Ubuntu
adcli package

Merge ~ahasenack/ubuntu/+source/adcli:groovy-adcli-upstream-fixes into ubuntu/+source/adcli:ubuntu/devel

Proposed by Andreas Hasenack on 2020-09-02

Status:

Merged

Approved by:

Andreas Hasenack on 2020-09-16

Approved revision:

778a64390fe2bd9c6a78f898a268dc9dacaa3fd7

Merged at revision:

778a64390fe2bd9c6a78f898a268dc9dacaa3fd7

Proposed branch:

~ahasenack/ubuntu/+source/adcli:groovy-adcli-upstream-fixes

Merge into:

ubuntu/+source/adcli:ubuntu/devel

Diff against target:

1448 lines (+1356/-1)

14 files modified

debian/changelog (+33/-0)
debian/control (+2/-1)
debian/patches/Use-GSS-SPNEGO-if-available.patch (+127/-0)
debian/patches/add-description-option-to-join-and-update.patch (+186/-0)
debian/patches/add-option-use-ldaps.patch (+383/-0)
debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch (+34/-0)
debian/patches/discovery-fix.patch (+29/-0)
debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch (+46/-0)
debian/patches/man-make-handling-of-optional-credential-cache-more-.patch (+43/-0)
debian/patches/man-move-note-to-the-right-section.patch (+50/-0)
debian/patches/series (+11/-0)
debian/patches/tools-add-show-computer-command.patch (+341/-0)
debian/patches/tools-disable-SSSD-s-locator-plugin.patch (+43/-0)
debian/patches/tools-fix-typo-in-show-password-help-output.patch (+28/-0)

Related bugs:

Bug #1868703: Support "ad_use_ldaps" flag for new AD requirements (ADV190023)	Undecided	Fix Released
Bug #1893784: [FFe]: apply some useful upstream changes	Undecided	Fix Released

Link a bug report

Reviewer	Date Requested	Status
Christian Ehrhardt  (community)		Approve on 2020-09-03
Canonical Server	2020-09-02	Pending
Review via email: mp+390164@code.launchpad.net

Description of the change

I cherry picked many fixes from upstream's git repo. They are not yet released, but fedora has them, and they are upstream essentially.

There are 4 groups of fixes:
- documentation fixes: no FFe needed
- fix for new AD settings introduced this year: bug #1868703 which already existed for sssd. I added an adcli task and an FFe request/justification. Initially I didn't think this needed an FFe, but changed my mind. Happy to discuss.
- new features that I thought were useful: new FFe bug #1893784
- other random fixes, no FFe

Not all of these can be tested/verified without an AD server lying around. Others you can check that the manpage was updated/fixed, or the new command and parameter exist when you check "adcli --help".

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/adcli-fixes

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-03:

This missed a review slot, I created one and grabbed it - but I'll need some more time after Lunch to complete.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-03:

FFe is required but already present - ok

Thanks for explaining yesterday that they have rare releases and a stack of packaging patches seems to be a common way - otherwise I'd have asked just that.

I think on the mechanical side (changelog, version, filenames, ...) everything is fine.
I'll next go through the patches one by one to see if I spot anything concerning.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-09-03:

tools-add-show-computer-command.patch - FFe, but ok
add-description-option-to-join-and-update.patch - FFe, but ok
Use-GSS-SPNEGO-if-available.patch - FFe, but ok
add-option-use-ldaps.patch - FFe, but ok
man-move-note-to-the-right-section.patch - ok
man-explain-optional-parameter-of-login-ccache-bette.patch - ok
man-make-handling-of-optional-credential-cache-more-.patch - ok
tools-fix-typo-in-show-password-help-output.patch - ok
discovery-fix.patch - ok
delete-do-not-exit-if-keytab-cannot-be-read.patch - ok
tools-disable-SSSD-s-locator-plugin.patch - FFe, but ok

The latter IMHO could cause a FFe worthy behavior change, but since you have an FFe bug already that isn't important.

-> All patches are upstream accepted.
-> No Further patches in the upload.
-> No patch forgotten in Changelog.

P.S. I have no test setup for adcli either and as you said "Not all of these can be tested/verified without an AD server lying around" :-/ But I have no better suggestion right now.
OTOH if these changes would be part of an upstream release we'd also not test them one by one.

LGTM +1!

Just curious, do you intend to submit that to Debian as well?
Or are we waiting on the (known to be slow) upstream release to drop this?

review: Approve

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-16:

Marking as approved, pending FFe verification.

Yes, I intend to submit all of this to debian

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-28:

Both ffes were just approved.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2020-09-28:

Tagging and uploading 778a64390fe2bd9c6a78f898a268dc9dacaa3fd7

$ git push pkg upload/0.9.0-1ubuntu1
Enumerating objects: 74, done.
Counting objects: 100% (74/74), done.
Delta compression using up to 4 threads
Compressing objects: 100% (69/69), done.
Writing objects: 100% (70/70), 23.07 KiB | 3.84 MiB/s, done.
Total 70 (delta 42), reused 0 (delta 0)
To ssh://git.launchpad.net/ubuntu/+source/adcli
* [new tag] upload/0.9.0-1ubuntu1 -> upload/0.9.0-1ubuntu1

