Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

Resolves: rhbz#2422451

.gitignore

@@ -15,3 +15,6 @@
 /adcli-0.8.0.tar.gz
 /adcli-0.8.2.tar.gz
 /adcli-0.9.0.tar.gz
+/adcli-0.9.1.tar.gz
+/adcli-0.9.2.tar.gz
+/adcli-0.9.3.1.tar.gz

0001-delete-do-not-exit-if-keytab-cannot-be-read.patch

@@ -1,32 +0,0 @@
-From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 5 Jun 2020 17:06:58 +0200
-Subject: [PATCH] delete: do not exit if keytab cannot be read
-
-Reading the keytab is not required when deleting a host object in AD. It
-is only needed in the case where the host was added with a manual set
-NetBIOS name (--computer-name option) which does not match the short
-hostname and no computer name was given at the delete-computer command
-line.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
----
- tools/computer.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/tools/computer.c b/tools/computer.c
-index 292c4d8..a90c4b2 100644
---- a/tools/computer.c
-+++ b/tools/computer.c
-@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
- 	if (res != ADCLI_SUCCESS) {
- 		warnx ("couldn't lookup domain info from keytab: %s",
- 		       adcli_get_last_error ());
--		adcli_enroll_unref (enroll);
--		return -res;
- 	}
- 
- 	res = adcli_conn_connect (conn);
--- 
-2.26.2
-

0001-enroll-fix-issues-if-default-keytab-is-used.patch

@@ -0,0 +1,117 @@
+From 9c31bb06590f2d96a2d6d8ce87dc3273c283a671 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 19 Dec 2025 14:48:13 +0100
+Subject: [PATCH] enroll: fix issues if default keytab is used
+
+librkb5 returns the default keytab with a 'FILE:' prefix which must be
+removed before calling libselinux functions to operate on the keytab
+file.
+
+Resolves: https://issues.redhat.com/browse/RHEL-78631
+---
+ library/adenroll.c | 32 ++++++++++++++++++++------------
+ library/adenroll.h |  3 +--
+ tools/computer.c   |  6 +++---
+ 3 files changed, 24 insertions(+), 17 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 20ad198..9484cbf 100644
+--- a/library/adenroll.c
++++ b/library/adenroll.c
+@@ -2116,30 +2116,38 @@ ensure_host_keytab (adcli_result res,
+ 	return ADCLI_SUCCESS;
+ }
+ 
+-adcli_result
+-ensure_host_keytab_selinux_context (adcli_result res,
+-                                    adcli_enroll *enroll)
++void
++restore_host_keytab_selinux_context (adcli_enroll *enroll)
+ {
+ #ifdef BUILD_SELINUX_POLICY
+ 	int ret;
+-
+-	if (res != ADCLI_SUCCESS)
+-		return res;
++	krb5_context k5;
++	const char *name_start;
+ 
+ 	if (enroll->keytab_name == NULL) {
+ 		_adcli_info ("No keytab name available, skipping SELinux restorecon.");
+-		return ADCLI_SUCCESS;
++		return;
++	}
++
++	name_start = enroll->keytab_name;
++	if (strncmp (name_start, "FILE:", 5) == 0) {
++		name_start = enroll->keytab_name + 5;
+ 	}
+ 
+-	ret = selinux_restorecon (adcli_enroll_get_keytab_name (enroll), 0);
++	if (enroll->keytab != NULL) {
++		k5 = adcli_conn_get_krb5_context (enroll->conn);
++		krb5_kt_close (k5, enroll->keytab);
++		enroll->keytab = NULL;
++	}
++
++	ret = selinux_restorecon (name_start, 0);
+ 	if (ret != 0) {
+-		_adcli_err ("Failed to set SELinux context for %s with error %d: %s",
+-		            enroll->keytab_name, ret, strerror (ret));
+-		return ADCLI_ERR_FAIL;
++		_adcli_err ("Failed to set SELinux context for %s with error %d: %s, ignored",
++		            name_start, ret, strerror (errno));
+ 	}
+ #endif
+ 
+-	return ADCLI_SUCCESS;
++	return;
+ }
+ 
+ 
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 79eb7a8..5aba81b 100644
+--- a/library/adenroll.h
++++ b/library/adenroll.h
+@@ -192,6 +192,5 @@ void               adcli_enroll_set_samba_data_tool     (adcli_enroll *enroll,
+ 
+ const char *       adcli_enroll_get_samba_data_tool     (adcli_enroll *enroll);
+ 
+-adcli_result        ensure_host_keytab_selinux_context  (adcli_result res,
+-                                                         adcli_enroll *enroll);
++void               restore_host_keytab_selinux_context  (adcli_enroll *enroll);
+ #endif /* ADENROLL_H_ */
+diff --git a/tools/computer.c b/tools/computer.c
+index ee027dc..f056366 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -520,7 +520,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 	else if (show_password)
+ 		dump_password (conn, enroll);
+ 
+-	ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
++	restore_host_keytab_selinux_context (enroll);
+ 
+ 	adcli_enroll_unref (enroll);
+ 
+@@ -655,7 +655,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ 	else if (show_password)
+ 		dump_password (conn, enroll);
+ 
+-	ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
++	restore_host_keytab_selinux_context (enroll);
+ 
+ 	adcli_enroll_unref (enroll);
+ 
+@@ -1275,7 +1275,7 @@ adcli_tool_computer_managed_service_account (adcli_conn *conn,
+ 	else if (show_password)
+ 		dump_password (conn, enroll);
+ 
+-	ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
++	restore_host_keytab_selinux_context (enroll);
+ 
+ 	adcli_enroll_unref (enroll);
+ 
+-- 
+2.52.0
+

0001-man-move-note-to-the-right-section.patch

@@ -1,48 +0,0 @@
-From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 27 Nov 2019 18:26:44 +0100
-Subject: [PATCH 1/6] man: move note to the right section
-
-Unfortunately the note about the password lifetime was added to the join
-section. This patch move it to the update section where it belongs to.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
-           https://bugzilla.redhat.com/show_bug.cgi?id=1745931
-           https://bugzilla.redhat.com/show_bug.cgi?id=1774622
----
- doc/adcli.xml | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/doc/adcli.xml b/doc/adcli.xml
-index 4f201e0..9faf96a 100644
---- a/doc/adcli.xml
-+++ b/doc/adcli.xml
-@@ -330,11 +330,7 @@ Password for Administrator:
- 			important here is currently the
- 			<option>workgroup</option> option, see
- 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
--			for details.</para>
--			<para>Note that if the machine account password is not
--			older than 30 days, you have to pass
--			<option>--computer-password-lifetime=0</option> to
--			force the update.</para></listitem>
-+			for details.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
- 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
-@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
- 			important here is currently the
- 			<option>workgroup</option> option, see
- 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
--			for details.</para></listitem>
-+			for details.</para>
-+			<para>Note that if the machine account password is not
-+			older than 30 days, you have to pass
-+			<option>--computer-password-lifetime=0</option> to
-+			force the update.</para></listitem>
- 		</varlistentry>
- 		<varlistentry>
- 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
--- 
-2.25.1
-

0001-tools-disable-SSSD-s-locator-plugin.patch

@@ -1,41 +0,0 @@
-From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 5 Jun 2020 17:28:28 +0200
-Subject: [PATCH] tools: disable SSSD's locator plugin
-
-MIT's libkrb5 checks available locator plugins first before checking the
-config file. This might cause issues when the locator plugin returns a
-different DC than the one used for the LDAP connection if some data must
-be replicated.
-
-This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
-'true' to disable SSSD's locator plugin for adcli.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
----
- tools/tools.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/tools/tools.c b/tools/tools.c
-index 9d422f2..1b6d879 100644
---- a/tools/tools.c
-+++ b/tools/tools.c
-@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
- 	}
- 
- 	unsetenv ("KRB5_CONFIG");
-+	unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
- }
- 
- static void
-@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
- 		adcli_krb5_conf_filename = filename;
- 		adcli_krb5_d_directory = snippets;
- 		setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
-+		setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
- 
- 	} else {
- 		free (filename);
--- 
-2.26.2
-

