Diffstat (limited to 'modules')
-rw-r--r--modules/pam_access/access.conf.5.xml7
-rw-r--r--modules/pam_access/pam_access.c11
2 files changed, 14 insertions, 4 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index 1b629afc..a4d3419b 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -74,7 +74,12 @@
not set and <origin> field is thus set from
<emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>".
If supported by the system you can use
- <emphasis>@netgroupname</emphasis> in host or user patterns.
+ <emphasis>@netgroupname</emphasis> in host or user patterns. The
+ <emphasis>@@netgroupname</emphasis> syntax is supported in the user
+ pattern only and it makes the local system hostname to be passed
+ to the netgroup match call in addition to the user name. This might not
+ work correctly on some libc implementations causing the match to
+ always fail.
</para>
<para>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 963ce528..e9f0caa3 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -529,9 +529,14 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
return (user_match (pamh, tok, item) &&
from_match (pamh, at + 1, &fake_item));
} else if (tok[0] == '@') { /* netgroup */
- if (item->hostname == NULL)
- return NO;
- return (netgroup_match (pamh, tok + 1, item->hostname, string, item->debug));
+ const char *hostname = NULL;
+ if (tok[1] == '@') { /* add hostname to netgroup match */
+ if (item->hostname == NULL)
+ return NO;
+ ++tok;
+ hostname = item->hostname;
+ }
+ return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
} else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
return (group_match (pamh, tok, string, item->debug));
else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
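Review bot: The plain `@netgroup` branch now calls netgroup_match with `hostname` left NULL, whereas the removed lines passed `item->hostname` and returned NO when it was unset, so existing user-field rules change meaning with nothing in the code marking it. If netgroup_match treats a NULL host as "any host" (its body is not visible in this hunk), a `+` rule that used to match only triples naming the local host would, after upgrade, also match users listed for other hosts. I would add a comment above the declaration, e.g. `/* plain @group: hostname stays NULL, triple matched on user only; @@group restricts to the local host */`, and call the change out in the release notes so administrators can move host-scoped rules to `@@`. For `-` rules, the "match always fails" case the man page mentions for some libc implementations means an `@@` deny entry would silently not apply, which is worth a debug log line when `item->debug` is set. user_match begins and ends outside this hunk.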