Fabian Vogt changed bug 1209741
What  | Removed | Added
CC    |         | mkoutny@suse.com, systemd-maintainers@suse.de
Flags |         | needinfo?(systemd-maintainers@suse.de)

Comment # 4 on bug 1209741 from
The issue is that the session keyring created by pam_keyinit is only inherited
through fork/execve/..., but all the session does is "systemctl start
plasma-workspace-(wayland/x11).target". The session itself (plasmashell,
krunner, all processes started by those) are actually children of the systemd
user instance, which is in turn a system service.

How is this meant to work in combination with session keyrings?

Can pam_systemd somehow forward the session keyring to the systemd user
instance it starts? If not, the only option I see is to have separate session
keyrings for systemd user services and other parts of the session.

That could be implemented simply by adding

session optional pam_keyinit.so force revoke

to /usr/lib/pam.d/systemd-user. That works in my testing: after logout and
login there is a session keyring visible in konsole instances and cifscreds
works as expected.
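
The inheritance rule the comment above relies on, as an added example that is not part of the original bug comment or of any project's code: a forked child keeps its parent's session keyring, while a process that joins a new anonymous session keyring (the KEYCTL_JOIN_SESSION_KEYRING call) ends up with a separate one. The function names are hypothetical, and the program assumes Linux with the keyctl syscall permitted.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* ID of the caller's session keyring, or -1 on error. */
static long session_id(void)
{
    return syscall(SYS_keyctl, (long)KEYCTL_GET_KEYRING_ID,
                   (long)KEY_SPEC_SESSION_KEYRING, 0L);
}

/* Fork a child; with `rejoin` set, the child first joins a new anonymous
 * session keyring. Returns 1 if the child's session keyring is `parent_id`,
 * 0 if it is a different keyring, -1 on error. */
static int child_shares_keyring(long parent_id, int rejoin)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (rejoin &&
            syscall(SYS_keyctl, (long)KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0)
            _exit(2);
        long id = session_id();
        _exit(id < 0 ? 2 : (id == parent_id ? 1 : 0));
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 2)
        return -1;
    return WEXITSTATUS(st);
}

/* Gives this process a fresh session keyring, then compares it with the
 * keyring seen by a plain forked child and by a child that re-joins.
 * Returns 0 on success, -1 if keyctl is unavailable (e.g. seccomp). */
int keyring_demo(int *inherited, int *after_rejoin)
{
    if (syscall(SYS_keyctl, (long)KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0)
        return -1;
    long id = session_id();
    if (id < 0)
        return -1;
    *inherited = child_shares_keyring(id, 0);
    *after_rejoin = child_shares_keyring(id, 1);
    return (*inherited < 0 || *after_rejoin < 0) ? -1 : 0;
}
```

Processes started by the systemd user instance are not descendants of the login process, so they are in neither position of the first case; the second case corresponds to giving them a session keyring of their own.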

