diff --git a/pam-xauth_ownership.patch b/pam-xauth_ownership.patch
new file mode 100644
index 0000000..737af6f
--- /dev/null
+++ b/pam-xauth_ownership.patch
@@ -0,0 +1,106 @@
+Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c
++++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+@@ -355,11 +355,13 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 	char *cookiefile = NULL, *xauthority = NULL,
+ 	     *cookie = NULL, *display = NULL, *tmp = NULL,
+ 	     *xauthlocalhostname = NULL;
+-	const char *user, *xauth = NULL;
++	const char *user, *xauth = NULL, *login_name;
+ 	struct passwd *tpwd, *rpwd;
+ 	int fd, i, debug = 0;
+ 	int retval = PAM_SUCCESS;
+-	uid_t systemuser = 499, targetuser = 0;
++	uid_t systemuser = 499, targetuser = 0, uid;
++	gid_t gid;
++	struct stat st;
+ 
+ 	/* Parse arguments.  We don't understand many, so no sense in breaking
+ 	 * this into a separate function. */
+@@ -429,7 +431,16 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 		retval = PAM_SESSION_ERR;
+ 		goto cleanup;
+ 	}
+-	rpwd = pam_modutil_getpwuid(pamh, getuid());
++
++	login_name = pam_modutil_getlogin(pamh);
++	if (login_name == NULL) {
++		login_name = "";
++	}
++	if (*login_name)
++		rpwd = pam_modutil_getpwnam(pamh, login_name);
++	else
++		rpwd = pam_modutil_getpwuid(pamh, getuid());
++
+ 	if (rpwd == NULL) {
+ 		pam_syslog(pamh, LOG_ERR,
+ 			   "error determining invoking user's name");
+@@ -518,18 +529,26 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 			   cookiefile);
+ 	}
+ 
++	/* Get owner and group of the cookiefile */
++	uid = getuid();
++	gid = getgid();
++	if (stat(cookiefile, &st) == 0) {
++		uid = st.st_uid;
++		gid = st.st_gid;
++	}
++
+ 	/* Read the user's .Xauthority file.  Because the current UID is
+ 	 * the original user's UID, this will only fail if something has
+ 	 * gone wrong, or we have no cookies. */
+ 	if (debug) {
+ 		pam_syslog(pamh, LOG_DEBUG,
+-			   "running \"%s %s %s %s %s\" as %lu/%lu",
+-			   xauth, "-f", cookiefile, "nlist", display,
+-			   (unsigned long) getuid(), (unsigned long) getgid());
++			   "running \"%s %s %s %s %s %s\" as %lu/%lu",
++			   xauth, "-i", "-f", cookiefile, "nlist", display,
++			   (unsigned long) uid, (unsigned long) gid);
+ 	}
+ 	if (run_coprocess(pamh, NULL, &cookie,
+-			  getuid(), getgid(),
+-			  xauth, "-f", cookiefile, "nlist", display,
++			  uid, gid,
++			  xauth, "-i", "-f", cookiefile, "nlist", display,
+ 			  NULL) == 0) {
+ #ifdef WITH_SELINUX
+ 		security_context_t context = NULL;
+@@ -583,12 +602,12 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 						       cookiefile,
+ 						       "nlist",
+ 						       t,
+-						       (unsigned long) getuid(),
+-						       (unsigned long) getgid());
++						       (unsigned long) uid,
++						       (unsigned long) gid);
+ 					}
+ 					run_coprocess(pamh, NULL, &cookie,
+-						      getuid(), getgid(),
+-						      xauth, "-f", cookiefile,
++						      uid, gid,
++						      xauth, "-i", "-f", cookiefile,
+ 						      "nlist", t, NULL);
+ 				}
+ 				free(t);
+@@ -673,13 +692,17 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 			goto cleanup;
+ 		}
+ 
++		if (debug) {
++			pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'",
++				   xauthority);
++		}
+ 		/* Set the new variable in the environment. */
+ 		if (pam_putenv (pamh, xauthority) != PAM_SUCCESS)
+ 			pam_syslog(pamh, LOG_ERR,
+ 				   "can't set environment variable '%s'",
+ 				   xauthority);
+ 		putenv (xauthority); /* The environment owns this string now. */
+-		xauthority = NULL; /* Don't free environment variables. */
++		/* Don't free environment variables nor set them to NULL. */
+ 
+ 		/* set $DISPLAY in pam handle to make su - work */
+ 		{
diff --git a/pam.changes b/pam.changes
index a7a0279..f8ad70f 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Oct  8 13:31:39 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- /usr/bin/xauth chokes on the old user's $HOME being on an NFS
+  file system. Run /usr/bin/xauth using the old user's uid/gid
+  Patch courtesy of Dr. Werner Fink.
+  [bsc#1174593, pam-xauth_ownership.patch]
+
 -------------------------------------------------------------------
 Thu Oct  8 02:33:16 UTC 2020 - Stanislav Brabec <sbrabec@suse.com>
 
diff --git a/pam.spec b/pam.spec
index cff51f0..6fc5819 100644
--- a/pam.spec
+++ b/pam.spec
@@ -47,6 +47,7 @@ Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
 Patch2:         pam-limit-nproc.patch
 Patch4:         pam-hostnames-in-access_conf.patch
+Patch5:         pam-xauth_ownership.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
@@ -139,6 +140,7 @@ removed with one of the next releases.
 cp -a %{SOURCE12} .
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
 
 %build
 bash ./pam-login_defs-check.sh