$ dput ubuntu ../adcli_0.9.0-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../adcli_0.9.0-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../adcli_0.9.0-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading adcli_0.9.0-1ubuntu1.dsc: done.
  Uploading adcli_0.9.0-1ubuntu1.debian.tar.xz: done.
  Uploading adcli_0.9.0-1ubuntu1_source.buildinfo: done.
  Uploading adcli_0.9.0-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index 716a3a6..3445006 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,36 @@
++adcli (0.9.0-1ubuntu1) groovy; urgency=medium
++
++  * New features (LP: #1893784):
++    - d/p/tools-add-show-computer-command.patch: add a show-computer
++      command to print the LDAP attrs of the computer object
++    - d/p/add-description-option-to-join-and-update.patch: allow setting
++      an optional description on the computer account
++  * Handle new Active Directory requirements from
++    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
++    (LP: #1868703):
++    - d/p/Use-GSS-SPNEGO-if-available.patch: prefer GSS-SPNEGO over
++      GSSAPI if available, as that can handle some of the more advanced
++      features which can be required by an AD server
++    - d/p/add-option-use-ldaps.patch: add option to use LDAPS, useful
++      if for some reason the LDAP port is blocked.
++  * Documentation fixes:
++    - d/p/man-move-note-to-the-right-section.patch: move note about
++      password lifetime to the update section
++    - d/p/man-explain-optional-parameter-of-login-ccache-bette.patch,
++      d/p/man-make-handling-of-optional-credential-cache-more-.patch:
++      better explain the login-ccache and -C parameters
++    - d/p/tools-fix-typo-in-show-password-help-output.patch: typo fix
++  * Other fixes:
++    - d/p/discovery-fix.patch: do not continue processing on a closed
++      connection
++    - d/p/delete-do-not-exit-if-keytab-cannot-be-read.patch: fix computer
++      deletion when keytab cannot be read
++    - d/p/tools-disable-SSSD-s-locator-plugin.patch: ignore MIT's locator
++      plugin to avoid conflicts if it returns a different DC than the one
++      used for the LDAP connection
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 02 Sep 2020 09:50:18 -0300
++
  adcli (0.9.0-1) unstable; urgency=medium
    * New upstream release. (Closes: #941583)
 diff --git a/debian/control b/debian/control
 index 642e623..f529834 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: adcli
  Section: admin
  Priority: optional
--Maintainer: Laurent Bigonville <bigon@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Laurent Bigonville <bigon@debian.org>
  Build-Depends: debhelper (>= 12),
                 libkrb5-dev,
                 libldap2-dev,
 diff --git a/debian/patches/Use-GSS-SPNEGO-if-available.patch b/debian/patches/Use-GSS-SPNEGO-if-available.patch
 new file mode 100644
 index 0000000..f61ef39
 --- /dev/null
 +++ b/debian/patches/Use-GSS-SPNEGO-if-available.patch
@@ -0,0 +1,127 @@
++From a6f795ba3d6048b32d7863468688bf7f42b2cafd Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Fri, 11 Oct 2019 16:39:25 +0200
++Subject: [PATCH] Use GSS-SPNEGO if available
++
++Currently adcli uses the GSSAPI SASL mechanism for LDAP authentication
++and to establish encryption. While this works in general it does not
++handle some of the more advanced features which can be required by AD
++DCs.
++
++The GSS-SPNEGO mechanism can handle them and is used with this patch by
++adcli if the AD DC indicates that it supports it.
++
++Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
++---
++ library/adconn.c | 35 ++++++++++++++++++++++++++++++++++-
++ library/adconn.h |  3 +++
++ 2 files changed, 37 insertions(+), 1 deletion(-)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868703
++Last-Update: 2020-09-01
++diff --git a/library/adconn.c b/library/adconn.c
++index bcaced8..ffb54f9 100644
++--- a/library/adconn.c
+++++ b/library/adconn.c
++@@ -77,6 +77,7 @@ struct _adcli_conn_ctx {
++ 	char *default_naming_context;
++ 	char *configuration_naming_context;
++ 	char **supported_capabilities;
+++	char **supported_sasl_mechs;
++
++ 	/* Connect state */
++ 	LDAP *ldap;
++@@ -845,6 +846,7 @@ connect_and_lookup_naming (adcli_conn *conn,
++ 		"defaultNamingContext",
++ 		"configurationNamingContext",
++ 		"supportedCapabilities",
+++		"supportedSASLMechanisms",
++ 		NULL
++ 	};
++
++@@ -897,6 +899,11 @@ connect_and_lookup_naming (adcli_conn *conn,
++ 		                                                         "supportedCapabilities");
++ 	}
++
+++	if (conn->supported_sasl_mechs == NULL) {
+++		conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results,
+++		                                                       "supportedSASLMechanisms");
+++	}
+++
++ 	ldap_msgfree (results);
++
++ 	if (conn->default_naming_context == NULL) {
++@@ -1022,6 +1029,7 @@ authenticate_to_directory (adcli_conn *conn)
++ 	OM_uint32 minor;
++ 	ber_len_t ssf;
++ 	int ret;
+++	const char *mech = "GSSAPI";
++
++ 	if (conn->ldap_authenticated)
++ 		return ADCLI_SUCCESS;
++@@ -1038,7 +1046,11 @@ authenticate_to_directory (adcli_conn *conn)
++ 	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++ 	return_unexpected_if_fail (ret == 0);
++
++-	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL,
+++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
+++		mech =  "GSS-SPNEGO";
+++	}
+++
+++	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
++ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
++
++ 	/* Clear the credential cache GSSAPI to use (for this thread) */
++@@ -1231,6 +1243,7 @@ conn_free (adcli_conn *conn)
++ 	free (conn->default_naming_context);
++ 	free (conn->configuration_naming_context);
++ 	_adcli_strv_free (conn->supported_capabilities);
+++	_adcli_strv_free (conn->supported_sasl_mechs);
++
++ 	free (conn->computer_name);
++ 	free (conn->host_fqdn);
++@@ -1606,6 +1619,26 @@ adcli_conn_server_has_capability (adcli_conn *conn,
++ 	return 0;
++ }
++
+++bool
+++adcli_conn_server_has_sasl_mech (adcli_conn *conn,
+++                                 const char *mech)
+++{
+++	int i;
+++
+++	return_val_if_fail (conn != NULL, false);
+++	return_val_if_fail (mech != NULL, false);
+++
+++	if (!conn->supported_sasl_mechs)
+++		return false;
+++
+++	for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) {
+++		if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0)
+++			return true;
+++	}
+++
+++	return false;
+++}
+++
++ bool adcli_conn_is_writeable (adcli_conn *conn)
++ {
++ 	disco_dance_if_necessary (conn);
++diff --git a/library/adconn.h b/library/adconn.h
++index 1ad5715..37ebdd9 100644
++--- a/library/adconn.h
