import adcli-0.8.2-5.el8

SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch

+From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Apr 2019 10:55:39 +0200
+Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt
+
+Since the arcfour-hmac-md5 encryption types does not use salts it cannot
+be used to discover the right salt.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
+---
+ library/adkrb5.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/library/adkrb5.c b/library/adkrb5.c
+index da835d7..be3ede5 100644
+--- a/library/adkrb5.c
++++ b/library/adkrb5.c
+@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 	krb5_keytab scratch;
+ 	krb5_error_code code;
+ 	int i;
++	krb5_enctype *salt_enctypes = NULL;
++	size_t c;
++	size_t s;
+ 
+ 	/* TODO: This should be a unique name */
+ 
+ 	code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
+ 	return_val_if_fail (code == 0, code);
+ 
++	for (c = 0; enctypes[c] != 0; c++); /* count enctypes */
++	salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));
++	return_val_if_fail (salt_enctypes != NULL, ENOMEM);
++
++	/* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to
++	 * discover the right salt. */
++	s = 0;
++	for (c = 0; enctypes[c] != 0; c++) {
++		if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {
++			continue;
++		}
++
++		salt_enctypes[s++] = enctypes[c];
++	}
++
+ 	for (i = 0; salts[i].data != NULL; i++) {
+ 		code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
+-		                                     password, enctypes, &salts[i]);
++		                                     password, salt_enctypes, &salts[i]);
+ 		if (code == 0) {
+ 			*discovered = i;
+ 			break;
+@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 		}
+ 	}
+ 
++	free (salt_enctypes);
+ 	krb5_kt_close (k5, scratch);
+ 	return code;
+ }
+-- 
+2.21.0
+

SOURCES/0001-Fix-for-issue-found-by-Coverity.patch

+From 5da6d34e2659f915e830932fd366c635801ecd91 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 12 Aug 2019 17:28:20 +0200
+Subject: [PATCH] Fix for issue found by Coverity
+
+Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
+---
+ library/adenroll.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 53cd812..524663a 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -2681,7 +2681,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+ 	for (c = 0; cur_enctypes[c] != 0; c++);
+ 
+ 	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+-	return_val_if_fail (new_enctypes != NULL, NULL);
++	if (new_enctypes == NULL) {
++		krb5_free_enctypes (k5, permitted_enctypes);
++		return NULL;
++	}
+ 
+ 	n = 0;
+ 	for (c = 0; cur_enctypes[c] != 0; c++) {
+-- 
+2.21.0
+

SOURCES/0001-Use-GSS-SPNEGO-if-available.patch

+From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 11 Oct 2019 16:39:25 +0200
+Subject: [PATCH 1/2] Use GSS-SPNEGO if available
+
+Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
+and to establish encryption. While this works in general it does not
+handle some of the more advanced features which can be required by AD
+DCs.
+
+The GSS-SPNEGO mechanism can handle them and is used with this patch by
+adcli if the AD DC indicates that it supports it.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+---
+ library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
+ library/adconn.h |  3 +++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/library/adconn.c b/library/adconn.c
+index bcaced8..ffb54f9 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
+ 	char *default_naming_context;
+ 	char *configuration_naming_context;
+ 	char **supported_capabilities;
++	char **supported_sasl_mechs;
+ 
+ 	/* Connect state */
+ 	LDAP *ldap;
+@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 		"defaultNamingContext",
+ 		"configurationNamingContext",
+ 		"supportedCapabilities",
++		"supportedSASLMechanisms",
+ 		NULL
+ 	};
+ 
+@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 		                                                         "supportedCapabilities");
+ 	}
+ 
++	if (conn->supported_sasl_mechs == NULL) {
++		conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
++		                                                       "supportedSASLMechanisms");
++	}
++
+ 	ldap_msgfree (results);
+ 
+ 	if (conn->default_naming_context == NULL) {
+@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
+ 	OM_uint32 minor;
+ 	ber_len_t ssf;
+ 	int ret;
++	const char *mech = "GSSAPI";
+ 
+ 	if (conn->ldap_authenticated)
+ 		return ADCLI_SUCCESS;
+@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
+ 	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ 	return_unexpected_if_fail (ret == 0);
+ 
+-	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
++		mech =  "GSS-SPNEGO";
++	}
++
++	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
+ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
+ 
+ 	/* Clear the credential cache GSSAPI to use (for this thread) */
+@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
+ 	free (conn->default_naming_context);
+ 	free (conn->configuration_naming_context);
+ 	_adcli_strv_free (conn->supported_capabilities);
++	_adcli_strv_free (conn->supported_sasl_mechs);
+ 
+ 	free (conn->computer_name);
+ 	free (conn->host_fqdn);
+@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
+ 	return 0;
+ }
+ 
++bool
++adcli_conn_server_has_sasl_mech (adcli_conn *conn,
++                                 const char *mech)
++{
++	int i;
++
++	return_val_if_fail (conn != NULL, false);
++	return_val_if_fail (mech != NULL, false);
++
++	if (!conn->supported_sasl_mechs)
++		return false;
++
++	for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
++		if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
++			return true;
++	}
++
++	return false;
++}
++
+ bool adcli_conn_is_writeable (adcli_conn *conn)
+ {
+ 	disco_dance_if_necessary (conn);
+diff --git a/library/adconn.h b/library/adconn.h
+index 1ad5715..37ebdd9 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -149,6 +149,9 @@ void                adcli_conn_set_krb5_conf_dir     (adcli_conn *conn,
+ int                 adcli_conn_server_has_capability (adcli_conn *conn,
+                                                       const char *capability);
+ 
++bool                adcli_conn_server_has_sasl_mech  (adcli_conn *conn,
++                                                      const char *mech);
++
+ bool                adcli_conn_is_writeable          (adcli_conn *conn);
+ 
+ #endif /* ADCONN_H_ */
+-- 
+2.21.0
+

SOURCES/0001-doc-explain-how-to-force-password-reset.patch

+From 9b187095edb8c914238419ed51fef6041864f4fc Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 26 Aug 2019 13:33:24 +0200
+Subject: [PATCH] doc: explain how to force password reset
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+---
+ doc/adcli.xml | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 094f577..4f201e0 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,7 +330,11 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
++			for details.</para>
++			<para>Note that if the machine account password is not
++			older than 30 days, you have to pass
++			<option>--computer-password-lifetime=0</option> to
++			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.21.0
+

SOURCES/0001-man-move-note-to-the-right-section.patch

+From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 18:26:44 +0100
+Subject: [PATCH] man: move note to the right section
+
+Unfortunately the note about the password lifetime was added to the join
+section. This patch move it to the update section where it belongs to.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+           https://bugzilla.redhat.com/show_bug.cgi?id=1745931
+           https://bugzilla.redhat.com/show_bug.cgi?id=1774622
+---
+ doc/adcli.xml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 4f201e0..9faf96a 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,11 +330,7 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para>
+-			<para>Note that if the machine account password is not
+-			older than 30 days, you have to pass
+-			<option>--computer-password-lifetime=0</option> to
+-			force the update.</para></listitem>
++			for details.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
++			for details.</para>
++			<para>Note that if the machine account password is not
++			older than 30 days, you have to pass
++			<option>--computer-password-lifetime=0</option> to
++			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.21.0
+

