RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/adcli#9b162ca3df4c49322bfac940ba0efb6a38544003

.gitignore

@@ -0,0 +1,17 @@
+/adcli-0.1.tar.gz
+/adcli-0.2.tar.gz
+/adcli-0.3.tar.gz
+/adcli-0.4.tar.gz
+/adcli-0.5.tar.gz
+/adcli-0.6.tar.gz
+/adcli-0.7.tar.gz
+/adcli-0.7.1.tar.gz
+/old
+/adcli-0.7.2.tar.gz
+/adcli-0.7.3.tar.gz
+/adcli-0.7.4.tar.gz
+/adcli-0.7.5.tar.gz
+/adcli-0.7.6.tar.gz
+/adcli-0.8.0.tar.gz
+/adcli-0.8.2.tar.gz
+/adcli-0.9.0.tar.gz

0001-delete-do-not-exit-if-keytab-cannot-be-read.patch

@@ -0,0 +1,32 @@
+From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 5 Jun 2020 17:06:58 +0200
+Subject: [PATCH] delete: do not exit if keytab cannot be read
+
+Reading the keytab is not required when deleting a host object in AD. It
+is only needed in the case where the host was added with a manual set
+NetBIOS name (--computer-name option) which does not match the short
+hostname and no computer name was given at the delete-computer command
+line.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
+---
+ tools/computer.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index 292c4d8..a90c4b2 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 	if (res != ADCLI_SUCCESS) {
+ 		warnx ("couldn't lookup domain info from keytab: %s",
+ 		       adcli_get_last_error ());
+-		adcli_enroll_unref (enroll);
+-		return -res;
+ 	}
+ 
+ 	res = adcli_conn_connect (conn);
+-- 
+2.26.2
+

0001-man-move-note-to-the-right-section.patch

@@ -0,0 +1,48 @@
+From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 18:26:44 +0100
+Subject: [PATCH 1/6] man: move note to the right section
+
+Unfortunately the note about the password lifetime was added to the join
+section. This patch move it to the update section where it belongs to.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+           https://bugzilla.redhat.com/show_bug.cgi?id=1745931
+           https://bugzilla.redhat.com/show_bug.cgi?id=1774622
+---
+ doc/adcli.xml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 4f201e0..9faf96a 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,11 +330,7 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para>
+-			<para>Note that if the machine account password is not
+-			older than 30 days, you have to pass
+-			<option>--computer-password-lifetime=0</option> to
+-			force the update.</para></listitem>
++			for details.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
++			for details.</para>
++			<para>Note that if the machine account password is not
++			older than 30 days, you have to pass
++			<option>--computer-password-lifetime=0</option> to
++			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.25.1
+

0001-tools-disable-SSSD-s-locator-plugin.patch

@@ -0,0 +1,41 @@
+From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 5 Jun 2020 17:28:28 +0200
+Subject: [PATCH] tools: disable SSSD's locator plugin
+
+MIT's libkrb5 checks available locator plugins first before checking the
+config file. This might cause issues when the locator plugin returns a
+different DC than the one used for the LDAP connection if some data must
+be replicated.
+
+This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
+'true' to disable SSSD's locator plugin for adcli.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
+---
+ tools/tools.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tools.c b/tools/tools.c
+index 9d422f2..1b6d879 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
+ 	}
+ 
+ 	unsetenv ("KRB5_CONFIG");
++	unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
+ }
+ 
+ static void
+@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
+ 		adcli_krb5_conf_filename = filename;
+ 		adcli_krb5_d_directory = snippets;
+ 		setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
++		setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
+ 
+ 	} else {
+ 		free (filename);
+-- 
+2.26.2
+

0001-tools-fix-typo-in-show-password-help-output.patch

@@ -0,0 +1,26 @@
+From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 15 Jun 2020 15:41:53 +0200
+Subject: [PATCH 1/3] tools: fix typo in show-password help output
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
+---
+ tools/computer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index a90c4b2..24ea258 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
+ 	                         "accounts" },
+ 	{ opt_show_details, "show information about joining the domain after\n"
+ 	                     "a successful join" },
+-	{ opt_show_password, "show computer account password after after a\n"
++	{ opt_show_password, "show computer account password after a\n"
+ 	                     "successful join" },
+ 	{ opt_add_samba_data, "add domain SID and computer account password\n"
+ 	                      "to the Samba specific configuration database" },
+-- 
+2.26.2
+

0002-man-explain-optional-parameter-of-login-ccache-bette.patch

@@ -0,0 +1,44 @@
+From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 15 Jun 2020 15:57:47 +0200
+Subject: [PATCH 2/3] man: explain optional parameter of login-ccache better
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index acced25..ecf8726 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ 		<varlistentry>
+ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+ 			<listitem><para>Use the specified kerberos credential
+-                        cache to authenticate with the domain. If no credential
+-                        cache is specified, the default kerberos credential
+-                        cache will be used. Credential caches of type FILE can
+-                        be given with the path to the file. For other
+-                        credential cache types, e.g. DIR, KEYRING or KCM, the
+-                        type must be specified explicitly together with a
+-                        suitable identifier.</para></listitem>
++			cache to authenticate with the domain. If no credential
++			cache is specified, the default kerberos credential
++			cache will be used. Credential caches of type FILE can
++			be given with the path to the file. For other
++			credential cache types, e.g. DIR, KEYRING or KCM, the
++			type must be specified explicitly together with a
++			suitable identifier.</para>
++			<para>Please note that since the
++			<parameter>ccache_name</parameter> is optional the
++			=(equal) sign is mandatory. If = is missing the
++			parameter is treated as optionless extra argument. How
++			this is handled depends on the specific sub-command.
++			</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>-U, --login-user=<parameter>User</parameter></option></term>
+-- 
+2.26.2
+

