Comment # 10 on bug 1209741 from
Hi Fabian, 

> Ok, so we definitely need pam_keyinit.so in the systemd-user PAM service
> then?
> Upstream did that ages ago:
> https://github.com/systemd/systemd/commit/
> ab79099d1684457d040ee7c28b2012e8c1ea9a4f

I would say YES since that seems to fix the cifscreds problem and since
upstream has made that change and I've seen it in some other distros I test
with too.

The question is what to do about the pam_cifscreds.so issue ???

pam_cifscreds just adds the user's login credentials to the keyring at login so
that the user does not need to call cifscreds after logging in.

I have been playing around with various attempts to get it working again with 
systemd-user now including pam_keyinit.so but have been unsuccessful.

If you are unfamiliar with pam_cifscreds.so, the settings that used to work are
quite easy.

The following needs to be in the pam config files and the CIFS mounts need to
use the multiuser mount option.

  auth optional pam_cifscreds.so

  session optional pam_keyinit.so revoke force
  session optional pam_cifscreds.so host=FILESERVER

One important point is that the session optional pam_cifscreds.so host=FILESERVER
line was finicky and has wanted to be right after pam_keyinit.so.

I tried adding the auth line as the 2nd auth line in systemd-user and adding
the session pam_cifscreds.so line to systemd-user after pam_keyinit.so, but
that is no longer working.

One difference in what used to work is that you are adding pam_keyinit before
common-session, and the sequence that used to work for me was with pam_keyinit
AFTER common-session:

   session include common-session
   session optional pam_keyinit.so revoke force
   session optional pam_cifscreds.so host=FILESERVER

However, I tried switching that sequence and it does not work either.

I got pretty far with debugging before I reported this bug, but we are now
getting past the point of my understanding of the authentication process and
keyrings.

Since the pam_cifscreds.so issue is directly related to the pam_keyinit.so
issue and the fix you are doing, could we please get someone to debug what is
going on with pam_cifscreds after this fix is made?

I will do anything that I can to help or answer questions, but debugging that
part really needs someone that understands the chain of authentication and the
keyrings better than I do.

Please let me know what I can do to assist.