+++++ b/library/adconn.h
++@@ -149,6 +149,9 @@ void                adcli_conn_set_krb5_conf_dir     (adcli_conn *conn,
++ int                 adcli_conn_server_has_capability (adcli_conn *conn,
++                                                       const char *capability);
++
+++bool                adcli_conn_server_has_sasl_mech  (adcli_conn *conn,
+++                                                      const char *mech);
+++
++ bool                adcli_conn_is_writeable          (adcli_conn *conn);
++
++ #endif /* ADCONN_H_ */
++--
++GitLab
++
 diff --git a/debian/patches/add-description-option-to-join-and-update.patch b/debian/patches/add-description-option-to-join-and-update.patch
 new file mode 100644
 index 0000000..e8de6eb
 --- /dev/null
 +++ b/debian/patches/add-description-option-to-join-and-update.patch
@@ -0,0 +1,186 @@
++From 3937a2a7db90611aa7a93248233b0c5d31e85a3e Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Wed, 27 Nov 2019 14:48:32 +0100
++Subject: [PATCH] add description option to join and update
++
++This new option allows to set the description LDAP attribute for the AD
++computer object.
++
++Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
++---
++ doc/adcli.xml      | 10 ++++++++++
++ library/adenroll.c | 29 +++++++++++++++++++++++++++++
++ library/adenroll.h |  4 ++++
++ tools/computer.c   |  7 +++++++
++ 4 files changed, 50 insertions(+)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/3937a2a7db90611aa7a93248233b0c5d31e85a3e
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1893784
++Last-Update: 2020-09-02
++diff --git a/doc/adcli.xml b/doc/adcli.xml
++index 1f93186..dd30435 100644
++--- a/doc/adcli.xml
+++++ b/doc/adcli.xml
++@@ -275,6 +275,11 @@ Password for Administrator:
++ 			<listitem><para>Set the operating system version on the computer
++ 			account. Not set by default.</para></listitem>
++ 		</varlistentry>
+++		<varlistentry>
+++			<term><option>--description=<parameter>description</parameter></option></term>
+++			<listitem><para>Set the description attribute on the computer
+++			account. Not set by default.</para></listitem>
+++		</varlistentry>
++ 		<varlistentry>
++ 			<term><option>--service-name=<parameter>service</parameter></option></term>
++ 			<listitem><para>Additional service name for a kerberos
++@@ -416,6 +421,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
++ 			<listitem><para>Set the operating system version on the computer
++ 			account. Not set by default.</para></listitem>
++ 		</varlistentry>
+++		<varlistentry>
+++			<term><option>--description=<parameter>description</parameter></option></term>
+++			<listitem><para>Set the description attribute on the computer
+++			account. Not set by default.</para></listitem>
+++		</varlistentry>
++ 		<varlistentry>
++ 			<term><option>--service-name=<parameter>service</parameter></option></term>
++ 			<listitem><para>Additional service name for a Kerberos
++diff --git a/library/adenroll.c b/library/adenroll.c
++index 8d2adeb..246f658 100644
++--- a/library/adenroll.c
+++++ b/library/adenroll.c
++@@ -83,6 +83,7 @@ static char *default_ad_ldap_attrs[] =  {
++ 	"operatingSystemServicePack",
++ 	"pwdLastSet",
++ 	"userAccountControl",
+++	"description",
++ 	NULL,
++ };
++
++@@ -143,6 +144,7 @@ struct _adcli_enroll {
++ 	char *samba_data_tool;
++ 	bool trusted_for_delegation;
++ 	int trusted_for_delegation_explicit;
+++	char *description;
++ };
++
++ static adcli_result
++@@ -756,6 +758,8 @@ create_computer_account (adcli_enroll *enroll,
++ 	char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
++ 	LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, };
++ 	LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } };
+++	char *vals_description[] = { enroll->description, NULL };
+++	LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, };
++
++ 	char *val = NULL;
++
++@@ -774,6 +778,7 @@ create_computer_account (adcli_enroll *enroll,
++ 		&operatingSystemServicePack,
++ 		&userPrincipalName,
++ 		&servicePrincipalName,
+++		&description,
++ 		NULL
++ 	};
++
++@@ -1460,6 +1465,14 @@ update_computer_account (adcli_enroll *enroll)
++ 		res |= update_computer_attribute (enroll, ldap, mods);
++ 	}
++
+++	if (res == ADCLI_SUCCESS && enroll->description != NULL) {
+++		char *vals_description[] = { enroll->description, NULL };
+++		LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, };
+++		LDAPMod *mods[] = { &description, NULL, };
+++
+++		res |= update_computer_attribute (enroll, ldap, mods);
+++	}
+++
++ 	if (res != 0)
++ 		_adcli_info ("Updated existing computer account: %s", enroll->computer_dn);
++ }
++@@ -2899,6 +2912,22 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
++ 	enroll->trusted_for_delegation_explicit = 1;
++ }
++
+++void
+++adcli_enroll_set_description (adcli_enroll *enroll, const char *value)
+++{
+++	return_if_fail (enroll != NULL);
+++	if (value != NULL && value[0] != '\0') {
+++		_adcli_str_set (&enroll->description, value);
+++	}
+++}
+++
+++const char *
+++adcli_enroll_get_desciption (adcli_enroll *enroll)
+++{
+++	return_val_if_fail (enroll != NULL, NULL);
+++	return enroll->description;
+++}
+++
++ const char **
++ adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll)
++ {
++diff --git a/library/adenroll.h b/library/adenroll.h
++index 11eb517..0606169 100644
++--- a/library/adenroll.h
+++++ b/library/adenroll.h
++@@ -126,6 +126,10 @@ bool               adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll
++ void               adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
++                                                             bool value);
++
+++const char *       adcli_enroll_get_desciption          (adcli_enroll *enroll);
+++void               adcli_enroll_set_description         (adcli_enroll *enroll,
+++                                                         const char *value);
+++
++ krb5_kvno          adcli_enroll_get_kvno                (adcli_enroll *enroll);
++
++ void               adcli_enroll_set_kvno                (adcli_enroll *enroll,
++diff --git a/tools/computer.c b/tools/computer.c
++index c8b96a4..840e334 100644
++--- a/tools/computer.c
+++++ b/tools/computer.c
++@@ -112,6 +112,7 @@ typedef enum {
++ 	opt_trusted_for_delegation,
++ 	opt_add_service_principal,
++ 	opt_remove_service_principal,
+++	opt_description,
++ } Option;
++
++ static adcli_tool_desc common_usages[] = {
++@@ -142,6 +143,7 @@ static adcli_tool_desc common_usages[] = {
++ 	                              "in the userAccountControl attribute", },
++ 	{ opt_add_service_principal, "add the given service principal to the account\n" },