SOURCES/0001-tools-add-show-computer-command.patch

+From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 12:34:45 +0100
+Subject: [PATCH 1/2] tools: add show-computer command
+
+The show-computer command prints the LDAP attributes of the related
+computer object from AD.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 28 ++++++++++++++
+ library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
+ library/adenroll.h |  5 +++
+ tools/computer.c   | 93 ++++++++++++++++++++++++++++++++++++++++++++++
+ tools/tools.c      |  1 +
+ tools/tools.h      |  4 ++
+ 6 files changed, 191 insertions(+), 18 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 9faf96a..1f93186 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -93,6 +93,11 @@
+ 		<arg choice="opt">--domain=domain.example.com</arg>
+ 		<arg choice="plain">computer</arg>
+ 	</cmdsynopsis>
++	<cmdsynopsis>
++		<command>adcli show-computer</command>
++		<arg choice="opt">--domain=domain.example.com</arg>
++		<arg choice="plain">computer</arg>
++	</cmdsynopsis>
+ </refsynopsisdiv>
+ 
+ <refsect1 id='general_overview'>
+@@ -811,6 +816,29 @@ Password for Administrator:
+ 
+ </refsect1>
+ 
++<refsect1 id='show_computer_account'>
++	<title>Show Computer Account Attributes</title>
++
++	<para><command>adcli show-computer</command> show the computer account
++	attributes stored in AD. The account must already exist.</para>
++
++<programlisting>
++$ adcli show-computer --domain=domain.example.com host2
++Password for Administrator:
++</programlisting>
++
++	<para>If the computer name contains a dot, then it is
++	treated as fully qualified host name, otherwise it is treated
++	as short computer name.</para>
++
++	<para>If no computer name is specified, then the host name of the
++	computer adcli is running on is used, as returned by
++	<literal>gethostname()</literal>.</para>
++
++	<para>The various global options can be used.</para>
++
++</refsect1>
++
+ <refsect1 id='bugs'>
+ 	<title>Bugs</title>
+ 	<para>
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 524663a..8d2adeb 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
+ 	0
+ };
+ 
++static char *default_ad_ldap_attrs[] =  {
++	"sAMAccountName",
++	"userPrincipalName",
++	"msDS-KeyVersionNumber",
++	"msDS-supportedEncryptionTypes",
++	"dNSHostName",
++	"servicePrincipalName",
++	"operatingSystem",
++	"operatingSystemVersion",
++	"operatingSystemServicePack",
++	"pwdLastSet",
++	"userAccountControl",
++	NULL,
++};
++
+ /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
+  * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
+  * for details. */
+@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	char *end;
+ 	int ret;
+ 
+-	char *attrs[] =  {
+-		"msDS-KeyVersionNumber",
+-		"msDS-supportedEncryptionTypes",
+-		"dNSHostName",
+-		"servicePrincipalName",
+-		"operatingSystem",
+-		"operatingSystemVersion",
+-		"operatingSystemServicePack",
+-		"pwdLastSet",
+-		"userAccountControl",
+-		NULL,
+-	};
+-
+ 	assert (enroll->computer_dn != NULL);
+ 	assert (enroll->computer_attributes == NULL);
+ 
+@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	assert (ldap != NULL);
+ 
+ 	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
+-	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
++	                         "(objectClass=*)", default_ad_ldap_attrs,
++	                         0, NULL, NULL, NULL, -1,
+ 	                         &enroll->computer_attributes);
+ 
+ 	if (ret != LDAP_SUCCESS) {
+@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
+ }
+ 
+ adcli_result
+-adcli_enroll_update (adcli_enroll *enroll,
+-		     adcli_enroll_flags flags)
++adcli_enroll_read_computer_account (adcli_enroll *enroll,
++		                    adcli_enroll_flags flags)
+ {
+ 	adcli_result res = ADCLI_SUCCESS;
+ 	LDAP *ldap;
+-	char *value;
+ 
+ 	return_unexpected_if_fail (enroll != NULL);
+ 
+@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	}
+ 
+ 	/* Get information about the computer account */
+-	res = retrieve_computer_account (enroll);
++	return retrieve_computer_account (enroll);
++}
++
++adcli_result
++adcli_enroll_update (adcli_enroll *enroll,
++		     adcli_enroll_flags flags)
++{
++	adcli_result res = ADCLI_SUCCESS;
++	LDAP *ldap;
++	char *value;
++
++	res = adcli_enroll_read_computer_account (enroll, flags);
+ 	if (res != ADCLI_SUCCESS)
+ 		return res;
+ 
+@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	return enroll_join_or_update_tasks (enroll, flags);
+ }
+ 
++adcli_result
++adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
++{
++	LDAP *ldap;
++	size_t c;
++	char **vals;
++	size_t v;
++
++	ldap = adcli_conn_get_ldap_connection (enroll->conn);
++	assert (ldap != NULL);
++
++	for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
++		vals = _adcli_ldap_parse_values (ldap,
++		                                 enroll->computer_attributes,
++		                                 default_ad_ldap_attrs[c]);
++		printf ("%s:\n", default_ad_ldap_attrs[c]);
++		if (vals == NULL) {
++			printf (" - not set -\n");
++		} else {
++			for (v = 0; vals[v] != NULL; v++) {
++				printf (" %s\n", vals[v]);
++			}
++		}
++		_adcli_strv_free (vals);
++	}
++
++	return ADCLI_SUCCESS;
++}
++
+ adcli_result
+ adcli_enroll_delete (adcli_enroll *enroll,
+                      adcli_enroll_flags delete_flags)
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 1d5d00d..11eb517 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -46,6 +46,11 @@ adcli_result       adcli_enroll_join                    (adcli_enroll *enroll,
+ adcli_result       adcli_enroll_update                  (adcli_enroll *enroll,
+ 		                                         adcli_enroll_flags flags);
+ 
++adcli_result       adcli_enroll_read_computer_account   (adcli_enroll *enroll,
++                                                         adcli_enroll_flags flags);
++
++adcli_result       adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
++
+ adcli_result       adcli_enroll_delete                  (adcli_enroll *enroll,
+                                                          adcli_enroll_flags delete_flags);
+ 
+diff --git a/tools/computer.c b/tools/computer.c
+index ac8a203..c8b96a4 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 	adcli_enroll_unref (enroll);
+ 	return 0;
+ }
++
++int
++adcli_tool_computer_show (adcli_conn *conn,
++                          int argc,
++                          char *argv[])
++{
++	adcli_enroll *enroll;
++	adcli_result res;
++	int opt;
++
++	struct option options[] = {
++		{ "domain", required_argument, NULL, opt_domain },
++		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "login-user", required_argument, NULL, opt_login_user },
++		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++		{ "login-type", required_argument, NULL, opt_login_type },
++		{ "no-password", no_argument, 0, opt_no_password },
++		{ "stdin-password", no_argument, 0, opt_stdin_password },
++		{ "prompt-password", no_argument, 0, opt_prompt_password },
++		{ "verbose", no_argument, NULL, opt_verbose },
++		{ "help", no_argument, NULL, 'h' },
++		{ 0 },
++	};
++
++	static adcli_tool_desc usages[] = {
++		{ 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
++		{ 0 },
++	};
++
++	enroll = adcli_enroll_new (conn);
++	if (enroll == NULL) {
++		warnx ("unexpected memory problems");
++		return -1;
++	}
++
++	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
++		switch (opt) {
++		case 'h':
++		case '?':
++		case ':':
++			adcli_tool_usage (options, usages);
++			adcli_tool_usage (options, common_usages);
++			adcli_enroll_unref (enroll);
++			return opt == 'h' ? 0 : 2;
++		default:
++			res = parse_option ((Option)opt, optarg, conn, enroll);
++			if (res != ADCLI_SUCCESS) {
++				adcli_enroll_unref (enroll);
++				return res;
++			}
++			break;
++		}
++	}
++
++	argc -= optind;
++	argv += optind;
++
++	res = adcli_conn_connect (conn);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't connect to %s domain: %s",
++		       adcli_conn_get_domain_name (conn),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	if (argc == 1) {
++		parse_fqdn_or_name (enroll, argv[0]);
++	}
++
++	res = adcli_enroll_read_computer_account (enroll, 0);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't read data for %s: %s",
++		       adcli_enroll_get_host_fqdn (enroll) != NULL
++		           ? adcli_enroll_get_host_fqdn (enroll)
++		           : adcli_enroll_get_computer_name (enroll),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	res = adcli_enroll_show_computer_attribute (enroll);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't print data for %s: %s",
++		       argv[0], adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	adcli_enroll_unref (enroll);
++	return 0;
++}
+diff --git a/tools/tools.c b/tools/tools.c
+index fc9fa9a..9d422f2 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -59,6 +59,7 @@ struct {
+ 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
+ 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
+ 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
++	{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
+ 	{ "create-user", adcli_tool_user_create, "Create a user account", },
+ 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
+ 	{ "create-group", adcli_tool_group_create, "Create a group", },
+diff --git a/tools/tools.h b/tools/tools.h
+index 8cebbf9..3702875 100644
+--- a/tools/tools.h
++++ b/tools/tools.h
+@@ -78,6 +78,10 @@ int       adcli_tool_computer_delete   (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+ 
++int       adcli_tool_computer_show     (adcli_conn *conn,
++                                        int argc,
++                                        char *argv[]);
++
+ int       adcli_tool_user_create       (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+-- 
+2.21.0
+