0002-tools-add-show-computer-command.patch

@@ -1,338 +0,0 @@
-From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 27 Nov 2019 12:34:45 +0100
-Subject: [PATCH 2/6] tools: add show-computer command
-
-The show-computer command prints the LDAP attributes of the related
-computer object from AD.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
----
- doc/adcli.xml      | 28 ++++++++++++++
- library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
- library/adenroll.h |  5 +++
- tools/computer.c   | 93 ++++++++++++++++++++++++++++++++++++++++++++++
- tools/tools.c      |  1 +
- tools/tools.h      |  4 ++
- 6 files changed, 191 insertions(+), 18 deletions(-)
-
-diff --git a/doc/adcli.xml b/doc/adcli.xml
-index 9faf96a..1f93186 100644
---- a/doc/adcli.xml
-+++ b/doc/adcli.xml
-@@ -93,6 +93,11 @@
- 		<arg choice="opt">--domain=domain.example.com</arg>
- 		<arg choice="plain">computer</arg>
- 	</cmdsynopsis>
-+	<cmdsynopsis>
-+		<command>adcli show-computer</command>
-+		<arg choice="opt">--domain=domain.example.com</arg>
-+		<arg choice="plain">computer</arg>
-+	</cmdsynopsis>
- </refsynopsisdiv>
- 
- <refsect1 id='general_overview'>
-@@ -811,6 +816,29 @@ Password for Administrator:
- 
- </refsect1>
- 
-+<refsect1 id='show_computer_account'>
-+	<title>Show Computer Account Attributes</title>
-+
-+	<para><command>adcli show-computer</command> show the computer account
-+	attributes stored in AD. The account must already exist.</para>
-+
-+<programlisting>
-+$ adcli show-computer --domain=domain.example.com host2
-+Password for Administrator:
-+</programlisting>
-+
-+	<para>If the computer name contains a dot, then it is
-+	treated as fully qualified host name, otherwise it is treated
-+	as short computer name.</para>
-+
-+	<para>If no computer name is specified, then the host name of the
-+	computer adcli is running on is used, as returned by
-+	<literal>gethostname()</literal>.</para>
-+
-+	<para>The various global options can be used.</para>
-+
-+</refsect1>
-+
- <refsect1 id='bugs'>
- 	<title>Bugs</title>
- 	<para>
-diff --git a/library/adenroll.c b/library/adenroll.c
-index 524663a..8d2adeb 100644
---- a/library/adenroll.c
-+++ b/library/adenroll.c
-@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
- 	0
- };
- 
-+static char *default_ad_ldap_attrs[] =  {
-+	"sAMAccountName",
-+	"userPrincipalName",
-+	"msDS-KeyVersionNumber",
-+	"msDS-supportedEncryptionTypes",
-+	"dNSHostName",
-+	"servicePrincipalName",
-+	"operatingSystem",
-+	"operatingSystemVersion",
-+	"operatingSystemServicePack",
-+	"pwdLastSet",
-+	"userAccountControl",
-+	NULL,
-+};
-+
- /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
-  * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
-  * for details. */
-@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
- 	char *end;
- 	int ret;
- 
--	char *attrs[] =  {
--		"msDS-KeyVersionNumber",
--		"msDS-supportedEncryptionTypes",
--		"dNSHostName",
--		"servicePrincipalName",
--		"operatingSystem",
--		"operatingSystemVersion",
--		"operatingSystemServicePack",
--		"pwdLastSet",
--		"userAccountControl",
--		NULL,
--	};
--
- 	assert (enroll->computer_dn != NULL);
- 	assert (enroll->computer_attributes == NULL);
- 
-@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
- 	assert (ldap != NULL);
- 
- 	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
--	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
-+	                         "(objectClass=*)", default_ad_ldap_attrs,
-+	                         0, NULL, NULL, NULL, -1,
- 	                         &enroll->computer_attributes);
- 
- 	if (ret != LDAP_SUCCESS) {
-@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
- }
- 
- adcli_result
--adcli_enroll_update (adcli_enroll *enroll,
--		     adcli_enroll_flags flags)
-+adcli_enroll_read_computer_account (adcli_enroll *enroll,
-+		                    adcli_enroll_flags flags)
- {
- 	adcli_result res = ADCLI_SUCCESS;
- 	LDAP *ldap;
--	char *value;
- 
- 	return_unexpected_if_fail (enroll != NULL);
- 
-@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
- 	}
- 
- 	/* Get information about the computer account */
--	res = retrieve_computer_account (enroll);
-+	return retrieve_computer_account (enroll);
-+}
-+
-+adcli_result
-+adcli_enroll_update (adcli_enroll *enroll,
-+		     adcli_enroll_flags flags)
-+{
-+	adcli_result res = ADCLI_SUCCESS;
-+	LDAP *ldap;
-+	char *value;
-+
-+	res = adcli_enroll_read_computer_account (enroll, flags);
- 	if (res != ADCLI_SUCCESS)
- 		return res;
- 
-@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
- 	return enroll_join_or_update_tasks (enroll, flags);
- }
- 
-+adcli_result
-+adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
-+{
-+	LDAP *ldap;
-+	size_t c;
-+	char **vals;
-+	size_t v;
-+
-+	ldap = adcli_conn_get_ldap_connection (enroll->conn);
-+	assert (ldap != NULL);
-+
-+	for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
-+		vals = _adcli_ldap_parse_values (ldap,
-+		                                 enroll->computer_attributes,
-+		                                 default_ad_ldap_attrs[c]);
-+		printf ("%s:\n", default_ad_ldap_attrs[c]);
-+		if (vals == NULL) {
-+			printf (" - not set -\n");
-+		} else {
