diff --git a/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch b/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
new file mode 100644
index 0000000..f37f2f1
--- /dev/null
+++ b/SOURCES/0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
@@ -0,0 +1,216 @@
+From 0a0d0f66409eb83e06b7dc50543c2f6c15a36bc4 Mon Sep 17 00:00:00 2001
+From: Alexey A Nikitin <nikitin@amazon.com>
+Date: Mon, 29 Oct 2018 20:40:36 -0700
+Subject: [PATCH] Make 'adcli info' DC location mechanism more compliant with
+ [MS-ADTS] and [MS-NRPC]
+
+AD specifications say that DC locator must attempt to find a suitable DC for the client. That means going through all of the DCs in SRV RRs one by one until one of them answers.
+
+The problem with adcli's original behavior is that it queries only five DCs from SRV, ever. This becomes a problem if for any reason there is a large number of DCs in the domain from which the client cannot get a CLDAP response.
+---
+ library/addisco.c | 146 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 94 insertions(+), 52 deletions(-)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 8cc5bf0..6e73ead 100644
+--- a/library/addisco.c
++++ b/library/addisco.c
+@@ -41,8 +41,10 @@
+ #include <string.h>
+ #include <time.h>
+
+-/* Number of servers to do discovery against */
+-#define DISCO_COUNT 5
++/* Number of servers to do discovery against.
++ * For AD DS maximum number of DCs is 1200.
++ */
++#define DISCO_COUNT 1200
+
+ /* The time period in which to do rapid requests */
+ #define DISCO_FEVER 1
+@@ -453,6 +455,51 @@ parse_disco (LDAP *ldap,
+ return usability;
+ }
+
++static int
++ldap_disco_poller (LDAP **ldap,
++ LDAPMessage **message,
++ adcli_disco **results,
++ const char **addrs)
++{
++ int found = ADCLI_DISCO_UNUSABLE;
++ int close_ldap;
++ int parsed;
++ int ret = 0;
++ struct timeval tvpoll = { 0, 0 };
++
++ switch (ldap_result (*ldap, LDAP_RES_ANY, 1, &tvpoll, message)) {
++ case LDAP_RES_SEARCH_ENTRY:
++ case LDAP_RES_SEARCH_RESULT:
++ parsed = parse_disco (*ldap, *addrs, *message, results);
++ if (parsed > found)
++ found = parsed;
++ ldap_msgfree (*message);
++ close_ldap = 1;
++ break;
++ case -1:
++ ldap_get_option (*ldap, LDAP_OPT_RESULT_CODE, &ret);
++ close_ldap = 1;
++ break;
++ default:
++ ldap_msgfree (*message);
++ close_ldap = 0;
++ break;
++ }
++
++ if (ret != LDAP_SUCCESS) {
++ _adcli_ldap_handle_failure (*ldap, ADCLI_ERR_CONFIG,
++ "Couldn't perform discovery search");
++ }
++
++ /* Done with this connection */
++ if (close_ldap) {
++ ldap_unbind_ext_s (*ldap, NULL, NULL);
++ *ldap = NULL;
++ }
++
++ return found;
++}
++
+ static int
+ ldap_disco (const char *domain,
+ srvinfo *srv,
+@@ -477,6 +524,7 @@ ldap_disco (const char *domain,
+ int num, i;
+ int ret;
+ int have_any = 0;
++ struct timeval interval;
+
+ if (domain) {
+ value = _adcli_ldap_escape_filter (domain);
+@@ -540,7 +588,6 @@ ldap_disco (const char *domain,
+ version = LDAP_VERSION3;
+ ldap_set_option (ldap[num], LDAP_OPT_PROTOCOL_VERSION, &version);
+ ldap_set_option (ldap[num], LDAP_OPT_REFERRALS , 0);
+- _adcli_info ("Sending netlogon pings to domain controller: %s", url);
+ addrs[num] = srv->hostname;
+ have_any = 1;
+ num++;
+@@ -555,70 +602,65 @@ ldap_disco (const char *domain,
+ freeaddrinfo (res);
+ }
+
+- /* Wait for the first response. Poor mans fd watch */
+- for (started = now = time (NULL);
+- have_any && found != ADCLI_DISCO_USABLE && now < started + DISCO_TIME;
+- now = time (NULL)) {
++ /* Initial send and short time wait */
++ interval.tv_sec = 0;
++ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
++ int parsed;
++
++ if (NULL == ldap[i])
++ continue;
+
+- struct timeval tvpoll = { 0, 0 };
+- struct timeval interval;
++ have_any = 1;
++ _adcli_info ("Sending NetLogon ping to domain controller: %s", addrs[i]);
+
+- /* If in the initial period, send feverishly */
+- if (now < started + DISCO_FEVER) {
+- interval.tv_sec = 0;
+- interval.tv_usec = 100 * 1000;
++ ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
++ filter, attrs, 0, NULL, NULL, NULL,
++ -1, &msgidp);
++
