diff --git a/SOURCES/Add-an-option-for-minimum-lifetime.patch b/SOURCES/Add-an-option-for-minimum-lifetime.patch
new file mode 100644
index 0000000..c3c4e98
--- /dev/null
+++ b/SOURCES/Add-an-option-for-minimum-lifetime.patch
@@ -0,0 +1,140 @@
+From c6847f012b326a7e27dbe79d8df0faafdeb2dbef Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Thu, 2 Sep 2021 12:44:27 -0400
+Subject: [PATCH] Add an option for minimum lifetime
+
+It's possible for gssproxy to return a cached credential with a very
+small remaining lifetime. This can be problematic for NFS clients since
+it requires a round trip to the NFS server to establish a GSS context.
+Add a min_lifetime option that represents the lowest value that the
+lifetime of the cached credential can be. Any lower than that, and
+gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that
+gp_add_krb5_creds() is forced to try to obtain a new credential.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+[antorres@redhat.com: adjusted lines number for man diff]
+---
+ examples/99-nfs-client.conf.in | 1 +
+ man/gssproxy.conf.5.xml | 15 +++++++++++++++
+ src/gp_config.c | 12 ++++++++++++
+ src/gp_creds.c | 12 ++++++++++--
+ src/gp_proxy.h | 1 +
+ 5 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
+index c0985d9..9dd1891 100644
+--- a/examples/99-nfs-client.conf.in
++++ b/examples/99-nfs-client.conf.in
+@@ -7,3 +7,4 @@
+ allow_any_uid = yes
+ trusted = yes
+ euid = 0
++ min_lifetime = 60
+diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
+index de846b4..af6ca18 100644
+--- a/man/gssproxy.conf.5.xml
++++ b/man/gssproxy.conf.5.xml
+@@ -348,6 +348,21 @@
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term>min_lifetime (integer)</term>
++ <listitem>
++ <para>Minimum lifetime of a cached credential, in seconds.</para>
++ <para>If non-zero, when gssproxy is deciding whether to use
++ a cached credential, it will compare the lifetime of the
++ cached credential to this value. If the lifetime of the
++ cached credential is lower, gssproxy will treat the cached
++ credential as expired and will attempt to obtain a new
++ credential.
++ </para>
++ <para>Default: min_lifetime = 15</para>
++ </listitem>
++ </varlistentry>
++
+ <varlistentry>
+ <term>program (string)</term>
+ <listitem>
+diff --git a/src/gp_config.c b/src/gp_config.c
+index 4cda579..a0afa73 100644
+--- a/src/gp_config.c
++++ b/src/gp_config.c
+@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {
+
+ #define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
+ #define DEFAULT_ENFORCED_FLAGS 0
++#define DEFAULT_MIN_LIFETIME 15
+
+ static void free_str_array(const char ***a, int *count)
+ {
+@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
+ goto done;
+ }
+ }
++
++ cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;
++ ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);
++ if (ret == 0) {
++ if (valnum >= 0) {
++ cfg->svcs[n]->min_lifetime = valnum;
++ } else {
++ GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",
++ valnum, secname);
++ }
++ }
+ }
+ safefree(secname);
+ }
+diff --git a/src/gp_creds.c b/src/gp_creds.c
+index 92a6f13..843d1a3 100644
+--- a/src/gp_creds.c
++++ b/src/gp_creds.c
+@@ -492,6 +492,7 @@ done:
+ }
+
+ static uint32_t gp_check_cred(uint32_t *min,
++ struct gp_service *svc,
+ gss_cred_id_t in_cred,
+ gssx_name *desired_name,
+ gss_cred_usage_t cred_usage)
+@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min,
+ if (lifetime == 0) {
+ ret_maj = GSS_S_CREDENTIALS_EXPIRED;
+ } else {
+- ret_maj = GSS_S_COMPLETE;
++ if (svc->min_lifetime && lifetime < svc->min_lifetime) {
++ GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "
++ "for service \"%s\" - returning\n",
++ __func__, lifetime, svc->min_lifetime, svc->name);
++ ret_maj = GSS_S_CREDENTIALS_EXPIRED;
++ } else {
++ ret_maj = GSS_S_COMPLETE;
++ }
+ }
+
+ done:
+@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
+ * function completely */
+
+ /* just check if it is a valid krb5 cred */
+- ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
++ ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage);
+ if (ret_maj == GSS_S_COMPLETE) {
+ return GSS_S_COMPLETE;
+ } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
+diff --git a/src/gp_proxy.h b/src/gp_proxy.h
+index 3f58a43..f56d640 100644
+--- a/src/gp_proxy.h
++++ b/src/gp_proxy.h
+@@ -45,6 +45,7 @@ struct gp_service {
+ gss_cred_usage_t cred_usage;
+ uint32_t filter_flags;
+ uint32_t enforce_flags;
++ uint32_t min_lifetime;
+ char *program;
+
+ uint32_t mechs;
+--
+2.31.1
+
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index 61737db..6b00f8f 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,7 +1,7 @@
Name: gssproxy
Version: 0.8.0
-Release: 19%{?dist}
+Release: 20%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@@ -42,6 +42,7 @@ Patch25: Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
Patch26: Return-static-oids-for-naming-functions.patch
Patch27: Avoid-unnecessary-allocation-in-gpm_inquire_mechs_fo.patch
Patch28: Use-static-OIDs-in-gss_inquire_context.patch
+Patch29: Add-an-option-for-minimum-lifetime.patch
### Dependencies ###
Requires: krb5-libs >= 1.12.0
@@ -136,6 +137,10 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
%systemd_postun_with_restart gssproxy.service
%changelog
+* Wed Nov 17 2021 Antonio Torres <antorres@redhat.com> - 0.8.0-20
+- Add an option for minimum lifetime
+- Resolves: #1721331
+
* Thu Oct 29 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.0-19
- More leak fixes
- Resolves: #1813200