diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 55069f6..e776107 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -651,6 +651,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", nt_errstr(result)));
 }
+
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function. Fix inspired by patch from
+ * Ian Gordon for
+ & bugid #9098.
+ */
+
+ if (lp_winbind_refresh_tickets() && renewal_until > 0) {
+ NTSTATUS status = winbindd_add_memory_creds( user, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(status)));
+ }
 } else {
 /* need to delete the memory cred cache, it is not used anymore */
@@ -2105,6 +2119,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
 goto process_result;
 }
+ /*
+ * Remove any mlock'ed memory creds in the child
+ * we might be using for krb5 ticket renewal.
+ */
+
+ winbindd_delete_memory_creds(state->request->data.logoff.user);
+
 #else
 result = NT_STATUS_NOT_SUPPORTED;
 #endif
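Review bot: The status returned by `winbindd_add_memory_creds()` in the added `if` block is only printed at debug level 10, so a failure to cache the credentials stays invisible in normal logs and the later ticket renewal would fail without any hint why. I would report the failure case at a visible level, e.g. `if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("winbindd_add_memory_creds failed for %s: %s\n", user, nt_errstr(status))); }`. The new comment should also state that this appears to keep the user's password (`pass`) resident in the winbindd child for as long as the ticket is renewable, since that is the trade-off an administrator accepts when enabling ticket refresh. The body of `winbindd_raw_kerberos_login` continues outside the hunk, so whether the cached entry is released on every later error path cannot be confirmed from here.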
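Review bot: The added `winbindd_delete_memory_creds()` call sits after the `goto process_result;` shown in the context, so an earlier failure that takes that jump appears to skip the cleanup and leave the mlock'ed credentials in the child after the user has logged off. Since the point of the call is to shorten the lifetime of a cached secret, it would be safer to run it before the first early exit or at the `process_result` label; the rest of `winbindd_dual_pam_logoff` is outside the hunk, so please confirm which paths reach it. The return value is also discarded here, unlike in the login hunk; if the function returns an `NTSTATUS`, log it the same way, e.g. `DEBUG(10, ("winbindd_delete_memory_creds returned: %s\n", nt_errstr(status)));`. The comment should also note that the entry is looked up by the user name taken from the logoff request.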