++ if (ret != LDAP_SUCCESS) {
++ _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
++ "Couldn't perform discovery search");
++ ldap_unbind_ext_s (ldap[i], NULL, NULL);
++ ldap[i] = NULL;
++ }
++
++ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
++ * five DCs are given 0.4 seconds timeout, next five are given 0.2
++ * seconds, and the rest are given 0.1 seconds
++ */
++ if (i < 5) {
++ interval.tv_usec = 400000;
++ } else if (i < 10) {
++ interval.tv_usec = 200000;
+ } else {
+- interval.tv_sec = 1;
+- interval.tv_usec = 0;
++ interval.tv_usec = 100000;
+ }
++ select (0, NULL, NULL, NULL, &interval);
++
++ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
++ if (parsed > found)
++ found = parsed;
++ }
++
++ /* Wait some more until LDAP timeout (DISCO_TIME) */
++ for (started = now = time (NULL);
++ have_any && ADCLI_DISCO_UNUSABLE == found && now < started + DISCO_TIME;
++ now = time (NULL)) {
+
+ select (0, NULL, NULL, NULL, &interval);
+
+ have_any = 0;
+- for (i = 0; found != ADCLI_DISCO_USABLE && i < num; i++) {
+- int close_ldap;
++ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
+ int parsed;
+
+ if (ldap[i] == NULL)
+ continue;
+
+- ret = 0;
+ have_any = 1;
+- switch (ldap_result (ldap[i], LDAP_RES_ANY, 1, &tvpoll, &message)) {
+- case LDAP_RES_SEARCH_ENTRY:
+- case LDAP_RES_SEARCH_RESULT:
+- parsed = parse_disco (ldap[i], addrs[i], message, results);
+- if (parsed > found)
+- found = parsed;
+- ldap_msgfree (message);
+- close_ldap = 1;
+- break;
+- case 0:
+- ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
+- filter, attrs, 0, NULL, NULL, NULL,
+- -1, &msgidp);
+- close_ldap = (ret != 0);
+- break;
+- case -1:
+- ldap_get_option (ldap[i], LDAP_OPT_RESULT_CODE, &ret);
+- close_ldap = 1;
+- break;
+- default:
+- ldap_msgfree (message);
+- close_ldap = 0;
+- break;
+- }
+-
+- if (ret != LDAP_SUCCESS) {
+- _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
+- "Couldn't perform discovery search");
+- }
+
+- /* Done with this connection */
+- if (close_ldap) {
+- ldap_unbind_ext_s (ldap[i], NULL, NULL);
+- ldap[i] = NULL;
+- }
++ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
++ if (parsed > found)
++ found = parsed;
+ }
+ }
+
+--
+2.26.2
+
diff --git a/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch b/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
new file mode 100644
index 0000000..15aaf07
--- /dev/null
+++ b/SOURCES/0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
@@ -0,0 +1,32 @@
+From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 5 Jun 2020 17:06:58 +0200
+Subject: [PATCH] delete: do not exit if keytab cannot be read
+
+Reading the keytab is not required when deleting a host object in AD. It
+is only needed in the case where the host was added with a manual set
+NetBIOS name (--computer-name option) which does not match the short
+hostname and no computer name was given at the delete-computer command
+line.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
+---
+ tools/computer.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index 292c4d8..a90c4b2 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
+ if (res != ADCLI_SUCCESS) {
+ warnx ("couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
+- adcli_enroll_unref (enroll);
+- return -res;
+ }
+
+ res = adcli_conn_connect (conn);
+--
+2.26.2
+
diff --git a/SOURCES/0001-discovery-fix.patch b/SOURCES/0001-discovery-fix.patch
new file mode 100644
index 0000000..7c1018d
--- /dev/null
+++ b/SOURCES/0001-discovery-fix.patch
@@ -0,0 +1,27 @@
+From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 11 Feb 2020 17:42:03 +0100
+Subject: [PATCH] discovery fix
+
+Do not continue processing on closed connection.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
+---
+ library/addisco.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/library/addisco.c b/library/addisco.c
+index 6e73ead..f3b3546 100644
+--- a/library/addisco.c
++++ b/library/addisco.c
+@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
+ "Couldn't perform discovery search");
+ ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ ldap[i] = NULL;