++ 	{ opt_remove_service_principal, "remove the given service principal from the account\n" },
+++	{ opt_description, "add a description to the account\n" },
++ 	{ opt_no_password, "don't prompt for or read a password" },
++ 	{ opt_prompt_password, "prompt for a password if necessary" },
++ 	{ opt_stdin_password, "read a password from stdin (until EOF) if\n"
++@@ -306,6 +308,9 @@ parse_option (Option opt,
++ 	case opt_remove_service_principal:
++ 		adcli_enroll_add_service_principal_to_remove (enroll, optarg);
++ 		return ADCLI_SUCCESS;
+++	case opt_description:
+++		adcli_enroll_set_description (enroll, optarg);
+++		return ADCLI_SUCCESS;
++ 	case opt_verbose:
++ 		return ADCLI_SUCCESS;
++
++@@ -369,6 +374,7 @@ adcli_tool_computer_join (adcli_conn *conn,
++ 		{ "os-name", required_argument, NULL, opt_os_name },
++ 		{ "os-version", required_argument, NULL, opt_os_version },
++ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
+++		{ "description", optional_argument, NULL, opt_description },
++ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
++ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
++ 		{ "add-service-principal", required_argument, NULL, opt_add_service_principal },
++@@ -487,6 +493,7 @@ adcli_tool_computer_update (adcli_conn *conn,
++ 		{ "os-name", required_argument, NULL, opt_os_name },
++ 		{ "os-version", required_argument, NULL, opt_os_version },
++ 		{ "os-service-pack", optional_argument, NULL, opt_os_service_pack },
+++		{ "description", optional_argument, NULL, opt_description },
++ 		{ "user-principal", optional_argument, NULL, opt_user_principal },
++ 		{ "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime },
++ 		{ "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
++--
++GitLab
++
 diff --git a/debian/patches/add-option-use-ldaps.patch b/debian/patches/add-option-use-ldaps.patch
 new file mode 100644
 index 0000000..47d9431
 --- /dev/null
 +++ b/debian/patches/add-option-use-ldaps.patch
@@ -0,0 +1,383 @@
++From 85097245b57f190337225dbdbf6e33b58616c092 Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Thu, 19 Dec 2019 07:22:33 +0100
++Subject: [PATCH] add option use-ldaps
++
++In general using the LDAP port with GSS-SPNEGO should satifiy all
++requirements an AD DC should have for authentication on an encrypted
++LDAP connection.
++
++But if e.g. the LDAP port is blocked by a firewall using the LDAPS port
++with TLS encryption might be an alternative. For this use case the
++--use-ldaps option is added.
++
++Related to https://bugzilla.redhat.com/show_bug.cgi?id=1762420
++---
++ doc/adcli.xml    | 24 +++++++++++++++
++ library/adconn.c | 79 ++++++++++++++++++++++++++++++++++++++++++------
++ library/adconn.h |  4 +++
++ tools/computer.c | 10 ++++++
++ tools/entry.c    | 11 +++++++
++ 5 files changed, 119 insertions(+), 9 deletions(-)
++
++ Ubuntu backport note: adjusted the ldap.conf path in the documentation
++
++Origin: backport, https://gitlab.freedesktop.org/realmd/adcli/-/commit/85097245b57f190337225dbdbf6e33b58616c092
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1868703
++Last-Update: 2020-09-01
++diff --git a/doc/adcli.xml b/doc/adcli.xml
++index dd30435..acced25 100644
++--- a/doc/adcli.xml
+++++ b/doc/adcli.xml
++@@ -128,6 +128,30 @@
++ 			If not specified, then an appropriate domain controller
++ 			is automatically discovered.</para></listitem>
++ 		</varlistentry>
+++		<varlistentry>
+++			<term><option>--use-ldaps</option></term>
+++			<listitem><para>Connect to the domain controller
+++			with LDAPS. By default the LDAP port is used and SASL
+++			GSS-SPNEGO or GSSAPI is used for authentication and to
+++			establish encryption. This should satisfy all
+++			requirements set on the server side and LDAPS should
+++			only be used if the LDAP port is not accessible due to
+++			firewalls or other reasons.</para>
+++			<para> Please note that the place where CA certificates
+++			can be found to validate the AD DC certificates
+++			must be configured in the OpenLDAP configuration
+++			file, e.g. <filename>/etc/ldap/ldap.conf</filename>.
+++			As an alternative it can be specified with the help of
+++			an environment variable, e.g.
+++<programlisting>
+++$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
+++...
+++</programlisting>
+++			Please see
+++			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
+++			<manvolnum>5</manvolnum></citerefentry> for details.
+++			</para></listitem>
+++		</varlistentry>
++ 		<varlistentry>
++ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
++ 			<listitem><para>Use the specified kerberos credential
++diff --git a/library/adconn.c b/library/adconn.c
++index ffb54f9..7bab852 100644
++--- a/library/adconn.c
+++++ b/library/adconn.c
++@@ -70,6 +70,7 @@ struct _adcli_conn_ctx {
++ 	char *domain_name;
++ 	char *domain_realm;
++ 	char *domain_controller;
+++	bool use_ldaps;
++ 	char *canonical_host;
++ 	char *domain_short;
++ 	char *domain_sid;
++@@ -773,7 +774,8 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap
++
++ static LDAP *
++ connect_to_address (const char *host,
++-                    const char *canonical_host)
+++                    const char *canonical_host,
+++                    bool use_ldaps)
++ {
++ 	struct addrinfo *res = NULL;
++ 	struct addrinfo *ai;
++@@ -783,6 +785,16 @@ connect_to_address (const char *host,
++ 	char *url;
++ 	int sock;
++ 	int rc;
+++	int opt_rc;
+++	const char *port = "389";
+++	const char *proto = "ldap";
+++	const char *errmsg = NULL;
+++
+++	if (use_ldaps) {
+++		port = "636";
+++		proto = "ldaps";
+++		_adcli_info ("Using LDAPS to connect to %s", host);
+++	}
++
++ 	memset (&hints, '\0', sizeof(hints));
++ #ifdef AI_ADDRCONFIG
++@@ -794,7 +806,7 @@ connect_to_address (const char *host,
++ 	if (!canonical_host)
++ 		canonical_host = host;
++
++-	rc = getaddrinfo (host, "389", &hints, &res);
+++	rc = getaddrinfo (host, port, &hints, &res);
++ 	if (rc != 0) {
++ 		_adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc));
++ 		return NULL;
++@@ -810,7 +822,7 @@ connect_to_address (const char *host,
++ 			close (sock);
++ 		} else {
++ 			error = 0;
++-			if (asprintf (&url, "ldap://%s", canonical_host) < 0)
+++			if (asprintf (&url, "%s://%s", proto, canonical_host) < 0)
++ 				return_val_if_reached (NULL);
++ 			rc = ldap_init_fd (sock, 1, url, &ldap);
++ 			free (url);
++@@ -820,6 +832,25 @@ connect_to_address (const char *host,
++ 				            ldap_err2string (rc));
++ 				break;
++ 			}
+++
+++			if (use_ldaps) {
+++				rc = ldap_install_tls (ldap);
+++				if (rc != LDAP_SUCCESS) {
+++					opt_rc = ldap_get_option (ldap,
+++					                          LDAP_OPT_DIAGNOSTIC_MESSAGE,
