Cannot log-in at locked screensaver, must log-in with "switch user.."

In theory you can walk through the contents of /etc/pam.d and compare against the output from /var/log/auth.log to see what is going on.

In case you're not aware, each file in pam.d is a potential entry point to ask pam if you can get authority. In your case, lightdm. The log entries are fairly self-explanatory as far as figuring out which lines in the log come from which lines in the pam file.

According to the docs I found you should be able to add 'debug' to lines in pam.d files to get extra info in the log.

In my setup, I'm using kde and kdm, and I get lots of lines containing (kdm:auth) when I lock my screen and attempt to unlock it (with the wrong password), but nothing when it unlocks successfully. There is next to no comparison between pam.d/kdm and pam.d/lightdm, which makes no sense to me, so maybe you can try swapping things around to see if the issue is in the lightdm pam module.

The only other thought I had is whether you have interesting symbols or characters in your password. If the lightdm lock screen box isn't coded properly, you might find it's not sending what you type to the back end. Try changing your password to something basic (like 1234) to see if it works. If it does, then (change your password back obviously, but) it probably means there is nothing wrong with your pam configuration at least.

Sorry if this doesn't help much. Beyond looking at adding pam_debug.so to various pam files (see http://manpages.ubuntu.com/manpages/hardy/man8/pam_debug.8.html) to see what happens, I'm not sure what else to suggest.


The lockscreen runs its authentication as a regular user, whereas user switching and the login screen run as root. Root has special privileges a regular user doesn't.

Usually when I've seen this problem, it's turned out that the permissions on the file /etc/shadow have been changed. They should look something like this:

$ ls -l /etc/shadow
-rw-r----- 1 root shadow 2202 Jun 23 12:39 /etc/shadow

If the perms, owner, or group are wrong, that's your problem right there.
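
The two checks suggested in the answers above, combined into one script; this is an added example, not code from either answer. It counts pam_unix authentication failures in auth.log per pam.d service together with the euid of the process that asked PAM, and compares /etc/shadow against the listing shown above. The sample log lines are constructed, and the function names are hypothetical.

```python
import grp, os, pwd, re, stat
from collections import Counter

# Constructed sample lines in the usual pam_unix syslog format (not from the thread).
SAMPLE_LOG = [
    "Jun 23 12:40:01 host lightdm: pam_unix(lightdm:auth): authentication failure; "
    "logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=alice",
    "Jun 23 12:40:09 host lightdm: pam_unix(lightdm:auth): authentication failure; "
    "logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=alice",
    "Jun 23 12:41:30 host lightdm: pam_unix(lightdm:session): session opened for user alice by (uid=0)",
    "Jun 23 12:42:02 host sudo: pam_unix(sudo:auth): authentication failure; "
    "logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice",
]

# module(service:type): message  -- "service" is the file name under /etc/pam.d
PAM_LINE = re.compile(r"pam_\w+\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<msg>.*)")

def pam_failures(lines):
    """Count auth failures per (pam.d service, euid of the calling process)."""
    counts = Counter()
    for line in lines:
        m = PAM_LINE.search(line)
        if not m or "authentication failure" not in m["msg"]:
            continue
        euid = re.search(r"\beuid=(\d+)", m["msg"])
        counts[(m["service"], int(euid.group(1)) if euid else None)] += 1
    return counts

def name_of(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number if it has no entry."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def shadow_problems(path="/etc/shadow", owner="root", group="shadow", mode=0o640):
    """List deviations from the expected listing (-rw-r----- root shadow)."""
    st = os.stat(path)  # stat() does not need read access to the file itself
    found = {"mode": f"{stat.S_IMODE(st.st_mode):04o}",
             "owner": name_of(pwd.getpwuid, st.st_uid),
             "group": name_of(grp.getgrgid, st.st_gid)}
    wanted = {"mode": f"{mode:04o}", "owner": owner, "group": group}
    return [f"{k} is {found[k]}, expected {wanted[k]}" for k in wanted if found[k] != wanted[k]]

if __name__ == "__main__":
    for (service, euid), n in pam_failures(SAMPLE_LOG).items():
        print(f"/etc/pam.d/{service}: {n} auth failure(s), caller euid={euid}")
    if os.path.exists("/etc/shadow"):
        print(shadow_problems() or "/etc/shadow matches the expected listing")
```

To run it against a real system, pass the lines of /var/log/auth.log to `pam_failures` instead of `SAMPLE_LOG`.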