diff --git a/SOURCES/authconfig-6.2.8-ipav2join.patch b/SOURCES/authconfig-6.2.8-ipav2join.patch
index b2965ad..8e128b6 100644
--- a/SOURCES/authconfig-6.2.8-ipav2join.patch
+++ b/SOURCES/authconfig-6.2.8-ipav2join.patch
@@ -168,7 +168,7 @@ diff -up authconfig-6.2.8/authinfo.py.ipav2join authconfig-6.2.8/authinfo.py
  		return status == 0
  
  	def joinIPADomain(self, echo):
-@@ -4258,18 +4287,26 @@ class AuthInfo:
+@@ -4258,22 +4287,30 @@ class AuthInfo:
  				realm and "--realm=" or "", realm,
  				principal and "--principal=" or "", principal,
  				nontp,
@@ -201,3 +201,8 @@ diff -up authconfig-6.2.8/authinfo.py.ipav2join authconfig-6.2.8/authinfo.py
  		return status == 0
  
  	def uninstallIPA(self):
+-		cmd = PATH_IPA_CLIENT_INSTALL + " --uninstall --noac"
++		cmd = PATH_IPA_CLIENT_INSTALL + " --uninstall --noac --unattended"
+ 		os.system(cmd)
+ 
+ 	def toggleCachingService(self, nostart):
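Review bot: The exit status of `os.system(cmd)` in `uninstallIPA` is discarded, and with `--unattended` the tool no longer stops to ask anything, so a failed uninstall now passes silently and the caller carries on as if the host had left the IPA domain. The join method just above ends with `return status == 0`; the same pattern would fit here: `status = os.system(cmd)` followed by `return status == 0`. Whether any caller checks the result is not visible in this hunk, so at minimum the failure should be logged.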
diff --git a/SOURCES/authconfig-6.2.8-joinpassword.patch b/SOURCES/authconfig-6.2.8-joinpassword.patch
new file mode 100644
index 0000000..70ccaf5
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-joinpassword.patch
@@ -0,0 +1,18 @@
+diff -up authconfig-6.2.8/authinfo.py.joinpassword authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.joinpassword	2015-07-03 12:47:44.993864700 +0200
++++ authconfig-6.2.8/authinfo.py	2015-07-03 12:53:21.451618592 +0200
+@@ -4296,11 +4296,12 @@ class AuthInfo:
+ 			
+ 			if echo:
+ 				sys.stderr.write("[%s]\n" % cmd)
++			if self.joinPassword or not echo:
++				status, error = feedFork(cmd, echo, "sword:", self.joinPassword)
++			else:
+ 				child = Popen([cmd], shell=True)
+ 				child.communicate()
+ 				status = child.returncode
+-			else:
+-				status, error = feedFork(cmd, echo, "sword:", self.joinPassword)
+ 			if echo:
+ 				if status != 0:
+ 					self.messageCB(_("Winbind domain join was not successful."))
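Review bot: The new `if self.joinPassword or not echo:` condition has no comment saying why a supplied password forces the `feedFork` path, and `"sword:"` is a bare substring match on whatever the child prints. I would put `# a password was given (or we run silently): answer the "Password:" prompt ourselves instead of leaving it to the tty` above the condition. `feedFork` is not shown here, so two things need confirming there: that it copes with an unset `joinPassword` when `echo` is false, and that with `echo` true it does not copy the fed password into the mirrored output. The `sys.stderr.write("[%s]\n" % cmd)` line above is only safe while `cmd` never carries the password. The enclosing method starts and ends outside the hunk.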
diff --git a/SOURCES/authconfig-6.2.8-jointitle.patch b/SOURCES/authconfig-6.2.8-jointitle.patch
new file mode 100644
index 0000000..cef6743
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-jointitle.patch
@@ -0,0 +1,12 @@
+diff -up authconfig-6.2.8/authconfig.glade.jointitle authconfig-6.2.8/authconfig.glade
+--- authconfig-6.2.8/authconfig.glade.jointitle	2015-07-03 10:59:22.000000000 +0200
++++ authconfig-6.2.8/authconfig.glade	2015-07-03 11:00:56.654927234 +0200
+@@ -1025,7 +1025,7 @@
+   <widget class="GtkDialog" id="joinipadomain">
+     <property name="visible">True</property>
+     <property name="can_focus">False</property>
+-    <property name="title" translatable="yes">Joining Winbind Domain</property>
++    <property name="title" translatable="yes">Joining IPA Domain</property>
+     <property name="resizable">False</property>
+     <property name="modal">True</property>
+     <property name="icon_name">system-config-authentication</property>
diff --git a/SOURCES/authconfig-6.2.8-krb5-include.patch b/SOURCES/authconfig-6.2.8-krb5-include.patch
new file mode 100644
index 0000000..6102859
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-krb5-include.patch
@@ -0,0 +1,44 @@
+diff -up authconfig-6.2.8/authinfo.py.krb5-include authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.krb5-include	2015-07-03 11:52:58.000000000 +0200
++++ authconfig-6.2.8/authinfo.py	2015-07-03 12:47:44.993864700 +0200
+@@ -109,6 +109,8 @@ PATH_PAM_SSS = AUTH_MODULE_DIR + "/pam_s
+ 
+ PATH_LIBSSS_AUTOFS = "/usr" + LIBDIR + "/sssd/modules/libsss_autofs.so"
+ 
++PATH_KRB5_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d/"
++
+ PATH_WINBIND_NET = "/usr/bin/net"
+ PATH_IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
+ 
+@@ -3022,6 +3024,8 @@ class AuthInfo:
+ 		wroteourdomrealm = False
+ 		wrotedomrealm = False
+ 		wrotedomrealm2 = False
++		# No dir -> no incdir line, set as if already written
++		wroteincdir = not os.access(PATH_KRB5_INCLUDEDIR, os.R_OK)		
+ 		section = ""
+ 		subsection = ""
+ 		f = None
+@@ -3043,6 +3047,12 @@ class AuthInfo:
+ 			for line in f.file:
+ 				ls = line.strip()
+ 
++				if matchLine(ls, "includedir " + PATH_KRB5_INCLUDEDIR):
++					if not wroteincdir:
++						wroteincdir = True
++					else:
++						# already written or should be removed
++						continue
+ 				# If this is the "kdc" in our realm, replace it with
+ 				# the values we now have.
+ 				if (section == "realms" and subsection and subsection == self.kerberosRealm
+@@ -3132,6 +3142,9 @@ class AuthInfo:
+ 					continue
+ 				# If it's the beginning of a section, record its name.
+ 				if matchLine(ls, "["):
++					if not wroteincdir:
++						output += "includedir " + PATH_KRB5_INCLUDEDIR + "\n"
++						wroteincdir = True
+ 					# If the previous section was "realms", and we didn't
+ 					# see ours, write our realm out.
+ 					if (section == "realms" and self.kerberosRealm
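Review bot: The `includedir` line is only emitted inside the `if matchLine(ls, "["):` branch, so a krb5.conf with no section header at all (or an empty one) never gets it. The tail of what appears to be the same function does append missing `[realms]` and `[domain_realm]` sections itself (see the krb5comment patch). After the read loop and before those fallback sections I would add `if not wroteincdir: output += "includedir " + PATH_KRB5_INCLUDEDIR + "\n"`. A comment next to `PATH_KRB5_INCLUDEDIR` naming who maintains that directory would also help, because every file placed there becomes part of the Kerberos configuration and `os.access(..., os.R_OK)` checks only that it is readable. The function starts and ends outside these hunks.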
diff --git a/SOURCES/authconfig-6.2.8-krb5comment.patch b/SOURCES/authconfig-6.2.8-krb5comment.patch
new file mode 100644
index 0000000..5fa0a97
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-krb5comment.patch
@@ -0,0 +1,29 @@
+diff -up authconfig-6.2.8/authinfo.py.krb5comment authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.krb5comment	2015-07-03 11:04:01.174220956 +0200
++++ authconfig-6.2.8/authinfo.py	2015-07-03 11:09:29.329857063 +0200
+@@ -1701,6 +1701,7 @@ class AuthInfo:
+ 			return False
+ 	
+ 		for line in f:
++			line = line.split('#')[0]
+ 			line = line.strip()
+ 
+ 			# If it's a new section, note which one we're "in".
+@@ -3203,7 +3204,7 @@ class AuthInfo:
+ 					output += str(bool(self.kerberosKDCviaDNS)).lower()
+ 					output += "\n"
+ 			# If we haven't encountered a realms section yet...
+-			if not wroterealms2:
++			if not wroterealms2 and (self.kerberosRealm or self.smbRealm):
+ 				if not wroterealms:
+ 					output += "[realms]\n"
+ 				if not wroterealm:
+@@ -3211,7 +3212,7 @@ class AuthInfo:
+ 						self.kerberosAdminServer)
+ 				if not wrotesmbrealm:
+ 					output += krbRealm(self.smbRealm, self.smbServers, "")
+-			if not wrotedomrealm2:
++			if not wrotedomrealm2 and self.kerberosRealm:
+ 				if not wrotedomrealm:
+ 					output += "[domain_realm]\n"
+ 				if self.kerberosRealm and not wroteourdomrealm:
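Review bot: `line = line.split('#')[0]` cuts every line at the first `#`, not only comment lines, so a value that contains `#` is truncated before the parsing below sees it, while lines commented out with `;` are still read as settings. As far as I know, MIT krb5 treats only lines that begin with `#` or `;` (after optional whitespace) as comments, so the test belongs on the start of the stripped line: `if line.startswith(('#', ';')): continue`, placed after `line = line.strip()`. The loop body continues outside the hunk, so confirm nothing later in it depends on seeing comment lines.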
diff --git a/SOURCES/authconfig-6.2.8-localetb.patch b/SOURCES/authconfig-6.2.8-localetb.patch
new file mode 100644
index 0000000..27beec3
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-localetb.patch
@@ -0,0 +1,31 @@
+diff -up authconfig-6.2.8/authconfig-gtk.py.localetb authconfig-6.2.8/authconfig-gtk.py
+--- authconfig-6.2.8/authconfig-gtk.py.localetb	2015-07-03 10:59:22.000000000 +0200
++++ authconfig-6.2.8/authconfig-gtk.py	2015-07-03 11:14:22.666532393 +0200
+@@ -30,7 +30,10 @@ _ = gettext.lgettext
+ import locale
+ import dbus
+ 
+-locale.setlocale(locale.LC_ALL, '')
++try:
++	locale.setlocale(locale.LC_ALL, '')
++except locale.Error:
++	sys.stderr.write('Warning: Unsupported locale setting.\n')
+ 
+ firstbootservices = [
+ 	"autofs",
+diff -up authconfig-6.2.8/authconfig.py.localetb authconfig-6.2.8/authconfig.py
+--- authconfig-6.2.8/authconfig.py.localetb	2015-07-03 10:59:22.000000000 +0200
++++ authconfig-6.2.8/authconfig.py	2015-07-03 11:14:01.694065135 +0200
+@@ -28,7 +28,11 @@ import gettext, os, signal, sys
+ _ = gettext.lgettext
+ from optparse import OptionParser, IndentedHelpFormatter
+ import locale
+-locale.setlocale(locale.LC_ALL, '')
++
++try:
++	locale.setlocale(locale.LC_ALL, '')
++except locale.Error:
++	sys.stderr.write('Warning: Unsupported locale setting.\n')
+ 
+ def runsAs(name):
+ 	return sys.argv[0].find(name) >= 0
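Review bot: In authconfig-gtk.py the new `except locale.Error:` handler calls `sys.stderr.write`, but the context visible there shows only `import locale` and `import dbus`, whereas the authconfig.py hunk header shows `import gettext, os, signal, sys`. If `sys` is not imported above line 30 of authconfig-gtk.py, the handler itself raises `NameError` and the startup traceback this patch removes comes back in another form. Add `import sys` next to `import locale` if it is missing. A short comment such as `# fall back to the default "C" locale rather than abort` on the handler would also state what the program runs with afterwards.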
diff --git a/SOURCES/authconfig-6.2.8-sssd-prompting.patch b/SOURCES/authconfig-6.2.8-sssd-prompting.patch
new file mode 100644
index 0000000..b7c9e55
--- /dev/null
+++ b/SOURCES/authconfig-6.2.8-sssd-prompting.patch
@@ -0,0 +1,60 @@
+diff -up authconfig-6.2.8/authinfo.py.sssd-prompting authconfig-6.2.8/authinfo.py
+--- authconfig-6.2.8/authinfo.py.sssd-prompting	2015-07-03 11:09:29.329857063 +0200
++++ authconfig-6.2.8/authinfo.py	2015-07-03 11:52:58.462677742 +0200
+@@ -132,6 +132,7 @@ LOGIC_FORCE_PKCS11_KRB5 = "[success=ok i
+ LOGIC_SKIPNEXT = "[success=1 default=ignore]"
+ LOGIC_SKIPNEXT3 = "[success=3 default=ignore]"
+ LOGIC_ALWAYS_SKIP = "[default=1]"
++LOGIC_SKIPNEXT_ON_FAILURE = "[default=1 success=ok]"
+ 
+ # Snip off line terminators and final whitespace from a passed-in string.
+ def snipString(s):
+@@ -460,6 +461,8 @@ pam_modules[STANDARD] = [
+ 	 "permit",		[]],
+ 	[False,  AUTH,          LOGIC_SUFFICIENT,
+ 	 "fprintd",		[]],
++	[False, AUTH,		LOGIC_SKIPNEXT_ON_FAILURE,
++	 "localuser",		[]],
+ 	[True,  AUTH,		LOGIC_SUFFICIENT,
+ 	 "unix",		argv_unix_auth],
+ 	[False, AUTH,		LOGIC_REQUISITE,
+@@ -583,6 +586,8 @@ pam_modules[PASSWORD_ONLY] = [
+ 	 "env",			[]],
+ 	[False, AUTH,		LOGIC_REQUIRED,
+ 	 "deny",		[]],
++	[False, AUTH,		LOGIC_SKIPNEXT_ON_FAILURE,
++	 "localuser",		[]],
+ 	[True,  AUTH,		LOGIC_SUFFICIENT,
+ 	 "unix",		argv_unix_auth],
+ 	[False, AUTH,		LOGIC_REQUISITE,
+@@ -3791,6 +3796,10 @@ class AuthInfo:
+ 						argv = module[ARGV][0:] # shallow copy
+ 						argv[1] = self.uidMin
+ 						args = " ".join(argv)
++			# do not continue to following modules if authentication fails
++			if name == "unix" and stack == "auth" and (self.enableSSSDAuth or
++				self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS):
++				logic = LOGIC_FORCE_PKCS11 # make it or break it logic
+ 			# use oddjob_mkhomedir if available
+ 			if name == "mkhomedir" and os.access("%s/pam_%s.so"
+ 				% (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK):
+@@ -3818,6 +3827,8 @@ class AuthInfo:
+ 				args = self.mkhomedirArgs
+ 			if name == "systemd":
+ 				args = self.systemdArgs
++			if name == "sss" and stack == "auth" and not self.enableNIS:
++				args = "forward_pass"
+ 			if not args and module[ARGV]:
+ 				args = " ".join(module[ARGV])
+ 			if name == "winbind" and self.winbindOffline and stack != "password":
+@@ -3922,7 +3933,9 @@ class AuthInfo:
+ 					(self.enablePasswdQC and module[NAME] == "passwdqc") or
+ 					(self.enableWinbindAuth and module[NAME] == "winbind") or
+ 					((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or
+-					(self.enableLocAuthorize and module[NAME] == "localuser") or
++					((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
++						(not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
++					(self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
+ 					(self.enablePAMAccess and module[NAME] == "access") or
+ 					(self.enableMkHomeDir and module[NAME] == "mkhomedir") or
+ 					(not self.enableSysNetAuth and module[STACK] == AUTH and
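Review bot: The two new `localuser` entries use `[default=1 success=ok]`, a relative jump that is only correct while `unix` is the very next line emitted into the auth stack, and nothing in the tables says so. I would add `# must stay directly before "unix": default=1 skips exactly one module` above both entries, since a module inserted between them later would silently change which users reach pam_unix. In the `name == "unix"` override, `LOGIC_FORCE_PKCS11` is reused for a password module and its value is not visible in this patch. A constant named for what it does, or a comment spelling out the control string, would let a reader verify how a failed local login is handled. The SSSD/IPAv2-without-NIS condition is also written out twice in full while the `forward_pass` line tests only `not self.enableNIS`, so a small helper method would keep the three from drifting apart.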
diff --git a/SOURCES/authconfig-6.2.8-winbind-client.patch b/SOURCES/authconfig-6.2.8-winbind-client.patch
index e1150d7..74b442e 100644
--- a/SOURCES/authconfig-6.2.8-winbind-client.patch
+++ b/SOURCES/authconfig-6.2.8-winbind-client.patch
@@ -10,3 +10,17 @@ diff -up authconfig-6.2.8/authconfig-gtk.py.winbind-client authconfig-6.2.8/auth
  			"IPAv2":
  			(_("IPAv2"), ("IPAv2Auth",),
  			 "ipav2options", "ipav2_map", authinfo.PATH_IPA_CLIENT_INSTALL, "freeipa-client")
+diff -up authconfig-6.2.8/authconfig.py.winbind-client authconfig-6.2.8/authconfig.py
+--- authconfig-6.2.8/authconfig.py.winbind-client	2015-07-03 11:34:59.798789958 +0200
++++ authconfig-6.2.8/authconfig.py	2015-07-03 11:33:00.363034242 +0200
+@@ -704,8 +704,8 @@ class AuthconfigTUI(Authconfig):
+ 		warnNIS = [authinfo.PATH_YPBIND, _("NIS"), "ypbind", None]
+ 		warnShadow = [authinfo.PATH_PWCONV, _("shadow password"), "shadow-utils", None]
+ 		warnWinbindNet = [authinfo.PATH_WINBIND_NET, _("Winbind"), "samba-client", None]
+-		warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-common", warnWinbindNet]
+-		warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-common", warnWinbindAuth]
++		warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-winbind", warnWinbindNet]
++		warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-winbind", warnWinbindAuth]
+ 
+ 		# Information
+ 		infoGrid = snack.Grid(1, 6)
diff --git a/SPECS/authconfig.spec b/SPECS/authconfig.spec
index 9431ed0..1b22094 100644
--- a/SPECS/authconfig.spec
+++ b/SPECS/authconfig.spec
@@ -1,7 +1,7 @@
 Summary: Command line tool for setting up authentication from network services
 Name: authconfig
 Version: 6.2.8
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 ExclusiveOS: Linux
 Group: System Environment/Base
@@ -22,6 +22,12 @@ Patch12: authconfig-6.2.8-altfiles.patch
 Patch13: authconfig-6.2.8-winbind-client.patch
 Patch14: authconfig-6.2.8-services.patch
 Patch15: authconfig-6.2.8-multiple-ldap-uris.patch
+Patch16: authconfig-6.2.8-jointitle.patch
+Patch17: authconfig-6.2.8-krb5comment.patch
+Patch18: authconfig-6.2.8-localetb.patch
+Patch19: authconfig-6.2.8-sssd-prompting.patch
+Patch20: authconfig-6.2.8-krb5-include.patch
+Patch21: authconfig-6.2.8-joinpassword.patch
 Requires: newt-python, pam >= 0.99.10.0, python, libpwquality > 0.9
 Conflicts: pam_krb5 < 1.49, samba-common < 3.0, samba-client < 3.0
 Conflicts: nss_ldap < 254, sssd < 0.99.1
@@ -66,6 +72,12 @@ authentication schemes.
 %patch13 -p1 -b .winbind-client
 %patch14 -p1 -b .services
 %patch15 -p1 -b .ldap-uris
+%patch16 -p1 -b .jointitle
+%patch17 -p1 -b .krb5comment
+%patch18 -p1 -b .localetb
+%patch19 -p1 -b .sssd-prompting
+%patch20 -p1 -b .krb5-include
+%patch21 -p1 -b .joinpassword
 
 %build
 %configure
@@ -96,7 +108,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc COPYING NOTES TODO README.samba3
-%ghost %config(noreplace) %{_sysconfdir}/sysconfig/authconfig
+%config(noreplace) %{_sysconfdir}/sysconfig/authconfig
 %ghost %config(noreplace) %{_sysconfdir}/pam.d/system-auth-ac
 %ghost %config(noreplace) %{_sysconfdir}/pam.d/password-auth-ac
 %ghost %config(noreplace) %{_sysconfdir}/pam.d/fingerprint-auth-ac
@@ -148,6 +160,17 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_datadir}/icons/hicolor/256x256/apps/system-config-authentication.*
 
 %changelog
+* Fri Jul  3 2015 Tomáš Mráz <tmraz@redhat.com> - 6.2.8-10
+- fix title of IPA domain join window (#1166119)
+- add --unattended to IPA uninstall command (#1166131)
+- do not mistake comment for krb5 realm name (#1184639)
+- do not traceback with incorrect locales (#1187020)
+- correct the package needed for winbind (#1190226)
+- install empty /etc/sysconfig/authconfig file (#1194698)
+- let SSSD prompt non-local users for passwords (#1204864)
+- add includedir /var/lib/sss/pubconf/krb5.include.d/ to krb5.conf (#1207552)
+- pass the password provided by --winbindjoin to net join (#1225089)
+
 * Mon Sep 29 2014 Tomáš Mráz <tmraz@redhat.com> - 6.2.8-9
 - do not overwrite special ldap base values
 - display error message if winbind or IPA domain join fails