+++					                          (void *) &errmsg);
+++					if (opt_rc != LDAP_SUCCESS) {
+++						errmsg = NULL;
+++					}
+++					_adcli_err ("Couldn't initialize TLS [%s]: %s",
+++					            ldap_err2string (rc),
+++					            errmsg == NULL ? "- no details -"
+++					                           : errmsg);
+++					ldap_unbind_ext_s (ldap, NULL, NULL);
+++					ldap = NULL;
+++					break;
+++				}
+++			}
++ 		}
++ 	}
++
++@@ -856,7 +887,8 @@ connect_and_lookup_naming (adcli_conn *conn,
++ 	if (!canonical_host)
++ 		canonical_host = disco->host_addr;
++
++-	ldap = connect_to_address (disco->host_addr, canonical_host);
+++	ldap = connect_to_address (disco->host_addr, canonical_host,
+++	                           adcli_conn_get_use_ldaps (conn));
++ 	if (ldap == NULL)
++ 		return ADCLI_ERR_DIRECTORY;
++
++@@ -1041,14 +1073,28 @@ authenticate_to_directory (adcli_conn *conn)
++ 	status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL);
++ 	return_unexpected_if_fail (status == 0);
++
++-	/* Clumsily tell ldap + cyrus-sasl that we want encryption */
++-	ssf = 1;
++-	ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
++-	return_unexpected_if_fail (ret == 0);
+++	if (adcli_conn_get_use_ldaps (conn)) {
+++		/* do not use SASL encryption on LDAPS connection */
+++		ssf = 0;
+++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+++		return_unexpected_if_fail (ret == 0);
+++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf);
+++		return_unexpected_if_fail (ret == 0);
+++	} else {
+++		/* Clumsily tell ldap + cyrus-sasl that we want encryption */
+++		ssf = 1;
+++		ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf);
+++		return_unexpected_if_fail (ret == 0);
+++	}
++
++-	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")) {
+++	/* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if
+++	 * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used
+++	 * without LDAPS. */
+++	if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO")
+++	                     && !adcli_conn_get_use_ldaps (conn)) {
++ 		mech =  "GSS-SPNEGO";
++ 	}
+++	_adcli_info ("Using %s for SASL bind", mech);
++
++ 	ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL,
++ 	                                    LDAP_SASL_QUIET, sasl_interact, NULL);
++@@ -1230,6 +1276,7 @@ adcli_conn_new (const char *domain_name)
++ 	conn->refs = 1;
++ 	conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT;
++ 	adcli_conn_set_domain_name (conn, domain_name);
+++	adcli_conn_set_use_ldaps (conn, false);
++ 	return conn;
++ }
++
++@@ -1389,6 +1436,20 @@ adcli_conn_set_domain_controller (adcli_conn *conn,
++ 	no_more_disco (conn);
++ }
++
+++bool
+++adcli_conn_get_use_ldaps (adcli_conn *conn)
+++{
+++	return_val_if_fail (conn != NULL, NULL);
+++	return conn->use_ldaps;
+++}
+++
+++void
+++adcli_conn_set_use_ldaps (adcli_conn *conn, bool value)
+++{
+++	return_if_fail (conn != NULL);
+++	conn->use_ldaps = value;
+++}
+++
++ const char *
++ adcli_conn_get_domain_short (adcli_conn *conn)
++ {
++diff --git a/library/adconn.h b/library/adconn.h
++index 37ebdd9..1d5faa8 100644
++--- a/library/adconn.h
+++++ b/library/adconn.h
++@@ -89,6 +89,10 @@ const char *        adcli_conn_get_domain_controller (adcli_conn *conn);
++ void                adcli_conn_set_domain_controller (adcli_conn *conn,
++                                                       const char *value);
++
+++bool                adcli_conn_get_use_ldaps         (adcli_conn *conn);
+++void                adcli_conn_set_use_ldaps         (adcli_conn *conn,
+++                                                      bool value);
+++
++ const char *        adcli_conn_get_domain_short      (adcli_conn *conn);
++
++ const char *        adcli_conn_get_domain_sid        (adcli_conn *conn);
++diff --git a/tools/computer.c b/tools/computer.c
++index 840e334..292c4d8 100644
++--- a/tools/computer.c
+++++ b/tools/computer.c
++@@ -113,12 +113,14 @@ typedef enum {
++ 	opt_add_service_principal,
++ 	opt_remove_service_principal,
++ 	opt_description,
+++	opt_use_ldaps,
++ } Option;
++
++ static adcli_tool_desc common_usages[] = {
++ 	{ opt_domain, "active directory domain name" },
++ 	{ opt_domain_realm, "kerberos realm for the domain" },
++ 	{ opt_domain_controller, "domain controller to connect to" },
+++	{ opt_use_ldaps, "use LDAPS port for communication" },
++ 	{ opt_host_fqdn, "override the fully qualified domain name of the\n"
++ 	                 "local machine" },
++ 	{ opt_host_keytab, "filename for the host kerberos keytab" },
++@@ -311,6 +313,9 @@ parse_option (Option opt,
++ 	case opt_description:
++ 		adcli_enroll_set_description (enroll, optarg);
++ 		return ADCLI_SUCCESS;
+++	case opt_use_ldaps:
+++		adcli_conn_set_use_ldaps (conn, true);
+++		return ADCLI_SUCCESS;
++ 	case opt_verbose:
++ 		return ADCLI_SUCCESS;
++
++@@ -357,6 +362,7 @@ adcli_tool_computer_join (adcli_conn *conn,
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
++ 		{ "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "user", required_argument, NULL, opt_login_user }, /* compat */
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++@@ -688,6 +694,7 @@ adcli_tool_computer_preset (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++@@ -800,6 +807,7 @@ adcli_tool_computer_reset (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "login-type", required_argument, NULL, opt_login_type },
++@@ -888,6 +896,7 @@ adcli_tool_computer_delete (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "no-password", no_argument, 0, opt_no_password },
++@@ -985,6 +994,7 @@ adcli_tool_computer_show (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "login-type", required_argument, NULL, opt_login_type },
++diff --git a/tools/entry.c b/tools/entry.c
++index f361845..05e4313 100644
++--- a/tools/entry.c
+++++ b/tools/entry.c
++@@ -53,6 +53,7 @@ typedef enum {
++ 	opt_unix_gid,
++ 	opt_unix_shell,
++ 	opt_nis_domain,
+++	opt_use_ldaps,
++ } Option;
++
++ static adcli_tool_desc common_usages[] = {
++@@ -67,6 +68,7 @@ static adcli_tool_desc common_usages[] = {
++ 	{ opt_domain, "active directory domain name" },
++ 	{ opt_domain_realm, "kerberos realm for the domain" },
++ 	{ opt_domain_controller, "domain directory server to connect to" },
+++	{ opt_use_ldaps, "use LDAPS port for communication" },
++ 	{ opt_login_ccache, "kerberos credential cache file which contains\n"
++ 	                    "ticket to used to connect to the domain" },
++ 	{ opt_login_user, "user (usually administrative) login name of\n"
++@@ -136,6 +138,9 @@ parse_option (Option opt,
++ 			stdin_password = 1;
++ 		}
++ 		return ADCLI_SUCCESS;
+++	case opt_use_ldaps:
