diff --git a/pam-login_defs-check.sh b/pam-login_defs-check.sh
new file mode 100644
index 0000000..80ce8fd
--- /dev/null
+++ b/pam-login_defs-check.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Extract list of variables supported by su/runuser.
+#
+# If you edit this file, you will probably need to edit
+# shadow-login_defs-check.sh from shadow sources in a similar way.
+
+set -o errexit
+
+echo -n "Checking login.defs variables in pam... " >&2
+grep -rh LOGIN_DEFS . |
+	sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
+	LC_ALL=C sort -u >pam-login_defs-vars.lst
+
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3e1ae01b1e928c53c828f64ab412be6267eb1018 ; then
+
+	echo "does not match!" >&2
+	echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
+
+cat >&2 <<EOF
+
+You have to perform following steps:
+
+Check whether the error is false positive (script failed to extract
+variables) or true positive (variable list changed).
+
+If it is false positive:
+- Fix this script.
+- The same fix is needed in shadow package in shadow-login_defs-check.sh.
+
+If it is true positive:
+- Check-out shadow package and call shadow-login_defs-check.sh.
+- Compare its output shadow-login_defs-check-pam.lst with
+  pam-login_defs-vars.lst in the pam build directory.
+- Update shadow encryption_method_nis.patch, if needed.
+- If encryption_method_nis.patch was updated, update
+  login_defs-support-for-pam symbol version in both shadow and
+  pam spec files accordingly.
+- Update checksum in this script.
+
+EOF
+
+	exit 1
+else
+	echo "OK" >&2
+fi
diff --git a/pam.changes b/pam.changes
index baceee0..c84e094 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu May  2 23:55:30 CEST 2019 - sbrabec@suse.com
+
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+- Add login.defs safety check pam-login_defs-check.sh
+  (bsc#1121197).
+
 -------------------------------------------------------------------
 Thu Nov 15 15:41:08 UTC 2018 - josef.moellers@suse.com
 
diff --git a/pam.spec b/pam.spec
index 47d4ba2..7fec94b 100644
--- a/pam.spec
+++ b/pam.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -48,6 +48,11 @@ PreReq:         permissions
 Requires(pre):  group(shadow)
 Requires(pre):  user(root)
 %endif
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+# Recent symbol includes variable from encryption_method_nis.diff.
+Requires:       login_defs-support-for-pam >= 1.3.1
 
 #DL-URL:	https://fedorahosted.org/releases/l/i/linux-pam/
 Source:         Linux-PAM-%{version}.tar.xz
@@ -62,6 +67,7 @@ Source8:        etc.environment
 Source9:        baselibs.conf
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
+Source12:       pam-login_defs-check.sh
 Patch0:         fix-man-links.dif
 Patch2:         pam-limit-nproc.patch
 Patch3:         encryption_method_nis.diff
@@ -115,6 +121,7 @@ building both PAM-aware applications and modules for use with PAM.
 
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
+cp -a %{S:12} .
 %patch0 -p1
 %patch2 -p1
 %patch3 -p0
@@ -122,6 +129,7 @@ building both PAM-aware applications and modules for use with PAM.
 %patch5 -p1
 
 %build
+bash ./pam-login_defs-check.sh
 autoreconf -fiv
 export CFLAGS="%optflags -DNDEBUG"
 %configure \