SOURCES/0002-add-description-option-to-join-and-update.patch

+From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 14:48:32 +0100
+Subject: [PATCH 2/2] add description option to join and update
+
+This new option allows to set the description LDAP attribute for the AD
+computer object.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 10 ++++++++++
+ library/adenroll.c | 29 +++++++++++++++++++++++++++++
+ library/adenroll.h |  4 ++++
+ tools/computer.c   |  7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 1f93186..dd30435 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -275,6 +275,11 @@ Password for Administrator:
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a kerberos
+@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a Kerberos
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 8d2adeb..246f658 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] =  {
+ 	"operatingSystemServicePack",
+ 	"pwdLastSet",
+ 	"userAccountControl",
++	"description",
+ 	NULL,
+ };
+ 
+@@ -143,6 +144,7 @@ struct _adcli_enroll {
+ 	char *samba_data_tool;
+ 	bool trusted_for_delegation;
+ 	int trusted_for_delegation_explicit;
++	char *description;
+ };
+ 
+ static adcli_result
+@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
+ 	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+ 	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+ 	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
++	char *vals_description[] = { enroll->description, NULL };
++	LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
+ 
+ 	char *val = NULL;
+ 
+@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
+ 		&operatingSystemServicePack,
+ 		&userPrincipalName,
+ 		&servicePrincipalName,
++		&description,
+ 		NULL
+ 	};
+ 
+@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
+ 		res |= update_computer_attribute (enroll, ldap, mods);
+ 	}
+ 
++	if (res == ADCLI_SUCCESS && enroll->description != NULL) {
++		char *vals_description[] = { enroll->description, NULL };
++		LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
++		LDAPMod *mods[] = { &description, NULL, };
++
++		res |= update_computer_attribute (enroll, ldap, mods);
++	}
++
+ 	if (res != 0)
+ 		_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
+ }
+@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+ 	enroll->trusted_for_delegation_explicit = 1;
+ }
+ 
++void
++adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
++{
++	return_if_fail (enroll != NULL);
++	if (value != NULL && value[0] != '\0') {
++		_adcli_str_set (&enroll->description, value);
++	}
++}
++
++const char *
++adcli_enroll_get_desciption (adcli_enroll *enroll)
++{
++	return_val_if_fail (enroll != NULL, NULL);
++	return enroll->description;
++}
++
+ const char **
+ adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
+ {
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 11eb517..0606169 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -126,6 +126,10 @@ bool               adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
+ void               adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+                                                             bool value);
+ 
++const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
++void               adcli_enroll_set_description         (adcli_enroll *enroll,
++                                                         const char *value);
++
+ krb5_kvno          adcli_enroll_get_kvno                (adcli_enroll *enroll);
+ 
+ void               adcli_enroll_set_kvno                (adcli_enroll *enroll,
+diff --git a/tools/computer.c b/tools/computer.c
+index c8b96a4..840e334 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -112,6 +112,7 @@ typedef enum {
+ 	opt_trusted_for_delegation,
+ 	opt_add_service_principal,
+ 	opt_remove_service_principal,
++	opt_description,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
+ 	                              "in the userAccountControl attribute", },
+ 	{ opt_add_service_principal, "add the given service principal to the account\n" },
+ 	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
++	{ opt_description, "add a description to the account\n" },
+ 	{ opt_no_password, "don't prompt for or read a password" },
+ 	{ opt_prompt_password, "prompt for a password if necessary" },
+ 	{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
+@@ -306,6 +308,9 @@ parse_option (Option opt,
+ 	case opt_remove_service_principal:
+ 		adcli_enroll_add_service_principal_to_remove (enroll, optarg);
+ 		return ADCLI_SUCCESS;
++	case opt_description:
++		adcli_enroll_set_description (enroll, optarg);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 
+@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+ 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
+@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+-- 
+2.21.0
+

