diff --git a/SOURCES/pam_krb5-2.4.10-ignore_afs_options.patch b/SOURCES/pam_krb5-2.4.10-ignore_afs_options.patch
new file mode 100644
index 0000000..773d232
--- /dev/null
+++ b/SOURCES/pam_krb5-2.4.10-ignore_afs_options.patch
@@ -0,0 +1,28 @@
+From 1b829affcbca761e17f38f69a85bbb79354c270e Mon Sep 17 00:00:00 2001
+From: Jan Chaloupka
+Date: Thu, 21 Aug 2014 15:12:52 +0200
+Subject: [PATCH] pam_krb5.8 missing ignore_afs options
+
+[nalin: apply to pam_krb5.8.in instead]
+---
+ src/pam_krb5.8.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/pam_krb5.8.in b/src/pam_krb5.8.in
+index f2640e1..e0eba4a 100644
+--- a/src/pam_krb5.8.in
++++ b/src/pam_krb5.8.in
+@@ -130,6 +130,10 @@ tells pam_krb5.so to use Kerberos credentials provided by the calling
+ application during session setup.
+ @MAN_AFS@This is most often useful for obtaining AFS tokens.
+
++@MAN_AFS@.IP "ignore_afs=\fItrue\fR|\fIfalse\fR|\fIservice [...]\fR"
++@MAN_AFS@tells pam_krb5.so to completely ignore the presence of AFS, preventing
++@MAN_AFS@any attempts to obtain new tokens on behalf of the calling application.
++@MAN_AFS@
+ .IP ignore_k5login
+ specifies that pam_krb5 should skip checking the user's .k5login
+ file to verify that the principal name of the client being authenticated is
+--
+2.7.0
+
diff --git a/SOURCES/pam_krb5-no_close_fork-without-exec.patch b/SOURCES/pam_krb5-no_close_fork-without-exec.patch
new file mode 100644
index 0000000..1908e41
--- /dev/null
+++ b/SOURCES/pam_krb5-no_close_fork-without-exec.patch
@@ -0,0 +1,42 @@
+From 9f4419bdd64702bd02195215143ab5514138eac8 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai
+Date: Tue, 15 Sep 2015 12:44:08 -0400
+Subject: Don't close descriptors for fork-without-exec
+
+When we fork to call kuserok() with target user privs, don't close all
+of our open file descriptors, since library APIs that are using them
+(like nsswitch) won't know that we've done that to any that they have
+open. Based on a report from Roshni Pattath.
+---
+ src/kuserok.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/kuserok.c b/src/kuserok.c
+index 4925f29..ae15b38 100644
+--- a/src/kuserok.c
++++ b/src/kuserok.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2008,2009,2010,2012 Red Hat, Inc.
++ * Copyright 2008,2009,2010,2012,2015 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -119,14 +119,6 @@ _pam_krb5_kuserok(krb5_context ctx,
+ case 0:
+ /* We're the child. */
+ close(outpipe[0]);
+- for (i = 0; i < sysconf(_SC_OPEN_MAX); i++) {
+- if ((i != outpipe[1]) &&
+- (i != STDIN_FILENO) &&
+- (i != STDOUT_FILENO) &&
+- (i != STDERR_FILENO)) {
+- close(i);
+- }
+- }
+ setgroups(0, NULL);
+ /* Now, attempt to assume the desired uid/gid pair. Note that
+ * if we're not root, this is allowed to fail. */
+--
+cgit v0.11.2
+
diff --git a/SPECS/pam_krb5.spec b/SPECS/pam_krb5.spec
index ed8fc7b..9311835 100644
--- a/SPECS/pam_krb5.spec
+++ b/SPECS/pam_krb5.spec
@@ -7,7 +7,7 @@ Summary: A Pluggable Authentication Module for Kerberos 5
 Name: pam_krb5
 Version: 2.4.8
-Release: 4%{?dist}
+Release: 6%{?dist}
 Source0: https://fedorahosted.org/released/pam_krb5/pam_krb5-%{version}.tar.gz
 Source1: https://fedorahosted.org/released/pam_krb5/pam_krb5-%{version}.tar.gz.sig
 License: BSD or LGPLv2+
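Review bot: With the descriptor-closing loop removed, the child that goes on to `setgroups(0, NULL)` and assume the target user's uid/gid now keeps every descriptor the (presumably privileged) PAM caller had open, and nothing on the new side records that this is deliberate, so a later cleanup could reintroduce the loop or, worse, add an exec while those descriptors are still inherited. Above `setgroups(0, NULL);` add `/* Deliberately keep inherited descriptors open: this child never execs, and libraries such as nsswitch still expect theirs to be usable. */`. If `i` was declared only for the removed loop, its declaration (outside this hunk) is now unused and will draw a warning. _pam_krb5_kuserok starts and ends outside the hunk.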
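Review bot: `Release: 6%{?dist}` is not matched by the changelog this commit adds in the later `@@ -69,6 +73,14 @@` hunk, where the newest entry (Fri Feb 19 2016) is tagged `2.4.8-5`, the same version as the Feb 15 entry below it; rpmlint reports this as incoherent-version-in-changelog and the built package cannot be traced to its changelog line. Tag the newest entry `* Fri Feb 19 2016 Robbie Harwood - 2.4.8-6`. The jump from release 4 to 6 looks intentional (release 5 being the Feb 15 entry), but that is inferred from the changelog text alone.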
@@ -15,6 +15,8 @@ Group: System Environment/Base
 URL: https://fedorahosted.org/pam_krb5/
 BuildRequires: keyutils-libs-devel, krb5-devel, pam-devel, libselinux-devel
 Patch0: no_subsequent_on_chauthtok.patch
+Patch1: pam_krb5-no_close_fork-without-exec.patch
+Patch2: pam_krb5-2.4.10-ignore_afs_options.patch
 
 # Needed by tests.
 # BuildRequires: krb5-server, krb5-workstation
@@ -26,6 +28,8 @@ using Kerberos 5, and to change user passwords.
 %prep
 %setup -q
 %patch0 -p1 -b .no_subsequent_on_chauthtok
+%patch1 -p1 -b .no_close_fork-without-exec
+%patch2 -p1 -b .ignore_afs_options
 
 %build
 configure_flags=
@@ -69,6 +73,14 @@ sed -ri -e 's|/lib(64)?/|/\$LIB/|g' $RPM_BUILD_ROOT/%{_mandir}/man*/pam_krb5*.8*
 %{_mandir}/man8/*
 
 %changelog
+* Fri Feb 19 2016 Robbie Harwood - 2.4.8-5
+- Add pam_krb5(8) documentation for ignore_afs
+- Resolves: #1147552
+
+* Mon Feb 15 2016 Robbie Harwood - 2.4.8-5
+- Fix use of kerberized sudo with smartcard
+- Resolves: #1263745
+
 * Thu Mar 6 2014 Nalin Dahyabhai - 2.4.8-4
 - fix to only prompt for passwords when obtaining credentials for performing password changes by toggling the subsequent_prompt default to off when