diff --git a/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch b/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
new file mode 100644
index 0000000..46dad64
--- /dev/null
+++ b/SOURCES/0001-man-explain-optional-parameter-of-login-ccache-bette.patch
@@ -0,0 +1,44 @@
+From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 15 Jun 2020 15:57:47 +0200
+Subject: [PATCH] man: explain optional parameter of login-ccache better
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index acced25..ecf8726 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ 		<varlistentry>
+ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+ 			<listitem><para>Use the specified kerberos credential
+-                        cache to authenticate with the domain. If no credential
+-                        cache is specified, the default kerberos credential
+-                        cache will be used. Credential caches of type FILE can
+-                        be given with the path to the file. For other
+-                        credential cache types, e.g. DIR, KEYRING or KCM, the
+-                        type must be specified explicitly together with a
+-                        suitable identifier.</para></listitem>
++			cache to authenticate with the domain. If no credential
++			cache is specified, the default kerberos credential
++			cache will be used. Credential caches of type FILE can
++			be given with the path to the file. For other
++			credential cache types, e.g. DIR, KEYRING or KCM, the
++			type must be specified explicitly together with a
++			suitable identifier.</para>
++			<para>Please note that since the
++			<parameter>ccache_name</parameter> is optional the
++			=(equal) sign is mandatory. If = is missing the
++			parameter is treated as optionless extra argument. How
++			this is handled depends on the specific sub-command.
++			</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+ 			<term><option>-U, --login-user=<parameter>User</parameter></option></term>
+-- 
+2.28.0
+
diff --git a/SOURCES/0002-man-make-handling-of-optional-credential-cache-more-.patch b/SOURCES/0002-man-make-handling-of-optional-credential-cache-more-.patch
new file mode 100644
index 0000000..0b6ced5
--- /dev/null
+++ b/SOURCES/0002-man-make-handling-of-optional-credential-cache-more-.patch
@@ -0,0 +1,42 @@
+From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 13 Aug 2020 17:10:01 +0200
+Subject: [PATCH 2/2] man: make handling of optional credential cache more
+ clear
+
+The optional Kerberos credential cache can only be used with the long
+option name --login-ccache and not with the short version -C. To make
+this more clear each option get its own entry.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
+---
+ doc/adcli.xml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/doc/adcli.xml b/doc/adcli.xml
+index ecf8726..1437679 100644
+--- a/doc/adcli.xml
++++ b/doc/adcli.xml
+@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
+ 			</para></listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+-			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
+-			<listitem><para>Use the specified kerberos credential
++			<term><option>-C</option></term>
++			<listitem><para>Use the default Kerberos credential
++			cache to authenticate with the domain.
++			</para></listitem>
++		</varlistentry>
++		<varlistentry>
++			<term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
++			<listitem><para>Use the specified Kerberos credential
+ 			cache to authenticate with the domain. If no credential
+-			cache is specified, the default kerberos credential
++			cache is specified, the default Kerberos credential
+ 			cache will be used. Credential caches of type FILE can
+ 			be given with the path to the file. For other
+ 			credential cache types, e.g. DIR, KEYRING or KCM, the
+-- 
+2.28.0
+
diff --git a/SPECS/adcli.spec b/SPECS/adcli.spec
index d5eed34..b459314 100644
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@@ -1,6 +1,6 @@
 Name:           adcli
 Version:        0.8.1
-Release:        15%{?dist}
+Release:        16%{?dist}.1
 Summary:        Active Directory enrollment
 License:        LGPLv2+
 URL:            http://cgit.freedesktop.org/realmd/adcli
@@ -125,6 +125,10 @@ Patch69:         0001-delete-do-not-exit-if-keytab-cannot-be-read.patch
 # rhbz#1762633 - adcli: presetting $computer in $domain domain failed: Cannot set computer password: Authentication error
 Patch70:         0001-tools-disable-SSSD-s-locator-plugin.patch
 
+# rhbz#1871436 - adcli: couldn't connect to KEYRING:persistent:0:krb_ccache_jgrrBI8
+Patch71:         0001-man-explain-optional-parameter-of-login-ccache-bette.patch
+Patch72:         0002-man-make-handling-of-optional-credential-cache-more-.patch
+
 BuildRequires:  intltool pkgconfig
 BuildRequires:  libtool
 BuildRequires:  gettext-devel
@@ -173,6 +177,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %doc %{_mandir}/*/*
 
 %changelog
+* Mon Nov 23 2020 Sumit Bose <sbose@redhat.com> - 0.8.1-16.1
+- add missing patch for [#1871436]
+
+* Mon Nov 23 2020 Sumit Bose <sbose@redhat.com> - 0.8.1-16
+- adcli: couldn't connect to KEYRING:persistent:0:krb_ccache_jgrrBI8 [#1871436]
+
 * Mon Jun 08 2020 Sumit Bose <sbose@redhat.com> - 0.8.1-15
 - More fixes for RHEL-7.9
 - No longer able to delete computer from AD using adcli [#1840752]