-+			for (v = 0; vals[v] != NULL; v++) {
-+				printf (" %s\n", vals[v]);
-+			}
-+		}
-+		_adcli_strv_free (vals);
-+	}
-+
-+	return ADCLI_SUCCESS;
-+}
-+
- adcli_result
- adcli_enroll_delete (adcli_enroll *enroll,
-                      adcli_enroll_flags delete_flags)
-diff --git a/library/adenroll.h b/library/adenroll.h
-index 1d5d00d..11eb517 100644
---- a/library/adenroll.h
-+++ b/library/adenroll.h
-@@ -46,6 +46,11 @@ adcli_result       adcli_enroll_join                    (adcli_enroll *enroll,
- adcli_result       adcli_enroll_update                  (adcli_enroll *enroll,
- 		                                         adcli_enroll_flags flags);
- 
-+adcli_result       adcli_enroll_read_computer_account   (adcli_enroll *enroll,
-+                                                         adcli_enroll_flags flags);
-+
-+adcli_result       adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
-+
- adcli_result       adcli_enroll_delete                  (adcli_enroll *enroll,
-                                                          adcli_enroll_flags delete_flags);
- 
-diff --git a/tools/computer.c b/tools/computer.c
-index ac8a203..c8b96a4 100644
---- a/tools/computer.c
-+++ b/tools/computer.c
-@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
- 	adcli_enroll_unref (enroll);
- 	return 0;
- }
-+
-+int
-+adcli_tool_computer_show (adcli_conn *conn,
-+                          int argc,
-+                          char *argv[])
-+{
-+	adcli_enroll *enroll;
-+	adcli_result res;
-+	int opt;
-+
-+	struct option options[] = {
-+		{ "domain", required_argument, NULL, opt_domain },
-+		{ "domain-realm", required_argument, NULL, opt_domain_realm },
-+		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "login-user", required_argument, NULL, opt_login_user },
-+		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
-+		{ "login-type", required_argument, NULL, opt_login_type },
-+		{ "no-password", no_argument, 0, opt_no_password },
-+		{ "stdin-password", no_argument, 0, opt_stdin_password },
-+		{ "prompt-password", no_argument, 0, opt_prompt_password },
-+		{ "verbose", no_argument, NULL, opt_verbose },
-+		{ "help", no_argument, NULL, 'h' },
-+		{ 0 },
-+	};
-+
-+	static adcli_tool_desc usages[] = {
-+		{ 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
-+		{ 0 },
-+	};
-+
-+	enroll = adcli_enroll_new (conn);
-+	if (enroll == NULL) {
-+		warnx ("unexpected memory problems");
-+		return -1;
-+	}
-+
-+	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
-+		switch (opt) {
-+		case 'h':
-+		case '?':
-+		case ':':
-+			adcli_tool_usage (options, usages);
-+			adcli_tool_usage (options, common_usages);
-+			adcli_enroll_unref (enroll);
-+			return opt == 'h' ? 0 : 2;
-+		default:
-+			res = parse_option ((Option)opt, optarg, conn, enroll);
-+			if (res != ADCLI_SUCCESS) {
-+				adcli_enroll_unref (enroll);
-+				return res;
-+			}
-+			break;
-+		}
-+	}
-+
-+	argc -= optind;
-+	argv += optind;
-+
-+	res = adcli_conn_connect (conn);
-+	if (res != ADCLI_SUCCESS) {
-+		warnx ("couldn't connect to %s domain: %s",
-+		       adcli_conn_get_domain_name (conn),
-+		       adcli_get_last_error ());
-+		adcli_enroll_unref (enroll);
-+		return -res;
-+	}
-+
-+	if (argc == 1) {
-+		parse_fqdn_or_name (enroll, argv[0]);
-+	}
-+
-+	res = adcli_enroll_read_computer_account (enroll, 0);
-+	if (res != ADCLI_SUCCESS) {
-+		warnx ("couldn't read data for %s: %s",
-+		       adcli_enroll_get_host_fqdn (enroll) != NULL
-+		           ? adcli_enroll_get_host_fqdn (enroll)
-+		           : adcli_enroll_get_computer_name (enroll),
-+		       adcli_get_last_error ());
-+		adcli_enroll_unref (enroll);
-+		return -res;
-+	}
-+
-+	res = adcli_enroll_show_computer_attribute (enroll);
-+	if (res != ADCLI_SUCCESS) {
-+		warnx ("couldn't print data for %s: %s",
-+		       argv[0], adcli_get_last_error ());
-+		adcli_enroll_unref (enroll);
-+		return -res;
-+	}
-+
-+	adcli_enroll_unref (enroll);
-+	return 0;
-+}
-diff --git a/tools/tools.c b/tools/tools.c
-index fc9fa9a..9d422f2 100644
---- a/tools/tools.c
-+++ b/tools/tools.c
-@@ -59,6 +59,7 @@ struct {
- 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
- 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
- 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
-+	{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
- 	{ "create-user", adcli_tool_user_create, "Create a user account", },
- 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
- 	{ "create-group", adcli_tool_group_create, "Create a group", },
-diff --git a/tools/tools.h b/tools/tools.h
-index 8cebbf9..3702875 100644
---- a/tools/tools.h
-+++ b/tools/tools.h
-@@ -78,6 +78,10 @@ int       adcli_tool_computer_delete   (adcli_conn *conn,
-                                         int argc,
-                                         char *argv[]);
- 
-+int       adcli_tool_computer_show     (adcli_conn *conn,
-+                                        int argc,
-+                                        char *argv[]);
-+
- int       adcli_tool_user_create       (adcli_conn *conn,
-                                         int argc,
-                                         char *argv[]);
--- 
-2.25.1
-