SOURCES/0002-add-option-use-ldaps.patch

+From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 19 Dec 2019 07:22:33 +0100
+Subject: [PATCH 2/2] add option use-ldaps
+
+In general using the LDAP port with GSS-SPNEGO should satifiy all
+requirements an AD DC should have for authentication on an encrypted
+LDAP connection.
+
+But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
+with TLS encryption might be an alternative. For this use case the
+--use-ldaps option is added.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+---
+ doc/adcli.xml    | 24 +++++++++++++++
+ library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
+ library/adconn.h |  4 +++
+ tools/computer.c | 10 ++++++
+ tools/entry.c    | 11 +++++++
+ 5 files changed, 119 insertions(+), 9 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index dd30435..acced25 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -128,6 +128,30 @@
+ 			If not specified, then an appropriate domain controller
+ 			is automatically discovered.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--use-ldaps</option></term>
++			<listitem><para>Connect to the domain controller
++			with LDAPS. By default the LDAP port is used and SASL
++			GSS-SPNEGO or GSSAPI is used for authentication and to
++			establish encryption. This should satisfy all
++			requirements set on the server side and LDAPS should
++			only be used if the LDAP port is not accessible due to
++			firewalls or other reasons.</para>
++			<para> Please note that the place where CA certificates
++			can be found to validate the AD DC certificates
++			must be configured in the OpenLDAP configuration
++			file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
++			As an alternative it can be specified with the help of
++			an environment variable, e.g.
++<programlisting>
++$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
++...
++</programlisting>
++			Please see
++			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
++			<manvolnum>5</manvolnum></citerefentry> for details.
++			</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+ 			<listitem><para>Use the specified kerberos credential
+diff --git a/library/adconn.c b/library/adconn.c
+index ffb54f9..7bab852 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
+ 	char *domain_name;
+ 	char *domain_realm;
+ 	char *domain_controller;
++	bool use_ldaps;
+ 	char *canonical_host;
+ 	char *domain_short;
+ 	char *domain_sid;
+@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
+ 
+ static LDAP *
+ connect_to_address (const char *host,
+-                    const char *canonical_host)
++                    const char *canonical_host,
++                    bool use_ldaps)
+ {
+ 	struct addrinfo *res = NULL;
+ 	struct addrinfo *ai;
+@@ -783,6 +785,16 @@ connect_to_address (const char *host,
+ 	char *url;
+ 	int sock;
+ 	int rc;
++	int opt_rc;
++	const char *port = "389";
++	const char *proto = "ldap";
++	const char *errmsg = NULL;
++
++	if (use_ldaps) {
++		port = "636";
++		proto = "ldaps";
++		_adcli_info ("Using LDAPS to connect to %s", host);
++	}
+ 
+ 	memset (&hints, '\0', sizeof(hints));
+ #ifdef AI_ADDRCONFIG
+@@ -794,7 +806,7 @@ connect_to_address (const char *host,
+ 	if (!canonical_host)
+ 		canonical_host = host;
+ 
+-	rc = getaddrinfo (host, "389", &hints, &res);
++	rc = getaddrinfo (host, port, &hints, &res);
+ 	if (rc != 0) {
+ 		_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
+ 		return NULL;
+@@ -810,7 +822,7 @@ connect_to_address (const char *host,
+ 			close (sock);
+ 		} else {
+ 			error = 0;
+-			if (asprintf (&url, "ldap://%s", canonical_host) < 0)
++			if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
+ 				return_val_if_reached (NULL);
+ 			rc = ldap_init_fd (sock, 1, url, &ldap);
+ 			free (url);
+@@ -820,6 +832,25 @@ connect_to_address (const char *host,
+ 				            ldap_err2string (rc));
+ 				break;
+ 			}
++
++			if (use_ldaps) {
++				rc = ldap_install_tls (ldap);
++				if (rc != LDAP_SUCCESS) {
++					opt_rc = ldap_get_option (ldap,
++					                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
++					                          (void *) &errmsg);
++					if (opt_rc != LDAP_SUCCESS) {
++						errmsg = NULL;
++					}
++					_adcli_err ("Couldn't initialize TLS [%s]: %s",
++					            ldap_err2string (rc),
++					            errmsg == NULL ? "- no details -"
++					                           : errmsg);
++					ldap_unbind_ext_s (ldap, NULL, NULL);
++					ldap = NULL;
++					break;
++				}
++			}
+ 		}
+ 	}
+ 
+@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 	if (!canonical_host)
+ 		canonical_host = disco->host_addr;
+ 
+-	ldap = connect_to_address (disco->host_addr, canonical_host);
++	ldap = connect_to_address (disco->host_addr, canonical_host,
++	                           adcli_conn_get_use_ldaps (conn));
+ 	if (ldap == NULL)
+ 		return ADCLI_ERR_DIRECTORY;
+ 
+@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
+ 	status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
+ 	return_unexpected_if_fail (status == 0);
