diff --git a/0007-Always-update-cached-upn-if-enterprise-principals-ar.patch b/0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
new file mode 100644
index 0000000..9b8ce53
--- /dev/null
+++ b/0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
@@ -0,0 +1,39 @@
+From 517ba52c518eb747ccb2a76d75a7ec88fc870cf4 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 13 May 2013 14:25:15 +0200
+Subject: [PATCH] Always update cached upn if enterprise principals are used
+
+Instead of continuing to use the initial upn if enterprise principals
+are used if should always be replaced. The enterprise principal
+is stored in the credential cache and without knowing it the
+ccache_for_princ() calls to determine the location of the credential
+cache will fail.
+
+Fixes https://fedorahosted.org/sssd/ticket/1921
+---
+ src/providers/krb5/krb5_auth.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 6d7494c..f65e599 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -913,11 +913,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
+ KRB5_USE_ENTERPRISE_PRINCIPAL);
+
+ /* Check if the cases of our upn are correct and update it if needed.
+- * Fail if the upn differs by more than just the case. */
++ * Fail if the upn differs by more than just the case for non-enterprise
++ * principals. */
+ if (res->correct_upn != NULL &&
+- use_enterprise_principal == false &&
+ strcmp(kr->upn, res->correct_upn) != 0) {
+- if (strcasecmp(kr->upn, res->correct_upn) == 0) {
++ if (strcasecmp(kr->upn, res->correct_upn) == 0 ||
++ use_enterprise_principal == true) {
+ talloc_free(kr->upn);
+ kr->upn = talloc_strdup(kr, res->correct_upn);
+ if (kr->upn == NULL) {
+--
+1.7.7.6
+
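Review bot: With use_enterprise_principal set, the widened condition on the `++ use_enterprise_principal == true) {` line now accepts a res->correct_upn that differs from kr->upn by more than case and replaces the UPN without recording what was substituted, so a KDC canonicalization that changes the user or realm part of the principal leaves no trace in the logs. Since correct_upn appears to be whatever principal the child found in the credential cache, I would log the substitution before the `talloc_free(kr->upn);` line with the file's DEBUG macro, roughly `DEBUG(SSSDBG_TRACE_FUNC, ("Replacing UPN [%s] with canonical principal [%s].\n", kr->upn, res->correct_upn));` (the argument form is assumed from SSSD of that era; match what krb5_auth.c uses). The rewritten comment could also say why the unconditional replacement is acceptable here, e.g. `/* With enterprise principals the KDC canonicalizes the name, so the principal it returned replaces ours unconditionally. */`. krb5_auth_done starts and continues outside the hunk, including the handling of a failed talloc_strdup.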
diff --git a/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch b/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
new file mode 100644
index 0000000..86ef52a
--- /dev/null
+++ b/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
@@ -0,0 +1,40 @@
+From ad1be6fd04234f61f108773ff39aa7485abda47c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Thu, 9 May 2013 16:41:47 +0200
+Subject: [PATCH] Enable the AD dynamic DNS updates by default
+
+https://fedorahosted.org/sssd/ticket/1915
+---
+ src/man/sssd-ad.5.xml | 2 +-
+ src/providers/ad/ad_opts.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index 71e8a2075bc83bc814987f2ca738ddb138c14e5a..589dfd0b5f7514a8e17c9f04407476ccf7c33e88 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -170,7 +170,7 @@ ldap_id_mapping = False
+ realm must be set properly in /etc/krb5.conf
+
+
+- Default: false
++ Default: true
+
+
+
+diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
+index 32bbe3db2f4048056c7e96619eaf53ce22bf52f8..6e9d843c1f0a619fc3da26ae82bb15fe80eb4420 100644
+--- a/src/providers/ad/ad_opts.h
++++ b/src/providers/ad/ad_opts.h
+@@ -239,7 +239,7 @@ struct sdap_attr_map ad_autofs_entry_map[] = {
+ };
+
+ struct dp_option ad_dyndns_opts[] = {
+- { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
++ { "dyndns_update", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
+ { "dyndns_refresh_interval", DP_OPT_NUMBER, { .number = 86400 }, NULL_NUMBER },
+ { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "dyndns_ttl", DP_OPT_NUMBER, { .number = 3600 }, NULL_NUMBER },
+--
+1.8.2.1
+
diff --git a/sssd.spec b/sssd.spec
index f0e0173..18c9b0c 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -16,7 +16,7 @@ Name: sssd
 Version: 1.10.0
-Release: 4%{?dist}.beta1
+Release: 5%{?dist}.beta1
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
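Review bot: Flipping the default on the `++ { "dyndns_update", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },` line makes every AD-joined host start sending DNS updates on its own, yet the man page hunk only swaps `Default: false` for `Default: true` and says nothing about that consequence, so an administrator reading sssd-ad(5) would not learn that the client now modifies DNS unless told otherwise. I would add a sentence beside the new default, along the lines of `Note that with the default of true the client attempts to update its own DNS records at startup and every dyndns_refresh_interval; set this to false on hosts that must not modify DNS, for instance where the zone does not accept secure dynamic updates from the machine account.` That the update is sent with the machine credentials is inferred from how the AD provider works, not from these lines, so check the wording against the update code before committing it. The surrounding sssd-ad.5.xml paragraph and the rest of the ad_dyndns_opts table lie outside the hunk.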
@@ -31,6 +31,8 @@ Patch0003: 0003-UTIL-Add-function-sss_names_init_from_args.patch
 Patch0004: 0004-SSH-Fix-parsing-of-names-from-client-requests.patch
 Patch0005: 0005-SSH-Use-separate-field-for-domain-name-in-client-req.patch
 Patch0006: 0006-SSH-Do-not-skip-domains-with-use_fully_qualified_nam.patch
+Patch0007: 0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
+Patch0008: 0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
 Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
@@ -603,6 +605,14 @@ fi
 %postun -n libsss_sudo -p /sbin/ldconfig
 %changelog
+* Tue May 14 2013 Jakub Hrozek - 1.10.0-5.beta1
+- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during
+ realm join
+- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by
+ default for AD Provider
+- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file
+ parent directory when logging in
+
 * Tue May 7 2013 Jakub Hrozek - 1.10.0-4.beta1
 - Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs