import adcli-0.8.2-9.el8

SOURCES/0001-doc-add-missing-samba_data_tool_path.xml-.in-to-EXTR.patch

+From 2edc26afda17db1a92703deb16658e9de9f79e14 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 3 Sep 2019 14:39:37 +0200
+Subject: [PATCH] doc: add missing samba_data_tool_path.xml(.in) to EXTRA_DIST
+
+---
+ doc/Makefile.am | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 3a53843..4490688 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -31,6 +31,8 @@ EXTRA_DIST = \
+ 	static \
+ 	version.xml.in \
+ 	version.xml \
++	samba_data_tool_path.xml.in \
++	samba_data_tool_path.xml \
+ 	$(NULL)
+ 
+ CLEANFILES = \
+-- 
+2.28.0
+

SOURCES/0001-doc-explain-required-AD-permissions.patch

+From fa5c5fb4f8e7bcadf3e5a3798bd060720fd35eaa Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 20 Oct 2020 13:34:41 +0200
+Subject: [PATCH] doc: explain required AD permissions
+
+When using a restricted account with adcli some operations might fail
+because the account might not have all required permissions. The man
+page is extended and now explains which permissions are needed under
+given circumstances.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1852080
+Resolves: https://gitlab.freedesktop.org/realmd/adcli/-/issues/20
+---
+ doc/Makefile.am    |  10 ++++
+ doc/adcli.xml      | 132 +++++++++++++++++++++++++++++++++++++++++++++
+ library/adenroll.c |  30 ++++++-----
+ 3 files changed, 160 insertions(+), 12 deletions(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 4490688..50fb777 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -33,14 +33,17 @@ EXTRA_DIST = \
+ 	version.xml \
+ 	samba_data_tool_path.xml.in \
+ 	samba_data_tool_path.xml \
++	permissions.xml \
+ 	$(NULL)
+ 
+ CLEANFILES = \
+ 	$(man8_MANS) \
++	permissions.xml \
+ 	$(NULL)
+ 
+ XSLTPROC_FLAGS = \
+ 	--nonet \
++	--xinclude \
+ 	--stringparam man.output.quietly 1 \
+ 	--stringparam funcsynopsis.style ansi \
+ 	--stringparam man.th.extra1.suppress 1 \
+@@ -50,6 +53,13 @@ XSLTPROC_FLAGS = \
+ XSLTPROC_MAN = \
+ 	$(XSLTPROC) $(XSLTPROC_FLAGS) http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl
+ 
++permissions.xml: ../library/adenroll.c adcli.xml
++	echo "<itemizedlist>" > $@
++	grep '".*".*/\* :ADPermissions: ' $< | sed -e 's#.*"\(.*\)".*/\* :ADPermissions: \(.*\)\*/$$#<listitem><para>\1</para><itemizedlist><listitem><para>\2</para></listitem></itemizedlist></listitem>#' | sed -e 's#\*#</para></listitem><listitem><para>#g' >> $@
++	echo "</itemizedlist>" >> $@
++
++$(man8_MANS): permissions.xml
++
+ .xml.8:
+ 	$(AM_V_GEN) $(XSLTPROC_MAN) $<
+ 
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 1437679..cc44fd8 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -885,6 +885,138 @@ Password for Administrator:
+ 
+ </refsect1>
+ 
++<refsect1 id='delegation'>
++	<title>Delegated Permissions</title>
++	<para>It is common practice in AD to not use an account from the Domain
++	Administrators group to join a machine to a domain but use a dedicated
++	account which only has permissions to join a machine to one or more OUs
++	in the Active Directory tree. Giving the needed permissions to a single
++	account or a group in Active Directory is called Delegation. A typical
++	example on how to configured Delegation can be found in the Delegation
++	section of the blog post
++	<ulink url="https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain">Who can add workstation to the domain</ulink>.
++	</para>
++
++	<para>When using an account with delegated permissions with adcli
++	basically the same applies as well. However some aspects are explained
++	here in a bit more details to better illustrate different concepts of
++	Active Directory and to make it more easy to debug permissions issues
++	during the join. Please note that the following is not specific to
++	adcli but applies to all applications which would like to modify
++	certain properties or objects in Active Directory with an account with
++	limited permissions.</para>
++
++	<para>First, as said in the blog post it is sufficient to have
++	<literal>"Create computer object"</literal> permissions to join a
++	computer to a domain. But this would only work as expected if the
++	computer object does not exist in Active Directory before the join.
++	Because only when a new object is created Active Directory does not
++	apply additional permission checks on the attributes of the new
++	computer object. This means the delegated user can add any kind of
++	attribute with any value to a new computer object also long as they
++	meet general constraints like e.g. that the attribute must be defined
++	in the schema and is allowed in a objectclass of the object, the value
++	must match the syntax defined in the schema or that the
++	<option>sAMAccountName</option> must be unique in the domain.</para>
++
++	<para>If you want to use the account with delegated permission to
++	remove computer objects in Active Directory (adcli delete-computer) you
++	should of course make sure that the account has
++	<literal>"Delete computer object"</literal> permissions.</para>
++
++	<para>If the computer object already exists the
++	<literal>"Create computer object"</literal> permission does not apply
++	anymore since now an existing object must be modified. Now permissions
++	on the individual attributes are needed. e.g.
++	<literal>"Read and write Account Restrictions"</literal> or
++	<literal>"Reset Password"</literal>. For some attributes Active
++	Directory has two types of permissions the plain
++	<literal>"Read and Write"</literal> permissions and the
++	<literal>"Validated Write"</literal> permissions. For the latter case
++	there are two specific permissions relevant for adcli, namely
++		<itemizedlist>
++			<listitem><para>Validated write to DNS host name</para></listitem>
++			<listitem><para>Validated write to service principal name</para></listitem>
++		</itemizedlist>
++	Details about the validation of the values can be found in the
++	<literal>"Validated Writes"</literal> section of
++	<literal>[MS-ADTS]</literal>, especially
++	<ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1">dNSHostName</ulink>
++	and
++	<ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada">servicePrincipalName</ulink>.
++	To cut it short for <literal>"Validated write to DNS host name"</literal>
++	the domain part of the fully-qualified hostname must either match the
++	domain name of the domain you want to join to or must be listed in the
++	<option>msDS-AllowedDNSSuffixes</option> attribute. And for
++	<literal>"Validated write to service principal name"</literal> the
++	hostname part of the service principal name must match the name stored
++	in <option>dNSHostName</option> or some other attributes which are
++	not handled by adcli. This also means that
++	<option>dNSHostName</option> cannot be empty or only contain a short
++	name if the service principal name should contain a fully-qualified
++	name.</para>
++
++	<para>To summarize, if you only have validated write permissions you
++	should make sure the domain part of the hostname matches the domain you
++	want to join or use the <option>--host-fqdn</option> with a matching
++	name.</para>
++
++	<para>The plain read write permissions do not run additional
++	validations but the attribute values must still be in agreement with
++	the general constraints mentioned above. If the computer object already
++	exists adcli might need the following permissions which are also needed
++	by Windows clients to modify existing attributes:
++		<itemizedlist>
++			<listitem><para>Reset Password</para></listitem>
++			<listitem><para>Read and write Account Restrictions</para></listitem>
++			<listitem><para>Read and (validated) write to DNS host name</para></listitem>
++			<listitem><para>Read and (validated) write to service principal name</para></listitem>
++		</itemizedlist>
++	additionally adcli needs
++		<itemizedlist>
++			<listitem><para>Read and write msDS-supportedEncryptionTypes</para></listitem>
++		</itemizedlist>
++	This is added for security reasons to avoid that Active Directory
++	stores Kerberos keys with (potentially weaker) encryption types than
++	the client supports since Active Directory is often configured to still
++	support older (weaker) encryption types for compatibility reasons.
++	</para>
++
++	<para>All other attributes are only set or modified on demand, i.e.
++	adcli must be called with an option the would set or modify the given
++	attribute. In the following the attributes adcli can modify together
++	with the required permissions are listed:
++	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="permissions.xml" />
++	</para>
++
++	<para>For the management of users and groups (adcli create-user,
++	adcli delete-user, adcli create-group, adcli delete-group) the same
++	applies only for different types of objects, i.e. users and groups.
++	Since currently adcli only supports the creation and the removal of
++	user and group objects it is sufficient to have the
++	<literal>"Create/Delete User objects"</literal> and
++	<literal>"Create/Delete Group objects"</literal> permissions.</para>
++
++	<para>If you want to manage group members as well (adcli add-member,
++	adcli remove-member) <literal>"Read/Write Members"</literal> permissions
++	are needed as well.</para>
++
++	<para>Depending on the version of Active Directory the
++	<literal>"Delegation of Control Wizard"</literal> might offer some
++	shortcuts for common task like e.g.
++		<itemizedlist>
++			<listitem><para>Create, delete and manage user accounts</para></listitem>
++			<listitem><para>Create, delete and manage groups</para></listitem>
++			<listitem><para>Modify the membership of a group</para></listitem>
++		</itemizedlist>
++	The first 2 shortcuts will provided full access to user and group
++	objects which, as explained above, is more than currently is needed.
++	After using those shortcut it is a good idea to verify in the
++	<literal>"Security"</literal> tab in the <literal>"Properties"</literal>
++	of the related Active Directory container that the assigned permissions
++	meet the expectations.</para>
++</refsect1>
++
+ <refsect1 id='bugs'>
+ 	<title>Bugs</title>
+ 	<para>
+diff --git a/library/adenroll.c b/library/adenroll.c
+index e745295..98e9786 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -71,19 +71,25 @@ static krb5_enctype v51_earlier_enctypes[] = {
+ 	0
+ };
+ 
++/* The following list containst all attributes handled by adcli, some are
++ * read-only and the others can be written as well. To properly document the
++ * required permissions each attribute which adcli tries to modify should have
++ * a comment starting with ':ADPermissions:' and the related permissions in AD
++ * on the same line. Multiple permissions can be seperated with a '*'. For all
++ * other attribute a suitable comment is very welcome. */
+ static char *default_ad_ldap_attrs[] =  {
+-	"sAMAccountName",
+-	"userPrincipalName",
+-	"msDS-KeyVersionNumber",
+-	"msDS-supportedEncryptionTypes",
+-	"dNSHostName",
+-	"servicePrincipalName",
+-	"operatingSystem",
+-	"operatingSystemVersion",
+-	"operatingSystemServicePack",
+-	"pwdLastSet",
+-	"userAccountControl",
+-	"description",
++	"sAMAccountName", /* Only set during creation */
++	"userPrincipalName",   /* :ADPermissions: Read/Write userPrincipal Name */
++	"msDS-KeyVersionNumber", /* Manages by AD */
++	"msDS-supportedEncryptionTypes", /* :ADPermissions: Read/Write msDS-SupportedEncryptionTypes */
++	"dNSHostName", /* :ADPermissions: Read/Write dNSHostName * Read and write DNS host name attributes * Validated write to DNS host name */
++	"servicePrincipalName", /* :ADPermissions: Read/Write servicePrincipalName * Validated write to service principal name */
++	"operatingSystem", /* :ADPermissions: Read/Write Operating System */
++	"operatingSystemVersion", /* :ADPermissions: Read/Write Operating System Version */
++	"operatingSystemServicePack", /* :ADPermissions: Read/Write operatingSystemServicePack */
++	"pwdLastSet", /* Managed by AD */
++	"userAccountControl", /* :ADPermissions: Read/Write userAccountControl */
++	"description", /* :ADPermissions: Read/Write Description */
+ 	NULL,
+ };
+ 
+-- 
+2.28.0
+

