diff --git a/krb5-master-init_referral.patch b/krb5-master-init_referral.patch
new file mode 100644
index 0000000..32660b2
--- /dev/null
+++ b/krb5-master-init_referral.patch
@@ -0,0 +1,47 @@
+commit 7265334161620af3797c4431eeb5c7a2a9aeba89
+Author: Greg Hudson
+Date: Thu May 30 11:39:54 2013 -0400
+
+ Properly handle use_master in k5_init_creds_get
+
+ If we make multiple requests in an initial creds exchange, the
+ krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
+ value from 0 to 1 if it detects that the response was from a master
+ KDC. Don't turn this into a requirement for future requests during
+ the same exchange, or we may have trouble following AS referrals.
+ Reported by Sumit Bose.
+
+ ticket: 7650
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 20bc689..ff455d3 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -521,7 +521,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+ krb5_data reply;
+ krb5_data realm;
+ unsigned int flags = 0;
+- int tcp_only = 0;
++ int tcp_only = 0, master = *use_master;
+ 
+ request.length = 0;
+ request.data = NULL;
+@@ -545,8 +545,9 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+ 
+ krb5_free_data_contents(context, &reply);
+ 
++ master = *use_master;
+ code = krb5_sendto_kdc(context, &request, &realm,
+- &reply, use_master, tcp_only);
++ &reply, &master, tcp_only);
+ if (code != 0)
+ break;
+ 
+@@ -558,6 +559,7 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+ krb5_free_data_contents(context, &reply);
+ krb5_free_data_contents(context, &realm);
+ 
++ *use_master = master;
+ return code;
+ }
+ 
diff --git a/krb5.spec b/krb5.spec
index 9405d2a..b059fa1 100644
--- a/krb5.spec
+++ b/krb5.spec
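Review bot: The added `master = *use_master;` reseed before `krb5_sendto_kdc` and the new declaration-time initializer `master = *use_master` carry the whole fix but are uncommented, and the initializer is load-bearing: if the loop exits before the first send, the trailing `*use_master = master;` must still hand the caller's value back unchanged (the loop head and whatever can fail ahead of the send are outside this hunk, so that path is inferred, not visible). I would put a comment above the reseed line: `/* krb5_sendto_kdc may set master=1 to report a master KDC answered.  Reseed from the caller's value each request so one hop's master does not force later AS-referral hops to master-only. */`. Because `*use_master` is now written only on exit, any caller that reads it afterwards (presumably the logic that decides whether to retry against a master KDC) learns the outcome of the last request only, which matches the commit message but deserves a sentence at the declaration of `k5_init_creds_get`. The function's header and loop start are outside the patch, so the declaration comment would go in a separate hunk.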
@@ -86,6 +86,7 @@ Patch126: krb5-1.11.2-skew2.patch Patch127: krb5-master-test_gss_no_udp.patch Patch128: krb5-master-test_no_pmap.patch Patch129: krb5-1.11-run_user_0.patch +Patch130: krb5-master-init_referral.patch # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch @@ -314,6 +315,7 @@ ln -s NOTICE LICENSE %patch127 -p1 -b .test_gss_no_udp %patch128 -p1 -b .test_no_pmap %patch129 -p1 -b .run_user_0 +%patch130 -p1 -b .init_referral %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp @@ -846,6 +848,9 @@ exit 0 directory cache below it fails due to ENOENT and we find that it doesn't already exist, either, before attempting to create the directory cache (maybe helping, maybe just making things more confusing for #961235) +- pull in proposed fix for attempts to get initial creds, which end up + following referrals, incorrectly trying to always use master KDCs if + they talked to a master at any point (should fix RT#7650) * Thu May 30 2013 Nalin Dahyabhai 1.11.2-8 - pull in patches from master to not test GSSRPC-over-UDP and to not