From 7d4105cbe3870a1dd87123f29ea842a58e6f74b4 Mon Sep 17 00:00:00 2001
From: rockyautomation <rockyautomation@rockylinux.org>
Date: Mon, 15 Feb 2021 04:56:02 +0100
Subject: [PATCH] import adcli-0.8.2-5.el8

---
 ...ur-hmac-md5-when-discovering-the-sal.patch |  63 +++
 ...0001-Fix-for-issue-found-by-Coverity.patch |  29 ++
 .../0001-Use-GSS-SPNEGO-if-available.patch    | 124 ++++++
 ...-explain-how-to-force-password-reset.patch |  30 ++
 ...1-man-move-note-to-the-right-section.patch |  48 +++
 ...0001-tools-add-show-computer-command.patch | 338 ++++++++++++++++
 ...escription-option-to-join-and-update.patch | 183 +++++++++
 SOURCES/0002-add-option-use-ldaps.patch       | 378 ++++++++++++++++++
 SPECS/adcli.spec                              |  29 +-
 9 files changed, 1221 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
 create mode 100644 SOURCES/0001-Fix-for-issue-found-by-Coverity.patch
 create mode 100644 SOURCES/0001-Use-GSS-SPNEGO-if-available.patch
 create mode 100644 SOURCES/0001-doc-explain-how-to-force-password-reset.patch
 create mode 100644 SOURCES/0001-man-move-note-to-the-right-section.patch
 create mode 100644 SOURCES/0001-tools-add-show-computer-command.patch
 create mode 100644 SOURCES/0002-add-description-option-to-join-and-update.patch
 create mode 100644 SOURCES/0002-add-option-use-ldaps.patch

diff --git a/SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch b/SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
new file mode 100644
index 0000000..4c2323c
--- /dev/null
+++ b/SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
@@ -0,0 +1,63 @@
+From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Apr 2019 10:55:39 +0200
+Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt
+
+Since the arcfour-hmac-md5 encryption types does not use salts it cannot
+be used to discover the right salt.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
+---
+ library/adkrb5.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/library/adkrb5.c b/library/adkrb5.c
+index da835d7..be3ede5 100644
+--- a/library/adkrb5.c
++++ b/library/adkrb5.c
+@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 	krb5_keytab scratch;
+ 	krb5_error_code code;
+ 	int i;
++	krb5_enctype *salt_enctypes = NULL;
++	size_t c;
++	size_t s;
+ 
+ 	/* TODO: This should be a unique name */
+ 
+ 	code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
+ 	return_val_if_fail (code == 0, code);
+ 
++	for (c = 0; enctypes[c] != 0; c++); /* count enctypes */
++	salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));
++	return_val_if_fail (salt_enctypes != NULL, ENOMEM);
++
++	/* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to
++	 * discover the right salt. */
++	s = 0;
++	for (c = 0; enctypes[c] != 0; c++) {
++		if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {
++			continue;
++		}
++
++		salt_enctypes[s++] = enctypes[c];
++	}
++
+ 	for (i = 0; salts[i].data != NULL; i++) {
+ 		code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
+-		                                     password, enctypes, &salts[i]);
++		                                     password, salt_enctypes, &salts[i]);
+ 		if (code == 0) {
+ 			*discovered = i;
+ 			break;
+@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
+ 		}
+ 	}
+ 
++	free (salt_enctypes);
+ 	krb5_kt_close (k5, scratch);
+ 	return code;
+ }
+-- 
+2.21.0
+
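Review bot: The ENOMEM early return added as `return_val_if_fail (salt_enctypes != NULL, ENOMEM);` leaks the MEMORY keytab resolved two lines above it, because `scratch` is only closed at the end of the function; replace it with `if (salt_enctypes == NULL) { krb5_kt_close (k5, scratch); return ENOMEM; }`, or move the allocation above the `krb5_kt_resolve` call so the failure path has nothing to release. A second edge is the empty result: when every entry of `enctypes` is ENCTYPE_ARCFOUR_HMAC the filtered list holds only the terminating 0, and it is not visible here how `_adcli_krb5_keytab_test_salt` behaves with a zero-length list — presumably every salt test fails and `*discovered` is never written, which the caller then has to handle; a one-line comment after the filter loop stating the expected outcome, once confirmed, would pin that down. `_adcli_krb5_keytab_discover_salt` starts before this hunk, so the declaration of `enctypes` and the handling of `code` after the loop are outside the visible lines.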
diff --git a/SOURCES/0001-Fix-for-issue-found-by-Coverity.patch b/SOURCES/0001-Fix-for-issue-found-by-Coverity.patch
new file mode 100644
index 0000000..b5159c8
--- /dev/null
+++ b/SOURCES/0001-Fix-for-issue-found-by-Coverity.patch
@@ -0,0 +1,29 @@
+From 5da6d34e2659f915e830932fd366c635801ecd91 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 12 Aug 2019 17:28:20 +0200
+Subject: [PATCH] Fix for issue found by Coverity
+
+Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
+---
+ library/adenroll.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 53cd812..524663a 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -2681,7 +2681,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+ 	for (c = 0; cur_enctypes[c] != 0; c++);
+ 
+ 	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+-	return_val_if_fail (new_enctypes != NULL, NULL);
++	if (new_enctypes == NULL) {
++		krb5_free_enctypes (k5, permitted_enctypes);
++		return NULL;
++	}
+ 
+ 	n = 0;
+ 	for (c = 0; cur_enctypes[c] != 0; c++) {
+-- 
+2.21.0
+
diff --git a/SOURCES/0001-Use-GSS-SPNEGO-if-available.patch b/SOURCES/0001-Use-GSS-SPNEGO-if-available.patch
new file mode 100644
index 0000000..bae8b22
--- /dev/null
+++ b/SOURCES/0001-Use-GSS-SPNEGO-if-available.patch
@@ -0,0 +1,124 @@
+From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 11 Oct 2019 16:39:25 +0200
+Subject: [PATCH 1/2] Use GSS-SPNEGO if available
+
+Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
+and to establish encryption. While this works in general it does not
+handle some of the more advanced features which can be required by AD
+DCs.
+
+The GSS-SPNEGO mechanism can handle them and is used with this patch by
+adcli if the AD DC indicates that it supports it.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+---
+ library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
+ library/adconn.h |  3 +++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/library/adconn.c b/library/adconn.c
+index bcaced8..ffb54f9 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
+ 	char *default_naming_context;
+ 	char *configuration_naming_context;
+ 	char **supported_capabilities;
++	char **supported_sasl_mechs;
+ 
+ 	/* Connect state */
+ 	LDAP *ldap;
+@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 		"defaultNamingContext",
+ 		"configurationNamingContext",
+ 		"supportedCapabilities",
++		"supportedSASLMechanisms",
+ 		NULL
+ 	};
+ 
+@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 		                                                         "supportedCapabilities");
+ 	}
+ 
++	if (conn->supported_sasl_mechs == NULL) {
++		conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
++		                                                       "supportedSASLMechanisms");
++	}
++
+ 	ldap_msgfree (results);
+ 
+ 	if (conn->default_naming_context == NULL) {
+@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
+ 	OM_uint32 minor;
+ 	ber_len_t ssf;
+ 	int ret;
++	const char *mech = "GSSAPI";
+ 
+ 	if (conn->ldap_authenticated)
+ 		return ADCLI_SUCCESS;
+@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
+ 	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+ 	return_unexpected_if_fail (ret == 0);
+ 
+-	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
++		mech =  "GSS-SPNEGO";
++	}
++
++	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
+ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
+ 
+ 	/* Clear the credential cache GSSAPI to use (for this thread) */
+@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
+ 	free (conn->default_naming_context);
+ 	free (conn->configuration_naming_context);
+ 	_adcli_strv_free (conn->supported_capabilities);
++	_adcli_strv_free (conn->supported_sasl_mechs);
+ 
+ 	free (conn->computer_name);
+ 	free (conn->host_fqdn);
+@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
+ 	return 0;
+ }
+ 
++bool
++adcli_conn_server_has_sasl_mech (adcli_conn *conn,
++                                 const char *mech)
++{
++	int i;
++
++	return_val_if_fail (conn != NULL, false);
++	return_val_if_fail (mech != NULL, false);
++
++	if (!conn->supported_sasl_mechs)
++		return false;
++
++	for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
++		if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
++			return true;
++	}
++
++	return false;
++}
++
+ bool adcli_conn_is_writeable (adcli_conn *conn)
+ {
+ 	disco_dance_if_necessary (conn);
+diff --git a/library/adconn.h b/library/adconn.h
+index 1ad5715..37ebdd9 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -149,6 +149,9 @@ void                adcli_conn_set_krb5_conf_dir     (adcli_conn *conn,
+ int                 adcli_conn_server_has_capability (adcli_conn *conn,
+                                                       const char *capability);
+ 
++bool                adcli_conn_server_has_sasl_mech  (adcli_conn *conn,
++                                                      const char *mech);
++
+ bool                adcli_conn_is_writeable          (adcli_conn *conn);
+ 
+ #endif /* ADCONN_H_ */
+-- 
+2.21.0
+
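Review bot: The mechanism chosen in `authenticate_to_directory` depends on the `supportedSASLMechanisms` values read from the rootDSE before the bind, but nothing records which mechanism was actually used, which makes a failed or unexpectedly downgraded bind hard to diagnose from verbose output; add `_adcli_info ("Using SASL mechanism %s for LDAP bind", mech);` before the `ldap_sasl_interactive_bind_s` call. Because the choice is server-advertised data, a comment on the `mech` selection should say what bounds it, e.g. `/* prefer GSS-SPNEGO when the DC advertises it; the SSF minimum set above applies to either mechanism */` — presumably that `LDAP_OPT_X_SASL_SSF_MIN` setting is what keeps a changed advertisement from weakening the session, which is worth confirming. Minor points: `mech =  "GSS-SPNEGO";` has a double space, `adcli_conn_server_has_sasl_mech` relies on `strcasecmp` and I cannot see whether adconn.c includes `<strings.h>`, and the new prototype in adconn.h has no comment noting that the match is case-insensitive. `authenticate_to_directory` and `connect_and_lookup_naming` both start and end outside their hunks.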
diff --git a/SOURCES/0001-doc-explain-how-to-force-password-reset.patch b/SOURCES/0001-doc-explain-how-to-force-password-reset.patch
new file mode 100644
index 0000000..f3d25f4
--- /dev/null
+++ b/SOURCES/0001-doc-explain-how-to-force-password-reset.patch
@@ -0,0 +1,30 @@
+From 9b187095edb8c914238419ed51fef6041864f4fc Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 26 Aug 2019 13:33:24 +0200
+Subject: [PATCH] doc: explain how to force password reset
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+---
+ doc/adcli.xml | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 094f577..4f201e0 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,7 +330,11 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
++			for details.</para>
++			<para>Note that if the machine account password is not
++			older than 30 days, you have to pass
++			<option>--computer-password-lifetime=0</option> to
++			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.21.0
+
diff --git a/SOURCES/0001-man-move-note-to-the-right-section.patch b/SOURCES/0001-man-move-note-to-the-right-section.patch
new file mode 100644
index 0000000..307dfc9
--- /dev/null
+++ b/SOURCES/0001-man-move-note-to-the-right-section.patch
@@ -0,0 +1,48 @@
+From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 18:26:44 +0100
+Subject: [PATCH] man: move note to the right section
+
+Unfortunately the note about the password lifetime was added to the join
+section. This patch move it to the update section where it belongs to.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
+           https://bugzilla.redhat.com/show_bug.cgi?id=1745931
+           https://bugzilla.redhat.com/show_bug.cgi?id=1774622
+---
+ doc/adcli.xml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 4f201e0..9faf96a 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -330,11 +330,7 @@ Password for Administrator:
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para>
+-			<para>Note that if the machine account password is not
+-			older than 30 days, you have to pass
+-			<option>--computer-password-lifetime=0</option> to
+-			force the update.</para></listitem>
++			for details.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			important here is currently the
+ 			<option>workgroup</option> option, see
+ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-			for details.</para></listitem>
++			for details.</para>
++			<para>Note that if the machine account password is not
++			older than 30 days, you have to pass
++			<option>--computer-password-lifetime=0</option> to
++			force the update.</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
+-- 
+2.21.0
+
diff --git a/SOURCES/0001-tools-add-show-computer-command.patch b/SOURCES/0001-tools-add-show-computer-command.patch
new file mode 100644
index 0000000..1decaf6
--- /dev/null
+++ b/SOURCES/0001-tools-add-show-computer-command.patch
@@ -0,0 +1,338 @@
+From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 12:34:45 +0100
+Subject: [PATCH 1/2] tools: add show-computer command
+
+The show-computer command prints the LDAP attributes of the related
+computer object from AD.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 28 ++++++++++++++
+ library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
+ library/adenroll.h |  5 +++
+ tools/computer.c   | 93 ++++++++++++++++++++++++++++++++++++++++++++++
+ tools/tools.c      |  1 +
+ tools/tools.h      |  4 ++
+ 6 files changed, 191 insertions(+), 18 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 9faf96a..1f93186 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -93,6 +93,11 @@
+ 		<arg choice="opt">--domain=domain.example.com</arg>
+ 		<arg choice="plain">computer</arg>
+ 	</cmdsynopsis>
++	<cmdsynopsis>
++		<command>adcli show-computer</command>
++		<arg choice="opt">--domain=domain.example.com</arg>
++		<arg choice="plain">computer</arg>
++	</cmdsynopsis>
+ </refsynopsisdiv>
+ 
+ <refsect1 id='general_overview'>
+@@ -811,6 +816,29 @@ Password for Administrator:
+ 
+ </refsect1>
+ 
++<refsect1 id='show_computer_account'>
++	<title>Show Computer Account Attributes</title>
++
++	<para><command>adcli show-computer</command> show the computer account
++	attributes stored in AD. The account must already exist.</para>
++
++<programlisting>
++$ adcli show-computer --domain=domain.example.com host2
++Password for Administrator:
++</programlisting>
++
++	<para>If the computer name contains a dot, then it is
++	treated as fully qualified host name, otherwise it is treated
++	as short computer name.</para>
++
++	<para>If no computer name is specified, then the host name of the
++	computer adcli is running on is used, as returned by
++	<literal>gethostname()</literal>.</para>
++
++	<para>The various global options can be used.</para>
++
++</refsect1>
++
+ <refsect1 id='bugs'>
+ 	<title>Bugs</title>
+ 	<para>
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 524663a..8d2adeb 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
+ 	0
+ };
+ 
++static char *default_ad_ldap_attrs[] =  {
++	"sAMAccountName",
++	"userPrincipalName",
++	"msDS-KeyVersionNumber",
++	"msDS-supportedEncryptionTypes",
++	"dNSHostName",
++	"servicePrincipalName",
++	"operatingSystem",
++	"operatingSystemVersion",
++	"operatingSystemServicePack",
++	"pwdLastSet",
++	"userAccountControl",
++	NULL,
++};
++
+ /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
+  * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
+  * for details. */
+@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	char *end;
+ 	int ret;
+ 
+-	char *attrs[] =  {
+-		"msDS-KeyVersionNumber",
+-		"msDS-supportedEncryptionTypes",
+-		"dNSHostName",
+-		"servicePrincipalName",
+-		"operatingSystem",
+-		"operatingSystemVersion",
+-		"operatingSystemServicePack",
+-		"pwdLastSet",
+-		"userAccountControl",
+-		NULL,
+-	};
+-
+ 	assert (enroll->computer_dn != NULL);
+ 	assert (enroll->computer_attributes == NULL);
+ 
+@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 	assert (ldap != NULL);
+ 
+ 	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
+-	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
++	                         "(objectClass=*)", default_ad_ldap_attrs,
++	                         0, NULL, NULL, NULL, -1,
+ 	                         &enroll->computer_attributes);
+ 
+ 	if (ret != LDAP_SUCCESS) {
+@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
+ }
+ 
+ adcli_result
+-adcli_enroll_update (adcli_enroll *enroll,
+-		     adcli_enroll_flags flags)
++adcli_enroll_read_computer_account (adcli_enroll *enroll,
++		                    adcli_enroll_flags flags)
+ {
+ 	adcli_result res = ADCLI_SUCCESS;
+ 	LDAP *ldap;
+-	char *value;
+ 
+ 	return_unexpected_if_fail (enroll != NULL);
+ 
+@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	}
+ 
+ 	/* Get information about the computer account */
+-	res = retrieve_computer_account (enroll);
++	return retrieve_computer_account (enroll);
++}
++
++adcli_result
++adcli_enroll_update (adcli_enroll *enroll,
++		     adcli_enroll_flags flags)
++{
++	adcli_result res = ADCLI_SUCCESS;
++	LDAP *ldap;
++	char *value;
++
++	res = adcli_enroll_read_computer_account (enroll, flags);
+ 	if (res != ADCLI_SUCCESS)
+ 		return res;
+ 
+@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
+ 	return enroll_join_or_update_tasks (enroll, flags);
+ }
+ 
++adcli_result
++adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
++{
++	LDAP *ldap;
++	size_t c;
++	char **vals;
++	size_t v;
++
++	ldap = adcli_conn_get_ldap_connection (enroll->conn);
++	assert (ldap != NULL);
++
++	for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
++		vals = _adcli_ldap_parse_values (ldap,
++		                                 enroll->computer_attributes,
++		                                 default_ad_ldap_attrs[c]);
++		printf ("%s:\n", default_ad_ldap_attrs[c]);
++		if (vals == NULL) {
++			printf (" - not set -\n");
++		} else {
++			for (v = 0; vals[v] != NULL; v++) {
++				printf (" %s\n", vals[v]);
++			}
++		}
++		_adcli_strv_free (vals);
++	}
++
++	return ADCLI_SUCCESS;
++}
++
+ adcli_result
+ adcli_enroll_delete (adcli_enroll *enroll,
+                      adcli_enroll_flags delete_flags)
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 1d5d00d..11eb517 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -46,6 +46,11 @@ adcli_result       adcli_enroll_join                    (adcli_enroll *enroll,
+ adcli_result       adcli_enroll_update                  (adcli_enroll *enroll,
+ 		                                         adcli_enroll_flags flags);
+ 
++adcli_result       adcli_enroll_read_computer_account   (adcli_enroll *enroll,
++                                                         adcli_enroll_flags flags);
++
++adcli_result       adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
++
+ adcli_result       adcli_enroll_delete                  (adcli_enroll *enroll,
+                                                          adcli_enroll_flags delete_flags);
+ 
+diff --git a/tools/computer.c b/tools/computer.c
+index ac8a203..c8b96a4 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 	adcli_enroll_unref (enroll);
+ 	return 0;
+ }
++
++int
++adcli_tool_computer_show (adcli_conn *conn,
++                          int argc,
++                          char *argv[])
++{
++	adcli_enroll *enroll;
++	adcli_result res;
++	int opt;
++
++	struct option options[] = {
++		{ "domain", required_argument, NULL, opt_domain },
++		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "login-user", required_argument, NULL, opt_login_user },
++		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++		{ "login-type", required_argument, NULL, opt_login_type },
++		{ "no-password", no_argument, 0, opt_no_password },
++		{ "stdin-password", no_argument, 0, opt_stdin_password },
++		{ "prompt-password", no_argument, 0, opt_prompt_password },
++		{ "verbose", no_argument, NULL, opt_verbose },
++		{ "help", no_argument, NULL, 'h' },
++		{ 0 },
++	};
++
++	static adcli_tool_desc usages[] = {
++		{ 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
++		{ 0 },
++	};
++
++	enroll = adcli_enroll_new (conn);
++	if (enroll == NULL) {
++		warnx ("unexpected memory problems");
++		return -1;
++	}
++
++	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
++		switch (opt) {
++		case 'h':
++		case '?':
++		case ':':
++			adcli_tool_usage (options, usages);
++			adcli_tool_usage (options, common_usages);
++			adcli_enroll_unref (enroll);
++			return opt == 'h' ? 0 : 2;
++		default:
++			res = parse_option ((Option)opt, optarg, conn, enroll);
++			if (res != ADCLI_SUCCESS) {
++				adcli_enroll_unref (enroll);
++				return res;
++			}
++			break;
++		}
++	}
++
++	argc -= optind;
++	argv += optind;
++
++	res = adcli_conn_connect (conn);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't connect to %s domain: %s",
++		       adcli_conn_get_domain_name (conn),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	if (argc == 1) {
++		parse_fqdn_or_name (enroll, argv[0]);
++	}
++
++	res = adcli_enroll_read_computer_account (enroll, 0);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't read data for %s: %s",
++		       adcli_enroll_get_host_fqdn (enroll) != NULL
++		           ? adcli_enroll_get_host_fqdn (enroll)
++		           : adcli_enroll_get_computer_name (enroll),
++		       adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	res = adcli_enroll_show_computer_attribute (enroll);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("couldn't print data for %s: %s",
++		       argv[0], adcli_get_last_error ());
++		adcli_enroll_unref (enroll);
++		return -res;
++	}
++
++	adcli_enroll_unref (enroll);
++	return 0;
++}
+diff --git a/tools/tools.c b/tools/tools.c
+index fc9fa9a..9d422f2 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -59,6 +59,7 @@ struct {
+ 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
+ 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
+ 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
++	{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
+ 	{ "create-user", adcli_tool_user_create, "Create a user account", },
+ 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
+ 	{ "create-group", adcli_tool_group_create, "Create a group", },
+diff --git a/tools/tools.h b/tools/tools.h
+index 8cebbf9..3702875 100644
+--- a/tools/tools.h
++++ b/tools/tools.h
+@@ -78,6 +78,10 @@ int       adcli_tool_computer_delete   (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+ 
++int       adcli_tool_computer_show     (adcli_conn *conn,
++                                        int argc,
++                                        char *argv[]);
++
+ int       adcli_tool_user_create       (adcli_conn *conn,
+                                         int argc,
+                                         char *argv[]);
+-- 
+2.21.0
+
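Review bot: The error message after `adcli_enroll_show_computer_attribute` prints `argv[0]`, but the command accepts zero positional arguments (only `argc == 1` is checked, and the man page says the local host name is used otherwise), so without a computer name `argv[0]` is the NULL terminator of argv and passing it to `%s` is undefined behaviour; use the expression the preceding error already uses, `adcli_enroll_get_host_fqdn (enroll) != NULL ? adcli_enroll_get_host_fqdn (enroll) : adcli_enroll_get_computer_name (enroll)`. The same `argc == 1` test silently ignores extra positional arguments rather than reporting them. `adcli_enroll_show_computer_attribute` dereferences `enroll` and `enroll->computer_attributes` with no `return_unexpected_if_fail (enroll != NULL)` guard of the kind `adcli_enroll_read_computer_account` uses, and the new prototypes in adenroll.h carry no comment; a one-line comment that it must follow a successful `adcli_enroll_read_computer_account` would document the ordering the tool relies on.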
diff --git a/SOURCES/0002-add-description-option-to-join-and-update.patch b/SOURCES/0002-add-description-option-to-join-and-update.patch
new file mode 100644
index 0000000..a36dfc9
--- /dev/null
+++ b/SOURCES/0002-add-description-option-to-join-and-update.patch
@@ -0,0 +1,183 @@
+From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 27 Nov 2019 14:48:32 +0100
+Subject: [PATCH 2/2] add description option to join and update
+
+This new option allows to set the description LDAP attribute for the AD
+computer object.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
+---
+ doc/adcli.xml      | 10 ++++++++++
+ library/adenroll.c | 29 +++++++++++++++++++++++++++++
+ library/adenroll.h |  4 ++++
+ tools/computer.c   |  7 +++++++
+ 4 files changed, 50 insertions(+)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 1f93186..dd30435 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -275,6 +275,11 @@ Password for Administrator:
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a kerberos
+@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ 			<listitem><para>Set the operating system version on the computer
+ 			account. Not set by default.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--description=<parameter>description</parameter></option></term>
++			<listitem><para>Set the description attribute on the computer
++			account. Not set by default.</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>--service-name=<parameter>service</parameter></option></term>
+ 			<listitem><para>Additional service name for a Kerberos
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 8d2adeb..246f658 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] =  {
+ 	"operatingSystemServicePack",
+ 	"pwdLastSet",
+ 	"userAccountControl",
++	"description",
+ 	NULL,
+ };
+ 
+@@ -143,6 +144,7 @@ struct _adcli_enroll {
+ 	char *samba_data_tool;
+ 	bool trusted_for_delegation;
+ 	int trusted_for_delegation_explicit;
++	char *description;
+ };
+ 
+ static adcli_result
+@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
+ 	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
+ 	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
+ 	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
++	char *vals_description[] = { enroll->description, NULL };
++	LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
+ 
+ 	char *val = NULL;
+ 
+@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
+ 		&operatingSystemServicePack,
+ 		&userPrincipalName,
+ 		&servicePrincipalName,
++		&description,
+ 		NULL
+ 	};
+ 
+@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
+ 		res |= update_computer_attribute (enroll, ldap, mods);
+ 	}
+ 
++	if (res == ADCLI_SUCCESS && enroll->description != NULL) {
++		char *vals_description[] = { enroll->description, NULL };
++		LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
++		LDAPMod *mods[] = { &description, NULL, };
++
++		res |= update_computer_attribute (enroll, ldap, mods);
++	}
++
+ 	if (res != 0)
+ 		_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
+ }
+@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+ 	enroll->trusted_for_delegation_explicit = 1;
+ }
+ 
++void
++adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
++{
++	return_if_fail (enroll != NULL);
++	if (value != NULL && value[0] != '\0') {
++		_adcli_str_set (&enroll->description, value);
++	}
++}
++
++const char *
++adcli_enroll_get_desciption (adcli_enroll *enroll)
++{
++	return_val_if_fail (enroll != NULL, NULL);
++	return enroll->description;
++}
++
+ const char **
+ adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
+ {
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 11eb517..0606169 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -126,6 +126,10 @@ bool               adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
+ void               adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
+                                                             bool value);
+ 
++const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
++void               adcli_enroll_set_description         (adcli_enroll *enroll,
++                                                         const char *value);
++
+ krb5_kvno          adcli_enroll_get_kvno                (adcli_enroll *enroll);
+ 
+ void               adcli_enroll_set_kvno                (adcli_enroll *enroll,
+diff --git a/tools/computer.c b/tools/computer.c
+index c8b96a4..840e334 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -112,6 +112,7 @@ typedef enum {
+ 	opt_trusted_for_delegation,
+ 	opt_add_service_principal,
+ 	opt_remove_service_principal,
++	opt_description,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
+ 	                              "in the userAccountControl attribute", },
+ 	{ opt_add_service_principal, "add the given service principal to the account\n" },
+ 	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
++	{ opt_description, "add a description to the account\n" },
+ 	{ opt_no_password, "don't prompt for or read a password" },
+ 	{ opt_prompt_password, "prompt for a password if necessary" },
+ 	{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
+@@ -306,6 +308,9 @@ parse_option (Option opt,
+ 	case opt_remove_service_principal:
+ 		adcli_enroll_add_service_principal_to_remove (enroll, optarg);
+ 		return ADCLI_SUCCESS;
++	case opt_description:
++		adcli_enroll_set_description (enroll, optarg);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 
+@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+ 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
+@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ 		{ "os-name", required_argument, NULL, opt_os_name },
+ 		{ "os-version", required_argument, NULL, opt_os_version },
+ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
++		{ "description", optional_argument, NULL, opt_description },
+ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
+ 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
+ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
+-- 
+2.21.0
+
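Review bot: The new public getter is exported as `adcli_enroll_get_desciption` in both adenroll.c and adenroll.h, a misspelling that becomes part of the library's ABI once shipped and cannot be renamed later without keeping a compatibility alias; rename it to `adcli_enroll_get_description` before this lands. The `--description` option is registered with `optional_argument` in join and update, so the space-separated form `--description value` leaves `optarg` NULL and `adcli_enroll_set_description` silently ignores it, and its `value[0] != '\0'` check also means an empty value cannot clear an existing description; the usage text `"add a description to the account\n"` should state that the `--description=text` form is required. In `create_computer_account` `vals_description` is built from `enroll->description` even when it is NULL — presumably the mods array is filtered for NULL values like the other optional attributes, which is not visible here; confirm that, and that `enroll->description` is freed in the enroll destructor, which this patch does not touch.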
diff --git a/SOURCES/0002-add-option-use-ldaps.patch b/SOURCES/0002-add-option-use-ldaps.patch
new file mode 100644
index 0000000..ab34272
--- /dev/null
+++ b/SOURCES/0002-add-option-use-ldaps.patch
@@ -0,0 +1,378 @@
+From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 19 Dec 2019 07:22:33 +0100
+Subject: [PATCH 2/2] add option use-ldaps
+
+In general using the LDAP port with GSS-SPNEGO should satifiy all
+requirements an AD DC should have for authentication on an encrypted
+LDAP connection.
+
+But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
+with TLS encryption might be an alternative. For this use case the
+--use-ldaps option is added.
+
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
+---
+ doc/adcli.xml    | 24 +++++++++++++++
+ library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
+ library/adconn.h |  4 +++
+ tools/computer.c | 10 ++++++
+ tools/entry.c    | 11 +++++++
+ 5 files changed, 119 insertions(+), 9 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index dd30435..acced25 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -128,6 +128,30 @@
+ 			If not specified, then an appropriate domain controller
+ 			is automatically discovered.</para></listitem>
+ 		</varlistentry>
++		<varlistentry>
++			<term><option>--use-ldaps</option></term>
++			<listitem><para>Connect to the domain controller
++			with LDAPS. By default the LDAP port is used and SASL
++			GSS-SPNEGO or GSSAPI is used for authentication and to
++			establish encryption. This should satisfy all
++			requirements set on the server side and LDAPS should
++			only be used if the LDAP port is not accessible due to
++			firewalls or other reasons.</para>
++			<para> Please note that the place where CA certificates
++			can be found to validate the AD DC certificates
++			must be configured in the OpenLDAP configuration
++			file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
++			As an alternative it can be specified with the help of
++			an environment variable, e.g.
++<programlisting>
++$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
++...
++</programlisting>
++			Please see
++			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
++			<manvolnum>5</manvolnum></citerefentry> for details.
++			</para></listitem>
++		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+ 			<listitem><para>Use the specified kerberos credential
+diff --git a/library/adconn.c b/library/adconn.c
+index ffb54f9..7bab852 100644
+--- a/library/adconn.c
++++ b/library/adconn.c
+@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
+ 	char *domain_name;
+ 	char *domain_realm;
+ 	char *domain_controller;
++	bool use_ldaps;
+ 	char *canonical_host;
+ 	char *domain_short;
+ 	char *domain_sid;
+@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
+ 
+ static LDAP *
+ connect_to_address (const char *host,
+-                    const char *canonical_host)
++                    const char *canonical_host,
++                    bool use_ldaps)
+ {
+ 	struct addrinfo *res = NULL;
+ 	struct addrinfo *ai;
+@@ -783,6 +785,16 @@ connect_to_address (const char *host,
+ 	char *url;
+ 	int sock;
+ 	int rc;
++	int opt_rc;
++	const char *port = "389";
++	const char *proto = "ldap";
++	const char *errmsg = NULL;
++
++	if (use_ldaps) {
++		port = "636";
++		proto = "ldaps";
++		_adcli_info ("Using LDAPS to connect to %s", host);
++	}
+ 
+ 	memset (&hints, '\0', sizeof(hints));
+ #ifdef AI_ADDRCONFIG
+@@ -794,7 +806,7 @@ connect_to_address (const char *host,
+ 	if (!canonical_host)
+ 		canonical_host = host;
+ 
+-	rc = getaddrinfo (host, "389", &hints, &res);
++	rc = getaddrinfo (host, port, &hints, &res);
+ 	if (rc != 0) {
+ 		_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
+ 		return NULL;
+@@ -810,7 +822,7 @@ connect_to_address (const char *host,
+ 			close (sock);
+ 		} else {
+ 			error = 0;
+-			if (asprintf (&url, "ldap://%s", canonical_host) < 0)
++			if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
+ 				return_val_if_reached (NULL);
+ 			rc = ldap_init_fd (sock, 1, url, &ldap);
+ 			free (url);
+@@ -820,6 +832,25 @@ connect_to_address (const char *host,
+ 				            ldap_err2string (rc));
+ 				break;
+ 			}
++
++			if (use_ldaps) {
++				rc = ldap_install_tls (ldap);
++				if (rc != LDAP_SUCCESS) {
++					opt_rc = ldap_get_option (ldap,
++					                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
++					                          (void *) &errmsg);
++					if (opt_rc != LDAP_SUCCESS) {
++						errmsg = NULL;
++					}
++					_adcli_err ("Couldn't initialize TLS [%s]: %s",
++					            ldap_err2string (rc),
++					            errmsg == NULL ? "- no details -"
++					                           : errmsg);
++					ldap_unbind_ext_s (ldap, NULL, NULL);
++					ldap = NULL;
++					break;
++				}
++			}
+ 		}
+ 	}
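Review bot: The new LDAPS path installs TLS on the socket but never states what certificate verification it expects: ldap_install_tls inherits TLS_REQCERT from /etc/openldap/ldap.conf or the LDAPTLS_REQCERT environment variable, so a `never`/`allow` there silently turns --use-ldaps into an unauthenticated channel to whatever answered on port 636, which matters for a tool that is about to send a join credential. After a successful ldap_install_tls, read LDAP_OPT_X_TLS_REQUIRE_CERT back from the handle and refuse (or at least log) anything weaker than demand/hard; I believe the per-handle value reflects the global default, but confirm against the OpenLDAP version in use, and declare `int req_cert;` next to `opt_rc`. Separately, the diagnostic string fetched via LDAP_OPT_DIAGNOSTIC_MESSAGE is allocated by libldap and must be released with ldap_memfree(); the error path here leaks it. connect_to_address begins and ends outside this hunk.
```c
			if (use_ldaps) {
				rc = ldap_install_tls (ldap);
				if (rc != LDAP_SUCCESS) {
					/* … unchanged: fetch diagnostic message, _adcli_err … */
					ldap_memfree ((void *) errmsg);
					ldap_unbind_ext_s (ldap, NULL, NULL);
					ldap = NULL;
					break;
				}
				/* TLS_REQCERT is not set by adcli; it comes from ldap.conf or
				 * LDAPTLS_REQCERT. Refuse a session whose peer was not verified. */
				if (ldap_get_option (ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, &req_cert) == LDAP_SUCCESS
				    && req_cert != LDAP_OPT_X_TLS_DEMAND && req_cert != LDAP_OPT_X_TLS_HARD) {
					_adcli_err ("LDAPS connection to %s does not verify the server certificate (TLS_REQCERT)", host);
					ldap_unbind_ext_s (ldap, NULL, NULL);
					ldap = NULL;
					break;
				}
			}
```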
+ 
+@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
+ 	if (!canonical_host)
+ 		canonical_host = disco->host_addr;
+ 
+-	ldap = connect_to_address (disco->host_addr, canonical_host);
++	ldap = connect_to_address (disco->host_addr, canonical_host,
++	                           adcli_conn_get_use_ldaps (conn));
+ 	if (ldap == NULL)
+ 		return ADCLI_ERR_DIRECTORY;
+ 
+@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
+ 	status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
+ 	return_unexpected_if_fail (status == 0);
+ 
+-	/* Clumsily tell ldap + cyrus-sasl that we want encryption */
+-	ssf = 1;
+-	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+-	return_unexpected_if_fail (ret == 0);
++	if (adcli_conn_get_use_ldaps (conn)) {
++		/* do not use SASL encryption on LDAPS connection */
++		ssf = 0;
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++		return_unexpected_if_fail (ret == 0);
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
++		return_unexpected_if_fail (ret == 0);
++	} else {
++		/* Clumsily tell ldap + cyrus-sasl that we want encryption */
++		ssf = 1;
++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++		return_unexpected_if_fail (ret == 0);
++	}
+ 
+-	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
++	/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
++	 * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
++	 * without LDAPS. */
++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
++	                     && !adcli_conn_get_use_ldaps (conn)) {
+ 		mech =  "GSS-SPNEGO";
+ 	}
++	_adcli_info ("Using %s for SASL bind", mech);
+ 
+ 	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
+ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
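Review bot: The LDAPS branch disables the SASL security layer (ssf min and max 0) purely on the strength of the use_ldaps flag, so it is only safe because connect_to_address refuses to hand back a handle when ldap_install_tls fails; that coupling deserves a comment next to `ssf = 0`, e.g. `/* TLS installed in connect_to_address() already protects the session; a SASL layer on top is not needed and breaks GSS-SPNEGO */`. The comment above the mechanism selection has a typo (`cryrus-sasl`) and would read better as `/* cyrus-sasl and GSS-SPNEGO misbehave on a TLS-wrapped connection even with ssf_max = 0, so GSS-SPNEGO is only offered on plain LDAP; LDAPS keeps the default mechanism. */`. The default value of mech is assigned before this hunk and authenticate_to_directory continues past it.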
+@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
+ 	conn->refs = 1;
+ 	conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
+ 	adcli_conn_set_domain_name (conn, domain_name);
++	adcli_conn_set_use_ldaps (conn, false);
+ 	return conn;
+ }
+ 
+@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
+ 	no_more_disco (conn);
+ }
+ 
++bool
++adcli_conn_get_use_ldaps (adcli_conn *conn)
++{
++	return_val_if_fail (conn != NULL, NULL);
++	return conn->use_ldaps;
++}
++
++void
++adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
++{
++	return_if_fail (conn != NULL);
++	conn->use_ldaps = value;
++}
++
+ const char *
+ adcli_conn_get_domain_short (adcli_conn *conn)
+ {
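Review bot: `return_val_if_fail (conn != NULL, NULL)` in adcli_conn_get_use_ldaps returns the null pointer constant from a function declared `bool`; it converts to false but is a type mismatch compilers flag (-Wint-conversion) and reads as if a pointer were returned. Use `return_val_if_fail (conn != NULL, false);` so the fallback value is stated explicitly rather than arrived at through an implicit pointer-to-bool conversion.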
+diff --git a/library/adconn.h b/library/adconn.h
+index 37ebdd9..1d5faa8 100644
+--- a/library/adconn.h
++++ b/library/adconn.h
+@@ -89,6 +89,10 @@ const char *        adcli_conn_get_domain_controller (adcli_conn *conn);
+ void                adcli_conn_set_domain_controller (adcli_conn *conn,
+                                                       const char *value);
+ 
++bool                adcli_conn_get_use_ldaps         (adcli_conn *conn);
++void                adcli_conn_set_use_ldaps         (adcli_conn *conn,
++                                                      bool value);
++
+ const char *        adcli_conn_get_domain_short      (adcli_conn *conn);
+ 
+ const char *        adcli_conn_get_domain_sid        (adcli_conn *conn);
+diff --git a/tools/computer.c b/tools/computer.c
+index 840e334..292c4d8 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -113,12 +113,14 @@ typedef enum {
+ 	opt_add_service_principal,
+ 	opt_remove_service_principal,
+ 	opt_description,
++	opt_use_ldaps,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+ 	{ opt_domain, "active directory domain name" },
+ 	{ opt_domain_realm, "kerberos realm for the domain" },
+ 	{ opt_domain_controller, "domain controller to connect to" },
++	{ opt_use_ldaps, "use LDAPS port for communication" },
+ 	{ opt_host_fqdn, "override the fully qualified domain name of the\n"
+ 	                 "local machine" },
+ 	{ opt_host_keytab, "filename for the host kerberos keytab" },
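Review bot: The usage string `use LDAPS port for communication` does not tell the operator what they give up or must provide: with --use-ldaps the SASL encryption layer is switched off in favour of TLS, and server-certificate validation then depends on the CA configured for OpenLDAP. Suggest `{ opt_use_ldaps, "connect with LDAPS (TLS on port 636) instead of LDAP;\n" "the AD CA certificate must be configured for OpenLDAP" },`, and the same wording for the entry.c table further down.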
+@@ -311,6 +313,9 @@ parse_option (Option opt,
+ 	case opt_description:
+ 		adcli_enroll_set_description (enroll, optarg);
+ 		return ADCLI_SUCCESS;
++	case opt_use_ldaps:
++		adcli_conn_set_use_ldaps (conn, true);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 
+@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+ 		{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "user", required_argument, NULL, opt_login_user }, /* compat */
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "login-type", required_argument, NULL, opt_login_type },
+@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "login-type", required_argument, NULL, opt_login_type },
+diff --git a/tools/entry.c b/tools/entry.c
+index f361845..05e4313 100644
+--- a/tools/entry.c
++++ b/tools/entry.c
+@@ -53,6 +53,7 @@ typedef enum {
+ 	opt_unix_gid,
+ 	opt_unix_shell,
+ 	opt_nis_domain,
++	opt_use_ldaps,
+ } Option;
+ 
+ static adcli_tool_desc common_usages[] = {
+@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
+ 	{ opt_domain, "active directory domain name" },
+ 	{ opt_domain_realm, "kerberos realm for the domain" },
+ 	{ opt_domain_controller, "domain directory server to connect to" },
++	{ opt_use_ldaps, "use LDAPS port for communication" },
+ 	{ opt_login_ccache, "kerberos credential cache file which contains\n"
+ 	                    "ticket to used to connect to the domain" },
+ 	{ opt_login_user, "user (usually administrative) login name of\n"
+@@ -136,6 +138,9 @@ parse_option (Option opt,
+ 			stdin_password = 1;
+ 		}
+ 		return ADCLI_SUCCESS;
++	case opt_use_ldaps:
++		adcli_conn_set_use_ldaps (conn, true);
++		return ADCLI_SUCCESS;
+ 	case opt_verbose:
+ 		return ADCLI_SUCCESS;
+ 	default:
+@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "login-user", required_argument, NULL, opt_login_user },
+ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+ 		{ "no-password", no_argument, 0, opt_no_password },
+-- 
+2.21.0
+
diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec
index 371dfe4..022476f 100644
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@@ -1,6 +1,6 @@
 Name:		adcli
 Version:	0.8.2
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	Active Directory enrollment
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/adcli
@@ -90,6 +90,23 @@ Patch52:	0002-adconn-add-adcli_conn_set_krb5_context.patch
 Patch53:	0003-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch
 Patch54:	0004-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch
 
+# rhbz#1745931 - adcli update --add-samba-data does not work as expected
+Patch55:	0001-doc-explain-how-to-force-password-reset.patch
+Patch56:	0001-man-move-note-to-the-right-section.patch
+
+# rhbz#1745932 - Issue is that with arcfour-hmac as first encryption type
+Patch57:	0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch
+
+Patch58:	0001-Fix-for-issue-found-by-Coverity.patch
+
+# rhbz#1737342 - [RFE] enhancement adcli to set description attribute and to
+# show all AD attributes
+Patch59:	0001-tools-add-show-computer-command.patch
+Patch60:	0002-add-description-option-to-join-and-update.patch
+
+Patch61:	0001-Use-GSS-SPNEGO-if-available.patch
+Patch62:	0002-add-option-use-ldaps.patch
+
 BuildRequires:	gcc
 BuildRequires:	intltool pkgconfig
 BuildRequires:	libtool
@@ -150,6 +167,16 @@ documentation.
 %doc %{_datadir}/doc/adcli/*
 
 %changelog
+* Wed Jan 29 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-5
+- adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t
+  sssd [#1762420]
+
+* Thu Nov 28 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-4
+- adcli update --add-samba-data does not work as expected [#1745931]
+- Issue is that with arcfour-hmac as first encryption type [#1745932]
+- [RFE] enhancement adcli to set description attribute and to show all AD
+  attributes [#1737342]
+
 * Fri Jun 14 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-3
 - use autosetup macro to simplify patch handling
 - fixed rpmlint warnings in the spec file
-- 
GitLab