+++		adcli_conn_set_use_ldaps (conn, true);
+++		return ADCLI_SUCCESS;
++ 	case opt_verbose:
++ 		return ADCLI_SUCCESS;
++ 	default:
++@@ -172,6 +177,7 @@ adcli_tool_user_create (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "no-password", no_argument, 0, opt_no_password },
++@@ -306,6 +312,7 @@ adcli_tool_user_delete (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "no-password", no_argument, 0, opt_no_password },
++@@ -394,6 +401,7 @@ adcli_tool_group_create (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "domain-ou", required_argument, NULL, opt_domain_ou },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++@@ -496,6 +504,7 @@ adcli_tool_group_delete (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "no-password", no_argument, 0, opt_no_password },
++@@ -622,6 +631,7 @@ adcli_tool_member_add (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "no-password", no_argument, 0, opt_no_password },
++@@ -722,6 +732,7 @@ adcli_tool_member_remove (adcli_conn *conn,
++ 		{ "domain", required_argument, NULL, opt_domain },
++ 		{ "domain-realm", required_argument, NULL, opt_domain_realm },
++ 		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "use-ldaps", no_argument, 0, opt_use_ldaps },
++ 		{ "login-user", required_argument, NULL, opt_login_user },
++ 		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
++ 		{ "no-password", no_argument, 0, opt_no_password },
++--
++GitLab
++
 diff --git a/debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch b/debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch
 new file mode 100644
 index 0000000..d5f8ac8
 --- /dev/null
 +++ b/debian/patches/delete-do-not-exit-if-keytab-cannot-be-read.patch
@@ -0,0 +1,34 @@
++From 40d3be22f6e518e4354aa7c3d0278291fcbed32f Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Fri, 5 Jun 2020 17:06:58 +0200
++Subject: [PATCH] delete: do not exit if keytab cannot be read
++
++Reading the keytab is not required when deleting a host object in AD. It
++is only needed in the case where the host was added with a manual set
++NetBIOS name (--computer-name option) which does not match the short
++hostname and no computer name was given at the delete-computer command
++line.
++
++Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1840752
++---
++ tools/computer.c | 2 --
++ 1 file changed, 2 deletions(-)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/40d3be22f6e518e4354aa7c3d0278291fcbed32f
++Last-Update: 2020-09-02
++diff --git a/tools/computer.c b/tools/computer.c
++index 292c4d8..a90c4b2 100644
++--- a/tools/computer.c
+++++ b/tools/computer.c
++@@ -952,8 +952,6 @@ adcli_tool_computer_delete (adcli_conn *conn,
++ 	if (res != ADCLI_SUCCESS) {
++ 		warnx ("couldn't lookup domain info from keytab: %s",
++ 		       adcli_get_last_error ());
++-		adcli_enroll_unref (enroll);
++-		return -res;
++ 	}
++
++ 	res = adcli_conn_connect (conn);
++--
++GitLab
++
 diff --git a/debian/patches/discovery-fix.patch b/debian/patches/discovery-fix.patch
 new file mode 100644
 index 0000000..ebd1adf
 --- /dev/null
 +++ b/debian/patches/discovery-fix.patch
@@ -0,0 +1,29 @@
++From 08bac0946de29f3e5de90743ce6dfc7118d4ad20 Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Tue, 11 Feb 2020 17:42:03 +0100
++Subject: [PATCH] discovery fix
++
++Do not continue processing on closed connection.
++
++Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1802258
++---
++ library/addisco.c | 1 +
++ 1 file changed, 1 insertion(+)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/08bac0946de29f3e5de90743ce6dfc7118d4ad20
++Last-Update: 2020-09-02
++diff --git a/library/addisco.c b/library/addisco.c
++index 6e73ead..f3b3546 100644
++--- a/library/addisco.c
+++++ b/library/addisco.c
++@@ -622,6 +622,7 @@ ldap_disco (const char *domain,
++ 			                            "Couldn't perform discovery search");
++ 			ldap_unbind_ext_s (ldap[i], NULL, NULL);
++ 			ldap[i] = NULL;
+++			continue;
++ 		}
++
++ 		/* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
++--
++GitLab
++
 diff --git a/debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch b/debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch
 new file mode 100644
 index 0000000..0f3919b
 --- /dev/null
 +++ b/debian/patches/man-explain-optional-parameter-of-login-ccache-bette.patch
@@ -0,0 +1,46 @@
++From 93a39bd12db11dd407676f428cfbc30406a88c36 Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Mon, 15 Jun 2020 15:57:47 +0200
++Subject: [PATCH] man: explain optional parameter of login-ccache better
++
++Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
++---
++ doc/adcli.xml | 20 +++++++++++++-------
++ 1 file changed, 13 insertions(+), 7 deletions(-)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/93a39bd12db11dd407676f428cfbc30406a88c36
++Last-Update: 2020-09-02
++diff --git a/doc/adcli.xml b/doc/adcli.xml
++index acced25..ecf8726 100644
++--- a/doc/adcli.xml
+++++ b/doc/adcli.xml
++@@ -155,13 +155,19 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
++ 		<varlistentry>
++ 			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
++ 			<listitem><para>Use the specified kerberos credential
++-                        cache to authenticate with the domain. If no credential
++-                        cache is specified, the default kerberos credential
++-                        cache will be used. Credential caches of type FILE can
++-                        be given with the path to the file. For other
++-                        credential cache types, e.g. DIR, KEYRING or KCM, the
++-                        type must be specified explicitly together with a
++-                        suitable identifier.</para></listitem>
+++			cache to authenticate with the domain. If no credential
+++			cache is specified, the default kerberos credential
+++			cache will be used. Credential caches of type FILE can
+++			be given with the path to the file. For other
+++			credential cache types, e.g. DIR, KEYRING or KCM, the
+++			type must be specified explicitly together with a
+++			suitable identifier.</para>
+++			<para>Please note that since the
+++			<parameter>ccache_name</parameter> is optional the
+++			=(equal) sign is mandatory. If = is missing the
+++			parameter is treated as optionless extra argument. How
+++			this is handled depends on the specific sub-command.
+++			</para></listitem>
++ 		</varlistentry>
++ 		<varlistentry>
++ 			<term><option>-U, --login-user=<parameter>User</parameter></option></term>
++--
++GitLab
++
 diff --git a/debian/patches/man-make-handling-of-optional-credential-cache-more-.patch b/debian/patches/man-make-handling-of-optional-credential-cache-more-.patch