SOURCES/0001-enroll-add-is_service-member.patch

+From 4e4dbf8d2b437808863f8be85e7f30865d88c7fc Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 23 Oct 2020 16:46:43 +0200
+Subject: [PATCH 1/7] enroll: add is_service member
+
+Add helpers to indicate a managed service account.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
+---
+ library/adenroll.c | 17 +++++++++++++++++
+ library/adenroll.h |  4 ++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 98e9786..5ae1f7b 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -103,6 +103,8 @@ static char *default_ad_ldap_attrs[] =  {
+ struct _adcli_enroll {
+ 	int refs;
+ 	adcli_conn *conn;
++	bool is_service;
++	bool is_service_explicit;
+ 
+ 	char *host_fqdn;
+ 	int host_fqdn_explicit;
+@@ -2942,6 +2944,21 @@ adcli_enroll_get_desciption (adcli_enroll *enroll)
+ 	return enroll->description;
+ }
+ 
++void
++adcli_enroll_set_is_service (adcli_enroll *enroll, bool value)
++{
++	return_if_fail (enroll != NULL);
++
++	enroll->is_service = value;
++	enroll->is_service_explicit = true;
++}
++
++bool
++adcli_enroll_get_is_service (adcli_enroll *enroll)
++{
++	return enroll->is_service;
++}
++
+ const char **
+ adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
+ {
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 0606169..7765ed4 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -130,6 +130,10 @@ const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
+ void               adcli_enroll_set_description         (adcli_enroll *enroll,
+                                                          const char *value);
+ 
++bool               adcli_enroll_get_is_service          (adcli_enroll *enroll);
++void               adcli_enroll_set_is_service          (adcli_enroll *enroll,
++                                                         bool value);
++
+ krb5_kvno          adcli_enroll_get_kvno                (adcli_enroll *enroll);
+ 
+ void               adcli_enroll_set_kvno                (adcli_enroll *enroll,
+-- 
+2.28.0
+

SOURCES/0001-join-update-set-dNSHostName-if-not-set.patch

+From beb7abfacc0010987d2cd8ab70f7c373d309eed9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 15 Oct 2020 18:01:12 +0200
+Subject: [PATCH] join/update: set dNSHostName if not set
+
+If during a join or update an existing AD computer object does not have
+the dNSHostName attribute set it will be set with the current hostname.
+This is important for cases where the user doing the join or update only
+has "Validated write to service principal name" for the computer object.
+The validated write with fully-qualified names can only be successful if
+dNSHostName is set, see [MS-ADTS] section 3.1.1.5.3.1.1.4 "Validated
+Writes - servicePrincipalName" for details.
+
+Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1734764
+---
+ library/adenroll.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 246f658..e745295 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -1403,21 +1403,29 @@ update_computer_account (adcli_enroll *enroll)
+ {
+ 	int res = 0;
+ 	LDAP *ldap;
++	char *value = NULL;
+ 
+ 	ldap = adcli_conn_get_ldap_connection (enroll->conn);
+ 	return_if_fail (ldap != NULL);
+ 
+ 	/* Only update attributes which are explicitly given on the command
+-	 * line. Otherwise 'adcli update' must be always called with the same
+-	 * set of options to make sure existing attributes are not deleted or
+-	 * overwritten with different values. */
+-	if (enroll->host_fqdn_explicit) {
++	 * line or not set in the existing AD object. Otherwise 'adcli update'
++	 * must be always called with the same set of options to make sure
++	 * existing attributes are not deleted or overwritten with different
++	 * values. */
++	if (enroll->computer_attributes != NULL) {
++		value = _adcli_ldap_parse_value (ldap,
++		                                 enroll->computer_attributes,
++		                                 "dNSHostName");
++	}
++	if (enroll->host_fqdn_explicit || value == NULL ) {
+ 		char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
+ 		LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
+ 		LDAPMod *mods[] = { &dNSHostName, NULL };
+ 
+ 		res |= update_computer_attribute (enroll, ldap, mods);
+ 	}
++	free (value);
+ 
+ 	if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
+ 		char *vals_userAccountControl[] = { NULL , NULL };
+-- 
+2.28.0
+

SOURCES/0001-service-account-fix-typo-in-the-man-page-entry.patch

+From 637cc53953ef61c90530ae5eaf26eb4911336465 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 10 Dec 2020 18:29:18 +0100
+Subject: [PATCH] service-account: fix typo in the man page entry
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1906303
+---
+ doc/adcli.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index 14921f9..a64687a 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -943,7 +943,7 @@ Password for Administrator:
+ 	of the managed service account as a suffix. On most systems it would be
+ 	<filename>/etc/krb5.keytab</filename> with a suffix of
+ 	'domain.example.com', e.g.
+-	<filename>/etc/krb5.keytad.domain.example.com</filename>.</para>
++	<filename>/etc/krb5.keytab.domain.example.com</filename>.</para>
+ 
+ 	<para><command>adcli create-msa</command> can be called multiple
+ 	times to reset the password of the managed service account. To identify
+@@ -955,7 +955,7 @@ Password for Administrator:
+ 
+ 	<para>The managed service account password can be updated with
+ <programlisting>
+-$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytad.domain.example.com
++$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
+ </programlisting>
+ 	and the managed service account can be deleted with
+ <programlisting>
+-- 
+2.29.2
+

SOURCES/0001-tools-add-missing-use-ldaps-option-to-update-and-tes.patch

+From 76ca1e6737742208d83e016d43a3379e378f8d90 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 14 Oct 2020 17:44:10 +0200
+Subject: [PATCH] tools: add missing use-ldaps option to update and testjoin
+
+When adding the use-ldaps option the update and testjoin sub-commands
+were forgotten.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1883467
+---
+ tools/computer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index 24ea258..5a97d8b 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -491,6 +491,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ 	struct option options[] = {
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "host-fqdn", required_argument, 0, opt_host_fqdn },
+ 		{ "computer-name", required_argument, 0, opt_computer_name },
+ 		{ "host-keytab", required_argument, 0, opt_host_keytab },
+@@ -612,6 +613,7 @@ adcli_tool_computer_testjoin (adcli_conn *conn,
+ 	struct option options[] = {
+ 		{ "domain", required_argument, NULL, opt_domain },
+ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
+ 		{ "host-keytab", required_argument, 0, opt_host_keytab },
+ 		{ "verbose", no_argument, NULL, opt_verbose },
+ 		{ "help", no_argument, NULL, 'h' },
+-- 
+2.28.0
+

SOURCES/0003-enroll-use-computer-or-service-in-debug-messages.patch

+From eea6a8071b5e5df74808903bb15b30acf820ce3f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 23 Oct 2020 16:55:11 +0200
+Subject: [PATCH 3/7] enroll: use 'computer' or 'service' in debug messages
+
+Use proper account type in debug messages.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
+---
+ library/adenroll.c | 115 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 72 insertions(+), 43 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index dbfda36..9cdc79b 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -155,6 +155,12 @@ struct _adcli_enroll {
+ 	char *description;
+ };
+ 
++static const char *
++s_or_c (adcli_enroll *enroll)
++{
++	return enroll->is_service ? "service" : "computer";
++}
++
+ static void
+ check_if_service (adcli_enroll *enroll,
+                   LDAP *ldap,
+@@ -203,13 +209,15 @@ ensure_computer_name (adcli_result res,
+ 		return res;
+ 
+ 	if (enroll->computer_name) {
+-		_adcli_info ("Enrolling computer name: %s",
++		_adcli_info ("Enrolling %s name: %s",
++		             s_or_c (enroll),
+ 		             enroll->computer_name);
+ 		return ADCLI_SUCCESS;
+ 	}
+ 
+ 	if (!enroll->host_fqdn) {
+-		_adcli_err ("No host name from which to determine the computer name");
++		_adcli_err ("No host name from which to determine the %s name",
++		            s_or_c (enroll));
+ 		return ADCLI_ERR_CONFIG;
+ 	}
+ 
+@@ -603,7 +611,8 @@ lookup_computer_container (adcli_enroll *enroll,
+ 
+ 	} else if (ret != LDAP_SUCCESS) {
+ 		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
+-		                                   "Couldn't lookup computer container: %s", base);
++		                                   "Couldn't lookup %s container: %s",
++		                                   s_or_c (enroll), base);
+ 	}
+ 
+ 	values = _adcli_ldap_parse_values (ldap, results, attrs[0]);
+@@ -614,8 +623,8 @@ lookup_computer_container (adcli_enroll *enroll,
+ 		if (strncmp (values[i], prefix, prefix_len) == 0) {
+ 			enroll->computer_container = strdup (values[i] + prefix_len);
+ 			return_unexpected_if_fail (enroll->computer_container != NULL);
+-			_adcli_info ("Found well known computer container at: %s",
+-			             enroll->computer_container);
++			_adcli_info ("Found well known %s container at: %s",
++			             s_or_c (enroll), enroll->computer_container);
+ 			break;
+ 		}
+ 	}
+@@ -629,8 +638,9 @@ lookup_computer_container (adcli_enroll *enroll,
+ 		if (ret == LDAP_SUCCESS) {
+ 			enroll->computer_container = _adcli_ldap_parse_dn (ldap, results);
+ 			if (enroll->computer_container) {
+-				_adcli_info ("Well known computer container not "
++				_adcli_info ("Well known %s container not "
+ 				             "found, but found suitable one at: %s",
++				             s_or_c (enroll),
+ 				             enroll->computer_container);
+ 			}
+ 		}
+@@ -646,7 +656,8 @@ lookup_computer_container (adcli_enroll *enroll,
+ 	}
+ 
+ 	if (!enroll->computer_container) {
+-		_adcli_err ("Couldn't find location to create computer accounts");
++		_adcli_err ("Couldn't find location to create %s accounts",
++		            s_or_c (enroll));
+ 		return ADCLI_ERR_DIRECTORY;
+ 	}
+ 
+@@ -674,7 +685,8 @@ calculate_computer_account (adcli_enroll *enroll,
+ 	if (asprintf (&enroll->computer_dn, "CN=%s,%s", enroll->computer_name, enroll->computer_container) < 0)
+ 		return_unexpected_if_reached ();
+ 
+-	_adcli_info ("Calculated computer account: %s", enroll->computer_dn);
++	_adcli_info ("Calculated %s account: %s",
++	             s_or_c (enroll), enroll->computer_dn);
+ 	return ADCLI_SUCCESS;
+ }
+ 
+@@ -861,7 +873,8 @@ create_computer_account (adcli_enroll *enroll,
+ 		                                   enroll->computer_dn);
+ 	}
+ 
+-	_adcli_info ("Created computer account: %s", enroll->computer_dn);
++	_adcli_info ("Created %s account: %s", s_or_c (enroll),
++	                                       enroll->computer_dn);
+ 	return ADCLI_SUCCESS;
+ }
+ 
+@@ -908,17 +921,17 @@ validate_computer_account (adcli_enroll *enroll,
+ 	assert (enroll->computer_dn != NULL);
+ 
+ 	if (already_exists && !allow_overwrite) {
+-		_adcli_err ("The computer account %s already exists",
+-		            enroll->computer_name);
++		_adcli_err ("The %s account %s already exists",
++		            s_or_c (enroll), enroll->computer_name);
+ 		return ADCLI_ERR_CONFIG;
+ 	}
+ 
+ 	/* Do we have an explicitly requested ou? */
+ 	if (enroll->domain_ou && enroll->domain_ou_explicit && already_exists) {
+ 		if (!_adcli_ldap_dn_has_ancestor (enroll->computer_dn, enroll->domain_ou)) {
+-			_adcli_err ("The computer account %s already exists, "
++			_adcli_err ("The %s account %s already exists, "
+ 			            "but is not in the desired organizational unit.",
+-			            enroll->computer_name);
++			            s_or_c (enroll), enroll->computer_name);
+ 			return ADCLI_ERR_CONFIG;
+ 		}
+ 	}
+@@ -943,7 +956,8 @@ delete_computer_account (adcli_enroll *enroll,
+ 		                                   "Couldn't delete computer account: %s",
+ 		                                   enroll->computer_dn);
+ 	} else {
+-		_adcli_info ("Deleted computer account at: %s", enroll->computer_dn);
++		_adcli_info ("Deleted %s account at: %s", s_or_c (enroll),
++		                                          enroll->computer_dn);
+ 	}
+ 
+ 	return ADCLI_SUCCESS;
+@@ -992,20 +1006,21 @@ locate_computer_account (adcli_enroll *enroll,
+ 			free (enroll->computer_dn);
+ 			enroll->computer_dn = strdup (dn);
+ 			return_unexpected_if_fail (enroll->computer_dn != NULL);
+-			_adcli_info ("Found computer account for %s at: %s",
+-			             enroll->computer_sam, dn);
++			_adcli_info ("Found %s account for %s at: %s",
++			             s_or_c (enroll), enroll->computer_sam, dn);
+ 			ldap_memfree (dn);
+ 
+ 		} else {
+ 			ldap_msgfree (results);
+ 			results = NULL;
+-			_adcli_info ("Computer account for %s does not exist",
+-			             enroll->computer_sam);
++			_adcli_info ("A %s account for %s does not exist",
++			             s_or_c (enroll), enroll->computer_sam);
+ 		}
+ 
+ 	} else {
+ 		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
+-		                                   "Couldn't lookup computer account: %s",
++		                                   "Couldn't lookup %s account: %s",
++		                                   s_or_c (enroll),
+ 		                                   enroll->computer_sam);
+ 	}
+ 
+@@ -1039,7 +1054,9 @@ load_computer_account (adcli_enroll *enroll,
+ 	if (ret == LDAP_SUCCESS) {
+ 		entry = ldap_first_entry (ldap, results);
+ 		if (entry) {
+-			_adcli_info ("Found computer account for %s at: %s",
++			check_if_service (enroll, ldap, results);
++			_adcli_info ("Found %s account for %s at: %s",
++			             s_or_c (enroll),
+ 			             enroll->computer_sam, enroll->computer_dn);
+ 		}
+ 
+@@ -1146,7 +1163,8 @@ set_password_with_user_creds (adcli_enroll *enroll)
+ 	                                       &result_code_string, &result_string);
+ 
+ 	if (code != 0) {
+-		_adcli_err ("Couldn't set password for computer account: %s: %s",
++		_adcli_err ("Couldn't set password for %s account: %s: %s",
++		            s_or_c (enroll),
+ 		            enroll->computer_sam, krb5_get_error_message (k5, code));
+ 		/* TODO: Parse out these values */
+ 		res = ADCLI_ERR_DIRECTORY;
+@@ -1160,7 +1178,8 @@ set_password_with_user_creds (adcli_enroll *enroll)
+ 		if (result_string.length)
+ 			message = _adcli_str_dupn (result_string.data, result_string.length);
+ #endif
+-		_adcli_err ("Cannot set computer password: %.*s%s%s",
++		_adcli_err ("Cannot set %s password: %.*s%s%s",
++		            s_or_c (enroll),
+ 		            (int)result_code_string.length, result_code_string.data,
+ 		            message ? ": " : "", message ? message : "");
+ 		res = ADCLI_ERR_CREDENTIALS;
+@@ -1170,7 +1189,7 @@ set_password_with_user_creds (adcli_enroll *enroll)
+ 		free (message);
+ #endif
+ 	} else {
+-		_adcli_info ("Set computer password");
++		_adcli_info ("Set %s password", s_or_c (enroll));
+ 		if (enroll->kvno > 0) {
+ 			enroll->kvno++;
+ 			_adcli_info ("kvno incremented to %d", enroll->kvno);
+@@ -1203,7 +1222,8 @@ set_password_with_computer_creds (adcli_enroll *enroll)
+ 
+ 	code = _adcli_kinit_computer_creds (enroll->conn, "kadmin/changepw", NULL, &creds);
+ 	if (code != 0) {
+-		_adcli_err ("Couldn't get change password ticket for computer account: %s: %s",
++		_adcli_err ("Couldn't get change password ticket for %s account: %s: %s",
++		            s_or_c (enroll),
+ 		            enroll->computer_sam, krb5_get_error_message (k5, code));
+ 		return ADCLI_ERR_DIRECTORY;
+ 	}
+@@ -1214,7 +1234,8 @@ set_password_with_computer_creds (adcli_enroll *enroll)
+ 	krb5_free_cred_contents (k5, &creds);
+ 
+ 	if (code != 0) {
+-		_adcli_err ("Couldn't change password for computer account: %s: %s",
++		_adcli_err ("Couldn't change password for %s account: %s: %s",
++		            s_or_c (enroll),
+ 		            enroll->computer_sam, krb5_get_error_message (k5, code));
+ 		/* TODO: Parse out these values */
+ 		res = ADCLI_ERR_DIRECTORY;
+@@ -1284,7 +1305,8 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 
+ 	if (ret != LDAP_SUCCESS) {
+ 		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
+-		                                   "Couldn't retrieve computer account info: %s",
++		                                   "Couldn't retrieve %s account info: %s",
++		                                   s_or_c (enroll),
+ 		                                   enroll->computer_dn);
+ 	}
+ 
+@@ -1294,15 +1316,15 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 		if (value != NULL) {
+ 			kvno = strtoul (value, &end, 10);
+ 			if (end == NULL || *end != '\0') {
+-				_adcli_err ("Invalid kvno '%s' for computer account in directory: %s",
+-				            value, enroll->computer_dn);
++				_adcli_err ("Invalid kvno '%s' for %s account in directory: %s",
++				            value, s_or_c (enroll), enroll->computer_dn);
+ 				res = ADCLI_ERR_DIRECTORY;
+ 
+ 			} else {
+ 				enroll->kvno = kvno;
+ 
+-				_adcli_info ("Retrieved kvno '%s' for computer account in directory: %s",
+-				             value, enroll->computer_dn);
++				_adcli_info ("Retrieved kvno '%s' for %s account in directory: %s",
++				             value, s_or_c (enroll), enroll->computer_dn);
+ 			}
+ 
+ 			free (value);
+@@ -1311,8 +1333,8 @@ retrieve_computer_account (adcli_enroll *enroll)
+ 			/* Apparently old AD didn't have this attribute, use zero */
+ 			enroll->kvno = 0;
+ 
+-			_adcli_info ("No kvno found for computer account in directory: %s",
+-			             enroll->computer_dn);
++			_adcli_info ("No kvno found for %s account in directory: %s",
++			             s_or_c (enroll), enroll->computer_dn);
+ 		}
+ 	}
+ 
+@@ -1353,12 +1375,14 @@ update_and_calculate_enctypes (adcli_enroll *enroll)
+ 
+ 	if (ret == LDAP_INSUFFICIENT_ACCESS) {
+ 		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_CREDENTIALS,
+-		                                   "Insufficient permissions to set encryption types on computer account: %s",
++		                                   "Insufficient permissions to set encryption types on %s account: %s",
++		                                   s_or_c (enroll),
+ 		                                   enroll->computer_dn);
+ 
+ 	} else if (ret != LDAP_SUCCESS) {
+ 		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
+-		                                   "Couldn't set encryption types on computer account: %s",
++		                                   "Couldn't set encryption types on %s account: %s",
++		                                   s_or_c (enroll),
+ 		                                   enroll->computer_dn);
+ 	}
+ 
+@@ -1381,13 +1405,14 @@ update_computer_attribute (adcli_enroll *enroll,
+ 	string = _adcli_ldap_mods_to_string (mods);
+ 	return_unexpected_if_fail (string != NULL);
+ 
+-	_adcli_info ("Modifying computer account: %s", string);
++	_adcli_info ("Modifying %s account: %s", s_or_c (enroll), string);
+ 
+ 	ret = ldap_modify_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL);
+ 
+ 	if (ret != LDAP_SUCCESS) {
+-		_adcli_warn ("Couldn't set %s on computer account: %s: %s",
+-		             string, enroll->computer_dn, ldap_err2string (ret));
++		_adcli_warn ("Couldn't set %s on %s account: %s: %s",
++		             string, s_or_c (enroll), enroll->computer_dn,
++		             ldap_err2string (ret));
+ 		res = ADCLI_ERR_DIRECTORY;
+ 	}
+ 
+@@ -1411,8 +1436,8 @@ static char *get_user_account_control (adcli_enroll *enroll)
+ 
+ 		attr_val = strtoul (uac_str, &end, 10);
+ 		if (*end != '\0' || attr_val > UINT32_MAX) {
+-			_adcli_warn ("Invalid userAccountControl '%s' for computer account in directory: %s, assuming 0",
+-			            uac_str, enroll->computer_dn);
++			_adcli_warn ("Invalid userAccountControl '%s' for %s account in directory: %s, assuming 0",
++			            uac_str, s_or_c (enroll), enroll->computer_dn);
+ 		} else {
+ 			uac = attr_val;
+ 		}
+@@ -1653,7 +1678,8 @@ load_keytab_entry (krb5_context k5,
+ 		    _adcli_str_has_suffix (name, "$") && !strchr (name, '/')) {
+ 			enroll->computer_name = name;
+ 			name[len - 1] = '\0';
+-			_adcli_info ("Found computer name in keytab: %s", name);
++			_adcli_info ("Found %s name in keytab: %s",
++			             s_or_c (enroll), name);
+ 			adcli_conn_set_computer_name (enroll->conn,
+ 			                              enroll->computer_name);
+ 			name = NULL;
+@@ -2348,7 +2374,8 @@ adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+ 		if (!enroll->computer_dn) {
+-			_adcli_err ("No computer account for %s exists", enroll->computer_sam);
++			_adcli_err ("No %s account for %s exists",
++			            s_or_c (enroll), enroll->computer_sam);
+ 			return ADCLI_ERR_CONFIG;
+ 		}
+ 	}
+@@ -2460,7 +2487,8 @@ adcli_enroll_delete (adcli_enroll *enroll,
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+ 		if (!enroll->computer_dn) {
+-			_adcli_err ("No computer account for %s exists",
++			_adcli_err ("No %s account for %s exists",
++			            s_or_c (enroll),
+ 			            enroll->computer_sam);
+ 			return ADCLI_ERR_CONFIG;
+ 		}
+@@ -2503,7 +2531,8 @@ adcli_enroll_password (adcli_enroll *enroll,
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+ 		if (!enroll->computer_dn) {
+-			_adcli_err ("No computer account for %s exists",
++			_adcli_err ("No %s account for %s exists",
++			            s_or_c (enroll),
+ 			            enroll->computer_sam);
+ 			return ADCLI_ERR_CONFIG;
+ 		}
+-- 
+2.28.0
+

SOURCES/0004-enroll-more-filters-for-random-characters.patch

+From 2750f536ac6746756335eec8332060d2365a4126 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 27 Oct 2020 14:44:07 +0100
+Subject: [PATCH 4/7] enroll: more filters for random characters
+
+Make handling of random strings more flexible.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
+---
+ library/adenroll.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 9cdc79b..44383cc 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -259,6 +259,29 @@ ensure_computer_sam (adcli_result res,
+ 	return ADCLI_SUCCESS;
+ }
+ 
++typedef int (rand_filter) (char *password, int length);
++
++static int
++filter_sam_chars (char *password,
++                       int length)
++{
++	int i, j;
++
++	/*
++	 * There are a couple of restrictions for characters in the
++	 * sAMAccountName attribute value, for our purpose (random suffix)
++	 * letters and numbers are sufficient.
++	 */
++	for (i = 0, j = 0; i < length; i++) {
++		if (password[i] >= 48 && password[i] <= 122 &&
++		    isalnum (password[i]))
++			password[j++] = password[i];
++	}
++
++	/* return the number of valid characters remaining */
++	return j;
++}
++
+ static int
+ filter_password_chars (char *password,
+                        int length)
+@@ -283,7 +306,8 @@ filter_password_chars (char *password,
+ 
+ static char *
+ generate_host_password  (adcli_enroll *enroll,
+-                         size_t length)
++                         size_t length,
++                         rand_filter *filter)
+ {
+ 	char *password;
+ 	krb5_context k5;
+@@ -305,7 +329,7 @@ generate_host_password  (adcli_enroll *enroll,
+ 		code = krb5_c_random_make_octets (k5, &buffer);
+ 		return_val_if_fail (code == 0, NULL);
+ 
+-		at += filter_password_chars (buffer.data, buffer.length);
++		at += filter (buffer.data, buffer.length);
+ 		assert (at <= length);
+ 	}
+ 
+@@ -333,7 +357,7 @@ ensure_computer_password (adcli_result res,
+ 		_adcli_info ("Using default reset computer password");
+ 
+ 	} else {
+-		enroll->computer_password = generate_host_password (enroll, length);
++		enroll->computer_password = generate_host_password (enroll, length, filter_password_chars);
+ 		return_unexpected_if_fail (enroll->computer_password != NULL);
+ 		_adcli_info ("Generated %d character computer password", length);
+ 	}
+-- 
+2.28.0
+

SOURCES/0005-enroll-make-adcli_enroll_add_keytab_for_service_acco.patch

+From 81c98e367ba4bc8d77668acd31e462ad31cf12be Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 27 Oct 2020 14:47:31 +0100
+Subject: [PATCH 5/7] enroll: make adcli_enroll_add_keytab_for_service_account
+ public
+
+Determine keytab name more early to catch errors more early.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
+---
+ library/adenroll.c | 13 +++++++------
+ library/adenroll.h |  2 ++
+ tools/computer.c   |  6 ++++++
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 44383cc..05bb085 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -2276,9 +2276,10 @@ adcli_enroll_add_description_for_service_account (adcli_enroll *enroll)
+ 	return ADCLI_SUCCESS;
+ }
+ 
+-static adcli_result
++adcli_result
+ adcli_enroll_add_keytab_for_service_account (adcli_enroll *enroll)
+ {
++	adcli_result res;
+ 	krb5_context k5;
+ 	krb5_error_code code;
+ 	char def_keytab_name[MAX_KEYTAB_NAME_LEN];
+@@ -2286,11 +2287,14 @@ adcli_enroll_add_keytab_for_service_account (adcli_enroll *enroll)
+ 	int ret;
+ 
+ 	if (adcli_enroll_get_keytab_name (enroll) == NULL) {
+-		k5 = adcli_conn_get_krb5_context (enroll->conn);
+-		return_unexpected_if_fail (k5 != NULL);
++		res = _adcli_krb5_init_context (&k5);
++		if (res != ADCLI_SUCCESS) {
++			return res;
++		}
+ 
+ 		code = krb5_kt_default_name (k5, def_keytab_name,
+ 		                             sizeof (def_keytab_name));
++		krb5_free_context (k5);
+ 		return_unexpected_if_fail (code == 0);
+ 
+ 		lc_dom_name = strdup (adcli_conn_get_domain_name (enroll->conn));
+@@ -2326,9 +2330,6 @@ adcli_enroll_join (adcli_enroll *enroll,
+ 
+ 	if (enroll->is_service) {
+ 		res = adcli_enroll_add_description_for_service_account (enroll);
+-		if (res == ADCLI_SUCCESS) {
+-			res = adcli_enroll_add_keytab_for_service_account (enroll);
+-		}
+ 	} else {
+ 		res = ensure_default_service_names (enroll);
+ 	}
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 7765ed4..11a30c8 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -146,6 +146,8 @@ const char *       adcli_enroll_get_keytab_name         (adcli_enroll *enroll);
+ void               adcli_enroll_set_keytab_name         (adcli_enroll *enroll,
+                                                          const char *value);
+ 
++adcli_result       adcli_enroll_add_keytab_for_service_account (adcli_enroll *enroll);
++
+ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);
+ 
+ void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,
+diff --git a/tools/computer.c b/tools/computer.c
+index 63fd374..98a0472 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -1166,6 +1166,12 @@ adcli_tool_computer_managed_service_account (adcli_conn *conn,
+ 
+ 	adcli_enroll_set_is_service (enroll, true);
+ 	adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT);
++	res = adcli_enroll_add_keytab_for_service_account (enroll);
++	if (res != ADCLI_SUCCESS) {
++		warnx ("Failed to set domain specific keytab name");
++		adcli_enroll_unref (enroll);
++		return 2;
++	}
+ 
+ 	res = adcli_enroll_load (enroll);
+ 	if (res != ADCLI_SUCCESS) {
+-- 
+2.28.0
+

