diff --git a/SOURCES/0063-Consider-configured-servers-as-valid.patch b/SOURCES/0063-Consider-configured-servers-as-valid.patch
new file mode 100644
index 0000000..71b417b
--- /dev/null
+++ b/SOURCES/0063-Consider-configured-servers-as-valid.patch
@@ -0,0 +1,107 @@
+From ad3022b24462cc7bc33f810c2d20b4b00006a14c Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 29 Apr 2019 11:12:30 +0200
+Subject: [PATCH] Consider configured servers as valid
+
+Under some conditions, ipa config-show and several other commands were
+failing with error message:
+
+  ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
+
+Amongst others the issue can be caused by a broken installation, when
+some services are left in state 'configuredServices'. The problem even
+block uninstallation or removal of replicas. Now configured servers are
+also consider valid providers for associated roles.
+
+A new test verifies that config-show works with hidden and configured HTTP
+service.
+
+Remark: The original intent of the sanity check is no longer clear to me. I
+think it was used to very that all services can be started by ipactl.
+Since ipactl starts hidden, configured, and enabled services, the new
+logic reflect the fact, too.
+
+Fixes: https://pagure.io/freeipa/issue/7929
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/servroles.py                     | 12 +++++---
+ ipatests/test_integration/test_commands.py | 33 ++++++++++++++++++++++
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
+index bf33923ded4ca6559fba504e1b447086e87d2083..756ce91a8164144978363f04f6abd8de18b93524 100644
+--- a/ipaserver/servroles.py
++++ b/ipaserver/servroles.py
+@@ -338,12 +338,16 @@ class ServerAttribute(LDAPBasedProperty):
+         ldap.update_entry(service_entry)
+ 
+     def _get_assoc_role_providers(self, api_instance):
+-        """
+-        get list of all servers on which the associated role is enabled
++        """get list of all servers on which the associated role is enabled
++
++        Consider a configured server as a valid provider for a
++        role, as all services are started.
+         """
+         return [
+-            r[u'server_server'] for r in self.associated_role.status(
+-                api_instance) if r[u'status'] == ENABLED]
++            r[u'server_server']
++            for r in self.associated_role.status(api_instance)
++            if r[u'status'] in {ENABLED,CONFIGURED}
++        ]
+ 
+     def _remove(self, api_instance, masters):
+         """
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index b2c0d5c710c9810cfd74216983f793808f4cf3c4..4237de4eea2981c52ecb664d132e6607cb2ac25d 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -6,6 +6,11 @@
+ from __future__ import absolute_import
+ 
+ from ipatests.test_integration.base import IntegrationTest
++from ipapython.dn import DN
++
++from ipaserver.masters import (
++    CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE
++)
+ 
+ 
+ class TestIPACommand(IntegrationTest):
+@@ -46,3 +51,31 @@ class TestIPACommand(IntegrationTest):
+         assert result.returncode == 0
+         assert "SELinux user map order: {}".format(
+             maporder) in result.stdout_text
++
++    def test_config_show_configured_services(self):
++        # https://pagure.io/freeipa/issue/7929
++        states = {CONFIGURED_SERVICE, ENABLED_SERVICE}
++        dn = DN(
++            ('cn', 'HTTP'), ('cn', self.master.hostname), ('cn', 'masters'),
++            ('cn', 'ipa'), ('cn', 'etc'),
++            self.master.domain.basedn  # pylint: disable=no-member
++        )
++
++        conn = self.master.ldap_connect()
++        entry = conn.get_entry(dn)  # pylint: disable=no-member
++
++        # original setting and all settings without state
++        orig_cfg = list(entry['ipaConfigString'])
++        other_cfg = [item for item in orig_cfg if item not in states]
++
++        try:
++            # test with configured
++            cfg = [CONFIGURED_SERVICE]
++            cfg.extend(other_cfg)
++            entry['ipaConfigString'] = cfg
++            conn.update_entry(entry)  # pylint: disable=no-member
++            self.master.run_command(['ipa', 'config-show'])
++        finally:
++            # reset
++            entry['ipaConfigString'] = orig_cfg
++            conn.update_entry(entry)  # pylint: disable=no-member
+-- 
+2.20.1
+
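Review bot: The embedded test_commands.py change imports `HIDDEN_SERVICE`, but `test_config_show_configured_services` never uses it, and the test only sets the configured state although the commit message says it covers hidden and configured services. Whether `ipaserver.masters` defines `HIDDEN_SERVICE` in this 4.6.4 tree is not visible here; if it does not, the import would fail for the whole test module, so I would reduce it to `from ipaserver.masters import CONFIGURED_SERVICE, ENABLED_SERVICE`. In the servroles.py change the docstring summary still says only "enabled" and the set literal lacks a space after the comma; I would write `"""Return servers on which the associated role is enabled or configured."""` and `if r[u'status'] in {ENABLED, CONFIGURED}`. Since this loosens the check behind errors such as 'PKINIT enabled server', a one-line comment stating that a partially installed master is deliberately accepted as a provider would help whoever audits this later.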
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index df4ee0b..85463af 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From e443dc9390ead872bfa0c7ae35323023f21cebc9 Mon Sep 17 00:00:00 2001
+From 230a9128ebe8e7a18b11e1b922e63b9e0acf9973 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
@@ -1023,5 +1023,5 @@ index 6037938330f13a30d0ccfbedcaac59c567bda0d6..b8a0c82d394edb8744de34394895b86f
  """) + _("""
  To enable the binddn run the following command to set the password:
 -- 
-2.17.2
+2.20.1
 
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index 1579d1d..617dba8 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From ddd951ba70e11fb6332f57e94a3b1a22ded08a39 Mon Sep 17 00:00:00 2001
+From aca4b01ab02eb6da70c37c55bac15ff4e56d3bb8 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 16:07:15 +0000
 Subject: [PATCH] Package copy-schema-to-ca.py
@@ -40,5 +40,5 @@ index d6e467097808594756d947fa721b8cf10fe7d043..a52336fd71ffb44e3f7dfcc95656bd82
  
  
 -- 
-2.17.2
+2.20.1
 
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index aa68b30..041d2c9 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 6f6d25da7a5e93de9f8c80e7fe3419d4b0c60a72 Mon Sep 17 00:00:00 2001
+From 18b3392fd5a43ffddf5662ead763835df59e1377 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Wed, 22 Jun 2016 13:53:46 +0200
 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d
  WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
  WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 -- 
-2.17.2
+2.20.1
 
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 5f47da2..6bc8a5e 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From bbe70ea811007cf8426ac14565e7da47b3ae1ced Mon Sep 17 00:00:00 2001
+From c9c12213e6c72512177009bf73bd966f13d2ed30 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Thu, 16 Mar 2017 09:44:21 +0000
 Subject: [PATCH] Remove csrgen
@@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000
 @@ -1 +0,0 @@
 -{{ options|join(";") }}
 -- 
-2.17.2
+2.20.1
 
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 4ebfa79..21a7ec0 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From eaa2dd2de04147dbca127673d3c2473955b9289c Mon Sep 17 00:00:00 2001
+From ed8ee0c41555e42f1a62edca231d116890b36b2d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
 Date: Fri, 10 Aug 2018 13:16:38 +0200
 Subject: [PATCH] Removing filesystem encoding check
@@ -123,5 +123,5 @@ index 8211c03515bf70b681da49d27ae11a4e8cb3b44d..a40b5d45ff8406c3ebbb69465e8d71d7
 -    assert p.returncode > 0, (out, err)
 -    assert b'System encoding must be UTF-8' in err, (out, err)
 -- 
-2.17.2
+2.20.1
 
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index a4185c4..7c3b557 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -93,7 +93,7 @@
 
 Name:           ipa
 Version:        %{IPA_VERSION}
-Release:        10%{?dist}.3
+Release:        10%{?dist}.6
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -101,10 +101,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -171,6 +171,7 @@ Patch0059:	0059-ipatests-add-test-for-replica-in-forward-zone.patch
 Patch0060:	0060-Add-workaround-for-slow-host-service-del.patch
 Patch0061:	0061-Optimize-cert-remove-case.patch
 Patch0062:	0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
+Patch0063:	0063-Consider-configured-servers-as-valid.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Package-copy-schema-to-ca.py.patch
 Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -981,10 +982,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 %endif # with_python3
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 
 
@@ -1008,8 +1009,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 
 %make_build
 
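Review bot: With `--with-ipaplatform=rhel` removed from this %configure call (and from the python3 one in the next hunk), the platform module is no longer pinned in the spec. It is presumably now chosen by configure from the build root, whose detection logic is not visible here. I would record that dependency next to the call, e.g. `# ipaplatform is auto-detected by configure; the build root must identify as RHEL-compatible`. The build scriptlet this call sits in starts outside the hunk.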
@@ -1030,8 +1030,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 popd
 %endif # with_python3
 
@@ -1747,8 +1746,9 @@ fi
 
 
 %changelog
-* Tue Mar 12 2019 CentOS Sources <bugs@centos.org> - 4.6.4-10.el7.centos.3
-- Roll in CentOS Branding
+* Thu Jun 6 2019 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.6
+- Resolves: 1716882 - ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
+  - Consider configured servers as valid
 
 * Mon Feb 4 2019 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.3
 - Resolves: 1672343 pki spawn fails for IPA replica install from RHEL6 IPA master