diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index ab8934b..968a38c 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -490,6 +490,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 			    const char *ccname,
 			    const char *service,
 			    const char *username,
+			    const char *pass,
 			    const char *realm,
 			    uid_t uid,
 			    time_t create_time,
@@ -591,6 +592,19 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 			}
 
 			DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
+
+			/*
+			 * If we're set up to renew our krb5 tickets, we must
+			 * cache the credentials in memory for the ticket
+			 * renew function. Fix inspired by patch from
+			 * Ian Gordon <ian.gordon@strath.ac.uk> for
+			 * bugid #9098.
+			 */
+
+			ntret = winbindd_add_memory_creds(username, uid, pass);
+			DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+				nt_errstr(ntret)));
+
 		}
 
 		return NT_STATUS_OK;
@@ -675,6 +689,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 		"added ccache [%s] for user [%s] to the list\n",
 		ccname, username));
 
+	if (entry->event) {
+		/*
+		 * If we're set up to renew our krb5 tickets, we must
+		 * cache the credentials in memory for the ticket
+		 * renew function. Fix inspired by patch from
+		 * Ian Gordon <ian.gordon@strath.ac.uk> for
+		 * bugid #9098.
+		 */
+
+		ntret = winbindd_add_memory_creds(username, uid, pass);
+		DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+			nt_errstr(ntret)));
+	}
+
 	return NT_STATUS_OK;
 
  no_mem:
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 55069f6..619b632 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -640,6 +640,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 					    cc,
 					    service,
 					    user,
+					    pass,
 					    realm,
 					    uid,
 					    time(NULL),
@@ -957,6 +958,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 							    cc,
 							    service,
 							    state->request->data.auth.user,
+							    state->request->data.auth.pass,
 							    domain->alt_name,
 							    uid,
 							    time(NULL),
@@ -2105,6 +2107,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
 		goto process_result;
 	}
 
+	/*
+	 * Remove any mlock'ed memory creds in the child
+	 * we might be using for krb5 ticket renewal.
+	 */
+
+	winbindd_delete_memory_creds(state->request->data.logoff.user);
+
 #else
 	result = NT_STATUS_NOT_SUPPORTED;
 #endif
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index ab61223..41292d4 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -188,6 +188,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 			    const char *ccname,
 			    const char *service,
 			    const char *username,
+			    const char *password,
 			    const char *realm,
 			    uid_t uid,
 			    time_t create_time,