0002-tools-add-show-computer-command.patch

@@ -0,0 +1,338 @@
+From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 12:34:45 +0100
+Subject: [PATCH 2/6] tools: add show-computer command
+
+The show-computer command prints the LDAP attributes of the related
+computer object from AD.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 28 ++++++++++++++
+ library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
+ library/adenroll.h |  5 +++
+ tools/computer.c   | 93 ++++++++++++++++++++++++++++++++++++++++++++++
+ tools/tools.c      |  1 +
+ tools/tools.h      |  4 ++
+ 6 files changed, 191 insertions(+), 18 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 9faf96a..1f93186 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -93,6 +93,11 @@
+ 		<arg choice="opt">--domain=domain.example.com</arg>
+ 		<arg choice="plain">computer</arg>
+ 	</cmdsynopsis>
++	<cmdsynopsis>
++		<command>adcli show-computer</command>
++		<arg choice="opt">--domain=domain.example.com</arg>
++		<arg choice="plain">computer</arg>
++	</cmdsynopsis>
+ </refsynopsisdiv>
+ 
+ <refsect1 id='general_overview'>
+@@ -811,6 +816,29 @@ Password for Administrator:
+ 
+ </refsect1>
+ 
++<refsect1 id='show_computer_account'>
++	<title>Show Computer Account Attributes</title>
++
++	<para><command>adcli show-computer</command> show the computer account
++	attributes stored in AD. The account must already exist.</para>
++
++<programlisting>
++$ adcli show-computer --domain=domain.example.com host2
++Password for Administrator:
++</programlisting>
++
++	<para>If the computer name contains a dot, then it is
++	treated as fully qualified host name, otherwise it is treated
++	as short computer name.</para>
++
++	<para>If no computer name is specified, then the host name of the
++	computer adcli is running on is used, as returned by
++	<literal>gethostname()</literal>.</para>
++
++	<para>The various global options can be used.</para>
++
++</refsect1>
++
+ <refsect1 id='bugs'>
+ 	<title>Bugs</title>
+ 	<para>
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 524663a..8d2adeb 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
+ 	0
+ };
+ 
++static char *default_ad_ldap_attrs[] =  {
++	"sAMAccountName",
++	"userPrincipalName",
++	"msDS-KeyVersionNumber",
++	"msDS-supportedEncryptionTypes",
++	"dNSHostName",
++	"servicePrincipalName",
++	"operatingSystem",
++	"operatingSystemVersion",
++	"operatingSystemServicePack",
++	"pwdLastSet",
++	"userAccountControl",
++	NULL,
++};
++
+ /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
+  * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
+  * for details. */
+@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	char *end;
+ 	int ret;
+ 
+-	char *attrs[] =  {
+-		"msDS-KeyVersionNumber",
+-		"msDS-supportedEncryptionTypes",
+-		"dNSHostName",
+-		"servicePrincipalName",
+-		"operatingSystem",
+-		"operatingSystemVersion",
+-		"operatingSystemServicePack",
+-		"pwdLastSet",
+-		"userAccountControl",
+-		NULL,
+-	};
+-
+ 	assert (enroll->computer_dn != NULL);
+ 	assert (enroll->computer_attributes == NULL);
+ 
+@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	assert (ldap != NULL);
+ 
+ 	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
+-	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
++	                         "(objectClass=*)", default_ad_ldap_attrs,
++	                         0, NULL, NULL, NULL, -1,
+ 	                         &enroll->computer_attributes);
+ 
+ 	if (ret != LDAP_SUCCESS) {
+@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
+ }
+ 
+ adcli_result
+-adcli_enroll_update (adcli_enroll *enroll,
+-		     adcli_enroll_flags flags)
++adcli_enroll_read_computer_account (adcli_enroll *enroll,
++		                    adcli_enroll_flags flags)
+ {
+ 	adcli_result res = ADCLI_SUCCESS;
+ 	LDAP *ldap;
+-	char *value;
+ 
+ 	return_unexpected_if_fail (enroll != NULL);
+ 
+@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	}
+ 
+ 	/* Get information about the computer account */
+-	res = retrieve_computer_account (enroll);
++	return retrieve_computer_account (enroll);
++}
++
++adcli_result
++adcli_enroll_update (adcli_enroll *enroll,
++		     adcli_enroll_flags flags)
++{
++	adcli_result res = ADCLI_SUCCESS;
++	LDAP *ldap;
++	char *value;
++
++	res = adcli_enroll_read_computer_account (enroll, flags);
+ 	if (res != ADCLI_SUCCESS)
+ 		return res;
+ 
+@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	return enroll_join_or_update_tasks (enroll, flags);
+ }
+ 
++adcli_result
++adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
++{
++	LDAP *ldap;
++	size_t c;
++	char **vals;
++	size_t v;
++
++	ldap = adcli_conn_get_ldap_connection (enroll->conn);
++	assert (ldap != NULL);
++
++	for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
++		vals = _adcli_ldap_parse_values (ldap,
++		                                 enroll->computer_attributes,
++		                                 default_ad_ldap_attrs[c]);
