diff --git a/krb5-1.15-krb5_db_register_keytab.patch b/krb5-1.15-krb5_db_register_keytab.patch
new file mode 100644
index 0000000..bf35520
--- /dev/null
+++ b/krb5-1.15-krb5_db_register_keytab.patch
@@ -0,0 +1,69 @@
+From c9136272512a6158d77e74035d52869443403a10 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 7 Sep 2016 18:33:43 +0200
+Subject: [PATCH] Add krb5_db_register_keytab()
+
+Add a public libkdb5 function to register the KDB keytab type.  This
+functionality is needed for out-of-tree KDC servers such as the Samba
+kpasswd service.
+
+[ghudson@mit.edu: edited comments, whitespace, commit message]
+
+ticket: 8494 (new)
+(cherry picked from commit 2e99582062d9d6a70f2adb00fd8fe58a1f95b9b7)
+---
+ src/include/kdb.h           | 7 +++++++
+ src/lib/kdb/keytab.c        | 6 ++++++
+ src/lib/kdb/libkdb5.exports | 1 +
+ 3 files changed, 14 insertions(+)
+
+diff --git a/src/include/kdb.h b/src/include/kdb.h
+index 9d3bf9d..048327c 100644
+--- a/src/include/kdb.h
++++ b/src/include/kdb.h
+@@ -797,6 +797,13 @@ krb5_dbe_free_strings(krb5_context, krb5_string_attr *, int count);
+ void
+ krb5_dbe_free_string(krb5_context, char *);
+ 
++/*
++ * Register the KDB keytab type, allowing "KDB:" to be used as a keytab name.
++ * For this type to work, the context used for keytab operations must have an
++ * associated database handle (via krb5_db_open()).
++ */
++krb5_error_code krb5_db_register_keytab(krb5_context context);
++
+ #define KRB5_KDB_DEF_FLAGS      0
+ 
+ #define KDB_MAX_DB_NAME                 128
+diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
+index b85b67d..c6aa100 100644
+--- a/src/lib/kdb/keytab.c
++++ b/src/lib/kdb/keytab.c
+@@ -66,6 +66,12 @@ typedef struct krb5_ktkdb_data {
+ } krb5_ktkdb_data;
+ 
+ krb5_error_code
++krb5_db_register_keytab(krb5_context context)
++{
++    return krb5_kt_register(context, &krb5_kt_kdb_ops);
++}
++
++krb5_error_code
+ krb5_ktkdb_resolve(context, name, id)
+     krb5_context          context;
+     const char          * name;
+diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
+index cb4c3df..e5d1045 100644
+--- a/src/lib/kdb/libkdb5.exports
++++ b/src/lib/kdb/libkdb5.exports
+@@ -85,6 +85,7 @@ krb5_db_delete_policy
+ krb5_db_free_policy
+ krb5_def_store_mkey_list
+ krb5_db_promote
++krb5_db_register_keytab
+ ulog_add_update
+ ulog_init_header
+ ulog_map
+-- 
+2.9.3
+
diff --git a/krb5.spec b/krb5.spec
index d217417..bceb489 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.3
-Release: 8%{?dist}
+Release: 9%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -71,6 +71,7 @@ Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
 Patch170: krb5-1.14.4-samba-client-mutual-flag.patch
 
 Patch171: krb5-1.14.4-responder-non-preauth.patch
+Patch172: krb5-1.15-krb5_db_register_keytab.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -287,6 +288,7 @@ ln NOTICE LICENSE
 %patch170 -p1 -b .samba-client-mutual-flag
 
 %patch171 -p1 -b .responder-non-preauth
+%patch172 -p1 -b .krb5_db_register_keytab
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -756,6 +758,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Mon Sep 19 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-9
+- Add krb5_db_register_keytab
+- Resolves: #1376812
+
 * Mon Aug 29 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-8
 - Use responder for non-preauth AS requests
 - Resolves: #1370622