0003-add-description-option-to-join-and-update.patch

@@ -1,183 +0,0 @@
-From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 27 Nov 2019 14:48:32 +0100
-Subject: [PATCH 3/6] add description option to join and update
-
-This new option allows to set the description LDAP attribute for the AD
-computer object.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
----
- doc/adcli.xml      | 10 ++++++++++
- library/adenroll.c | 29 +++++++++++++++++++++++++++++
- library/adenroll.h |  4 ++++
- tools/computer.c   |  7 +++++++
- 4 files changed, 50 insertions(+)
-
-diff --git a/doc/adcli.xml b/doc/adcli.xml
-index 1f93186..dd30435 100644
---- a/doc/adcli.xml
-+++ b/doc/adcli.xml
-@@ -275,6 +275,11 @@ Password for Administrator:
- 			<listitem><para>Set the operating system version on the computer
- 			account. Not set by default.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--description=<parameter>description</parameter></option></term>
-+			<listitem><para>Set the description attribute on the computer
-+			account. Not set by default.</para></listitem>
-+		</varlistentry>
- 		<varlistentry>
- 			<term><option>--service-name=<parameter>service</parameter></option></term>
- 			<listitem><para>Additional service name for a kerberos
-@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
- 			<listitem><para>Set the operating system version on the computer
- 			account. Not set by default.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--description=<parameter>description</parameter></option></term>
-+			<listitem><para>Set the description attribute on the computer
-+			account. Not set by default.</para></listitem>
-+		</varlistentry>
- 		<varlistentry>
- 			<term><option>--service-name=<parameter>service</parameter></option></term>
- 			<listitem><para>Additional service name for a Kerberos
-diff --git a/library/adenroll.c b/library/adenroll.c
-index 8d2adeb..246f658 100644
---- a/library/adenroll.c
-+++ b/library/adenroll.c
-@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] =  {
- 	"operatingSystemServicePack",
- 	"pwdLastSet",
- 	"userAccountControl",
-+	"description",
- 	NULL,
- };
- 
-@@ -143,6 +144,7 @@ struct _adcli_enroll {
- 	char *samba_data_tool;
- 	bool trusted_for_delegation;
- 	int trusted_for_delegation_explicit;
-+	char *description;
- };
- 
- static adcli_result
-@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
- 	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
- 	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
- 	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
-+	char *vals_description[] = { enroll->description, NULL };
-+	LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
- 
- 	char *val = NULL;
- 
-@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
- 		&operatingSystemServicePack,
- 		&userPrincipalName,
- 		&servicePrincipalName,
-+		&description,
- 		NULL
- 	};
- 
-@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
- 		res |= update_computer_attribute (enroll, ldap, mods);
- 	}
- 
-+	if (res == ADCLI_SUCCESS && enroll->description != NULL) {
-+		char *vals_description[] = { enroll->description, NULL };
-+		LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
-+		LDAPMod *mods[] = { &description, NULL, };
-+
-+		res |= update_computer_attribute (enroll, ldap, mods);
-+	}
-+
- 	if (res != 0)
- 		_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
- }
-@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
- 	enroll->trusted_for_delegation_explicit = 1;
- }
- 
-+void
-+adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
-+{
-+	return_if_fail (enroll != NULL);
-+	if (value != NULL && value[0] != '\0') {
-+		_adcli_str_set (&enroll->description, value);
-+	}
-+}
-+
-+const char *
-+adcli_enroll_get_desciption (adcli_enroll *enroll)
-+{
-+	return_val_if_fail (enroll != NULL, NULL);
-+	return enroll->description;
-+}
-+
- const char **
- adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
- {
-diff --git a/library/adenroll.h b/library/adenroll.h
-index 11eb517..0606169 100644
---- a/library/adenroll.h
-+++ b/library/adenroll.h
-@@ -126,6 +126,10 @@ bool               adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
- void               adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
-                                                             bool value);
- 
-+const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
-+void               adcli_enroll_set_description         (adcli_enroll *enroll,
-+                                                         const char *value);
-+
- krb5_kvno          adcli_enroll_get_kvno                (adcli_enroll *enroll);
- 
- void               adcli_enroll_set_kvno                (adcli_enroll *enroll,
-diff --git a/tools/computer.c b/tools/computer.c
-index c8b96a4..840e334 100644
---- a/tools/computer.c
-+++ b/tools/computer.c
-@@ -112,6 +112,7 @@ typedef enum {
- 	opt_trusted_for_delegation,
- 	opt_add_service_principal,
- 	opt_remove_service_principal,
-+	opt_description,
- } Option;
- 
- static adcli_tool_desc common_usages[] = {
-@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
- 	                              "in the userAccountControl attribute", },
- 	{ opt_add_service_principal, "add the given service principal to the account\n" },
- 	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
-+	{ opt_description, "add a description to the account\n" },
- 	{ opt_no_password, "don't prompt for or read a password" },
- 	{ opt_prompt_password, "prompt for a password if necessary" },
- 	{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
-@@ -306,6 +308,9 @@ parse_option (Option opt,
- 	case opt_remove_service_principal:
- 		adcli_enroll_add_service_principal_to_remove (enroll, optarg);
- 		return ADCLI_SUCCESS;
-+	case opt_description:
-+		adcli_enroll_set_description (enroll, optarg);
-+		return ADCLI_SUCCESS;
- 	case opt_verbose:
- 		return ADCLI_SUCCESS;
- 
-@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
- 		{ "os-name", required_argument, NULL, opt_os_name },
- 		{ "os-version", required_argument, NULL, opt_os_version },
- 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
-+		{ "description", optional_argument, NULL, opt_description },
- 		{ "user-principal", optional_argument, NULL, opt_user_principal },
- 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
- 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
-@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
- 		{ "os-name", required_argument, NULL, opt_os_name },
- 		{ "os-version", required_argument, NULL, opt_os_version },
- 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
-+		{ "description", optional_argument, NULL, opt_description },
- 		{ "user-principal", optional_argument, NULL, opt_user_principal },
- 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
- 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
--- 
-2.25.1
-