 new file mode 100644
 index 0000000..da13c13
 --- /dev/null
 +++ b/debian/patches/man-make-handling-of-optional-credential-cache-more-.patch
@@ -0,0 +1,43 @@
++From 88fbb7e2395dec20b37697a213a097909870c21f Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Thu, 13 Aug 2020 17:10:01 +0200
++Subject: [PATCH] man: make handling of optional credential cache more clear
++
++The optional Kerberos credential cache can only be used with the long
++option name --login-ccache and not with the short version -C. To make
++this more clear each option get its own entry.
++
++Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791545
++---
++ doc/adcli.xml | 12 +++++++++---
++ 1 file changed, 9 insertions(+), 3 deletions(-)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/88fbb7e2395dec20b37697a213a097909870c21f
++Last-Update: 2020-09-02
++diff --git a/doc/adcli.xml b/doc/adcli.xml
++index ecf8726..1437679 100644
++--- a/doc/adcli.xml
+++++ b/doc/adcli.xml
++@@ -153,10 +153,16 @@ $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.exa
++ 			</para></listitem>
++ 		</varlistentry>
++ 		<varlistentry>
++-			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
++-			<listitem><para>Use the specified kerberos credential
+++			<term><option>-C</option></term>
+++			<listitem><para>Use the default Kerberos credential
+++			cache to authenticate with the domain.
+++			</para></listitem>
+++		</varlistentry>
+++		<varlistentry>
+++			<term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
+++			<listitem><para>Use the specified Kerberos credential
++ 			cache to authenticate with the domain. If no credential
++-			cache is specified, the default kerberos credential
+++			cache is specified, the default Kerberos credential
++ 			cache will be used. Credential caches of type FILE can
++ 			be given with the path to the file. For other
++ 			credential cache types, e.g. DIR, KEYRING or KCM, the
++--
++GitLab
++
 diff --git a/debian/patches/man-move-note-to-the-right-section.patch b/debian/patches/man-move-note-to-the-right-section.patch
 new file mode 100644
 index 0000000..0b25c4d
 --- /dev/null
 +++ b/debian/patches/man-move-note-to-the-right-section.patch
@@ -0,0 +1,50 @@
++From d2d3879bdfcea70757a8b0527882e79e8b5c6e70 Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Wed, 27 Nov 2019 18:26:44 +0100
++Subject: [PATCH] man: move note to the right section
++
++Unfortunately the note about the password lifetime was added to the join
++section. This patch move it to the update section where it belongs to.
++
++Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738573
++           https://bugzilla.redhat.com/show_bug.cgi?id=1745931
++           https://bugzilla.redhat.com/show_bug.cgi?id=1774622
++---
++ doc/adcli.xml | 12 ++++++------
++ 1 file changed, 6 insertions(+), 6 deletions(-)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/d2d3879bdfcea70757a8b0527882e79e8b5c6e70
++Last-Update: 2020-09-02
++diff --git a/doc/adcli.xml b/doc/adcli.xml
++index 4f201e0..9faf96a 100644
++--- a/doc/adcli.xml
+++++ b/doc/adcli.xml
++@@ -330,11 +330,7 @@ Password for Administrator:
++ 			important here is currently the
++ 			<option>workgroup</option> option, see
++ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
++-			for details.</para>
++-			<para>Note that if the machine account password is not
++-			older than 30 days, you have to pass
++-			<option>--computer-password-lifetime=0</option> to
++-			force the update.</para></listitem>
+++			for details.</para></listitem>
++ 		</varlistentry>
++ 		<varlistentry>
++ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
++@@ -472,7 +468,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
++ 			important here is currently the
++ 			<option>workgroup</option> option, see
++ 			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
++-			for details.</para></listitem>
+++			for details.</para>
+++			<para>Note that if the machine account password is not
+++			older than 30 days, you have to pass
+++			<option>--computer-password-lifetime=0</option> to
+++			force the update.</para></listitem>
++ 		</varlistentry>
++ 		<varlistentry>
++ 			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
++--
++GitLab
++
 diff --git a/debian/patches/series b/debian/patches/series
 new file mode 100644
 index 0000000..0d3657d
 --- /dev/null
 +++ b/debian/patches/series
@@ -0,0 +1,11 @@
++tools-add-show-computer-command.patch
++add-description-option-to-join-and-update.patch
++Use-GSS-SPNEGO-if-available.patch
++add-option-use-ldaps.patch
++man-move-note-to-the-right-section.patch
++man-explain-optional-parameter-of-login-ccache-bette.patch
++man-make-handling-of-optional-credential-cache-more-.patch
++tools-fix-typo-in-show-password-help-output.patch
++discovery-fix.patch
++delete-do-not-exit-if-keytab-cannot-be-read.patch
++tools-disable-SSSD-s-locator-plugin.patch
 diff --git a/debian/patches/tools-add-show-computer-command.patch b/debian/patches/tools-add-show-computer-command.patch
 new file mode 100644
 index 0000000..29bb77f
 --- /dev/null
 +++ b/debian/patches/tools-add-show-computer-command.patch
@@ -0,0 +1,341 @@
++From 0a169bd9b2687293f74bb57694eb82f9769610c9 Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Wed, 27 Nov 2019 12:34:45 +0100
++Subject: [PATCH] tools: add show-computer command
++
++The show-computer command prints the LDAP attributes of the related
++computer object from AD.
++
++Related to https://bugzilla.redhat.com/show_bug.cgi?id=1737342
++---
++ doc/adcli.xml      | 28 ++++++++++++++
++ library/adenroll.c | 78 +++++++++++++++++++++++++++++---------
++ library/adenroll.h |  5 +++
++ tools/computer.c   | 93 ++++++++++++++++++++++++++++++++++++++++++++++
++ tools/tools.c      |  1 +
++ tools/tools.h      |  4 ++
++ 6 files changed, 191 insertions(+), 18 deletions(-)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/0a169bd9b2687293f74bb57694eb82f9769610c9
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1893784
++Last-Update: 2020-09-02
++diff --git a/doc/adcli.xml b/doc/adcli.xml
++index 9faf96a..1f93186 100644
++--- a/doc/adcli.xml
+++++ b/doc/adcli.xml
++@@ -93,6 +93,11 @@
++ 		<arg choice="opt">--domain=domain.example.com</arg>
++ 		<arg choice="plain">computer</arg>
++ 	</cmdsynopsis>
+++	<cmdsynopsis>
+++		<command>adcli show-computer</command>
+++		<arg choice="opt">--domain=domain.example.com</arg>
+++		<arg choice="plain">computer</arg>
+++	</cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsect1 id='general_overview'>
++@@ -811,6 +816,29 @@ Password for Administrator:
++
++ </refsect1>
++
+++<refsect1 id='show_computer_account'>
+++	<title>Show Computer Account Attributes</title>
