diff --git a/Refresh-manually-acquired-creds-from-client-keytab.patch b/Refresh-manually-acquired-creds-from-client-keytab.patch
new file mode 100644
index 0000000..fe2588f
--- /dev/null
+++ b/Refresh-manually-acquired-creds-from-client-keytab.patch
@@ -0,0 +1,78 @@
+From e67aca9a77d78efa798237b43e177caf9e79f64a Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 26 Feb 2020 18:27:17 -0500
+Subject: [PATCH] Refresh manually acquired creds from client keytab
+
+If a client keytab is present but credentials are acquired manually,
+the credentials would not be refreshed because no refresh_time config
+var is set in the cache.  Change kg_cred_time_to_refresh() to attempt
+a refresh from the client keytab on any credentials which will expire
+in the next 30 seconds.
+
+[ghudson@mit.edu: adjused code and added test case]
+
+ticket: 7976
+(cherry picked from commit 729896467e3c77904666019d6cbbda583ae49b95)
+---
+ src/lib/gssapi/krb5/acquire_cred.c  | 14 +++++++++++---
+ src/tests/gssapi/t_client_keytab.py | 18 ++++++++++++++++++
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index acc1868f8..4062f4741 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -557,15 +557,23 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
+ krb5_boolean
+ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
+ {
+-    krb5_timestamp now;
++    krb5_timestamp now, soon;
+ 
+     if (krb5_timeofday(context, &now))
+         return FALSE;
++    soon = ts_incr(now, 30);
+     if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
+-        set_refresh_time(context, cred->ccache,
+-                         ts_incr(cred->refresh_time, 30));
++        set_refresh_time(context, cred->ccache, soon);
+         return TRUE;
+     }
++
++    /* If the creds will expire soon, try to refresh even if they weren't
++     * acquired with a client keytab. */
++    if (ts_after(soon, cred->expire)) {
++        set_refresh_time(context, cred->ccache, soon);
++        return TRUE;
++    }
++
+     return FALSE;
+ }
+ 
+diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
+index e474a27c7..7847b3ecd 100755
+--- a/src/tests/gssapi/t_client_keytab.py
++++ b/src/tests/gssapi/t_client_keytab.py
+@@ -124,4 +124,22 @@ realm.kinit(realm.user_princ, password('user'))
+ realm.run(['./t_ccselect', phost], env=bad_cktname,
+           expected_msg=realm.user_princ)
+ 
++mark('refresh of manually acquired creds')
++
++# Test 17: no name/ccache specified, manually acquired creds which
++# will expire soon.  Verify that creds are refreshed using the current
++# client name, with refresh_time set in the refreshed ccache.
++realm.kinit('bob', password('bob'), ['-l', '15s'])
++realm.run(['./t_ccselect', phost], expected_msg='bob')
++realm.run([klist, '-C'], expected_msg='refresh_time = ')
++
++# Test 18: no name/ccache specified, manually acquired creds with a
++# client principal not present in the client keytab.  A refresh is
++# attempted but fails, and an expired ticket error results.
++realm.kinit(realm.admin_princ, password('admin'), ['-l', '-1s'])
++msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
++        '/Matching credential not found')
++realm.run(['./t_ccselect', phost], expected_code=1,
++          expected_msg='Ticket expired', expected_trace=msgs)
++
+ success('Client keytab tests')
diff --git a/krb5.spec b/krb5.spec
index 1114076..55a9f87 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 4%{?dist}
+Release: 5%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -53,6 +53,7 @@ Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
 Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
 Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
 Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch
+Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -626,6 +627,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Mar 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-5
+- Refresh manually acquired creds from client keytab
+
 * Fri Feb 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-4
 - Allow deletion of require_auth with LDAP KDB