diff --git a/krb5-master-keyring-kdcsync.patch b/krb5-master-keyring-kdcsync.patch
new file mode 100644
index 0000000..d0c9f7c
--- /dev/null
+++ b/krb5-master-keyring-kdcsync.patch
@@ -0,0 +1,108 @@
+commit 2ac550e648ff88f84cc2da3c573202845f14e655
+Author: Greg Hudson
+Date: Thu Jan 16 17:48:54 2014 -0500
+
+ Get time offsets for all keyring ccaches
+
+ Move the time offset lookup from krb5_krcc_resolve to make_cache, so
+ that we fetch time offsets for caches created by
+ krb5_krcc_ptcursor_next.
+
+ ticket: 7820
+ target_version: 1.12.2
+ tags: pullup
+
+diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
+index a0c8035..27bad9d 100644
+--- a/src/lib/krb5/ccache/cc_keyring.c
++++ b/src/lib/krb5/ccache/cc_keyring.c
+@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
+
+ /* Create a cache handle for a cache ID. */
+ static krb5_error_code
+-make_cache(key_serial_t collection_id, key_serial_t cache_id,
+- const char *anchor_name, const char *collection_name,
+- const char *subsidiary_name, krb5_ccache *cache_out)
++make_cache(krb5_context context, key_serial_t collection_id,
++ key_serial_t cache_id, const char *anchor_name,
++ const char *collection_name, const char *subsidiary_name,
++ krb5_ccache *cache_out)
+ {
+ krb5_error_code ret;
++ krb5_os_context os_ctx = &context->os_context;
+ krb5_ccache ccache = NULL;
+ krb5_krcc_data *d;
+ key_serial_t pkey = 0;
+@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+ ccache->data = d;
+ ccache->magic = KV5M_CCACHE;
+ *cache_out = ccache;
++
++ /* Lookup time offsets if necessary. */
++ if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
++ !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
++ if (krb5_krcc_get_time_offsets(context, ccache,
++ &os_ctx->time_offset,
++ &os_ctx->usec_offset) == 0) {
++ os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
++ os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
++ }
++ }
++
+ return 0;
+ }
+
+@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+ static krb5_error_code KRB5_CALLCONV
+ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+ {
+- krb5_os_context os_ctx = &context->os_context;
+ krb5_error_code ret;
+ key_serial_t collection_id, cache_id;
+ char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
+@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+ if (cache_id < 0)
+ cache_id = 0;
+
+- ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
+- subsidiary_name, id);
++ ret = make_cache(context, collection_id, cache_id, anchor_name,
++ collection_name, subsidiary_name, id);
+ if (ret)
+ goto cleanup;
+
+- /* Lookup time offsets if necessary. */
+- if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
+- !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
+- if (krb5_krcc_get_time_offsets(context, *id,
+- &os_ctx->time_offset,
+- &os_ctx->usec_offset) == 0) {
+- os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
+- os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
+- }
+- }
+-
+ cleanup:
+ free(anchor_name);
+ free(collection_name);
+@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+ cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
+ first_name, 0);
+ if (cache_id != -1) {
+- return make_cache(data->collection_id, cache_id, data->anchor_name,
+- data->collection_name, first_name, cache_out);
++ return make_cache(context, data->collection_id, cache_id,
++ data->anchor_name, data->collection_name,
++ first_name, cache_out);
+ }
+ }
+
+@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+
+ /* We found a valid key */
+ data->next_key++;
+- ret = make_cache(data->collection_id, key, data->anchor_name,
++ ret = make_cache(context, data->collection_id, key, data->anchor_name,
+ data->collection_name, subsidiary_name, cache_out);
+ free(description);
+ return ret;
diff --git a/krb5.spec b/krb5.spec
index 4680343..db829f6 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -90,6 +90,7 @@ Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
 Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
+Patch135: krb5-master-keyring-kdcsync.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -315,6 +316,8 @@ ln -s NOTICE LICENSE
 %patch134 -p1 -b .kpasswdtest
+%patch135 -p1 -b .keyring-kdcsync
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt
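Review bot: With the lookup moved into make_cache, the first cache that krb5_krcc_ptcursor_next constructs (apparently the one found under first_name when that search succeeds, otherwise whichever key the cursor reaches first) now writes context->os_context's time_offset/usec_offset, and because KRB5_OS_TOFFSET_VALID is set on the first success, a different offset stored in a later cache, or in the cache the caller eventually resolves, is never adopted; nothing in the hunk orders the cursor, so which cache wins is not obvious from this code. That is presumably fine for a single-KDC session, but it is a behaviour change the header comment should state, e.g. `/* Create a cache handle for a cache ID.  If the library is set to sync KDC time and no offset is known yet, also adopt this cache's stored time offset into context. */`. A failing krb5_krcc_get_time_offsets is still ignored (only `== 0` is checked), which matches the code removed from krb5_krcc_resolve but deserves a one-line `/* Best effort: a cache with no stored offset leaves the context unchanged. */` above the call so the next reader does not take it for a missed error path. The middle of make_cache (allocation of d and ccache) lies between the two hunks and is not visible here.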
@@ -971,6 +974,9 @@ exit 0 - drop patch for RT#7807, included now - drop patch for RT#7045, included now - drop patches for RT#7813 and RT#7815, included now + - add patch to always retrieve the KDC time offsets from keyring caches, + so that we don't mistakenly interpret creds as expired before their + time when our clock is ahead of the KDC's (RT#7820, #1030607) * Mon Jan 13 2014 Nalin Dahyabhai - 1.12-11 - update the PIC patch for iaesx86.s to not use ELF relocations to the version