0004-Use-GSS-SPNEGO-if-available.patch

@@ -1,124 +0,0 @@
-From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 11 Oct 2019 16:39:25 +0200
-Subject: [PATCH 4/6] Use GSS-SPNEGO if available
-
-Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
-and to establish encryption. While this works in general it does not
-handle some of the more advanced features which can be required by AD
-DCs.
-
-The GSS-SPNEGO mechanism can handle them and is used with this patch by
-adcli if the AD DC indicates that it supports it.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
----
- library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
- library/adconn.h |  3 +++
- 2 files changed, 37 insertions(+), 1 deletion(-)
-
-diff --git a/library/adconn.c b/library/adconn.c
-index bcaced8..ffb54f9 100644
---- a/library/adconn.c
-+++ b/library/adconn.c
-@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
- 	char *default_naming_context;
- 	char *configuration_naming_context;
- 	char **supported_capabilities;
-+	char **supported_sasl_mechs;
- 
- 	/* Connect state */
- 	LDAP *ldap;
-@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
- 		"defaultNamingContext",
- 		"configurationNamingContext",
- 		"supportedCapabilities",
-+		"supportedSASLMechanisms",
- 		NULL
- 	};
- 
-@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
- 		                                                         "supportedCapabilities");
- 	}
- 
-+	if (conn->supported_sasl_mechs == NULL) {
-+		conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
-+		                                                       "supportedSASLMechanisms");
-+	}
-+
- 	ldap_msgfree (results);
- 
- 	if (conn->default_naming_context == NULL) {
-@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
- 	OM_uint32 minor;
- 	ber_len_t ssf;
- 	int ret;
-+	const char *mech = "GSSAPI";
- 
- 	if (conn->ldap_authenticated)
- 		return ADCLI_SUCCESS;
-@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
- 	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
- 	return_unexpected_if_fail (ret == 0);
- 
--	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
-+	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
-+		mech =  "GSS-SPNEGO";
-+	}
-+
-+	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
- 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
- 
- 	/* Clear the credential cache GSSAPI to use (for this thread) */
-@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
- 	free (conn->default_naming_context);
- 	free (conn->configuration_naming_context);
- 	_adcli_strv_free (conn->supported_capabilities);
-+	_adcli_strv_free (conn->supported_sasl_mechs);
- 
- 	free (conn->computer_name);
- 	free (conn->host_fqdn);
-@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
- 	return 0;
- }
- 
-+bool
-+adcli_conn_server_has_sasl_mech (adcli_conn *conn,
-+                                 const char *mech)
-+{
-+	int i;
-+
-+	return_val_if_fail (conn != NULL, false);
-+	return_val_if_fail (mech != NULL, false);
-+
-+	if (!conn->supported_sasl_mechs)
-+		return false;
-+
-+	for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
-+		if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
-+			return true;
-+	}
-+
-+	return false;
-+}
-+
- bool adcli_conn_is_writeable (adcli_conn *conn)
- {
- 	disco_dance_if_necessary (conn);
-diff --git a/library/adconn.h b/library/adconn.h
-index 1ad5715..37ebdd9 100644
---- a/library/adconn.h
-+++ b/library/adconn.h
-@@ -149,6 +149,9 @@ void                adcli_conn_set_krb5_conf_dir     (adcli_conn *conn,
- int                 adcli_conn_server_has_capability (adcli_conn *conn,
-                                                       const char *capability);
- 
-+bool                adcli_conn_server_has_sasl_mech  (adcli_conn *conn,
-+                                                      const char *mech);
-+
- bool                adcli_conn_is_writeable          (adcli_conn *conn);
- 
- #endif /* ADCONN_H_ */
--- 
-2.25.1
-