++		printf ("%s:\n", default_ad_ldap_attrs[c]);
++		if (vals == NULL) {
++			printf (" - not set -\n");
++		} else {
++			for (v = 0; vals[v] != NULL; v++) {
++				printf (" %s\n", vals[v]);
++			}
++		}
++		_adcli_strv_free (vals);
++	}
++
++	return ADCLI_SUCCESS;
++}
++
+ adcli_result
+ adcli_enroll_delete (adcli_enroll *enroll,
+                      adcli_enroll_flags delete_flags)
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 1d5d00d..11eb517 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -46,6 +46,11 @@ adcli_result       adcli_enroll_join                    (adcli_enroll *enroll,
+ adcli_result       adcli_enroll_update                  (adcli_enroll *enroll,
+ 		                                         adcli_enroll_flags flags);
+ 
++adcli_result       adcli_enroll_read_computer_account   (adcli_enroll *enroll,
++                                                         adcli_enroll_flags flags);
++
++adcli_result       adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
++
+ adcli_result       adcli_enroll_delete                  (adcli_enroll *enroll,
+                                                          adcli_enroll_flags delete_flags);
+ 
+diff --git a/tools/computer.c b/tools/computer.c
+index ac8a203..c8b96a4 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 	adcli_enroll_unref (enroll);
+ 	return 0;
+ }
++
++int
++adcli_tool_computer_show (adcli_conn *conn,
++                          int argc,
++                          char *argv[])
++{
++	adcli_enroll *enroll;
++	adcli_result res;
++	int opt;
++
++	struct option options[] = {
++		{ "domain", required_argument, NULL, opt_domain },
++		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "login-user", required_argument, NULL, opt_login_user },
++		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++		{ "login-type", required_argument, NULL, opt_login_type },
++		{ "no-password", no_argument, 0, opt_no_password },
++		{ "stdin-password", no_argument, 0, opt_stdin_password },
++		{ "prompt-password", no_argument, 0, opt_prompt_password },
++		{ "verbose", no_argument, NULL, opt_verbose },
++		{ "help", no_argument, NULL, 'h' },
++		{ 0 },
++	};
++
++	static adcli_tool_desc usages[] = {
++		{ 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
++		{ 0 },
++	};
++
++	enroll = adcli_enroll_new (conn);
++	if (enroll == NULL) {
++		warnx ("unexpected memory problems");
++		return -1;
++	}
++
++	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
++		switch (opt) {
++		case 'h':
++		case '?':
++		case ':':
++			adcli_tool_usage (options, usages);
++			adcli_tool_usage (options, common_usages);
++			adcli_enroll_unref (enroll);
++			return opt == 'h' ? 0 : 2;
++		default:
++			res = parse_option ((Option)opt, optarg, conn, enroll);
++			if (res != ADCLI_SUCCESS) {
++				adcli_enroll_unref (enroll);
++				return res;
++			}
++			break;
++		}
++	}
++
++	argc -= optind;
++	argv += optind;
++
++	res = adcli_conn_connect (conn);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't connect to %s domain: %s",
++		       adcli_conn_get_domain_name (conn),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	if (argc == 1) {
++		parse_fqdn_or_name (enroll, argv[0]);
++	}
++
++	res = adcli_enroll_read_computer_account (enroll, 0);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't read data for %s: %s",
++		       adcli_enroll_get_host_fqdn (enroll) != NULL
++		           ? adcli_enroll_get_host_fqdn (enroll)
++		           : adcli_enroll_get_computer_name (enroll),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	res = adcli_enroll_show_computer_attribute (enroll);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't print data for %s: %s",
++		       argv[0], adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	adcli_enroll_unref (enroll);
++	return 0;
++}
+diff --git a/tools/tools.c b/tools/tools.c
+index fc9fa9a..9d422f2 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -59,6 +59,7 @@ struct {
+ 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
+ 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
+ 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
++	{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
+ 	{ "create-user", adcli_tool_user_create, "Create a user account", },
+ 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
+ 	{ "create-group", adcli_tool_group_create, "Create a group", },
+diff --git a/tools/tools.h b/tools/tools.h
+index 8cebbf9..3702875 100644
+--- a/tools/tools.h
++++ b/tools/tools.h
+@@ -78,6 +78,10 @@ int       adcli_tool_computer_delete   (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+ 
++int       adcli_tool_computer_show     (adcli_conn *conn,
++                                        int argc,
++                                        char *argv[]);
++
+ int       adcli_tool_user_create       (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+-- 
+2.25.1
+

