diff --git a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
new file mode 100644
index 0000000..b103147
--- /dev/null
+++ b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
@@ -0,0 +1,141 @@
+--- src/auth.c
++++ src/auth.c 2007/03/15 10:55:36
+@@ -418,9 +418,13 @@
+ return pam_sm_open_session(pamh, flags, argc, argv);
+ }
+ if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+- if (_pam_krb5_sly_looks_unsafe() == 0) {
++ int unsave = _pam_krb5_sly_looks_unsafe();
++
++ /* unsave == 2 or 3 can be fixed inside of
++ _pam_krb5_sly_maybe_refresh */
++ if (unsave == 0 || unsave == 2 || unsave == 3) {
+ return _pam_krb5_sly_maybe_refresh(pamh, flags,
+- argc, argv);
++ argc, argv);
+ } else {
+ return PAM_IGNORE;
+ }
+--- src/sly.c
++++ src/sly.c 2007/03/15 10:46:36
+@@ -146,6 +146,21 @@
+ return 0;
+ }
+ 
++/* restore dropped privileges */
++int
++_restore_privs(uid_t save_euid, gid_t save_egid)
++{
++ int retuid = 0, retgid = 0;
++
++ retuid = setresuid(getuid(), save_euid, getuid());
++ retgid = setresgid(getgid(), save_egid, getgid());
++
++ debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid());
++ debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid());
++
++ return (retuid == -1 || retgid == -1)?-1:0;
++}
++
+ int
+ _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags,
+ int argc, PAM_KRB5_MAYBE_CONST char **argv)
+@@ -159,6 +174,20 @@
+ int i, retval, stored;
+ char *v5ccname, *v4tktfile;
+ 
++ uid_t save_euid = geteuid();
++ gid_t save_egid = getegid();
++
++
++ if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3)
++ {
++ /* drop privileges temporarily; restore them on every return from this function */
++ setresuid(getuid(), getuid(), geteuid());
++ setresgid(getgid(), getgid(), getegid());
++
++ debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid());
++ debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid());
++ }
++
+ /* Inexpensive checks. */
+ switch (_pam_krb5_sly_looks_unsafe()) {
+ case 0:
+@@ -166,18 +195,22 @@
+ break;
+ case 1:
+ warn("won't refresh credentials while running under sudo");
++ _restore_privs(save_euid, save_egid);
+ return PAM_SERVICE_ERR;
+ break;
+ case 2:
+ warn("won't refresh credentials while running setuid");
++ _restore_privs(save_euid, save_egid);
+ return PAM_SERVICE_ERR;
+ break;
+ case 3:
+ warn("won't refresh credentials while running setgid");
++ _restore_privs(save_euid, save_egid);
+ return PAM_SERVICE_ERR;
+ break;
+ default:
+ warn("not safe to refresh credentials");
++ _restore_privs(save_euid, save_egid);
+ return PAM_SERVICE_ERR;
+ break;
+ }
+@@ -185,6 +218,7 @@
+ /* Initialize Kerberos. */
+ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
+ warn("error initializing Kerberos");
++ _restore_privs(save_euid, save_egid);
+ return PAM_SERVICE_ERR;
+ }
+ 
+@@ -193,6 +227,7 @@
+ if (i != PAM_SUCCESS) {
+ warn("could not identify user name");
+ krb5_free_context(ctx);
++ _restore_privs(save_euid, save_egid);
+ return i;
+ }
+ 
+@@ -201,6 +236,7 @@
+ if (options == NULL) {
+ warn("error parsing options (shouldn't happen)");
+ krb5_free_context(ctx);
++ _restore_privs(save_euid, save_egid);
+ return PAM_SERVICE_ERR;
+ }
+ if (options->debug) {
+@@ -222,6 +258,7 @@
+ }
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
++ _restore_privs(save_euid, save_egid);
+ return retval;
+ }
+ 
+@@ -233,6 +270,7 @@
+ _pam_krb5_user_info_free(ctx, userinfo);
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
++ _restore_privs(save_euid, save_egid);
+ return PAM_IGNORE;
+ }
+ 
+@@ -244,6 +282,7 @@
+ _pam_krb5_user_info_free(ctx, userinfo);
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
++ _restore_privs(save_euid, save_egid);
+ return PAM_SERVICE_ERR;
+ }
+ 
+@@ -331,5 +370,6 @@
+ pam_strerror(pamh, retval));
+ }
+ 
++ _restore_privs(save_euid, save_egid);
+ return retval;
+ }
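Review bot: The privilege drop added at the top of `_pam_krb5_sly_maybe_refresh` (src/sly.c) ignores the return values of `setresuid()` and `setresgid()`, and every call site discards the result of `_restore_privs()`, so a failed drop or a failed restore goes unnoticed; the later `_pam_krb5_sly_looks_unsafe()` switch presumably catches a failed drop, but that depends on code not shown here. I would check both calls, change the group before the user, and fail closed, as in the excerpt below, and at the final return use `if (_restore_privs(save_euid, save_egid) != 0) retval = PAM_SERVICE_ERR;`. `_restore_privs()` also runs on paths where nothing was dropped and sets the saved IDs to the real IDs, which changes the calling application's credentials after the module returns; restoring only when a drop happened, from one exit label instead of ten copies, would avoid that and make a missed return path less likely. The function body is only partly visible in these hunks, so other return paths may exist.

```c
/* … unchanged: save_euid / save_egid initialisation … */
int unsafe = _pam_krb5_sly_looks_unsafe();

if (unsafe == 2 || unsafe == 3) {
	/* drop the group first, then the user; fail closed if either call fails */
	if (setresgid(getgid(), getgid(), save_egid) != 0 ||
	    setresuid(getuid(), getuid(), save_euid) != 0) {
		warn("could not drop privileges, not refreshing credentials");
		_restore_privs(save_euid, save_egid);
		return PAM_SERVICE_ERR;
	}
}
/* … unchanged: debug output and the "Inexpensive checks" switch … */
```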
diff --git a/pam_krb5.changes b/pam_krb5.changes index 93a7702..eabeb28 100644 --- a/pam_krb5.changes +++ b/pam_krb5.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Mar 15 12:34:55 CET 2007 - mc@suse.de + +- drop privileges in _pam_krb5_sly_maybe_refresh when + running in set uid and restore them on exit of this + function. This enables us to refresh the ticket + after screen un-lock. + [#124611] + ------------------------------------------------------------------- Mon Sep 25 10:45:53 CEST 2006 - mc@suse.de diff --git a/pam_krb5.spec b/pam_krb5.spec index 3aa3866..a56c264 100644 --- a/pam_krb5.spec +++ b/pam_krb5.spec @@ -1,7 +1,7 @@ # # spec file for package pam_krb5 (Version 2.2.11) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -13,17 +13,18 @@ Name: pam_krb5 BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel %define PAM_RELEASE 1 -License: GPL +License: GNU General Public License (GPL) Group: Productivity/Networking/Security Provides: pam_krb Autoreqprov: on Version: 2.2.11 -Release: 1 +Release: 27 Summary: PAM Module for Kerberos Authentication URL: http://sourceforge.net/projects/pam-krb5/ Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2 Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif Patch2: pam_krb5-2.2.0-2-noafsonarm.patch +Patch3: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -41,6 +42,7 @@ Authors: %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE} %patch1 %patch2 +%patch3 %build %{suse_update_config -f} 
@@ -72,12 +74,18 @@ rm -rf $RPM_BUILD_ROOT %attr(444,root,root) %_mandir/man*/*.* %attr(755,root,root) /usr/bin/afs5log -%changelog -n pam_krb5 +%changelog +* Thu Mar 15 2007 - mc@suse.de +- drop privileges in _pam_krb5_sly_maybe_refresh when + running in set uid and restore them on exit of this + function. This enables us to refresh the ticket + after screen un-lock. + [#124611] * Mon Sep 25 2006 - mc@suse.de - version 2.2.11 - remove two patches with are upstream now -- pam_krb5-2.2.10-0-oldauthtok.dif -- pam_krb5-2.2.10-0-testfix.dif + - pam_krb5-2.2.10-0-oldauthtok.dif + - pam_krb5-2.2.10-0-testfix.dif - make use of --with-os-distribution * Thu Sep 14 2006 - mc@suse.de - fix pam_set_item call for AUTHTOK and OLDAUTHTOK