diff --git a/at-3.1.13-pam.patch b/at-3.1.13-pam.patch index e4cae11..0bb3116 100644 --- a/at-3.1.13-pam.patch +++ b/at-3.1.13-pam.patch @@ -1,6 +1,6 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c ---- at-3.1.13/at.c.pam 2011-07-29 13:51:50.234127938 +0200 -+++ at-3.1.13/at.c 2011-07-29 13:51:50.245127883 +0200 +--- at-3.1.13/at.c.pam 2012-04-19 16:50:57.491000001 +0200 ++++ at-3.1.13/at.c 2012-04-19 16:50:57.505000001 +0200 @@ -141,18 +141,13 @@ sigc(int signo) /* If the user presses ^C, remove the spool file and exit */ @@ -52,7 +52,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c /* We've successfully created the file; let's set the flag so it * gets removed in case of an interrupt or error. */ -@@ -661,7 +649,7 @@ process_jobs(int argc, char **argv, int +@@ -661,7 +649,7 @@ process_jobs(int argc, char **argv, int We need the unprivileged uid here since the file is owned by the real (not effective) uid. */ @@ -61,7 +61,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c if (queue == '=') { fprintf(stderr, "Warning: deleting running job\n"); -@@ -670,8 +658,8 @@ process_jobs(int argc, char **argv, int +@@ -670,8 +658,8 @@ process_jobs(int argc, char **argv, int perr("Cannot unlink %.500s", dirent->d_name); rc = EXIT_FAILURE; } @@ -71,7 +71,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c done = 1; break; -@@ -681,7 +669,7 @@ process_jobs(int argc, char **argv, int +@@ -681,7 +669,7 @@ process_jobs(int argc, char **argv, int FILE *fp; int ch; @@ -80,7 +80,7 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c fp = fopen(dirent->d_name, "r"); if (fp) { -@@ -694,7 +682,7 @@ process_jobs(int argc, char **argv, int +@@ -694,7 +682,7 @@ process_jobs(int argc, char **argv, int perr("Cannot open %.500s", dirent->d_name); rc = EXIT_FAILURE; } 
@@ -90,8 +90,8 @@ diff -up at-3.1.13/at.c.pam at-3.1.13/at.c break; diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c ---- at-3.1.13/atd.c.pam 2011-07-29 13:51:50.240127908 +0200 -+++ at-3.1.13/atd.c 2011-07-29 13:54:35.805384873 +0200 +--- at-3.1.13/atd.c.pam 2012-04-19 16:50:57.498000001 +0200 ++++ at-3.1.13/atd.c 2012-04-19 16:52:37.209000138 +0200 @@ -111,7 +111,7 @@ static int run_as_daemon = 0; static volatile sig_atomic_t term_signal = 0; @@ -127,7 +127,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c int retcode; #endif -@@ -395,17 +387,10 @@ run_file(const char *filename, uid_t uid +@@ -395,17 +387,11 @@ run_file(const char *filename, uid_t uid fstat(fd_out, &buf); size = buf.st_size; @@ -143,13 +143,14 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c - PAM_FAIL_CHECK; - PRIV_END +#ifdef WITH_PAM -+ PAM_HANDLING; ++ AT_START_PAM; ++ AT_OPEN_PAM_SESSION; + closelog(); + openlog("atd", LOG_PID, LOG_ATD); #endif close(STDIN_FILENO); -@@ -419,7 +404,14 @@ run_file(const char *filename, uid_t uid +@@ -419,7 +405,14 @@ run_file(const char *filename, uid_t uid else if (pid == 0) { char *nul = NULL; char **nenvp = &nul; @@ -164,7 +165,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c /* Set up things for the child; we want standard input from the * input file, and standard output and error sent to our output file. */ -@@ -438,8 +430,6 @@ run_file(const char *filename, uid_t uid +@@ -438,8 +431,6 @@ run_file(const char *filename, uid_t uid close(fd_in); close(fd_out); @@ -173,7 +174,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c nice((tolower((int) queue) - 'a' + 1) * 2); if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -458,7 +448,16 @@ run_file(const char *filename, uid_t uid +@@ -458,7 +449,16 @@ run_file(const char *filename, uid_t uid if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) perr("Exec failed for /bin/sh"); 
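Review bot: run_file now opens a PAM session here with `AT_START_PAM; AT_OPEN_PAM_SESSION;` and does the same again in the mail branch (the later hunk around `int mail_pid = -1;`), yet the only `AT_CLOSE_PAM` this diff shows comes after `waitpid(mail_pid, (int *) NULL, 0);`. If nothing in the unchanged part of run_file closes the first handle, the second `pam_start` overwrites `pamh`, so the job's session is never closed and session modules never see a matching close. It is also not clear from the diff that anything is closed when the mail branch is not taken. I would pair each open with its own close, for example `AT_CLOSE_PAM;` after `waitpid(pid, (int *) NULL, 0);` and before PAM is started again for the mail. Most of run_file lies outside these hunks, so this needs checking against the full function.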
@@ -191,7 +192,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c PRIV_END } /* We're the parent. Let's wait. -@@ -471,14 +470,6 @@ run_file(const char *filename, uid_t uid +@@ -471,14 +471,6 @@ run_file(const char *filename, uid_t uid */ waitpid(pid, (int *) NULL, 0); @@ -206,7 +207,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c /* Send mail. Unlink the output file after opening it, so it * doesn't hang around after the run. */ -@@ -509,8 +500,19 @@ run_file(const char *filename, uid_t uid +@@ -509,8 +501,20 @@ run_file(const char *filename, uid_t uid unlink(newname); free(newname); @@ -214,7 +215,8 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c if (((send_mail != -1) && (buf.st_size != size)) || (send_mail == 1)) { + int mail_pid = -1; +#ifdef WITH_PAM -+ PAM_HANDLING; ++ AT_START_PAM; ++ AT_OPEN_PAM_SESSION; + closelog(); + openlog("atd", LOG_PID, LOG_ATD); +#endif @@ -226,7 +228,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c PRIV_START if (initgroups(pentry->pw_name, pentry->pw_gid)) -@@ -535,7 +537,23 @@ run_file(const char *filename, uid_t uid +@@ -535,7 +539,21 @@ run_file(const char *filename, uid_t uid perr("Exec failed for mail command"); PRIV_END @@ -239,9 +241,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c + waitpid(mail_pid, (int *) NULL, 0); + } +#ifdef WITH_PAM -+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); -+ pam_close_session(pamh, PAM_SILENT); -+ pam_end(pamh, PAM_ABORT); ++ AT_CLOSE_PAM; + closelog(); + openlog("atd", LOG_PID, LOG_ATD); +#endif @@ -252,7 +252,7 @@ diff -up at-3.1.13/atd.c.pam at-3.1.13/atd.c diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in --- at-3.1.13/config.h.in.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/config.h.in 2011-07-29 13:51:50.246127878 +0200 ++++ at-3.1.13/config.h.in 2012-04-19 16:50:57.506000001 +0200 @@ -68,8 +68,8 @@ /* Define to 1 if you have the header file. */ #undef HAVE_NLIST_H 
@@ -266,7 +266,7 @@ diff -up at-3.1.13/config.h.in.pam at-3.1.13/config.h.in #undef HAVE_PSTAT_GETDYNAMIC diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac --- at-3.1.13/configure.ac.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/configure.ac 2011-07-29 13:51:50.247127873 +0200 ++++ at-3.1.13/configure.ac 2012-04-19 16:50:57.506000001 +0200 @@ -84,7 +84,7 @@ AC_FUNC_GETLOADAVG AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid) AC_CHECK_HEADERS(security/pam_appl.h, [ @@ -292,7 +292,7 @@ diff -up at-3.1.13/configure.ac.pam at-3.1.13/configure.ac [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ], diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c --- at-3.1.13/perm.c.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/perm.c 2011-07-29 13:51:50.248127868 +0200 ++++ at-3.1.13/perm.c 2012-04-19 16:53:09.192001742 +0200 @@ -51,6 +51,14 @@ #define PRIV_END while(0) #endif @@ -308,7 +308,7 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c /* Structures and unions */ -@@ -108,18 +116,51 @@ user_in_file(const char *path, const cha +@@ -108,18 +116,45 @@ user_in_file(const char *path, const cha int check_permission() { @@ -342,14 +342,8 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c + exit(1); + } + -+ pam_close_session(pamh,PAM_SILENT); -+ -+ PAM_HANDLING; -+ -+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT ); -+ pam_close_session(pamh,PAM_SILENT); -+ pam_end(pamh, PAM_ABORT); -+ ++ AT_START_PAM; ++ AT_CLOSE_PAM; + if (setregid(gid,egid) != 0) { + fprintf(stderr, "cannot set egid: %s", strerror(errno)); + exit(1); 
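Review bot: The `AT_START_PAM; AT_CLOSE_PAM;` pair in check_permission carries no comment saying that the at client deliberately runs only the account check (`pam_acct_mgmt`) and opens no session, which is the substance of this change and easy to undo by accident. I would add `/* account check only: the client opens no PAM session, so AT_CLOSE_PAM just ends the handle */` above the pair. The pair also depends on `pam_session_opened` being 0 in this source file, because the flag is a `static` defined in privs.h; that is worth stating in the same comment. check_permission starts and ends outside this hunk.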
@@ -365,8 +359,8 @@ diff -up at-3.1.13/perm.c.pam at-3.1.13/perm.c return allow; diff -up at-3.1.13/privs.h.pam at-3.1.13/privs.h --- at-3.1.13/privs.h.pam 2011-06-25 14:43:14.000000000 +0200 -+++ at-3.1.13/privs.h 2011-07-29 13:51:50.248127868 +0200 -@@ -144,3 +144,61 @@ extern gid_t real_gid, effective_gid, da ++++ at-3.1.13/privs.h 2012-04-19 16:53:46.296016675 +0200 +@@ -144,3 +144,63 @@ extern gid_t real_gid, effective_gid, da #error "Cannot implement user ID swapping without setreuid or setresuid" #endif #endif 
@@ -400,31 +394,33 @@ diff -up at-3.1.13/privs.h.pam at-3.1.13/privs.h + } \ + } while (0) \ + -+/* PAM - check after every operation whether they passed */ -+#define PAM_HANDLING \ -+ do { pamh = NULL; \ -+ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); \ -+ PAM_FAIL_CHECK; \ -+ retcode = pam_set_item(pamh, PAM_TTY, "atd"); \ -+ PAM_FAIL_CHECK; \ -+ retcode = pam_acct_mgmt(pamh, PAM_SILENT); \ -+ PAM_FAIL_CHECK; \ -+ retcode = pam_open_session(pamh, PAM_SILENT); \ -+ PAM_FAIL_CHECK; \ -+ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); \ -+ PAM_SESSION_FAIL; \ -+ PAM_FAIL_CHECK; \ -+ } while (0) ++static int pam_session_opened = 0; //global for open session + -+/* OLD FAIL_CHECK ONLY FOR perm.c -+ * define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \ -+ * fprintf(stderr,"\nPAM failure %s\n",pam_strerror(pamh, retcode)); \ -+ * syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \ -+ * if (pamh) \ -+ * pam_end(pamh, retcode); \ -+ * exit(1); \ -+ * } -+ */ ++#define AT_START_PAM { \ ++ retcode = pam_start("atd", pentry->pw_name, &conv, &pamh); \ ++ PAM_FAIL_CHECK; \ ++ retcode = pam_set_item(pamh, PAM_TTY, "atd"); \ ++ PAM_FAIL_CHECK; \ ++ retcode = pam_acct_mgmt(pamh, PAM_SILENT); \ ++ PAM_FAIL_CHECK; \ ++} ++ ++#define AT_OPEN_PAM_SESSION { \ ++ retcode = pam_open_session(pamh, PAM_SILENT); \ ++ PAM_FAIL_CHECK; \ ++ retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); \ ++ PAM_FAIL_CHECK; \ ++ if (retcode == PAM_SUCCESS) \ ++ pam_session_opened = 1; \ ++} ++ ++#define AT_CLOSE_PAM { \ ++ if (pam_session_opened != 0) { \ ++ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT); \ ++ pam_close_session(pamh, PAM_SILENT); \ ++ } \ ++ pam_end(pamh, PAM_SUCCESS); \ ++} + +#endif + diff --git a/at.spec b/at.spec index 890ec28..1f6f242 100644 --- a/at.spec +++ b/at.spec 
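Review bot: `AT_OPEN_PAM_SESSION` sets `pam_session_opened` only after `pam_setcred` has succeeded, so if `pam_open_session` succeeds, `pam_setcred` fails and `PAM_FAIL_CHECK` (only partly visible here) does not exit, `AT_CLOSE_PAM` will skip `pam_close_session` for a session that is open; setting the flag right after the first `PAM_FAIL_CHECK` avoids that. `AT_START_PAM` also drops the `pamh = NULL;` that the removed `PAM_HANDLING` began with, and `AT_CLOSE_PAM` leaves both `pamh` and the flag set after `pam_end`, so a second start/close cycle in the same process sees stale state; ending the macro with `pam_session_opened = 0; pamh = NULL;` would fix it. On style, the three macros are bare `{ ... }` blocks where the removed macro used `do { ... } while (0)`, which makes `AT_CLOSE_PAM;` unsafe as the body of an unbraced `if`/`else`. The `//global for open session` comment is misleading too, since a `static` defined in a header gives every including source file its own copy.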
@@ -3,7 +3,7 @@ Summary: Job spooling tools Name: at Version: 3.1.13 -Release: 7%{dist} +Release: 8%{dist} License: GPLv2+ Group: System Environment/Daemons URL: http://ftp.debian.org/debian/pool/main/a/at @@ -189,13 +189,14 @@ fi %attr(0755,root,root) %{_initrddir}/atd %changelog -* Tue Apr 17 2012 Marcela Mašláňová - 3.1.13-7 +* Tue Apr 17 2012 Marcela Mašláňová - 3.1.13-8 - at-3.1.13-mailwithhostname.patch in email mention also hostname address - at-3.1.13-usePOSIXtimers.patch use POSIX timers, so we won't need pm-utils hack anymore - at-3.1.13-help.patch update usage - systemd-user-sessions.service is used in unit file, so the atd should be started after almost all services are up and running +- 812682 pam support work with new systemd defaults * Thu Jan 12 2012 Fedora Release Engineering - 3.1.13-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild