import adcli-0.8.2-4.el8

SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch

@@ -0,0 +1,63 @@
+From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Apr 2019 10:55:39 +0200
+Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt
+
+Since the arcfour-hmac-md5 encryption types does not use salts it cannot
+be used to discover the right salt.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
+---
+ library/adkrb5.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/library/adkrb5.c b/library/adkrb5.c
+index da835d7..be3ede5 100644
+--- a/library/adkrb5.c
++++ b/library/adkrb5.c
+@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 	krb5_keytab scratch;
+ 	krb5_error_code code;
+ 	int i;
++	krb5_enctype *salt_enctypes = NULL;
++	size_t c;
++	size_t s;
+ 
+ 	/* TODO: This should be a unique name */
+ 
+ 	code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
+ 	return_val_if_fail (code == 0, code);
+ 
++	for (c = 0; enctypes[c] != 0; c++); /* count enctypes */
++	salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));
++	return_val_if_fail (salt_enctypes != NULL, ENOMEM);
++
++	/* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to
++	 * discover the right salt. */
++	s = 0;
++	for (c = 0; enctypes[c] != 0; c++) {
++		if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {
++			continue;
++		}
++
++		salt_enctypes[s++] = enctypes[c];
++	}
++
+ 	for (i = 0; salts[i].data != NULL; i++) {
+ 		code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
+-		                                     password, enctypes, &salts[i]);
++		                                     password, salt_enctypes, &salts[i]);
+ 		if (code == 0) {
+ 			*discovered = i;
+ 			break;
+@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 		}
+ 	}
+ 
++	free (salt_enctypes);
+ 	krb5_kt_close (k5, scratch);
+ 	return code;
+ }
+-- 
+2.21.0
+

SOURCES/0001-Fix-for-issue-found-by-Coverity.patch

@@ -0,0 +1,29 @@
+From 5da6d34e2659f915e830932fd366c635801ecd91 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 12 Aug 2019 17:28:20 +0200
+Subject: [PATCH] Fix for issue found by Coverity
+
+Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
+---
+ library/adenroll.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 53cd812..524663a 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -2681,7 +2681,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+ 	for (c = 0; cur_enctypes[c] != 0; c++);
+ 
+ 	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+-	return_val_if_fail (new_enctypes != NULL, NULL);
++	if (new_enctypes == NULL) {
++		krb5_free_enctypes (k5, permitted_enctypes);
++		return NULL;
++	}
+ 
+ 	n = 0;
+ 	for (c = 0; cur_enctypes[c] != 0; c++) {
+-- 
+2.21.0
+

SOURCES/0001-doc-explain-how-to-force-password-reset.patch

@@ -0,0 +1,30 @@
+From 9b187095edb8c914238419ed51fef6041864f4fc Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 26 Aug 2019 13:33:24 +0200
+Subject: [PATCH] doc: explain how to force password reset
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+---
+ doc/adcli.xml | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 094f577..4f201e0 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,7 +330,11 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
++			for details.</para>
++			<para>Note that if the machine account password is not
++			older than 30 days, you have to pass
++			<option>--computer-password-lifetime=0</option> to
++			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.21.0
+

SOURCES/0001-man-move-note-to-the-right-section.patch

@@ -0,0 +1,48 @@
+From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 18:26:44 +0100
+Subject: [PATCH] man: move note to the right section
+
+Unfortunately the note about the password lifetime was added to the join
+section. This patch move it to the update section where it belongs to.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+           https://bugzilla.redhat.com/show_bug.cgi?id=1745931
+           https://bugzilla.redhat.com/show_bug.cgi?id=1774622
+---
+ doc/adcli.xml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 4f201e0..9faf96a 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,11 +330,7 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para>
+-			<para>Note that if the machine account password is not
+-			older than 30 days, you have to pass
+-			<option>--computer-password-lifetime=0</option> to
+-			force the update.</para></listitem>
++			for details.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
++			for details.</para>
++			<para>Note that if the machine account password is not
++			older than 30 days, you have to pass
++			<option>--computer-password-lifetime=0</option> to
++			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.21.0
+

SOURCES/0001-tools-add-show-computer-command.patch

@@ -0,0 +1,338 @@
+From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 12:34:45 +0100
+Subject: [PATCH 1/2] tools: add show-computer command
+
+The show-computer command prints the LDAP attributes of the related
+computer object from AD.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 28 ++++++++++++++
+ library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
+ library/adenroll.h |  5 +++
+ tools/computer.c   | 93 ++++++++++++++++++++++++++++++++++++++++++++++
+ tools/tools.c      |  1 +
+ tools/tools.h      |  4 ++
+ 6 files changed, 191 insertions(+), 18 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 9faf96a..1f93186 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -93,6 +93,11 @@
+ 		<arg choice="opt">--domain=domain.example.com</arg>
+ 		<arg choice="plain">computer</arg>
+ 	</cmdsynopsis>
++	<cmdsynopsis>
++		<command>adcli show-computer</command>
++		<arg choice="opt">--domain=domain.example.com</arg>
++		<arg choice="plain">computer</arg>
++	</cmdsynopsis>
+ </refsynopsisdiv>
+ 
+ <refsect1 id='general_overview'>
+@@ -811,6 +816,29 @@ Password for Administrator:
+ 
+ </refsect1>
+ 
++<refsect1 id='show_computer_account'>
++	<title>Show Computer Account Attributes</title>
++
++	<para><command>adcli show-computer</command> show the computer account
++	attributes stored in AD. The account must already exist.</para>
++
++<programlisting>
++$ adcli show-computer --domain=domain.example.com host2
++Password for Administrator:
++</programlisting>
++
++	<para>If the computer name contains a dot, then it is
++	treated as fully qualified host name, otherwise it is treated
++	as short computer name.</para>
++
++	<para>If no computer name is specified, then the host name of the
++	computer adcli is running on is used, as returned by
++	<literal>gethostname()</literal>.</para>
++
++	<para>The various global options can be used.</para>
++
++</refsect1>
++
+ <refsect1 id='bugs'>
+ 	<title>Bugs</title>
+ 	<para>
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 524663a..8d2adeb 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
+ 	0
+ };
+ 
++static char *default_ad_ldap_attrs[] =  {
++	"sAMAccountName",
++	"userPrincipalName",
++	"msDS-KeyVersionNumber",
++	"msDS-supportedEncryptionTypes",
++	"dNSHostName",
++	"servicePrincipalName",
++	"operatingSystem",
++	"operatingSystemVersion",
++	"operatingSystemServicePack",
++	"pwdLastSet",
++	"userAccountControl",
++	NULL,
++};
++
+ /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
+  * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
+  * for details. */
+@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	char *end;
+ 	int ret;
+ 
+-	char *attrs[] =  {
+-		"msDS-KeyVersionNumber",
+-		"msDS-supportedEncryptionTypes",
+-		"dNSHostName",
+-		"servicePrincipalName",
+-		"operatingSystem",
+-		"operatingSystemVersion",
+-		"operatingSystemServicePack",
+-		"pwdLastSet",
+-		"userAccountControl",
+-		NULL,
+-	};
+-
+ 	assert (enroll->computer_dn != NULL);
+ 	assert (enroll->computer_attributes == NULL);
+ 
+@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	assert (ldap != NULL);
+ 
+ 	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
+-	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
++	                         "(objectClass=*)", default_ad_ldap_attrs,
++	                         0, NULL, NULL, NULL, -1,
+ 	                         &enroll->computer_attributes);
+ 
+ 	if (ret != LDAP_SUCCESS) {
+@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
+ }
+ 
+ adcli_result
+-adcli_enroll_update (adcli_enroll *enroll,
+-		     adcli_enroll_flags flags)
++adcli_enroll_read_computer_account (adcli_enroll *enroll,
++		                    adcli_enroll_flags flags)
+ {
+ 	adcli_result res = ADCLI_SUCCESS;
+ 	LDAP *ldap;
+-	char *value;
+ 
+ 	return_unexpected_if_fail (enroll != NULL);
+ 
+@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	}
+ 
+ 	/* Get information about the computer account */
+-	res = retrieve_computer_account (enroll);
++	return retrieve_computer_account (enroll);
++}
++
++adcli_result
++adcli_enroll_update (adcli_enroll *enroll,
++		     adcli_enroll_flags flags)
++{
++	adcli_result res = ADCLI_SUCCESS;
++	LDAP *ldap;
++	char *value;
++
++	res = adcli_enroll_read_computer_account (enroll, flags);
+ 	if (res != ADCLI_SUCCESS)
+ 		return res;
+ 
+@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	return enroll_join_or_update_tasks (enroll, flags);
+ }
+ 
++adcli_result
++adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
++{
++	LDAP *ldap;
++	size_t c;
++	char **vals;
++	size_t v;
++
++	ldap = adcli_conn_get_ldap_connection (enroll->conn);
++	assert (ldap != NULL);
++
++	for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
++		vals = _adcli_ldap_parse_values (ldap,
++		                                 enroll->computer_attributes,
++		                                 default_ad_ldap_attrs[c]);
++		printf ("%s:\n", default_ad_ldap_attrs[c]);
++		if (vals == NULL) {
++			printf (" - not set -\n");
++		} else {
++			for (v = 0; vals[v] != NULL; v++) {
++				printf (" %s\n", vals[v]);
++			}
++		}
++		_adcli_strv_free (vals);
++	}
++
++	return ADCLI_SUCCESS;
++}
++
+ adcli_result
+ adcli_enroll_delete (adcli_enroll *enroll,
+                      adcli_enroll_flags delete_flags)
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 1d5d00d..11eb517 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -46,6 +46,11 @@ adcli_result       adcli_enroll_join                    (adcli_enroll *enroll,
+ adcli_result       adcli_enroll_update                  (adcli_enroll *enroll,
+ 		                                         adcli_enroll_flags flags);
+ 
++adcli_result       adcli_enroll_read_computer_account   (adcli_enroll *enroll,
++                                                         adcli_enroll_flags flags);
++
++adcli_result       adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
++
+ adcli_result       adcli_enroll_delete                  (adcli_enroll *enroll,
+                                                          adcli_enroll_flags delete_flags);
+ 
+diff --git a/tools/computer.c b/tools/computer.c
+index ac8a203..c8b96a4 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 	adcli_enroll_unref (enroll);
+ 	return 0;
+ }
++
++int
++adcli_tool_computer_show (adcli_conn *conn,
++                          int argc,
++                          char *argv[])
++{
++	adcli_enroll *enroll;
++	adcli_result res;
++	int opt;
++
++	struct option options[] = {
++		{ "domain", required_argument, NULL, opt_domain },
++		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "login-user", required_argument, NULL, opt_login_user },
++		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++		{ "login-type", required_argument, NULL, opt_login_type },
++		{ "no-password", no_argument, 0, opt_no_password },
++		{ "stdin-password", no_argument, 0, opt_stdin_password },
++		{ "prompt-password", no_argument, 0, opt_prompt_password },
++		{ "verbose", no_argument, NULL, opt_verbose },
++		{ "help", no_argument, NULL, 'h' },
++		{ 0 },
++	};
++
++	static adcli_tool_desc usages[] = {
++		{ 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
++		{ 0 },
++	};
++
++	enroll = adcli_enroll_new (conn);
++	if (enroll == NULL) {
++		warnx ("unexpected memory problems");
++		return -1;
++	}
++
++	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
++		switch (opt) {
++		case 'h':
++		case '?':
++		case ':':
++			adcli_tool_usage (options, usages);
++			adcli_tool_usage (options, common_usages);
++			adcli_enroll_unref (enroll);
++			return opt == 'h' ? 0 : 2;
++		default:
++			res = parse_option ((Option)opt, optarg, conn, enroll);
++			if (res != ADCLI_SUCCESS) {
++				adcli_enroll_unref (enroll);
++				return res;
++			}
++			break;
++		}
++	}
++
++	argc -= optind;
++	argv += optind;
++
++	res = adcli_conn_connect (conn);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't connect to %s domain: %s",
++		       adcli_conn_get_domain_name (conn),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	if (argc == 1) {
++		parse_fqdn_or_name (enroll, argv[0]);
++	}
++
++	res = adcli_enroll_read_computer_account (enroll, 0);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't read data for %s: %s",
++		       adcli_enroll_get_host_fqdn (enroll) != NULL
++		           ? adcli_enroll_get_host_fqdn (enroll)
++		           : adcli_enroll_get_computer_name (enroll),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	res = adcli_enroll_show_computer_attribute (enroll);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't print data for %s: %s",
++		       argv[0], adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	adcli_enroll_unref (enroll);
++	return 0;
++}
+diff --git a/tools/tools.c b/tools/tools.c
+index fc9fa9a..9d422f2 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -59,6 +59,7 @@ struct {
+ 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
+ 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
+ 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
++	{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
+ 	{ "create-user", adcli_tool_user_create, "Create a user account", },
+ 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
+ 	{ "create-group", adcli_tool_group_create, "Create a group", },
+diff --git a/tools/tools.h b/tools/tools.h
+index 8cebbf9..3702875 100644
+--- a/tools/tools.h
++++ b/tools/tools.h
+@@ -78,6 +78,10 @@ int       adcli_tool_computer_delete   (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+ 
++int       adcli_tool_computer_show     (adcli_conn *conn,
++                                        int argc,
++                                        char *argv[]);
++
+ int       adcli_tool_user_create       (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+-- 
+2.21.0
+

SOURCES/0002-add-description-option-to-join-and-update.patch

@@ -0,0 +1,183 @@
+From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 14:48:32 +0100
+Subject: [PATCH 2/2] add description option to join and update
+
+This new option allows to set the description LDAP attribute for the AD
+computer object.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 10 ++++++++++
+ library/adenroll.c | 29 +++++++++++++++++++++++++++++
+ library/adenroll.h |  4 ++++
+ tools/computer.c   |  7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 1f93186..dd30435 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -275,6 +275,11 @@ Password for Administrator:
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a kerberos
+@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a Kerberos
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 8d2adeb..246f658 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] =  {
+ 	"operatingSystemServicePack",
+ 	"pwdLastSet",
+ 	"userAccountControl",
++	"description",
+ 	NULL,
+ };
+ 
+@@ -143,6 +144,7 @@ struct _adcli_enroll {
+ 	char *samba_data_tool;
+ 	bool trusted_for_delegation;
+ 	int trusted_for_delegation_explicit;
++	char *description;
+ };
+ 
+ static adcli_result
+@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
+ 	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+ 	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+ 	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
++	char *vals_description[] = { enroll->description, NULL };
++	LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
+ 
+ 	char *val = NULL;
+ 
+@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
+ 		&operatingSystemServicePack,
+ 		&userPrincipalName,
+ 		&servicePrincipalName,
++		&description,
+ 		NULL
+ 	};
+ 
+@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
+ 		res |= update_computer_attribute (enroll, ldap, mods);
+ 	}
+ 
++	if (res == ADCLI_SUCCESS && enroll->description != NULL) {
++		char *vals_description[] = { enroll->description, NULL };
++		LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
++		LDAPMod *mods[] = { &description, NULL, };
++
++		res |= update_computer_attribute (enroll, ldap, mods);
++	}
++
+ 	if (res != 0)
+ 		_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
+ }
+@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+ 	enroll->trusted_for_delegation_explicit = 1;
+ }
+ 
++void
++adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
++{
++	return_if_fail (enroll != NULL);
++	if (value != NULL && value[0] != '\0') {
++		_adcli_str_set (&enroll->description, value);
++	}
++}
++
++const char *
++adcli_enroll_get_desciption (adcli_enroll *enroll)
++{
++	return_val_if_fail (enroll != NULL, NULL);
++	return enroll->description;
++}
++
+ const char **
+ adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
+ {
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 11eb517..0606169 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -126,6 +126,10 @@ bool               adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
+ void               adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+                                                             bool value);
+ 
++const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
++void               adcli_enroll_set_description         (adcli_enroll *enroll,
++                                                         const char *value);
++
+ krb5_kvno          adcli_enroll_get_kvno                (adcli_enroll *enroll);
+ 
+ void               adcli_enroll_set_kvno                (adcli_enroll *enroll,
+diff --git a/tools/computer.c b/tools/computer.c
+index c8b96a4..840e334 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -112,6 +112,7 @@ typedef enum {
+ 	opt_trusted_for_delegation,
+ 	opt_add_service_principal,
+ 	opt_remove_service_principal,
++	opt_description,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
+ 	                              "in the userAccountControl attribute", },
+ 	{ opt_add_service_principal, "add the given service principal to the account\n" },
+ 	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
++	{ opt_description, "add a description to the account\n" },
+ 	{ opt_no_password, "don't prompt for or read a password" },
+ 	{ opt_prompt_password, "prompt for a password if necessary" },
+ 	{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
+@@ -306,6 +308,9 @@ parse_option (Option opt,
+ 	case opt_remove_service_principal:
+ 		adcli_enroll_add_service_principal_to_remove (enroll, optarg);
+ 		return ADCLI_SUCCESS;
++	case opt_description:
++		adcli_enroll_set_description (enroll, optarg);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 
+@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+ 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
+@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+-- 
+2.21.0
+

SPECS/adcli.spec

@@ -1,6 +1,6 @@
 Name:		adcli
 Version:	0.8.2
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	Active Directory enrollment
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/adcli
@@ -90,6 +90,20 @@ Patch52:	0002-adconn-add-adcli_conn_set_krb5_context.patch
 Patch53:	0003-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch
 Patch54:	0004-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch
 
+# rhbz#1745931 - adcli update --add-samba-data does not work as expected
+Patch55:	0001-doc-explain-how-to-force-password-reset.patch
+Patch56:	0001-man-move-note-to-the-right-section.patch
+
+# rhbz#1745932 - Issue is that with arcfour-hmac as first encryption type
+Patch57:	0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
+
+Patch58:	0001-Fix-for-issue-found-by-Coverity.patch
+
+# rhbz#1737342 - [RFE] enhancement adcli to set description attribute and to
+# show all AD attributes
+Patch59:	0001-tools-add-show-computer-command.patch
+Patch60:	0002-add-description-option-to-join-and-update.patch
+
 BuildRequires:	gcc
 BuildRequires:	intltool pkgconfig
 BuildRequires:	libtool
@@ -150,6 +164,12 @@ documentation.
 %doc %{_datadir}/doc/adcli/*
 
 %changelog
+* Thu Nov 28 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
+- adcli update --add-samba-data does not work as expected [#1745931]
+- Issue is that with arcfour-hmac as first encryption type [#1745932]
+- [RFE] enhancement adcli to set description attribute and to show all AD
+  attributes [#1737342]
+
 * Fri Jun 14 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-3
 - use autosetup macro to simplify patch handling
 - fixed rpmlint warnings in the spec file