0003-add-description-option-to-join-and-update.patch

@@ -0,0 +1,183 @@
+From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 14:48:32 +0100
+Subject: [PATCH 3/6] add description option to join and update
+
+This new option allows to set the description LDAP attribute for the AD
+computer object.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 10 ++++++++++
+ library/adenroll.c | 29 +++++++++++++++++++++++++++++
+ library/adenroll.h |  4 ++++
+ tools/computer.c   |  7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 1f93186..dd30435 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -275,6 +275,11 @@ Password for Administrator:
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a kerberos
+@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a Kerberos
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 8d2adeb..246f658 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] =  {
+ 	"operatingSystemServicePack",
+ 	"pwdLastSet",
+ 	"userAccountControl",
++	"description",
+ 	NULL,
+ };
+ 
+@@ -143,6 +144,7 @@ struct _adcli_enroll {
+ 	char *samba_data_tool;
+ 	bool trusted_for_delegation;
+ 	int trusted_for_delegation_explicit;
++	char *description;
+ };
+ 
+ static adcli_result
+@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
+ 	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+ 	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+ 	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
++	char *vals_description[] = { enroll->description, NULL };
++	LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
+ 
+ 	char *val = NULL;
+ 
+@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
+ 		&operatingSystemServicePack,
+ 		&userPrincipalName,
+ 		&servicePrincipalName,
++		&description,
+ 		NULL
+ 	};
+ 
+@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
+ 		res |= update_computer_attribute (enroll, ldap, mods);
+ 	}
+ 
++	if (res == ADCLI_SUCCESS && enroll->description != NULL) {
++		char *vals_description[] = { enroll->description, NULL };
++		LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
++		LDAPMod *mods[] = { &description, NULL, };
++
++		res |= update_computer_attribute (enroll, ldap, mods);
++	}
++
+ 	if (res != 0)
+ 		_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
+ }
+@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+ 	enroll->trusted_for_delegation_explicit = 1;
+ }
+ 
++void
++adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
++{
++	return_if_fail (enroll != NULL);
++	if (value != NULL && value[0] != '\0') {
++		_adcli_str_set (&enroll->description, value);
++	}
++}
++
++const char *
++adcli_enroll_get_desciption (adcli_enroll *enroll)
++{
++	return_val_if_fail (enroll != NULL, NULL);
++	return enroll->description;
++}
++
+ const char **
+ adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
+ {
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 11eb517..0606169 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -126,6 +126,10 @@ bool               adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
+ void               adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+                                                             bool value);
+ 
++const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
++void               adcli_enroll_set_description         (adcli_enroll *enroll,
++                                                         const char *value);
++
+ krb5_kvno          adcli_enroll_get_kvno                (adcli_enroll *enroll);
+ 
+ void               adcli_enroll_set_kvno                (adcli_enroll *enroll,
+diff --git a/tools/computer.c b/tools/computer.c
+index c8b96a4..840e334 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -112,6 +112,7 @@ typedef enum {
+ 	opt_trusted_for_delegation,
+ 	opt_add_service_principal,
+ 	opt_remove_service_principal,
++	opt_description,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
+ 	                              "in the userAccountControl attribute", },
+ 	{ opt_add_service_principal, "add the given service principal to the account\n" },
+ 	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
++	{ opt_description, "add a description to the account\n" },
+ 	{ opt_no_password, "don't prompt for or read a password" },
+ 	{ opt_prompt_password, "prompt for a password if necessary" },
+ 	{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
+@@ -306,6 +308,9 @@ parse_option (Option opt,
+ 	case opt_remove_service_principal:
+ 		adcli_enroll_add_service_principal_to_remove (enroll, optarg);
+ 		return ADCLI_SUCCESS;
++	case opt_description:
++		adcli_enroll_set_description (enroll, optarg);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 
+@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+ 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
+@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+-- 
+2.25.1
+

0003-man-make-handling-of-optional-credential-cache-more-.patch

@@ -0,0 +1,42 @@
+From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 13 Aug 2020 17:10:01 +0200
+Subject: [PATCH 3/3] man: make handling of optional credential cache more
+ clear
+
+The optional Kerberos credential cache can only be used with the long
+option name --login-ccache and not with the short version -C. To make
+this more clear each option get its own entry.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index ecf8726..1437679 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ 			</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+-			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+-			<listitem><para>Use the specified kerberos credential
++			<term><option>-C</option></term>
++			<listitem><para>Use the default Kerberos credential
++			cache to authenticate with the domain.
++			</para></listitem>
++		</varlistentry>
++		<varlistentry>
++			<term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
++			<listitem><para>Use the specified Kerberos credential
+ 			cache to authenticate with the domain. If no credential
+-			cache is specified, the default kerberos credential
++			cache is specified, the default Kerberos credential
+ 			cache will be used. Credential caches of type FILE can
+ 			be given with the path to the file. For other
+ 			credential cache types, e.g. DIR, KEYRING or KCM, the
+-- 
+2.26.2
+

0004-Use-GSS-SPNEGO-if-available.patch

@@ -0,0 +1,124 @@
+From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 11 Oct 2019 16:39:25 +0200
+Subject: [PATCH 4/6] Use GSS-SPNEGO if available
+
+Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
+and to establish encryption. While this works in general it does not
+handle some of the more advanced features which can be required by AD
+DCs.
+
+The GSS-SPNEGO mechanism can handle them and is used with this patch by
+adcli if the AD DC indicates that it supports it.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+---
+ library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
+ library/adconn.h |  3 +++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/library/adconn.c b/library/adconn.c
+index bcaced8..ffb54f9 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
+ 	char *default_naming_context;
+ 	char *configuration_naming_context;
+ 	char **supported_capabilities;
++	char **supported_sasl_mechs;
+ 
+ 	/* Connect state */
+ 	LDAP *ldap;
+@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 		"defaultNamingContext",
+ 		"configurationNamingContext",
+ 		"supportedCapabilities",
++		"supportedSASLMechanisms",
+ 		NULL
+ 	};
+ 
+@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 		                                                         "supportedCapabilities");
+ 	}
+ 
++	if (conn->supported_sasl_mechs == NULL) {
++		conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
++		                                                       "supportedSASLMechanisms");
++	}
++
+ 	ldap_msgfree (results);
+ 
+ 	if (conn->default_naming_context == NULL) {
+@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
+ 	OM_uint32 minor;
+ 	ber_len_t ssf;
+ 	int ret;
++	const char *mech = "GSSAPI";
+ 
+ 	if (conn->ldap_authenticated)
+ 		return ADCLI_SUCCESS;
+@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
+ 	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ 	return_unexpected_if_fail (ret == 0);
+ 
+-	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
++		mech =  "GSS-SPNEGO";
++	}
++
++	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
+ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
+ 
+ 	/* Clear the credential cache GSSAPI to use (for this thread) */
+@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
+ 	free (conn->default_naming_context);
+ 	free (conn->configuration_naming_context);
+ 	_adcli_strv_free (conn->supported_capabilities);
++	_adcli_strv_free (conn->supported_sasl_mechs);
+ 
+ 	free (conn->computer_name);
+ 	free (conn->host_fqdn);
+@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
+ 	return 0;
+ }
+ 
++bool
++adcli_conn_server_has_sasl_mech (adcli_conn *conn,
++                                 const char *mech)
++{
++	int i;
++
++	return_val_if_fail (conn != NULL, false);
++	return_val_if_fail (mech != NULL, false);
++
++	if (!conn->supported_sasl_mechs)
++		return false;
++
++	for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
++		if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
++			return true;
++	}
++
++	return false;
++}
++
+ bool adcli_conn_is_writeable (adcli_conn *conn)
+ {
+ 	disco_dance_if_necessary (conn);
+diff --git a/library/adconn.h b/library/adconn.h
+index 1ad5715..37ebdd9 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -149,6 +149,9 @@ void                adcli_conn_set_krb5_conf_dir     (adcli_conn *conn,
+ int                 adcli_conn_server_has_capability (adcli_conn *conn,
+                                                       const char *capability);
+ 
++bool                adcli_conn_server_has_sasl_mech  (adcli_conn *conn,
++                                                      const char *mech);
++
+ bool                adcli_conn_is_writeable          (adcli_conn *conn);
+ 
+ #endif /* ADCONN_H_ */
+-- 
+2.25.1
+

