diff --git a/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch b/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
index 237de35..060b039 100644
--- a/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
+++ b/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
@@ -1,4 +1,4 @@
-From dc92022ad26cec8085a852dec6aeba310fa7a751 Mon Sep 17 00:00:00 2001
+From a0ee8b02e56c65e5dcd569caed0e151cef004ef4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
 Date: Thu, 11 Feb 2021 15:33:10 +0100
 Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration
diff --git a/Fix-KCM-flag-transmission-for-remove_cred.patch b/Fix-KCM-flag-transmission-for-remove_cred.patch
index 0542bfa..951be10 100644
--- a/Fix-KCM-flag-transmission-for-remove_cred.patch
+++ b/Fix-KCM-flag-transmission-for-remove_cred.patch
@@ -1,4 +1,4 @@
-From 1f160bee7ee2c6242fa2625b9f3e8fc211cec6c4 Mon Sep 17 00:00:00 2001
+From 04f0de4420508161ce439f262f2761ff51a07ab0 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 29 Mar 2021 14:32:56 -0400
 Subject: [PATCH] Fix KCM flag transmission for remove_cred
diff --git a/Fix-KCM-retrieval-support-for-sssd.patch b/Fix-KCM-retrieval-support-for-sssd.patch
new file mode 100644
index 0000000..5fb7c2b
--- /dev/null
+++ b/Fix-KCM-retrieval-support-for-sssd.patch
@@ -0,0 +1,62 @@
+From a5b2cff51808cd86fe8195e7ac074ecd25c3344d Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 11 May 2021 14:04:07 -0400
+Subject: [PATCH] Fix KCM retrieval support for sssd
+
+Commit 795ebba8c039be172ab93cd41105c73ffdba0fdb added a retrieval
+handler using KCM_OP_RETRIEVE, falling back on the same error codes as
+the previous KCM_OP_GET_CRED_LIST support. But sssd (as of 2.4)
+returns KRB5_CC_NOSUPP instead of KRB5_CC_IO if it recognizes an
+opcode but does not implement it. Add a helper function to recognize
+all known unsupported-opcode error codes, and use it in kcm_retrieve()
+and kcm_start_seq_get().
+
+ticket: 8997
+(cherry picked from commit da103e36e13f3c846bcddbe38dd518a21e5260a0)
+---
+ src/lib/krb5/ccache/cc_kcm.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
+index 23fcf13ea..18505cd3d 100644
+--- a/src/lib/krb5/ccache/cc_kcm.c
++++ b/src/lib/krb5/ccache/cc_kcm.c
+@@ -144,6 +144,20 @@ map_tcflags(krb5_flags mitflags)
+ return heimflags;
+ }
++/*
++ * Return true if code could indicate an unsupported operation. Heimdal's KCM
++ * returns KRB5_FCC_INTERNAL. sssd's KCM daemon (as of sssd 2.4) returns
++ * KRB5_CC_NO_SUPP if it recognizes the operation but does not implement it,
++ * and KRB5_CC_IO if it doesn't recognize the operation (which is unfortunate
++ * since it could also indicate a communication failure).
++ */
++static krb5_boolean
++unsupported_op_error(krb5_error_code code)
++{
++ return code == KRB5_FCC_INTERNAL || code == KRB5_CC_IO ||
++ code == KRB5_CC_NOSUPP;
++}
++
+ /* Begin a request for the given opcode. If cache is non-null, supply the
+ * cache name as a request parameter. */
+ static void
+@@ -841,7 +855,7 @@ kcm_retrieve(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ ret = cache_call(context, cache, &req);
+
+ /* Fall back to iteration if the server does not support retrieval. */
+- if (ret == KRB5_FCC_INTERNAL || ret == KRB5_CC_IO) {
++ if (unsupported_op_error(ret)) {
+ ret = k5_cc_retrieve_cred_default(context, cache, flags, mcred,
+ cred_out);
+ goto cleanup;
+@@ -922,7 +936,7 @@ kcm_start_seq_get(krb5_context context, krb5_ccache cache,
+ ret = kcmreq_get_cred_list(&req, &creds);
+ if (ret)
+ goto cleanup;
+- } else if (ret == KRB5_FCC_INTERNAL || ret == KRB5_CC_IO) {
++ } else if (unsupported_op_error(ret)) {
+ /* Fall back to GET_CRED_UUID_LIST. */
+ kcmreq_free(&req);
+ kcmreq_init(&req, KCM_OP_GET_CRED_UUID_LIST, cache);
diff --git a/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch b/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
new file mode 100644
index 0000000..5fa3106
--- /dev/null
+++ b/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
@@ -0,0 +1,26 @@
+From 2dbca7e14c945d6394e0e05f285a068dcd541295 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 30 Mar 2021 14:35:28 +0200
+Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm
+
+sssd-kcm returns KRB5_CC_IO if the operation code is not known.
+
+ticket: 8990
+(cherry picked from commit 06afae820a44c1dc96ad88a0b16c3e50bc938b2a)
+---
+ src/lib/krb5/ccache/cc_kcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
+index 1f81a2190..46705f1da 100644
+--- a/src/lib/krb5/ccache/cc_kcm.c
++++ b/src/lib/krb5/ccache/cc_kcm.c
+@@ -876,7 +876,7 @@ kcm_start_seq_get(krb5_context context, krb5_ccache cache,
+ ret = kcmreq_get_cred_list(&req, &creds);
+ if (ret)
+ goto cleanup;
+- } else if (ret == KRB5_FCC_INTERNAL) {
++ } else if (ret == KRB5_FCC_INTERNAL || ret == KRB5_CC_IO) {
+ /* Fall back to GET_CRED_UUID_LIST. */
+ kcmreq_free(&req);
+ kcmreq_init(&req, KCM_OP_GET_CRED_UUID_LIST, cache);
diff --git a/Use-KCM_OP_RETRIEVE-in-KCM-client.patch b/Use-KCM_OP_RETRIEVE-in-KCM-client.patch
index c0abcf3..401b363 100644
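Review bot: The comment added above `unsupported_op_error()` names the sssd error code `KRB5_CC_NO_SUPP`, while the function body in the same hunk compares against `KRB5_CC_NOSUPP`; the comment line should read `* KRB5_CC_NOSUPP if it recognizes the operation but does not implement it,` so the prose matches the identifier a reader will grep for. Separately, because the helper deliberately classifies `KRB5_CC_IO` as an unsupported-operation code (the comment itself says it can also mean a communication failure), the `kcm_retrieve()` hunk now overwrites that error with the result of `k5_cc_retrieve_cred_default()` instead of returning it, so whether a real transport fault is masked depends on what `cache_call()` reports, which is outside this hunk. A one-line note at that call site, e.g. `/* KRB5_CC_IO may also be a genuine I/O error; its code is replaced by the fallback's result. */`, would make the trade-off visible to the next maintainer. `kcm_retrieve()` and `kcm_start_seq_get()` both begin and end outside the hunk.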
--- a/Use-KCM_OP_RETRIEVE-in-KCM-client.patch
+++ b/Use-KCM_OP_RETRIEVE-in-KCM-client.patch
@@ -1,4 +1,4 @@
-From 8f073717c0373bcd4d13e338273449f00325b00c Mon Sep 17 00:00:00 2001
+From c56d4b87de0f30a38dc61d374ad225d02d581eb3 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Fri, 26 Mar 2021 23:38:54 -0400
 Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client
@@ -33,7 +33,7 @@ index 9b66f1cbd..85c20d345 100644
 KCM_OP_GET_CRED_UUID_LIST, /* (name) -> (uuid, ...) */
 KCM_OP_GET_CRED_BY_UUID, /* (name, uuid) -> (cred) */
 diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
-index 1f81a2190..ef77ac216 100644
+index 46705f1da..23fcf13ea 100644
 --- a/src/lib/krb5/ccache/cc_kcm.c
 +++ b/src/lib/krb5/ccache/cc_kcm.c
 @@ -826,9 +826,55 @@ static krb5_error_code KRB5_CALLCONV
diff --git a/krb5.spec b/krb5.spec
index d571916..cbe0580 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,7 +42,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}7%{?dist}
+Release: %{?zdpd}8%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -75,7 +75,9 @@ Patch9: Add-hostname-canonicalization-helper-to-k5test.py.patch
 Patch10: Support-host-based-GSS-initiator-names.patch
 Patch11: Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
 Patch12: Fix-KCM-flag-transmission-for-remove_cred.patch
-Patch13: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
+Patch13: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
+Patch14: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
+Patch15: Fix-KCM-retrieval-support-for-sssd.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -638,6 +640,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Thu May 20 2021 Robbie Harwood - 1.19.1-8
+- Add all the sssd-kcm workarounds
+
 * Thu May 20 2021 Robbie Harwood - 1.19.1-7
 - Fix context for previous backport