Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
* What exactly did you do (or not do) that was effective (or
ineffective)?
* What was the outcome of this action?
* What outcome did you expect instead?
*** End of the template - remove these template lines ***
Hi Ruan,

Thanks for reporting this. Please could you send the logs? Does the problem occur all the time? If not, please explain the circumstances in which it happens.

The bug template gives some helpful prompts - the idea is that you answer them and delete the template:

Andrew

[adding the bug report back in]

That's great to start with, thanks!

This means the session was (deemed) never to have been closed before shutdown. It doesn't actually mean the machine crashed, just that a closure of the login session was not recorded with wtmpdb.

It looks like console logins *do* normally get recorded. It's presumably just when you shut down that there's a problem.

If you have a syslogger it might be good to take a look at the logging from PAM with an extract from /var/log/auth. I see you are running systemd so if you don't have a syslogger you might have to find out how to get this information using journalctl:

Do you get both of these lines before shutdown in this log file for the user login on tty1?

Mar 17 00:12:02 [login] pam_unix(login:session): session opened for user andy(uid=1000) by andy(uid=0)
Mar 17 00:12:06 [login] pam_unix(login:session): session closed for user andy

If you only get the 'open' message then it seems something about how systemd terminates your virtual console logins means the PAM routines (which cause the logout entry to be written) are not getting a chance to run. I see this is not an issue for pseudo ttys as the session on pts/1 above is closed OK.

If you *do* get the 'close' message then we will need to look into what happens when wtmpdb's pam routine gets called in these conditions.

What getty are you running?

In no case did my installation fail to generate the /var/log/auth file. The auth file does not exist in this case. I only have basic sudo or sddm-helper logs, and they don't show any errors, only the correct closure.

My tty is still 1.

ruan seat0 2026-03-17 11:23
ruan tty1 2026-03-17 11:23

When I search for PAM in KsystemLog, I only get the following outputs.

17/03/2026 11:23 sddm-helper pam_kwallet5(sddm:auth): pam_kwallet5: pam_sm_authenticate
17/03/2026 11:23 sddm-helper pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
17/03/2026 11:23 sddm-helper pam_unix(sddm:session): session opened for user ruan(uid=1000) by ruan(uid=0)
17/03/2026 11:23 (systemd) pam_unix(systemd-user:session): session opened for user ruan(uid=1000) by ruan(uid=0)
17/03/2026 11:23 sddm-helper pam_unix(sddm-greeter:session): session closed for user sddm
17/03/2026 11:23 sddm-helper gkr-pam: unlocked login keyring
17/03/2026 11:23 sddm-helper pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
17/03/2026 11:23 sddm-helper pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket
17/03/2026 11:23 sddm-helper pam_env(sddm:session): deprecated reading of user environment enabled
17/03/2026 11:23 sddm-helper [PAM] Closing session
17/03/2026 11:23 sddm-helper [PAM] Ended.
17/03/2026 11:23 systemd Started plasma-kwallet-pam.service - Unlock kwallet from pam credentials.
17/03/2026 11:23 pam_kwallet_init 2026/03/17 11:23:21 socat[1822] W address is opened in read-write mode but only supports read-only
17/03/2026 11:23 (sd-pam) pam_unix(systemd-user:session): session closed for user sddm
17/03/2026 11:30 CRON pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
17/03/2026 11:30 CRON pam_unix(cron:session): session closed for user root
17/03/2026 11:31 sudo pam_unix(sudo:session): session opened for user root(uid=0) by ruan(uid=1000)
17/03/2026 11:31 sudo pam_unix(sudo:session): session closed for user root
17/03/2026 11:31 sudo pam_unix(sudo:session): session opened for user root(uid=0) by ruan(uid=1000)
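
The open/close pairing asked about in this thread can be checked mechanically over a log extract. The following is an added example, not part of the thread and not wtmpdb code: the function name `unpaired_sessions` is this example's own, and the sample lines are a selection copied from the two messages above.

```python
import re
from collections import Counter

# Matches the pam_unix session messages quoted in the thread, whatever
# timestamp or program prefix the log viewer puts in front of them.
PAM_SESSION = re.compile(
    r"pam_unix\((?P<service>[\w-]+):session\): "
    r"session (?P<action>opened|closed) for user (?P<user>[\w.-]+)"
)

def unpaired_sessions(lines):
    """Return (still_open, unmatched_closes), keyed by (service, user)."""
    still_open = Counter()
    unmatched_closes = Counter()
    for line in lines:
        m = PAM_SESSION.search(line)
        if not m:
            continue  # kwallet, gkr-pam etc. carry no open/close event
        key = (m["service"], m["user"])
        if m["action"] == "opened":
            still_open[key] += 1
        elif still_open[key] > 0:
            still_open[key] -= 1          # close pairs with an earlier open
        else:
            unmatched_closes[key] += 1    # open happened before the extract
    return +still_open, unmatched_closes  # unary + drops fully closed keys

# Sample input: lines selected from the messages in this thread.
SAMPLE = """\
17/03/2026 11:23 sddm-helper pam_unix(sddm:session): session opened for user ruan(uid=1000) by ruan(uid=0)
17/03/2026 11:23 (systemd) pam_unix(systemd-user:session): session opened for user ruan(uid=1000) by ruan(uid=0)
17/03/2026 11:23 sddm-helper pam_unix(sddm-greeter:session): session closed for user sddm
17/03/2026 11:23 sddm-helper gkr-pam: unlocked login keyring
17/03/2026 11:30 CRON pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
17/03/2026 11:30 CRON pam_unix(cron:session): session closed for user root
17/03/2026 11:31 sudo pam_unix(sudo:session): session opened for user root(uid=0) by ruan(uid=1000)
17/03/2026 11:31 sudo pam_unix(sudo:session): session closed for user root
17/03/2026 11:31 sudo pam_unix(sudo:session): session opened for user root(uid=0) by ruan(uid=1000)
Mar 17 00:12:02 [login] pam_unix(login:session): session opened for user andy(uid=1000) by andy(uid=0)
Mar 17 00:12:06 [login] pam_unix(login:session): session closed for user andy
""".splitlines()

if __name__ == "__main__":
    still_open, unmatched = unpaired_sessions(SAMPLE)
    for (service, user), n in sorted(still_open.items()):
        print(f"no close recorded: service={service} user={user} count={n}")
    for (service, user), n in sorted(unmatched.items()):
        print(f"close without open: service={service} user={user} count={n}")
```

A session listed as having no close in an extract taken while the user is still logged in is expected; the result is only meaningful for an extract that runs up to shutdown.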