diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 55069f6..5f861ef 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1104,6 +1104,21 @@ try_login:
 state->request->data.auth.krb5_cc_type,
 get_uid_from_request(state->request),
 info3, state->response->data.auth.krb5ccname);
+
+ if (NT_STATUS_IS_OK(result) &&
+ (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
+ /*
+ * Store in-memory creds in the child for krb5 ticket renewal.
+ */
+
+ NTSTATUS status = winbindd_add_memory_creds(
+ state->request->data.auth.user,
+ get_uid_from_request(state->request),
+ state->request->data.auth.pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(status)));
+ }
+
 done:
 return result;
 }
@@ -2105,6 +2120,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
 goto process_result;
 }
 
+ /*
+ * Remove any mlock'ed memory creds in the child
+ * we might be using for krb5 ticket renewal.
+ */
+
+ winbindd_delete_memory_creds(state->request->data.logoff.user);
+
 #else
 result = NT_STATUS_NOT_SUPPORTED;
 #endif
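Review bot: A failure of `winbindd_add_memory_creds` in the first hunk is reported only at debug level 10, so when the credentials cannot be stored the login still succeeds and a later ticket renewal fails with no trace at normal log levels. I would keep the level-10 message for the success case and log failures visibly, e.g. `if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("winbindd_add_memory_creds failed: %s\n", nt_errstr(status))); }`. Because this block keeps a copy of the user's password resident in the child for the life of the session, the comment should also name the path that releases it (the logoff handler changed in the second hunk). The enclosing function begins outside the hunk.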
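Review bot: The `winbindd_delete_memory_creds` call in the second hunk is reached only when the preceding logoff steps succeed. The `goto process_result` directly above it, and presumably earlier ones outside the hunk, jump past it, so a logoff that fails partway leaves the stored password copy locked in the child's memory. If that is intentional (for example, so a request that fails the ccache checks cannot drop another session's credentials), the comment should say so; otherwise the cleanup belongs on the common exit once the caller has been validated. The return value is also discarded; if the function returns a status as the add function does, a failure is worth logging, e.g. `DEBUG(5, ("winbindd_delete_memory_creds failed: %s\n", nt_errstr(status)));`. The function body starts and ends outside the hunk.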