++ continue;
+ }
+
+ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+--
+2.26.2
+
diff --git a/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch b/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
new file mode 100644
index 0000000..191fa3e
--- /dev/null
+++ b/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
@@ -0,0 +1,44 @@
+From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 15 Jun 2020 15:57:47 +0200
+Subject: [PATCH] man: explain optional parameter of login-ccache better
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index acced25..ecf8726 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ <varlistentry>
+ <term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+ <listitem><para>Use the specified kerberos credential
+- cache to authenticate with the domain. If no credential
+- cache is specified, the default kerberos credential
+- cache will be used. Credential caches of type FILE can
+- be given with the path to the file. For other
+- credential cache types, e.g. DIR, KEYRING or KCM, the
+- type must be specified explicitly together with a
+- suitable identifier.</para></listitem>
++ cache to authenticate with the domain. If no credential
++ cache is specified, the default kerberos credential
++ cache will be used. Credential caches of type FILE can
++ be given with the path to the file. For other
++ credential cache types, e.g. DIR, KEYRING or KCM, the
++ type must be specified explicitly together with a
++ suitable identifier.</para>
++ <para>Please note that since the
++ <parameter>ccache_name</parameter> is optional the
++ =(equal) sign is mandatory. If = is missing the
++ parameter is treated as optionless extra argument. How
++ this is handled depends on the specific sub-command.
++ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>-U, --login-user=<parameter>User</parameter></option></term>
+--
+2.26.2
+
diff --git a/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch b/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch
new file mode 100644
index 0000000..3d5955a
--- /dev/null
+++ b/SOURCES/0001-man-make-handling-of-optional-credential-cache-more-.patch
@@ -0,0 +1,41 @@
+From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 13 Aug 2020 17:10:01 +0200
+Subject: [PATCH] man: make handling of optional credential cache more clear
+
+The optional Kerberos credential cache can only be used with the long
+option name --login-ccache and not with the short version -C. To make
+this more clear each option get its own entry.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index ecf8726..1437679 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+- <term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+- <listitem><para>Use the specified kerberos credential
++ <term><option>-C</option></term>
++ <listitem><para>Use the default Kerberos credential
++ cache to authenticate with the domain.
++ </para></listitem>
++ </varlistentry>
++ <varlistentry>
++ <term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
++ <listitem><para>Use the specified Kerberos credential
+ cache to authenticate with the domain. If no credential
+- cache is specified, the default kerberos credential
++ cache is specified, the default Kerberos credential
+ cache will be used. Credential caches of type FILE can
+ be given with the path to the file. For other
+ credential cache types, e.g. DIR, KEYRING or KCM, the
+--
+2.26.2
+
diff --git a/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch b/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
new file mode 100644
index 0000000..07d791e
--- /dev/null
+++ b/SOURCES/0001-tools-disable-SSSD-s-locator-plugin.patch
@@ -0,0 +1,41 @@
+From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 5 Jun 2020 17:28:28 +0200
+Subject: [PATCH] tools: disable SSSD's locator plugin
+
+MIT's libkrb5 checks available locator plugins first before checking the
+config file. This might cause issues when the locator plugin returns a
+different DC than the one used for the LDAP connection if some data must
+be replicated.
