diff --git a/files/pam.d/lightdm b/files/pam.d/lightdm
new file mode 100644
index 0000000..c623247
--- /dev/null
+++ b/files/pam.d/lightdm
@@ -0,0 +1,36 @@
+#%PAM-1.0
+
+# Block login if they are globally disabled
+auth      requisite pam_nologin.so
+
+@include common-auth
+
+-auth  optional pam_gnome_keyring.so
+
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session  [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+session  required        pam_limits.so
+session  required        pam_loginuid.so
+@include common-session
+
+# Load environment from /etc/environment and ~/.pam_environment
+session      required pam_env.so readenv=1
+session      required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+
+-session optional        pam_gnome_keyring.so auto_start
+
+@include common-password
diff --git a/tasks/main.yml b/tasks/main.yml
index 6a07492..5f1ea0a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -49,6 +49,11 @@
   when: display_setup_commands is defined
   notify: restart lightdm
 
+- name: lightdm pam.d configuration fix
+  copy:
+    src: pam.d/lightdm
+    dest: /etc/pam.d/lightdm
+
 - name: background image directory
   file:
     path: /opt/backgrounds