+ 
+-	/* Clumsily tell ldap + cyrus-sasl that we want encryption */
+-	ssf = 1;
+-	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+-	return_unexpected_if_fail (ret == 0);
++	if (adcli_conn_get_use_ldaps (conn)) {
++		/* do not use SASL encryption on LDAPS connection */
++		ssf = 0;
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++		return_unexpected_if_fail (ret == 0);
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
++		return_unexpected_if_fail (ret == 0);
++	} else {
++		/* Clumsily tell ldap + cyrus-sasl that we want encryption */
++		ssf = 1;
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++		return_unexpected_if_fail (ret == 0);
++	}
+ 
+-	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
++	/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
++	 * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
++	 * without LDAPS. */
++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
++	                     && !adcli_conn_get_use_ldaps (conn)) {
+ 		mech =  "GSS-SPNEGO";
+ 	}
++	_adcli_info ("Using %s for SASL bind", mech);
+ 
+ 	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
+ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
+@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
+ 	conn->refs = 1;
+ 	conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
+ 	adcli_conn_set_domain_name (conn, domain_name);
++	adcli_conn_set_use_ldaps (conn, false);
+ 	return conn;
+ }
+ 
+@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
+ 	no_more_disco (conn);
+ }
+ 
++bool
++adcli_conn_get_use_ldaps (adcli_conn *conn)
++{
++	return_val_if_fail (conn != NULL, NULL);
++	return conn->use_ldaps;
++}
++
++void
++adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
++{
++	return_if_fail (conn != NULL);
++	conn->use_ldaps = value;
++}
++
+ const char *
+ adcli_conn_get_domain_short (adcli_conn *conn)
+ {
+diff --git a/library/adconn.h b/library/adconn.h
+index 37ebdd9..1d5faa8 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -89,6 +89,10 @@ const char *        adcli_conn_get_domain_controller (adcli_conn *conn);
+ void                adcli_conn_set_domain_controller (adcli_conn *conn,
+                                                       const char *value);
+ 
++bool                adcli_conn_get_use_ldaps         (adcli_conn *conn);
++void                adcli_conn_set_use_ldaps         (adcli_conn *conn,
++                                                      bool value);
++
+ const char *        adcli_conn_get_domain_short      (adcli_conn *conn);
+ 
+ const char *        adcli_conn_get_domain_sid        (adcli_conn *conn);
+diff --git a/tools/computer.c b/tools/computer.c
+index 840e334..292c4d8 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -113,12 +113,14 @@ typedef enum {
+ 	opt_add_service_principal,
+ 	opt_remove_service_principal,
+ 	opt_description,
++	opt_use_ldaps,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+ 	{ opt_domain, "active directory domain name" },
+ 	{ opt_domain_realm, "kerberos realm for the domain" },
+ 	{ opt_domain_controller, "domain controller to connect to" },
++	{ opt_use_ldaps, "use LDAPS port for communication" },
+ 	{ opt_host_fqdn, "override the fully qualified domain name of the\n"
+ 	                 "local machine" },
+ 	{ opt_host_keytab, "filename for the host kerberos keytab" },
+@@ -311,6 +313,9 @@ parse_option (Option opt,
+ 	case opt_description:
+ 		adcli_enroll_set_description (enroll, optarg);
+ 		return ADCLI_SUCCESS;
++	case opt_use_ldaps:
++		adcli_conn_set_use_ldaps (conn, true);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 
+@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ 		{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "user", required_argument, NULL, opt_login_user }, /* compat */
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "login-type", required_argument, NULL, opt_login_type },
+@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "login-type", required_argument, NULL, opt_login_type },
+diff --git a/tools/entry.c b/tools/entry.c
+index f361845..05e4313 100644
+--- a/tools/entry.c
++++ b/tools/entry.c
+@@ -53,6 +53,7 @@ typedef enum {
+ 	opt_unix_gid,
+ 	opt_unix_shell,
+ 	opt_nis_domain,
++	opt_use_ldaps,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
+ 	{ opt_domain, "active directory domain name" },
+ 	{ opt_domain_realm, "kerberos realm for the domain" },
+ 	{ opt_domain_controller, "domain directory server to connect to" },
++	{ opt_use_ldaps, "use LDAPS port for communication" },
+ 	{ opt_login_ccache, "kerberos credential cache file which contains\n"
+ 	                    "ticket to used to connect to the domain" },
+ 	{ opt_login_user, "user (usually administrative) login name of\n"
+@@ -136,6 +138,9 @@ parse_option (Option opt,
+ 			stdin_password = 1;
+ 		}
+ 		return ADCLI_SUCCESS;
++	case opt_use_ldaps:
++		adcli_conn_set_use_ldaps (conn, true);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 	default:
+@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+-- 
+2.21.0
+

