Thank you for the detailed bug report. I am not an expert with keyring and even less with the cifscreds tool. Nevertheless I did some research and this is what I found:

Looking at the code of cifscreds [1], it cannot work properly if the user session key is the same as the specific session key.

`if (ses_key == uses_key)`

And that is the case when you log in from the GUI:

```
keyctl show @s   # login from console
115341363 --alswrv 1000 1000 keyring: _ses   <<< independent session key
[...]

keyctl show @s   # login from GUI
115341363 --alswrv 1000 1000 keyring: _uid_ses.1000   <<< session key = user key
[...]
```

Key sessions are managed by the module pam_keyinit.so already mentioned. But when you log in from a GUI, dbus-daemon will change the session user keyring. Each display manager (gdm for GNOME, sddm for KDE, etc.) will use systemd-user in the PAM stack. This is why the login session keyring differs between the console login and the GUI login. It was previously discussed here [2], by our previous pam maintainer.

To fix that, you can add the module pam_keyinit.so to revoke the key settings managed by D-Bus in pam.d/systemd-user (/usr/lib/pam.d/systemd-user):

```
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session optional pam_keyinit.so revoke force debug   <<< NEW
session include common-session
```

I made a test and it seems to work in a session from GUI login. Can you confirm whether it works for you also?

What do you think, Thorsten, about this kind of change? I don't know what it would involve to change the pam configuration of systemd in our distribution. I will inform our systemd maintainer in case he has more information.

BTW, a previous bug was reported here [3] and closed as WONTFIX.

[1] https://github.com/Distrotech/cifs-utils/blob/distrotech-cifs-utils/cifscreds.c#L491
[2] https://lists.freedesktop.org/archives/systemd-devel/2019-June/042872.html
[3] https://bugzilla.opensuse.org/show_bug.cgi?id=1128835
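
To check which of the two cases a given login falls into, the following added example (not part of the original comment, and not code from cifs-utils or keyutils) classifies the top-level keyring in `keyctl show @s` output. The function names are hypothetical, and the sample output is constructed from the GUI-login line quoted above plus an illustrative child entry.

```shell
#!/bin/sh
# Added example: classify the session keyring from `keyctl show @s` output.
# Function names are hypothetical; they are not part of keyutils or cifs-utils.

# Print the description of the top-level keyring: the first "keyring:" entry.
top_keyring_name() {
    awk '/keyring: / { sub(/^.*keyring: /, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# Read `keyctl show @s` output on stdin and print:
#   private       independent session keyring (e.g. _ses at console login)
#   user-session  fallback to the per-user session keyring _uid_ses.<uid>,
#                 the case caught by cifscreds' ses_key == uses_key check
#   unknown       no keyring line found (empty or unexpected input)
classify_session_keyring() {
    name=$(top_keyring_name)
    case "$name" in
        _uid_ses.*) echo "user-session" ;;
        "")         echo "unknown" ;;
        *)          echo "private" ;;
    esac
}

# Constructed sample modelled on the GUI-login output quoted in the comment.
sample_gui() {
    cat <<'EOF'
Session Keyring
 115341363 --alswrv   1000  1000  keyring: _uid_ses.1000
 971283644 --alswrv   1000 65534   \_ keyring: _uid.1000
EOF
}

echo "sample GUI login: $(sample_gui | classify_session_keyring)"

# Live check of the current session, only when keyctl is installed.
if command -v keyctl >/dev/null 2>&1; then
    echo "this session: $(keyctl show @s 2>/dev/null | classify_session_keyring)"
fi
```

Running it once from a console login and once from a GUI terminal, before and after the pam.d/systemd-user change, shows whether the session has moved from `user-session` to `private`.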