0005-add-option-use-ldaps.patch

@@ -0,0 +1,378 @@
+From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 19 Dec 2019 07:22:33 +0100
+Subject: [PATCH 5/6] add option use-ldaps
+
+In general using the LDAP port with GSS-SPNEGO should satifiy all
+requirements an AD DC should have for authentication on an encrypted
+LDAP connection.
+
+But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
+with TLS encryption might be an alternative. For this use case the
+--use-ldaps option is added.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+---
+ doc/adcli.xml    | 24 +++++++++++++++
+ library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
+ library/adconn.h |  4 +++
+ tools/computer.c | 10 ++++++
+ tools/entry.c    | 11 +++++++
+ 5 files changed, 119 insertions(+), 9 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index dd30435..acced25 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -128,6 +128,30 @@
+ 			If not specified, then an appropriate domain controller
+ 			is automatically discovered.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--use-ldaps</option></term>
++			<listitem><para>Connect to the domain controller
++			with LDAPS. By default the LDAP port is used and SASL
++			GSS-SPNEGO or GSSAPI is used for authentication and to
++			establish encryption. This should satisfy all
++			requirements set on the server side and LDAPS should
++			only be used if the LDAP port is not accessible due to
++			firewalls or other reasons.</para>
++			<para> Please note that the place where CA certificates
++			can be found to validate the AD DC certificates
++			must be configured in the OpenLDAP configuration
++			file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
++			As an alternative it can be specified with the help of
++			an environment variable, e.g.
++<programlisting>
++$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
++...
++</programlisting>
++			Please see
++			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
++			<manvolnum>5</manvolnum></citerefentry> for details.
++			</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+ 			<listitem><para>Use the specified kerberos credential
+diff --git a/library/adconn.c b/library/adconn.c
+index ffb54f9..7bab852 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
+ 	char *domain_name;
+ 	char *domain_realm;
+ 	char *domain_controller;
++	bool use_ldaps;
+ 	char *canonical_host;
+ 	char *domain_short;
+ 	char *domain_sid;
+@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
+ 
+ static LDAP *
+ connect_to_address (const char *host,
+-                    const char *canonical_host)
++                    const char *canonical_host,
++                    bool use_ldaps)
+ {
+ 	struct addrinfo *res = NULL;
+ 	struct addrinfo *ai;
+@@ -783,6 +785,16 @@ connect_to_address (const char *host,
+ 	char *url;
+ 	int sock;
+ 	int rc;
++	int opt_rc;
++	const char *port = "389";
++	const char *proto = "ldap";
++	const char *errmsg = NULL;
++
++	if (use_ldaps) {
++		port = "636";
++		proto = "ldaps";
++		_adcli_info ("Using LDAPS to connect to %s", host);
++	}
+ 
+ 	memset (&hints, '\0', sizeof(hints));
+ #ifdef AI_ADDRCONFIG
+@@ -794,7 +806,7 @@ connect_to_address (const char *host,
+ 	if (!canonical_host)
+ 		canonical_host = host;
+ 
+-	rc = getaddrinfo (host, "389", &hints, &res);
++	rc = getaddrinfo (host, port, &hints, &res);
+ 	if (rc != 0) {
+ 		_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
+ 		return NULL;
+@@ -810,7 +822,7 @@ connect_to_address (const char *host,
+ 			close (sock);
+ 		} else {
+ 			error = 0;
+-			if (asprintf (&url, "ldap://%s", canonical_host) < 0)
++			if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
+ 				return_val_if_reached (NULL);
+ 			rc = ldap_init_fd (sock, 1, url, &ldap);
+ 			free (url);
+@@ -820,6 +832,25 @@ connect_to_address (const char *host,
+ 				            ldap_err2string (rc));
+ 				break;
+ 			}
++
++			if (use_ldaps) {
++				rc = ldap_install_tls (ldap);
++				if (rc != LDAP_SUCCESS) {
++					opt_rc = ldap_get_option (ldap,
++					                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
++					                          (void *) &errmsg);
++					if (opt_rc != LDAP_SUCCESS) {
++						errmsg = NULL;
++					}
++					_adcli_err ("Couldn't initialize TLS [%s]: %s",
++					            ldap_err2string (rc),
++					            errmsg == NULL ? "- no details -"
++					                           : errmsg);
++					ldap_unbind_ext_s (ldap, NULL, NULL);
++					ldap = NULL;
++					break;
++				}
++			}
+ 		}
+ 	}
+ 
+@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 	if (!canonical_host)
+ 		canonical_host = disco->host_addr;
+ 
+-	ldap = connect_to_address (disco->host_addr, canonical_host);
++	ldap = connect_to_address (disco->host_addr, canonical_host,
++	                           adcli_conn_get_use_ldaps (conn));
+ 	if (ldap == NULL)
+ 		return ADCLI_ERR_DIRECTORY;
+ 
+@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
+ 	status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
