diff --git a/krb5-cccol-primary.patch b/krb5-cccol-primary.patch
new file mode 100644
index 0000000..5f1d2cf
--- /dev/null
+++ b/krb5-cccol-primary.patch
@@ -0,0 +1,106 @@
+commit b874882dc93e5ece4f7218617ed7942656985471
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Mon Apr 22 17:00:35 2013 -0400
+
+    Include default DIR::file ccache in collection
+    
+    If the context's default ccache name is a subsidiary file of a
+    directory collection, include that single cache in the cursor walk
+    over the DIR type.
+    
+    ticket: 7172
+
+diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
+index cee21ac..b8231ed 100644
+--- a/src/lib/krb5/ccache/cc_dir.c
++++ b/src/lib/krb5/ccache/cc_dir.c
+@@ -266,6 +266,28 @@ get_context_default_dir(krb5_context context, char **dirname_out)
+     return 0;
+ }
+ 
++/*
++ * If the default ccache name for context is a subsidiary file in a directory
++ * collection, set *subsidiary_out to the residual value.  Otherwise set
++ * *subsidiary_out to NULL.
++ */
++static krb5_error_code
++get_context_subsidiary_file(krb5_context context, char **subsidiary_out)
++{
++    const char *defname;
++    char *residual;
++
++    *subsidiary_out = NULL;
++    defname = krb5_cc_default_name(context);
++    if (defname == NULL || strncmp(defname, "DIR::", 5) != 0)
++        return 0;
++    residual = strdup(defname + 4);
++    if (residual == NULL)
++        return ENOMEM;
++    *subsidiary_out = residual;
++    return 0;
++}
++
+ static const char * KRB5_CALLCONV
+ dcc_get_name(krb5_context context, krb5_ccache cache)
+ {
+@@ -562,6 +584,18 @@ dcc_ptcursor_new(krb5_context context, krb5_cc_ptcursor *cursor_out)
+ 
+     *cursor_out = NULL;
+ 
++    /* If the default cache is a subsidiary file, make a cursor with the
++     * specified file as the primary but with no directory collection. */
++    ret = get_context_subsidiary_file(context, &primary);
++    if (ret)
++        goto cleanup;
++    if (primary != NULL) {
++        ret = make_cursor(NULL, primary, NULL, cursor_out);
++        if (ret)
++            free(primary);
++        return ret;
++    }
++
+     /* Open the directory for the context's default cache. */
+     ret = get_context_default_dir(context, &dirname);
+     if (ret || dirname == NULL)
+@@ -607,16 +641,17 @@ dcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+     struct stat sb;
+ 
+     *cache_out = NULL;
+-    if (data->dir == NULL)      /* Empty cursor */
+-        return 0;
+ 
+-    /* Return the primary cache if we haven't yet. */
++    /* Return the primary or specified subsidiary cache if we haven't yet. */
+     if (data->first) {
+         data->first = FALSE;
+         if (data->primary != NULL && stat(data->primary + 1, &sb) == 0)
+             return dcc_resolve(context, cache_out, data->primary);
+     }
+ 
++    if (data->dir == NULL)      /* No directory collection */
++        return 0;
++
+     /* Look for the next filename of the correct form, without repeating the
+      * primary cache. */
+     while ((ent = readdir(data->dir)) != NULL) {
+diff --git a/src/lib/krb5/ccache/t_cccol.py b/src/lib/krb5/ccache/t_cccol.py
+index acd2b6e..f0792e9 100644
+--- a/src/lib/krb5/ccache/t_cccol.py
++++ b/src/lib/krb5/ccache/t_cccol.py
+@@ -11,6 +11,7 @@ dccname = 'DIR:%s' % ccdir
+ duser = 'DIR::%s/tkt1' % ccdir
+ dalice = 'DIR::%s/tkt2' % ccdir
+ dbob = 'DIR::%s/tkt3' % ccdir
++dnoent = 'DIR::%s/noent' % ccdir
+ realm.kinit('user', password('user'), flags=['-c', duser])
+ realm.kinit('alice', password('alice'), flags=['-c', dalice])
+ realm.kinit('bob', password('bob'), flags=['-c', dbob])
+@@ -30,6 +31,8 @@ cursor_test('file-default2', [realm.ccache], [fccname])
+ cursor_test('file-default3', [fccname], [fccname])
+ 
+ cursor_test('dir', [dccname], [duser, dalice, dbob])
++cursor_test('dir-subsidiary', [duser], [duser])
++cursor_test('dir-nofile', [dnoent], [])
+ 
+ mfoo = 'MEMORY:foo'
+ mbar = 'MEMORY:bar'
diff --git a/krb5.spec b/krb5.spec
index 0d0d5b5..d1b4c52 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -30,7 +30,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -78,6 +78,7 @@ Patch117: krb5-1.11-gss-client-keytab.patch
 Patch118: krb5-1.11.1-rpcbind.patch
 Patch119: krb5-fast-msg_type.patch
 Patch120: krb5-1.11.2-kpasswd_pingpong.patch
+Patch121: krb5-cccol-primary.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -298,6 +299,7 @@ ln -s NOTICE LICENSE
 %patch118 -p1 -b .rpcbind
 %patch119 -p1 -b .fast-msg_type
 %patch120 -p1 -b .kpasswd_pingpong
+%patch121 -p1 -b .cccol-primary
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -823,6 +825,11 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue May 21 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-6
+- pull in upstream fix to start treating a KRB5CCNAME value that begins
+  with DIR:: the same as it would a DIR: value with just one ccache file
+  in it (RT#7172, #965574)
+
 * Mon May 13 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-5
 - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
   #962531,#962534)