SPECS/adcli.spec

 Name:		adcli
 Version:	0.8.2
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	Active Directory enrollment
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/adcli
@@ -90,6 +90,23 @@ Patch52:	0002-adconn-add-adcli_conn_set_krb5_context.patch
 Patch53:	0003-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch
 Patch54:	0004-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch
 
+# rhbz#1745931 - adcli update --add-samba-data does not work as expected
+Patch55:	0001-doc-explain-how-to-force-password-reset.patch
+Patch56:	0001-man-move-note-to-the-right-section.patch
+
+# rhbz#1745932 - Issue is that with arcfour-hmac as first encryption type
+Patch57:	0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
+
+Patch58:	0001-Fix-for-issue-found-by-Coverity.patch
+
+# rhbz#1737342 - [RFE] enhancement adcli to set description attribute and to
+# show all AD attributes
+Patch59:	0001-tools-add-show-computer-command.patch
+Patch60:	0002-add-description-option-to-join-and-update.patch
+
+Patch61:	0001-Use-GSS-SPNEGO-if-available.patch
+Patch62:	0002-add-option-use-ldaps.patch
+
 BuildRequires:	gcc
 BuildRequires:	intltool pkgconfig
 BuildRequires:	libtool
@@ -150,6 +167,16 @@ documentation.
 %doc %{_datadir}/doc/adcli/*
 
 %changelog
+* Wed Jan 29 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-5
+- adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t
+  sssd [#1762420]
+
+* Thu Nov 28 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
+- adcli update --add-samba-data does not work as expected [#1745931]
+- Issue is that with arcfour-hmac as first encryption type [#1745932]
+- [RFE] enhancement adcli to set description attribute and to show all AD
+  attributes [#1737342]
+
 * Fri Jun 14 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-3
 - use autosetup macro to simplify patch handling
 - fixed rpmlint warnings in the spec file