[Samba] Private Key Unavailable After Domain Password Change

Bill Baird Bill.Baird at phoenixmi.com
Mon Sep 14 16:11:36 UTC 2020

Hi All!

We are currently running one AD DC on 4.11.12 and one on 4.10.17 (scheduled
for replacement later this month). Sometimes when a user changes their
domain password, we are seeing an issue where the private key is no longer
available. Users are on Windows 10 v1909 or v2004. This does not happen to all

We have users connecting to one of our environments using OpenVPN. We have
been using the cryptoapicert option in the OpenVPN config and having it
reference a certificate/key we import to the user's account using certutil
(ex. "certutil -user -importpfx mycertkeypair.p12 NoExport") with the
NoExport option (or via mmc). (NoExport is so they can't export private key
and move to another system).

When the user changes their domain password then tries to connect to the
VPN, they get these errors below. If we manually re-import the certificate,
everything works properly. Because of this, I don't believe this is an
issue with OpenVPN.

- OpenSSL:error:C5066064:microsoft
cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist
- Cannot load certificate: SUBJ:mycertkeypair" from Microsoft Certificate

I found this old bug which looks very similar, but was supposed to be fixed
as of 4.2.0?


Has anyone else seen this, or have any ideas on how to allow private keys
to persist password changes for all users?


Bill Baird
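A diagnostic script, added here as an example and not part of the original post, for checking from the affected user's session whether the imported certificate's private key can still be opened and actually used after a password change. It assumes the certificate subject contains "mycertkeypair" as in the post and only looks in the CurrentUser Personal store.

```powershell
# Added example (not from the original post). Run in the affected user's session.
# $SubjectMatch is an assumption taken from the post's certificate name; adjust as needed.
param(
    [string]$SubjectMatch = "mycertkeypair"
)

$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" }

if (-not $certs) {
    Write-Warning "No certificate matching '$SubjectMatch' in the user's Personal store."
    return
}

foreach ($cert in $certs) {
    $thumb = $cert.Thumbprint
    if (-not $cert.HasPrivateKey) {
        # The certificate is present but carries no private-key link at all.
        Write-Warning "$thumb : certificate has no private key reference"
        continue
    }
    try {
        # Resolving the handle opens the key container; a key whose protection
        # can no longer be decrypted typically fails here with "Keyset does not exist".
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw "no RSA private key handle returned" }

        # A real signing operation proves the key material is usable, not merely referenced.
        $data = [byte[]](1..16)   # constructed sample input
        $sig = $rsa.SignData($data,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        Write-Output ("{0} : private key usable ({1}, {2}-byte signature)" -f
            $thumb, $rsa.GetType().Name, $sig.Length)
    } catch {
        Write-Warning "$thumb : private key reference exists but cannot be used: $($_.Exception.Message)"
        Write-Warning "  Re-importing the PFX for this user (as the post describes) restores access."
    }
}
```

Running it before and after a test password change on one account shows whether the key reference survives but the container can no longer be opened, which is the symptom the OpenVPN errors above point at.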

