <jcholast@redhat.com> - 3.3.3-28.3
+- Add one missing patch for #1144031
+
+* Fri Sep 19 2014 Jan Cholasta <jcholast@redhat.com> - 3.3.3-28.2
+- Implement a fallback for situation where no closest server available during
+  trust setup (#1143779)
+- trust-add should not be run with DCs without PDC role (#1144030)
+- Improve handling of forest trust domains when establishing a cross-forest
+  trust (#1144031)
 
 * Thu Aug 14 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28.1
 - Server installation fails using external signed certificates with