+
+This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
+'true' to disable SSSD's locator plugin for adcli.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
+---
+ tools/tools.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tools.c b/tools/tools.c
+index 9d422f2..1b6d879 100644
+--- a/tools/tools.c
++++ b/tools/tools.c
+@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
+ }
+
+ unsetenv ("KRB5_CONFIG");
++ unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
+ }
+
+ static void
+@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
+ adcli_krb5_conf_filename = filename;
+ adcli_krb5_d_directory = snippets;
+ setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
++ setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
+
+ } else {
+ free (filename);
+--
+2.26.2
+
diff --git a/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch b/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch
new file mode 100644
index 0000000..d82d49c
--- /dev/null
+++ b/SOURCES/0001-tools-fix-typo-in-show-password-help-output.patch
@@ -0,0 +1,26 @@
+From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 15 Jun 2020 15:41:53 +0200
+Subject: [PATCH] tools: fix typo in show-password help output
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
+---
+ tools/computer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/computer.c b/tools/computer.c
+index a90c4b2..24ea258 100644
+--- a/tools/computer.c
++++ b/tools/computer.c
+@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
+ "accounts" },
+ { opt_show_details, "show information about joining the domain after\n"
+ "a successful join" },
+- { opt_show_password, "show computer account password after after a\n"
++ { opt_show_password, "show computer account password after a\n"
+ "successful join" },
+ { opt_add_samba_data, "add domain SID and computer account password\n"
+ "to the Samba specific configuration database" },
+--
+2.26.2
+
diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec
index 022476f..df51d54 100644
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@@ -1,6 +1,6 @@
Name: adcli
Version: 0.8.2
-Release: 5%{?dist}
+Release: 7%{?dist}
Summary: Active Directory enrollment
License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/adcli
@@ -107,6 +107,24 @@ Patch60: 0002-add-description-option-to-join-and-update.patch
Patch61: 0001-Use-GSS-SPNEGO-if-available.patch
Patch62: 0002-add-option-use-ldaps.patch
+# rhbz#1806260 - [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6
+Patch63: 0001-Make-adcli-info-DC-location-mechanism-more-compliant.patch
+Patch64: 0001-discovery-fix.patch
+
+# rhbz#1846882 - No longer able to delete computer from AD using adcli
+Patch65: 0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
+
+# rhbz#1846878 - adcli: presetting $computer in $domain domain failed: Cannot
+# set computer password: Authentication error
+Patch66: 0001-tools-disable-SSSD-s-locator-plugin.patch
+
+# rhbz#1791611 - Typo in adcli update --help option
+Patch67: 0001-tools-fix-typo-in-show-password-help-output.patch
+
+# rhbz#1791545 - Manpage and help does not explain the use of "-C" option
+Patch68: 0001-man-explain-optional-parameter-of-login-ccache-bette.patch
+Patch69: 0001-man-make-handling-of-optional-credential-cache-more-.patch
+
BuildRequires: gcc
BuildRequires: intltool pkgconfig
BuildRequires: libtool
@@ -167,6 +185,17 @@ documentation.
%doc %{_datadir}/doc/adcli/*
%changelog
+* Thu Aug 13 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-7
+- Improve "-C" option description in man page even more [#1791545]
+
+* Mon Jun 15 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-6
+- [abrt] [faf] adcli: raise(): /usr/sbin/adcli killed by 6 [#1806260]
+- No longer able to delete computer from AD using adcli [#1846882]
+- adcli: presetting $computer in $domain domain failed: Cannot set computer
+ password: Authentication error [#1846878]
+- Typo in adcli update --help option [#1791611]
+- Manpage and help does not explain the use of "-C" option [#1791545]
+
* Wed Jan 29 2020 Sumit Bose <sbose@redhat.com> - 0.8.2-5
- adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t
sssd [#1762420]