0005-add-option-use-ldaps.patch

@@ -1,378 +0,0 @@
-From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 19 Dec 2019 07:22:33 +0100
-Subject: [PATCH 5/6] add option use-ldaps
-
-In general using the LDAP port with GSS-SPNEGO should satifiy all
-requirements an AD DC should have for authentication on an encrypted
-LDAP connection.
-
-But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
-with TLS encryption might be an alternative. For this use case the
---use-ldaps option is added.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
----
- doc/adcli.xml    | 24 +++++++++++++++
- library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
- library/adconn.h |  4 +++
- tools/computer.c | 10 ++++++
- tools/entry.c    | 11 +++++++
- 5 files changed, 119 insertions(+), 9 deletions(-)
-
-diff --git a/doc/adcli.xml b/doc/adcli.xml
-index dd30435..acced25 100644
---- a/doc/adcli.xml
-+++ b/doc/adcli.xml
-@@ -128,6 +128,30 @@
- 			If not specified, then an appropriate domain controller
- 			is automatically discovered.</para></listitem>
- 		</varlistentry>
-+		<varlistentry>
-+			<term><option>--use-ldaps</option></term>
-+			<listitem><para>Connect to the domain controller
-+			with LDAPS. By default the LDAP port is used and SASL
-+			GSS-SPNEGO or GSSAPI is used for authentication and to
-+			establish encryption. This should satisfy all
-+			requirements set on the server side and LDAPS should
-+			only be used if the LDAP port is not accessible due to
-+			firewalls or other reasons.</para>
-+			<para> Please note that the place where CA certificates
-+			can be found to validate the AD DC certificates
-+			must be configured in the OpenLDAP configuration
-+			file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
-+			As an alternative it can be specified with the help of
-+			an environment variable, e.g.
-+<programlisting>
-+$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
-+...
-+</programlisting>
-+			Please see
-+			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
-+			<manvolnum>5</manvolnum></citerefentry> for details.
-+			</para></listitem>
-+		</varlistentry>
- 		<varlistentry>
- 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
- 			<listitem><para>Use the specified kerberos credential
-diff --git a/library/adconn.c b/library/adconn.c
-index ffb54f9..7bab852 100644
---- a/library/adconn.c
-+++ b/library/adconn.c
-@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
- 	char *domain_name;
- 	char *domain_realm;
- 	char *domain_controller;
-+	bool use_ldaps;
- 	char *canonical_host;
- 	char *domain_short;
- 	char *domain_sid;
-@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
- 
- static LDAP *
- connect_to_address (const char *host,
--                    const char *canonical_host)
-+                    const char *canonical_host,
-+                    bool use_ldaps)
- {
- 	struct addrinfo *res = NULL;
- 	struct addrinfo *ai;
-@@ -783,6 +785,16 @@ connect_to_address (const char *host,
- 	char *url;
- 	int sock;
- 	int rc;
-+	int opt_rc;
-+	const char *port = "389";
-+	const char *proto = "ldap";
-+	const char *errmsg = NULL;
-+
-+	if (use_ldaps) {
-+		port = "636";
-+		proto = "ldaps";
-+		_adcli_info ("Using LDAPS to connect to %s", host);
-+	}
- 
- 	memset (&hints, '\0', sizeof(hints));
- #ifdef AI_ADDRCONFIG
-@@ -794,7 +806,7 @@ connect_to_address (const char *host,
- 	if (!canonical_host)
- 		canonical_host = host;
- 
--	rc = getaddrinfo (host, "389", &hints, &res);
-+	rc = getaddrinfo (host, port, &hints, &res);
- 	if (rc != 0) {
- 		_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
- 		return NULL;
-@@ -810,7 +822,7 @@ connect_to_address (const char *host,
- 			close (sock);
- 		} else {
- 			error = 0;
--			if (asprintf (&url, "ldap://%s", canonical_host) < 0)
-+			if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
- 				return_val_if_reached (NULL);
- 			rc = ldap_init_fd (sock, 1, url, &ldap);
- 			free (url);
-@@ -820,6 +832,25 @@ connect_to_address (const char *host,
- 				            ldap_err2string (rc));
- 				break;
- 			}
-+
-+			if (use_ldaps) {
-+				rc = ldap_install_tls (ldap);
-+				if (rc != LDAP_SUCCESS) {
-+					opt_rc = ldap_get_option (ldap,
-+					                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
-+					                          (void *) &errmsg);
-+					if (opt_rc != LDAP_SUCCESS) {
-+						errmsg = NULL;
-+					}
-+					_adcli_err ("Couldn't initialize TLS [%s]: %s",
-+					            ldap_err2string (rc),
-+					            errmsg == NULL ? "- no details -"
-+					                           : errmsg);
-+					ldap_unbind_ext_s (ldap, NULL, NULL);
-+					ldap = NULL;
-+					break;
-+				}
-+			}
- 		}
- 	}
- 
-@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
- 	if (!canonical_host)
- 		canonical_host = disco->host_addr;
- 
--	ldap = connect_to_address (disco->host_addr, canonical_host);
-+	ldap = connect_to_address (disco->host_addr, canonical_host,
-+	                           adcli_conn_get_use_ldaps (conn));
- 	if (ldap == NULL)
- 		return ADCLI_ERR_DIRECTORY;
- 
-@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
- 	status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
- 	return_unexpected_if_fail (status == 0);
- 
--	/* Clumsily tell ldap + cyrus-sasl that we want encryption */
--	ssf = 1;
--	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
--	return_unexpected_if_fail (ret == 0);
-+	if (adcli_conn_get_use_ldaps (conn)) {
-+		/* do not use SASL encryption on LDAPS connection */
-+		ssf = 0;
-+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
-+		return_unexpected_if_fail (ret == 0);
-+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
-+		return_unexpected_if_fail (ret == 0);
-+	} else {
-+		/* Clumsily tell ldap + cyrus-sasl that we want encryption */
-+		ssf = 1;
-+		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
-+		return_unexpected_if_fail (ret == 0);
-+	}
- 
--	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
-+	/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
-+	 * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
-+	 * without LDAPS. */
-+	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
-+	                     && !adcli_conn_get_use_ldaps (conn)) {
- 		mech =  "GSS-SPNEGO";
- 	}
-+	_adcli_info ("Using %s for SASL bind", mech);
- 
- 	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
- 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
-@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
- 	conn->refs = 1;
- 	conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
- 	adcli_conn_set_domain_name (conn, domain_name);
-+	adcli_conn_set_use_ldaps (conn, false);
- 	return conn;
- }
- 
-@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
- 	no_more_disco (conn);
- }
- 
-+bool
-+adcli_conn_get_use_ldaps (adcli_conn *conn)
-+{
-+	return_val_if_fail (conn != NULL, NULL);
-+	return conn->use_ldaps;
-+}
-+
-+void
-+adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
-+{
-+	return_if_fail (conn != NULL);
-+	conn->use_ldaps = value;
-+}
-+
- const char *
- adcli_conn_get_domain_short (adcli_conn *conn)
- {
-diff --git a/library/adconn.h b/library/adconn.h
-index 37ebdd9..1d5faa8 100644
---- a/library/adconn.h
-+++ b/library/adconn.h
-@@ -89,6 +89,10 @@ const char *        adcli_conn_get_domain_controller (adcli_conn *conn);
- void                adcli_conn_set_domain_controller (adcli_conn *conn,
-                                                       const char *value);
- 
-+bool                adcli_conn_get_use_ldaps         (adcli_conn *conn);
-+void                adcli_conn_set_use_ldaps         (adcli_conn *conn,
-+                                                      bool value);
-+
- const char *        adcli_conn_get_domain_short      (adcli_conn *conn);
- 
- const char *        adcli_conn_get_domain_sid        (adcli_conn *conn);
-diff --git a/tools/computer.c b/tools/computer.c
-index 840e334..292c4d8 100644
---- a/tools/computer.c
-+++ b/tools/computer.c
-@@ -113,12 +113,14 @@ typedef enum {
- 	opt_add_service_principal,
- 	opt_remove_service_principal,
- 	opt_description,
-+	opt_use_ldaps,
- } Option;
- 
- static adcli_tool_desc common_usages[] = {
- 	{ opt_domain, "active directory domain name" },
- 	{ opt_domain_realm, "kerberos realm for the domain" },
- 	{ opt_domain_controller, "domain controller to connect to" },
-+	{ opt_use_ldaps, "use LDAPS port for communication" },
- 	{ opt_host_fqdn, "override the fully qualified domain name of the\n"
- 	                 "local machine" },
- 	{ opt_host_keytab, "filename for the host kerberos keytab" },
-@@ -311,6 +313,9 @@ parse_option (Option opt,
- 	case opt_description:
- 		adcli_enroll_set_description (enroll, optarg);
- 		return ADCLI_SUCCESS;
-+	case opt_use_ldaps:
-+		adcli_conn_set_use_ldaps (conn, true);
-+		return ADCLI_SUCCESS;
- 	case opt_verbose:
- 		return ADCLI_SUCCESS;
- 
-@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
- 		{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "user", required_argument, NULL, opt_login_user }, /* compat */
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
-@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
-@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "login-type", required_argument, NULL, opt_login_type },
-@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "no-password", no_argument, 0, opt_no_password },
-@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "login-type", required_argument, NULL, opt_login_type },
-diff --git a/tools/entry.c b/tools/entry.c
-index f361845..05e4313 100644
---- a/tools/entry.c
-+++ b/tools/entry.c
-@@ -53,6 +53,7 @@ typedef enum {
- 	opt_unix_gid,
- 	opt_unix_shell,
- 	opt_nis_domain,
-+	opt_use_ldaps,
- } Option;
- 
- static adcli_tool_desc common_usages[] = {
-@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
- 	{ opt_domain, "active directory domain name" },
- 	{ opt_domain_realm, "kerberos realm for the domain" },
- 	{ opt_domain_controller, "domain directory server to connect to" },
-+	{ opt_use_ldaps, "use LDAPS port for communication" },
- 	{ opt_login_ccache, "kerberos credential cache file which contains\n"
- 	                    "ticket to used to connect to the domain" },
- 	{ opt_login_user, "user (usually administrative) login name of\n"
-@@ -136,6 +138,9 @@ parse_option (Option opt,
- 			stdin_password = 1;
- 		}
- 		return ADCLI_SUCCESS;
-+	case opt_use_ldaps:
-+		adcli_conn_set_use_ldaps (conn, true);
-+		return ADCLI_SUCCESS;
- 	case opt_verbose:
- 		return ADCLI_SUCCESS;
- 	default:
-@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "no-password", no_argument, 0, opt_no_password },
-@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "no-password", no_argument, 0, opt_no_password },
-@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
-@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "no-password", no_argument, 0, opt_no_password },
-@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "no-password", no_argument, 0, opt_no_password },
-@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
- 		{ "domain", required_argument, NULL, opt_domain },
- 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
- 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
-+		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
- 		{ "login-user", required_argument, NULL, opt_login_user },
- 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
- 		{ "no-password", no_argument, 0, opt_no_password },
--- 
-2.25.1
-

