diff --git a/krb5-1.8-pam.patch b/krb5-1.8-pam.patch
index f3036db..374a8c9 100644
--- a/krb5-1.8-pam.patch
+++ b/krb5-1.8-pam.patch
@@ -141,6 +141,33 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c
 /* Run authorization as target.*/
 if (krb5_seteuid(target_uid)) {
 com_err(prog_name, errno, "while switching to target for authorization check");
+@@ -651,6 +676,26 @@
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
++#ifdef USE_PAM
++ } else {
++ /* we always do PAM account management, even for root */
++ if (appl_pam_enabled(ksu_context, "ksu")) {
++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
++ NULL, source_user,
++ ttyname(STDERR_FILENO)) != 0) {
++ fprintf(stderr, "Access denied for %s.\n", target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
++ if (appl_pam_requires_chauthtok()) {
++ fprintf(stderr, "Password change required for %s.\n",
++ target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
++ force_fork++;
++ }
++#endif
+ }
+
+ if( some_rest_copy){
 @@ -720,6 +745,32 @@
 exit(1);
 }
diff --git a/krb5.spec b/krb5.spec
index a24851d..afcc329 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -627,7 +627,8 @@ exit 0
 %changelog
 * Thu May 27 2010 Nalin Dahyabhai
 - ksu: move session management calls to before we drop privileges, like
- su does (#596887)
+ su does (#596887), and don't skip the PAM account check for root or the
+ same user (more of #477033)

 * Mon May 24 2010 Nalin Dahyabhai 1.8.1-6
 - make krb5-server-ldap also depend on the same version-release of krb5-libs,
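Review bot: In the added `@@ -651,6 +676,26 @@` hunk for ksu's main.c, the tty argument to `appl_pam_acct_mgmt` is `ttyname(STDERR_FILENO)`, which returns NULL when stderr is not a terminal and otherwise names whichever terminal the invoking user attached to stderr, so any tty-based account rule is evaluated against a caller-chosen value. Whether `appl_pam_acct_mgmt` tolerates a NULL tty is not visible here; I would resolve it once with `const char *tty = ttyname(STDERR_FILENO);`, handle the NULL case explicitly before the call, and add a comment saying why stderr is the descriptor consulted. The enable check passes the literal `"ksu"` while the account call uses `KSU_PAM_SERVICE`; if both are meant to name the same service, using the constant in both places keeps them from drifting apart. The `} else {` closes an `if` that begins outside the hunk, so the condition under which this branch runs cannot be confirmed from these lines.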