+ 	return_unexpected_if_fail (status == 0);
+ 
+-	/* Clumsily tell ldap + cyrus-sasl that we want encryption */
+-	ssf = 1;
+-	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+-	return_unexpected_if_fail (ret == 0);
++	if (adcli_conn_get_use_ldaps (conn)) {
++		/* do not use SASL encryption on LDAPS connection */
++		ssf = 0;
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++		return_unexpected_if_fail (ret == 0);
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
++		return_unexpected_if_fail (ret == 0);
++	} else {
++		/* Clumsily tell ldap + cyrus-sasl that we want encryption */
++		ssf = 1;
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++		return_unexpected_if_fail (ret == 0);
++	}
+ 
+-	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
++	/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
++	 * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
++	 * without LDAPS. */
++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
++	                     && !adcli_conn_get_use_ldaps (conn)) {
+ 		mech =  "GSS-SPNEGO";
+ 	}
++	_adcli_info ("Using %s for SASL bind", mech);
+ 
+ 	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
+ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
+@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
+ 	conn->refs = 1;
+ 	conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
+ 	adcli_conn_set_domain_name (conn, domain_name);
++	adcli_conn_set_use_ldaps (conn, false);
+ 	return conn;
+ }
+ 
+@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
+ 	no_more_disco (conn);
+ }
+ 
++bool
++adcli_conn_get_use_ldaps (adcli_conn *conn)
++{
++	return_val_if_fail (conn != NULL, NULL);
++	return conn->use_ldaps;
++}
++
++void
++adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
++{
++	return_if_fail (conn != NULL);
++	conn->use_ldaps = value;
++}
++
+ const char *
+ adcli_conn_get_domain_short (adcli_conn *conn)
+ {
+diff --git a/library/adconn.h b/library/adconn.h
+index 37ebdd9..1d5faa8 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -89,6 +89,10 @@ const char *        adcli_conn_get_domain_controller (adcli_conn *conn);
+ void                adcli_conn_set_domain_controller (adcli_conn *conn,
+                                                       const char *value);
+ 
++bool                adcli_conn_get_use_ldaps         (adcli_conn *conn);
++void                adcli_conn_set_use_ldaps         (adcli_conn *conn,
++                                                      bool value);
++
+ const char *        adcli_conn_get_domain_short      (adcli_conn *conn);
+ 
+ const char *        adcli_conn_get_domain_sid        (adcli_conn *conn);
+diff --git a/tools/computer.c b/tools/computer.c
+index 840e334..292c4d8 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -113,12 +113,14 @@ typedef enum {
+ 	opt_add_service_principal,
+ 	opt_remove_service_principal,
+ 	opt_description,
++	opt_use_ldaps,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+ 	{ opt_domain, "active directory domain name" },
+ 	{ opt_domain_realm, "kerberos realm for the domain" },
+ 	{ opt_domain_controller, "domain controller to connect to" },
++	{ opt_use_ldaps, "use LDAPS port for communication" },
+ 	{ opt_host_fqdn, "override the fully qualified domain name of the\n"
+ 	                 "local machine" },
+ 	{ opt_host_keytab, "filename for the host kerberos keytab" },
+@@ -311,6 +313,9 @@ parse_option (Option opt,
+ 	case opt_description:
+ 		adcli_enroll_set_description (enroll, optarg);
+ 		return ADCLI_SUCCESS;
++	case opt_use_ldaps:
++		adcli_conn_set_use_ldaps (conn, true);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 
+@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ 		{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "user", required_argument, NULL, opt_login_user }, /* compat */
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "login-type", required_argument, NULL, opt_login_type },
+@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "login-type", required_argument, NULL, opt_login_type },
+diff --git a/tools/entry.c b/tools/entry.c
+index f361845..05e4313 100644
+--- a/tools/entry.c
++++ b/tools/entry.c
+@@ -53,6 +53,7 @@ typedef enum {
+ 	opt_unix_gid,
+ 	opt_unix_shell,
+ 	opt_nis_domain,
++	opt_use_ldaps,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
+ 	{ opt_domain, "active directory domain name" },
+ 	{ opt_domain_realm, "kerberos realm for the domain" },
+ 	{ opt_domain_controller, "domain directory server to connect to" },
++	{ opt_use_ldaps, "use LDAPS port for communication" },
+ 	{ opt_login_ccache, "kerberos credential cache file which contains\n"
+ 	                    "ticket to used to connect to the domain" },
+ 	{ opt_login_user, "user (usually administrative) login name of\n"
+@@ -136,6 +138,9 @@ parse_option (Option opt,
+ 			stdin_password = 1;
+ 		}
+ 		return ADCLI_SUCCESS;
++	case opt_use_ldaps:
++		adcli_conn_set_use_ldaps (conn, true);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 	default:
+@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+-- 
+2.25.1
+