SOURCES/0006-enroll-allow-fqdn-for-locate_computer_account.patch

+From 2a695dfe09cafeee3a648d3b969c364f8d3f494f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 27 Oct 2020 14:49:55 +0100
+Subject: [PATCH 6/7] enroll: allow fqdn for locate_computer_account
+
+Make it possible to find existing manages service account by the
+fully-qualified name.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
+---
+ library/adenroll.c | 45 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 05bb085..98cd5fa 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -990,10 +990,11 @@ delete_computer_account (adcli_enroll *enroll,
+ static adcli_result
+ locate_computer_account (adcli_enroll *enroll,
+                          LDAP *ldap,
++                         bool use_fqdn,
+                          LDAPMessage **rresults,
+                          LDAPMessage **rentry)
+ {
+-	char *attrs[] = { "objectClass", NULL };
++	char *attrs[] = { "objectClass", "CN", NULL };
+ 	LDAPMessage *results = NULL;
+ 	LDAPMessage *entry = NULL;
+ 	const char *base;
+@@ -1003,12 +1004,22 @@ locate_computer_account (adcli_enroll *enroll,
+ 	int ret = 0;
+ 
+ 	/* If we don't yet know our computer dn, then try and find it */
+-	value = _adcli_ldap_escape_filter (enroll->computer_sam);
+-	return_unexpected_if_fail (value != NULL);
+-	if (asprintf (&filter, "(&(objectClass=%s)(sAMAccountName=%s))",
+-	              enroll->is_service ? "msDS-ManagedServiceAccount" : "computer",
+-	              value) < 0)
+-		return_unexpected_if_reached ();
++	if (use_fqdn) {
++		return_unexpected_if_fail (enroll->host_fqdn != NULL);
++		value = _adcli_ldap_escape_filter (enroll->host_fqdn);
++		return_unexpected_if_fail (value != NULL);
++		if (asprintf (&filter, "(&(objectClass=%s)(dNSHostName=%s))",
++		              enroll->is_service ? "msDS-ManagedServiceAccount" : "computer",
++		              value) < 0)
++			return_unexpected_if_reached ();
++	} else {
++		value = _adcli_ldap_escape_filter (enroll->computer_sam);
++		return_unexpected_if_fail (value != NULL);
++		if (asprintf (&filter, "(&(objectClass=%s)(sAMAccountName=%s))",
++		              enroll->is_service ? "msDS-ManagedServiceAccount" : "computer",
++		              value) < 0)
++			return_unexpected_if_reached ();
++	}
+ 	free (value);
+ 
+ 	base = adcli_conn_get_default_naming_context (enroll->conn);
+@@ -1031,21 +1042,26 @@ locate_computer_account (adcli_enroll *enroll,
+ 			enroll->computer_dn = strdup (dn);
+ 			return_unexpected_if_fail (enroll->computer_dn != NULL);
+ 			_adcli_info ("Found %s account for %s at: %s",
+-			             s_or_c (enroll), enroll->computer_sam, dn);
++			             s_or_c (enroll),
++			             use_fqdn ? enroll->host_fqdn
++			                      : enroll->computer_sam, dn);
+ 			ldap_memfree (dn);
+ 
+ 		} else {
+ 			ldap_msgfree (results);
+ 			results = NULL;
+ 			_adcli_info ("A %s account for %s does not exist",
+-			             s_or_c (enroll), enroll->computer_sam);
++			             s_or_c (enroll),
++			             use_fqdn ? enroll->host_fqdn
++			                      : enroll->computer_sam);
+ 		}
+ 
+ 	} else {
+ 		return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_DIRECTORY,
+ 		                                   "Couldn't lookup %s account: %s",
+ 		                                   s_or_c (enroll),
+-		                                   enroll->computer_sam);
++		                                   use_fqdn ? enroll->host_fqdn
++		                                            :enroll->computer_sam);
+ 	}
+ 
+ 	if (rresults)
+@@ -1120,7 +1136,8 @@ locate_or_create_computer_account (adcli_enroll *enroll,
+ 
+ 	/* Try to find the computer account */
+ 	if (!enroll->computer_dn) {
+-		res = locate_computer_account (enroll, ldap, &results, &entry);
++		res = locate_computer_account (enroll, ldap, false,
++		                               &results, &entry);
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+ 		searched = 1;
+@@ -2395,7 +2412,7 @@ adcli_enroll_read_computer_account (adcli_enroll *enroll,
+ 
+ 	/* Find the computer dn */
+ 	if (!enroll->computer_dn) {
+-		res = locate_computer_account (enroll, ldap, NULL, NULL);
++		res = locate_computer_account (enroll, ldap, false, NULL, NULL);
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+ 		if (!enroll->computer_dn) {
+@@ -2508,7 +2525,7 @@ adcli_enroll_delete (adcli_enroll *enroll,
+ 
+ 	/* Find the computer dn */
+ 	if (!enroll->computer_dn) {
+-		res = locate_computer_account (enroll, ldap, NULL, NULL);
++		res = locate_computer_account (enroll, ldap, false, NULL, NULL);
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+ 		if (!enroll->computer_dn) {
+@@ -2552,7 +2569,7 @@ adcli_enroll_password (adcli_enroll *enroll,
+ 
+ 	/* Find the computer dn */
+ 	if (!enroll->computer_dn) {
+-		res = locate_computer_account (enroll, ldap, NULL, NULL);
++		res = locate_computer_account (enroll, ldap, false, NULL, NULL);
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+ 		if (!enroll->computer_dn) {
+-- 
+2.28.0
+

