diff --git a/pam-1.2.1-unix-get-authtok.patch b/pam-1.2.1-unix-get-authtok.patch
index ac142a0..46d8582 100644
--- a/pam-1.2.1-unix-get-authtok.patch
+++ b/pam-1.2.1-unix-get-authtok.patch
@@ -138,11 +138,8 @@ index fa29327..49dd831 100644
  
  			if (retval != PAM_SUCCESS) {
  				pam_syslog(pamh, LOG_NOTICE,
-@@ -723,14 +712,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
- 		if (retval != PAM_SUCCESS) {
- 			D(("Authentication failed"));
+@@ -725,12 +714,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
  			pass_old = NULL;
-+			pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
  			return retval;
  		}
 -		retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
@@ -154,7 +151,7 @@ index fa29327..49dd831 100644
  		retval = _unix_verify_shadow(pamh,user, ctrl);
  		if (retval == PAM_AUTHTOK_ERR) {
  			if (off(UNIX__IAMROOT, ctrl))
-@@ -760,23 +745,14 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -760,23 +744,14 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
  		 * previous call to this function].
  		 */
  
@@ -181,7 +178,7 @@ index fa29327..49dd831 100644
  
  		D(("get new password now"));
  
-@@ -785,7 +761,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -785,7 +760,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
  		if (on(UNIX_USE_AUTHTOK, lctrl)) {
  			set(UNIX_USE_FIRST_PASS, lctrl);
  		}
@@ -192,7 +189,7 @@ index fa29327..49dd831 100644
  		retval = PAM_AUTHTOK_ERR;
  		while ((retval != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
  			/*
-@@ -793,12 +771,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -793,12 +770,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
  			 * password -- needed for pluggable password strength checking
  			 */
  
@@ -206,7 +203,7 @@ index fa29327..49dd831 100644
  
  			if (retval != PAM_SUCCESS) {
  				if (on(UNIX_DEBUG, ctrl)) {
-@@ -822,7 +795,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -822,7 +794,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
  			retval = _pam_unix_approve_pass(pamh, ctrl, pass_old,
  			                                pass_new, pass_min_len);
  
diff --git a/pam.spec b/pam.spec
index f418e8d..c599c56 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.2.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -373,6 +373,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Apr  6 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-7
+- do not drop PAM_OLDAUTHTOK if mismatched - can be used by further modules
+
 * Mon Apr  4 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-6
 - pam_unix: use pam_get_authtok() and improve prompting