0006-discovery-fix.patch

@@ -0,0 +1,27 @@
+From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 11 Feb 2020 17:42:03 +0100
+Subject: [PATCH 6/6] discovery fix
+
+Do not continue processing on closed connection.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
+---
+ library/addisco.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 6e73ead..f3b3546 100644
+--- a/library/addisco.c
++++ b/library/addisco.c
+@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
+ 			                            "Couldn't perform discovery search");
+ 			ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ 			ldap[i] = NULL;
++			continue;
+ 		}
+ 
+ 		/* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+-- 
+2.25.1
+

adcli.spec

@@ -0,0 +1,236 @@
+Name:		adcli
+Version:	0.9.0
+Release:	5%{?dist}
+Summary:	Active Directory enrollment
+License:	LGPLv2+
+URL:		http://cgit.freedesktop.org/realmd/adcli
+Source0:	https://gitlab.freedesktop.org/realmd/adcli/uploads/02d8757266c24fdc10822306582287bf/adcli-%{version}.tar.gz
+
+Patch1:		0001-man-move-note-to-the-right-section.patch
+Patch2:		0002-tools-add-show-computer-command.patch
+Patch3:		0003-add-description-option-to-join-and-update.patch
+Patch4:		0004-Use-GSS-SPNEGO-if-available.patch
+Patch5:		0005-add-option-use-ldaps.patch
+Patch6:		0006-discovery-fix.patch
+Patch7:		0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
+Patch8:		0001-tools-disable-SSSD-s-locator-plugin.patch
+Patch9:		0001-tools-fix-typo-in-show-password-help-output.patch
+Patch10:	0002-man-explain-optional-parameter-of-login-ccache-bette.patch
+Patch11:	0003-man-make-handling-of-optional-credential-cache-more-.patch
+
+
+BuildRequires:	gcc
+BuildRequires:	intltool pkgconfig
+BuildRequires:	libtool
+BuildRequires:	gettext-devel
+BuildRequires:	krb5-devel
+BuildRequires:	openldap-devel
+BuildRequires:	libxslt
+BuildRequires:	xmlto
+
+Requires:	cyrus-sasl-gssapi
+
+# adcli no longer has a library of development files
+# the adcli tool itself is to be used by callers
+Obsoletes:	adcli-devel < 0.5
+
+%description
+adcli is a tool for joining an Active Directory domain using
+standard LDAP and Kerberos calls.
+
+%define _hardened_build 1
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf --force --install --verbose
+%configure --disable-static --disable-silent-rules
+make %{?_smp_mflags}
+
+%check
+make check
+
+%install
+make install DESTDIR=%{buildroot}
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+%ldconfig_scriptlets
+
+%files
+%{_sbindir}/adcli
+%doc AUTHORS COPYING ChangeLog NEWS README
+%doc %{_mandir}/*/*
+
+%package doc
+Summary: adcli documentation
+BuildArch: noarch
+
+%description doc
+adcli is a tool for joining an Active Directory domain using
+standard LDAP and Kerberos calls. This package contains its
+documentation.
+
+%files doc
+%doc %{_datadir}/doc/adcli/*
+
+%changelog
+* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-5
+- man page and help output fixes
+
+* Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-4
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 08 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-2
+- Include the latest upstream patches
+
+* Wed Mar 18 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-1
+- Update to upstream release 0.9.0 and latest patches
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Aug 26 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-8
+- various fixes and improvements
+  Resolves: rhbz#1683745, rhbz#1738573
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jul  5 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.8.2-6
+- Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli
+                           needs to backport patches to only use permitted
+                           enctypes from upstream
+
+* Tue Apr 30 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-5
+- addition patch for rhbz#1630187 and new ones for rhbz#1588596
+  Resolves: rhbz#1630187, rhbz#1588596
+
+* Fri Mar 22 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
+- various fixes and improvements
+  Resolves: rhbz#1593240, rhbz#1608212, rhbz#1547014, rhbz#1547014,
+            rhbz#1649868, rhbz#1588596, rhbz#1642546, rhbz#1595911,
+            rhbz#1644311, rhbz#1337489, rhbz#1630187, rhbz#1622583
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jul 05 2018 Sumit Bose <sbose@redhat.com> - 0.8.0-1
+- Update to upstream release 0.8.2
+- various other fixes and improvements
+- add option to enable "Trust this computer for delegation"
+  Resolves: rhbz#988349
+- fix typos in the adcli man page
+  Resolves: rhbz#1440533
+
+* Wed Mar 07 2018 Sumit Bose <sbose@redhat.com> - 0.8.0-7
+- Added BuildRequires gcc
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Dec 17 2015 Sumit Bose <sbose@redhat.com> - 0.8.0-1
+- Update to upstream release 0.8.0
+
+* Mon Oct 19 2015 Stef Walter <stefw@redhat.com> - 0.7.6-1
+- Fix issue with keytab use with sshd
+- Resolves: rhbz#1267319
+- Put documentation in a subpackage
+
+* Tue Jun 16 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Jan 30 2014 Stef Walter <stefw@redhat.com> - 0.7.5-2
+- Fix incorrect ownership of manual page directory
+
+* Fri Sep 13 2013 Stef Walter <stefw@redhat.com> - 0.7.5-1
+- Update to upstream point release 0.7.5
+- Workaround for discovery via IPv6 address
+- Correctly put IPv6 addresses in temporary krb5.conf
+
+* Mon Sep 09 2013 Stef Walter <stefw@redhat.com> - 0.7.4-1
+- Update to upstream point release 0.7.4
+- Correctly handle truncating long host names
+- Try to contact all available addresses for discovery
+- Build fixes
+
+* Wed Aug 07 2013 Stef Walter <stefw@redhat.com> - 0.7.3-1
+- Update to upstream point release 0.7.3
+- Don't try to set encryption types on Windows 2003
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 22 2013 Stef Walter <stefw@redhat.com> - 0.7.2-1
+- Update to upstream point release 0.7.2
+- Part of fix for bug [#961244]
+
+* Mon Jul 15 2013 Stef Walter <stefw@redhat.com> - 0.7.1-4
+- Build with verbose output logging
+
+* Tue Jun 11 2013 Stef Walter <stefw@redhat.com> - 0.7.1-3
+- Run 'make check' when building the package
+
+* Mon May 13 2013 Stef Walter <stefw@redhat.com> - 0.7.1-2
+- Bump version to get around botched update
+
+* Mon May 13 2013 Stef Walter <stefw@redhat.com> - 0.7.1-1
+- Update to upstream 0.7.1 release
+- Fix problems with salt discovery [#961399]
+
+* Mon May 06 2013 Stef Walter <stefw@redhat.com> - 0.7-1
+- Work around broken krb5 with empty passwords [#960001]
+- Fix memory corruption issue [#959999]
+- Update to 0.7, fixing various bugs
+
+* Mon Apr 29 2013 Stef Walter <stefw@redhat.com> - 0.6-1
+- Update to 0.6, fixing various bugs
+
+* Wed Apr 10 2013 Stef walter <stefw@redhat.com> - 0.5-2
+- Add appropriate Obsoletes line for libadcli removal
+
+* Wed Apr 10 2013 Stef Walter <stefw@redhat.com> - 0.5-1
+- Update to upstream 0.5 version
+- No more libadcli, and thus no adcli-devel
+- Many new adcli commands
+- Documentation
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 12 2012 Stef Walter <stefw@redhat.com> - 0.4-1
+- Update for 0.4 version, fixing various bugs
+
+* Sat Oct 20 2012 Stef Walter <stefw@redhat.com> - 0.3-1
+- Update for 0.3 version
+
+* Tue Sep 4 2012 Stef Walter <stefw@redhat.com> - 0.2-1
+- Update for 0.2 version
+
+* Wed Aug 15 2012 Stef Walter <stefw@redhat.com> - 0.1-1
+- Initial 0.1 package

sources

@@ -0,0 +1 @@
+SHA512 (adcli-0.9.0.tar.gz) = e9b210bf7a932750fc838d6f027ca1fbeca1bd6a0028b551c9a72c0fe3ee680d47031c614b74447613d06bd41462c489e8572d49e60b344d575ebb572c022344