SOURCES/0007-service-account-add-random-suffix-to-account-name.patch

+From 6b94f9712378b8f1fa1bc530c64cb987abb0c43b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 27 Oct 2020 15:23:04 +0100
+Subject: [PATCH 7/7] service-account: add random suffix to account name
+
+Add a random component to the default managed service account name to
+avoid name collisions.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1854112
+---
+ library/adenroll.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 79 insertions(+)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 98cd5fa..f693e58 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -1121,6 +1121,59 @@ load_computer_account (adcli_enroll *enroll,
+ 	return ADCLI_SUCCESS;
+ }
+ 
++static adcli_result
++refresh_service_account_name_sam_and_princ (adcli_enroll *enroll,
++                                            const char *name)
++{
++	adcli_result res;
++
++	adcli_enroll_set_computer_name (enroll, name);
++	res = ensure_computer_sam (ADCLI_SUCCESS, enroll);
++	res = ensure_keytab_principals (res, enroll);
++
++	return res;
++}
++
++static adcli_result
++calculate_random_service_account_name (adcli_enroll *enroll)
++{
++	char *suffix;
++	char *new_name;
++	int ret;
++	adcli_result res;
++
++	suffix = generate_host_password (enroll, 3, filter_sam_chars);
++	return_unexpected_if_fail (suffix != NULL);
++
++	ret = asprintf (&new_name, "%s!%s", enroll->computer_name, suffix);
++	free (suffix);
++	return_unexpected_if_fail (ret > 0);
++
++	res = refresh_service_account_name_sam_and_princ (enroll, new_name);
++	free (new_name);
++
++	return res;
++}
++
++static adcli_result
++get_service_account_name_from_ldap (adcli_enroll *enroll, LDAPMessage *results)
++{
++	LDAP *ldap;
++	char *cn;
++	adcli_result res;
++
++	ldap = adcli_conn_get_ldap_connection (enroll->conn);
++	assert (ldap != NULL);
++
++	cn = _adcli_ldap_parse_value (ldap, results, "CN");
++	return_unexpected_if_fail (cn != NULL);
++
++	res = refresh_service_account_name_sam_and_princ (enroll, cn);
++	free (cn);
++
++	return res;
++}
++
+ static adcli_result
+ locate_or_create_computer_account (adcli_enroll *enroll,
+                                    int allow_overwrite)
+@@ -1143,8 +1196,32 @@ locate_or_create_computer_account (adcli_enroll *enroll,
+ 		searched = 1;
+ 	}
+ 
++	/* Try with fqdn for service accounts */
++	if (!enroll->computer_dn && enroll->is_service
++	                && enroll->host_fqdn != NULL) {
++		res = locate_computer_account (enroll, ldap, true,
++		                               &results, &entry);
++		if (res != ADCLI_SUCCESS)
++			return res;
++		searched = 1;
++
++		if (results != NULL) {
++			res = get_service_account_name_from_ldap (enroll,
++			                                          results);
++			if (res != ADCLI_SUCCESS) {
++				return res;
++			}
++		}
++	}
++
+ 	/* Next try and come up with where we think it should be */
+ 	if (enroll->computer_dn == NULL) {
++		if (enroll->is_service && !enroll->computer_name_explicit) {
++			res = calculate_random_service_account_name (enroll);
++			if (res != ADCLI_SUCCESS) {
++				return res;
++			}
++		}
+ 		res = calculate_computer_account (enroll, ldap);
+ 		if (res != ADCLI_SUCCESS)
+ 			return res;
+@@ -2113,6 +2190,8 @@ adcli_enroll_prepare (adcli_enroll *enroll,
+ 
+ 	if (enroll->is_service) {
+ 		/* Ensure basic params for service accounts */
++		res = ensure_host_fqdn (res, enroll);
++		res = ensure_computer_name (res, enroll);
+ 		res = ensure_computer_sam (res, enroll);
+ 		res = ensure_computer_password (res, enroll);
+ 		res = ensure_host_keytab (res, enroll);
+-- 
+2.28.0
+

SPECS/adcli.spec

 Name:		adcli
 Version:	0.8.2
-Release:	7%{?dist}
+Release:	9%{?dist}
 Summary:	Active Directory enrollment
 License:	LGPLv2+
 URL:		http://cgit.freedesktop.org/realmd/adcli
@@ -115,7 +115,7 @@ Patch64:	0001-discovery-fix.patch
 Patch65:	0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
 
 # rhbz#1846878 - adcli: presetting $computer in $domain domain failed: Cannot
-#               set computer password: Authentication error
+# set computer password: Authentication error
 Patch66:	0001-tools-disable-SSSD-s-locator-plugin.patch
 
 # rhbz#1791611 - Typo in adcli update --help option
@@ -125,6 +125,31 @@ Patch67:	0001-tools-fix-typo-in-show-password-help-output.patch
 Patch68:	0001-man-explain-optional-parameter-of-login-ccache-bette.patch
 Patch69:	0001-man-make-handling-of-optional-credential-cache-more-.patch
 
+# rhbz#1883467 - Add --use-ldaps option to adcli update as well
+Patch70:	0001-tools-add-missing-use-ldaps-option-to-update-and-tes.patch
+
+# rhbz#1734764 - Cannot join a pre-staged Computer Account on AD in Custom OU
+# using Delegated user
+Patch71:	0001-join-update-set-dNSHostName-if-not-set.patch
+
+# rhbz#1852080 - missing documentation for required AD rights for adcli join
+# and net join
+Patch72:	0001-doc-add-missing-samba_data_tool_path.xml-.in-to-EXTR.patch
+Patch73:	0001-doc-explain-required-AD-permissions.patch
+
+# rhbz#1854112 - [RFE] Add new mode to just create an AD account to be able to
+# connect to LDAP
+Patch74:	0001-enroll-add-is_service-member.patch
+Patch75:	0002-computer-add-create-msa-sub-command.patch
+Patch76:	0003-enroll-use-computer-or-service-in-debug-messages.patch
+Patch77:	0004-enroll-more-filters-for-random-characters.patch
+Patch78:	0005-enroll-make-adcli_enroll_add_keytab_for_service_acco.patch
+Patch79:	0006-enroll-allow-fqdn-for-locate_computer_account.patch
+Patch80:	0007-service-account-add-random-suffix-to-account-name.patch
+
+# rhbz#1906303 - Typo in CREATE A SERVICE ACCOUNT section of man page of adcli
+Patch81:	0001-service-account-fix-typo-in-the-man-page-entry.patch
+
 BuildRequires:	gcc
 BuildRequires:	intltool pkgconfig
 BuildRequires:	libtool
@@ -185,6 +210,18 @@ documentation.
 %doc %{_datadir}/doc/adcli/*
 
 %changelog
+* Fri Dec 11 2020 Sumit Bose <sbose@redhat,com> - 0.8.2-9
+- Typo in CREATE A SERVICE ACCOUNT section of man page of adcli [#1906303]
+
+* Wed Nov 11 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-8
+- Add --use-ldaps option to adcli update as well [#1883467]
+- Cannot join a pre-staged Computer Account on AD in Custom OU using Delegated
+  user [#1734764]
+- missing documentation for required AD rights for adcli join and net
+  join [#1852080]
+- [RFE] Add new mode to just create an AD account to be able to connect to
+  LDAP [#1854112]
+
 * Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-7
 - Improve "-C" option description in man page even more [#1791545]