0006-discovery-fix.patch

@@ -1,27 +0,0 @@
-From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 11 Feb 2020 17:42:03 +0100
-Subject: [PATCH 6/6] discovery fix
-
-Do not continue processing on closed connection.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
----
- library/addisco.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/library/addisco.c b/library/addisco.c
-index 6e73ead..f3b3546 100644
---- a/library/addisco.c
-+++ b/library/addisco.c
-@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
- 			                            "Couldn't perform discovery search");
- 			ldap_unbind_ext_s (ldap[i], NULL, NULL);
- 			ldap[i] = NULL;
-+			continue;
- 		}
- 
- 		/* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
--- 
-2.25.1
-

adcli.spec

@@ -1,40 +1,66 @@
-Name:		adcli
-Version:	0.9.0
-Release:	4%{?dist}
-Summary:	Active Directory enrollment
-License:	LGPLv2+
-URL:		http://cgit.freedesktop.org/realmd/adcli
-Source0:	https://gitlab.freedesktop.org/realmd/adcli/uploads/02d8757266c24fdc10822306582287bf/adcli-%{version}.tar.gz
+%global with_selinux 1
+%global selinuxtype targeted
+%global modulename adcli
 
-Patch1:		0001-man-move-note-to-the-right-section.patch
-Patch2:		0002-tools-add-show-computer-command.patch
-Patch3:		0003-add-description-option-to-join-and-update.patch
-Patch4:		0004-Use-GSS-SPNEGO-if-available.patch
-Patch5:		0005-add-option-use-ldaps.patch
-Patch6:		0006-discovery-fix.patch
-Patch7:		0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
-Patch8:		0001-tools-disable-SSSD-s-locator-plugin.patch
+Name:    adcli
+Version: 0.9.3.1
+Release: 4%{?dist}
+Summary: Active Directory enrollment
+License: LGPL-2.1-or-later
+URL:     https://gitlab.freedesktop.org/realmd/adcli
+Source0: https://gitlab.freedesktop.org/-/project/1196/uploads/5a1c55410c0965835b81fbd28d820d46/adcli-%{version}.tar.gz
 
+Patch1: 0001-enroll-fix-issues-if-default-keytab-is-used.patch
 
-BuildRequires:	gcc
-BuildRequires:	intltool pkgconfig
-BuildRequires:	libtool
-BuildRequires:	gettext-devel
-BuildRequires:	krb5-devel
-BuildRequires:	openldap-devel
-BuildRequires:	libxslt
-BuildRequires:	xmlto
+BuildRequires: gcc
+BuildRequires: intltool pkgconfig
+BuildRequires: libtool
+BuildRequires: gettext-devel
+BuildRequires: krb5-devel
+BuildRequires: openldap-devel
+BuildRequires: libxslt
+BuildRequires: xmlto
+BuildRequires: make
+BuildRequires: libnetapi-devel
 
-Requires:	cyrus-sasl-gssapi
+# Build dependencies for SELinux policy
+%if %{with selinux}
+BuildRequires:  libselinux-devel
+BuildRequires:  selinux-policy-devel
+%endif
+
+Requires: cyrus-sasl-gssapi
+Conflicts: adcli-doc < %{version}-%{release}
 
 # adcli no longer has a library of development files
 # the adcli tool itself is to be used by callers
-Obsoletes:	adcli-devel < 0.5
+Obsoletes: adcli-devel < 0.5
+
+%if %{with selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
 
 %description
 adcli is a tool for joining an Active Directory domain using
 standard LDAP and Kerberos calls.
 
+%if %{with selinux}
+# SELinux subpackage
+%package selinux
+Summary:             The adcli SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+%{?selinux_requires_min}
+
+%description selinux
+Custom SELinux policy module for adcli to make sure generated Kerberos keytab
+files have the right SELinux context.
+%endif
+
 %define _hardened_build 1
 
 %prep
@@ -42,26 +68,50 @@ standard LDAP and Kerberos calls.
 
 %build
 autoreconf --force --install --verbose
-%configure --disable-static --disable-silent-rules
-make %{?_smp_mflags}
+%configure --disable-static --disable-silent-rules \
+%if 0%{?rhel}
+    --with-vendor-error-message='Please check\n    https://red.ht/support_rhel_ad \nto get help for common issues.' \
+%endif
+    %{nil}
+%make_build
 
 %check
 make check
 
 %install
-make install DESTDIR=%{buildroot}
+%make_install
 find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 
 %ldconfig_scriptlets
 
+%if %{with selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%endif
+
 %files
 %{_sbindir}/adcli
 %doc AUTHORS COPYING ChangeLog NEWS README
 %doc %{_mandir}/*/*
 
 %package doc
-Summary: adcli documentation
+Summary: The adcli documentation package
 BuildArch: noarch
+Conflicts: adcli < %{version}-%{release}
 
 %description doc
 adcli is a tool for joining an Active Directory domain using
@@ -71,7 +121,102 @@ documentation.
 %files doc
 %doc %{_datadir}/doc/adcli/*
 
+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
 %changelog
+* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
+
+* Fri Dec 19 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-3
+- Fix issue with restoring SELinux file label
+
+* Tue Dec 16 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-2
+- Use selinux_requires_min to avoid policycoreutils-python-utils dependency
+  Resolves: rhbz#2422451
+
+* Tue Dec 09 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-1
+- Rebase to latest upstream version
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Wed Nov 20 2024 Sumit Bose <sbose@redhat.com> - 0.9.2-8
+- support for Samba's offline join and static analyser fixes
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Oct 18 2023 Sumit Bose <sbose@redhat.com> - 0.9.2-4
+- migrated to SPDX license
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Sep 29 2022 Sumit Bose <sbose@redhat.com> - 0.9.2-1
+- Update to upstream release 0.9.2
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Jul 28 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-9
+- Add ns_get16() and ns_get32() to configure check
+  Resolves: rhbz#1984891
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jun 28 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-7
+- Add user-passwd sub-command
+- Add setattr/delattr option
+
+* Thu Jun 03 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-6
+- Add fix for dont-expire-password option
+
+* Wed Jun 02 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-5
+- Add dont-expire-password option and coverity fixes
+
+* Wed Apr 07 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-4
+- Add macro updates for autoconf-2.71 and downstream gating
+
+* Mon Mar 29 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-3
+- Add vendor error message
+  Resolves: rhbz#1889386
+
+* Sat Feb 20 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-2
+- Add Conflicts to avoid update/downgrade issues
+
+* Sat Feb 20 2021 Sumit Bose <sbose@redhat.com> - 0.9.1-1
+- Update to upstream release 0.9.1
+
+* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Nov 13 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-6
+- Include the latest upstream patches with use-ldaps fixes, man page
+  improvements and a new sub-command to create managed service accounts
+
+* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.9.0-5
+- man page and help output fixes
+
 * Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.0-4
 - Second attempt - Rebuilt for
   https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -1 +1 @@
-SHA512 (adcli-0.9.0.tar.gz) = e9b210bf7a932750fc838d6f027ca1fbeca1bd6a0028b551c9a72c0fe3ee680d47031c614b74447613d06bd41462c489e8572d49e60b344d575ebb572c022344
+SHA512 (adcli-0.9.3.1.tar.gz) = 3f501173b5344b38f33a3f65faec9e894da81b44b37bb161da103d8a29459d8807dfe566a5dd0a8c7eec466567b6cca4331c81dd70158b5478a61b03be37355d