+++
+++	<para><command>adcli show-computer</command> show the computer account
+++	attributes stored in AD. The account must already exist.</para>
+++
+++<programlisting>
+++$ adcli show-computer --domain=domain.example.com host2
+++Password for Administrator:
+++</programlisting>
+++
+++	<para>If the computer name contains a dot, then it is
+++	treated as fully qualified host name, otherwise it is treated
+++	as short computer name.</para>
+++
+++	<para>If no computer name is specified, then the host name of the
+++	computer adcli is running on is used, as returned by
+++	<literal>gethostname()</literal>.</para>
+++
+++	<para>The various global options can be used.</para>
+++
+++</refsect1>
+++
++ <refsect1 id='bugs'>
++ 	<title>Bugs</title>
++ 	<para>
++diff --git a/library/adenroll.c b/library/adenroll.c
++index 524663a..8d2adeb 100644
++--- a/library/adenroll.c
+++++ b/library/adenroll.c
++@@ -71,6 +71,21 @@ static krb5_enctype v51_earlier_enctypes[] = {
++ 	0
++ };
++
+++static char *default_ad_ldap_attrs[] =  {
+++	"sAMAccountName",
+++	"userPrincipalName",
+++	"msDS-KeyVersionNumber",
+++	"msDS-supportedEncryptionTypes",
+++	"dNSHostName",
+++	"servicePrincipalName",
+++	"operatingSystem",
+++	"operatingSystemVersion",
+++	"operatingSystemServicePack",
+++	"pwdLastSet",
+++	"userAccountControl",
+++	NULL,
+++};
+++
++ /* Some constants for the userAccountControl AD LDAP attribute, see e.g.
++  * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
++  * for details. */
++@@ -1213,19 +1228,6 @@ retrieve_computer_account (adcli_enroll *enroll)
++ 	char *end;
++ 	int ret;
++
++-	char *attrs[] =  {
++-		"msDS-KeyVersionNumber",
++-		"msDS-supportedEncryptionTypes",
++-		"dNSHostName",
++-		"servicePrincipalName",
++-		"operatingSystem",
++-		"operatingSystemVersion",
++-		"operatingSystemServicePack",
++-		"pwdLastSet",
++-		"userAccountControl",
++-		NULL,
++-	};
++-
++ 	assert (enroll->computer_dn != NULL);
++ 	assert (enroll->computer_attributes == NULL);
++
++@@ -1233,7 +1235,8 @@ retrieve_computer_account (adcli_enroll *enroll)
++ 	assert (ldap != NULL);
++
++ 	ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE,
++-	                         "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1,
+++	                         "(objectClass=*)", default_ad_ldap_attrs,
+++	                         0, NULL, NULL, NULL, -1,
++ 	                         &enroll->computer_attributes);
++
++ 	if (ret != LDAP_SUCCESS) {
++@@ -2179,12 +2182,11 @@ adcli_enroll_load (adcli_enroll *enroll)
++ }
++
++ adcli_result
++-adcli_enroll_update (adcli_enroll *enroll,
++-		     adcli_enroll_flags flags)
+++adcli_enroll_read_computer_account (adcli_enroll *enroll,
+++		                    adcli_enroll_flags flags)
++ {
++ 	adcli_result res = ADCLI_SUCCESS;
++ 	LDAP *ldap;
++-	char *value;
++
++ 	return_unexpected_if_fail (enroll != NULL);
++
++@@ -2214,7 +2216,18 @@ adcli_enroll_update (adcli_enroll *enroll,
++ 	}
++
++ 	/* Get information about the computer account */
++-	res = retrieve_computer_account (enroll);
+++	return retrieve_computer_account (enroll);
+++}
+++
+++adcli_result
+++adcli_enroll_update (adcli_enroll *enroll,
+++		     adcli_enroll_flags flags)
+++{
+++	adcli_result res = ADCLI_SUCCESS;
+++	LDAP *ldap;
+++	char *value;
+++
+++	res = adcli_enroll_read_computer_account (enroll, flags);
++ 	if (res != ADCLI_SUCCESS)
++ 		return res;
++
++@@ -2242,6 +2255,35 @@ adcli_enroll_update (adcli_enroll *enroll,
++ 	return enroll_join_or_update_tasks (enroll, flags);
++ }
++
+++adcli_result
+++adcli_enroll_show_computer_attribute (adcli_enroll *enroll)
+++{
+++	LDAP *ldap;
+++	size_t c;
+++	char **vals;
+++	size_t v;
+++
+++	ldap = adcli_conn_get_ldap_connection (enroll->conn);
+++	assert (ldap != NULL);
+++
+++	for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) {
+++		vals = _adcli_ldap_parse_values (ldap,
+++		                                 enroll->computer_attributes,
+++		                                 default_ad_ldap_attrs[c]);
+++		printf ("%s:\n", default_ad_ldap_attrs[c]);
+++		if (vals == NULL) {
+++			printf (" - not set -\n");
+++		} else {
+++			for (v = 0; vals[v] != NULL; v++) {
+++				printf (" %s\n", vals[v]);
+++			}
+++		}
+++		_adcli_strv_free (vals);
+++	}
+++
+++	return ADCLI_SUCCESS;
+++}
+++
++ adcli_result
++ adcli_enroll_delete (adcli_enroll *enroll,
++                      adcli_enroll_flags delete_flags)
++diff --git a/library/adenroll.h b/library/adenroll.h
++index 1d5d00d..11eb517 100644
++--- a/library/adenroll.h
+++++ b/library/adenroll.h
++@@ -46,6 +46,11 @@ adcli_result       adcli_enroll_join                    (adcli_enroll *enroll,
++ adcli_result       adcli_enroll_update                  (adcli_enroll *enroll,
++ 		                                         adcli_enroll_flags flags);
++
+++adcli_result       adcli_enroll_read_computer_account   (adcli_enroll *enroll,
+++                                                         adcli_enroll_flags flags);
+++
+++adcli_result       adcli_enroll_show_computer_attribute (adcli_enroll *enroll);
+++
++ adcli_result       adcli_enroll_delete                  (adcli_enroll *enroll,
++                                                          adcli_enroll_flags delete_flags);
++
++diff --git a/tools/computer.c b/tools/computer.c
++index ac8a203..c8b96a4 100644
++--- a/tools/computer.c
+++++ b/tools/computer.c
++@@ -964,3 +964,96 @@ adcli_tool_computer_delete (adcli_conn *conn,
++ 	adcli_enroll_unref (enroll);
++ 	return 0;
++ }
+++
+++int
+++adcli_tool_computer_show (adcli_conn *conn,
+++                          int argc,
+++                          char *argv[])
+++{
+++	adcli_enroll *enroll;
+++	adcli_result res;
+++	int opt;
+++
+++	struct option options[] = {
+++		{ "domain", required_argument, NULL, opt_domain },
+++		{ "domain-realm", required_argument, NULL, opt_domain_realm },
+++		{ "domain-controller", required_argument, NULL, opt_domain_controller },
+++		{ "login-user", required_argument, NULL, opt_login_user },
+++		{ "login-ccache", optional_argument, NULL, opt_login_ccache },
+++		{ "login-type", required_argument, NULL, opt_login_type },
+++		{ "no-password", no_argument, 0, opt_no_password },
+++		{ "stdin-password", no_argument, 0, opt_stdin_password },
+++		{ "prompt-password", no_argument, 0, opt_prompt_password },
+++		{ "verbose", no_argument, NULL, opt_verbose },
+++		{ "help", no_argument, NULL, 'h' },
+++		{ 0 },
+++	};
+++
+++	static adcli_tool_desc usages[] = {
+++		{ 0, "usage: adcli show-computer --domain=xxxx host1.example.com" },
+++		{ 0 },
+++	};
+++
+++	enroll = adcli_enroll_new (conn);
+++	if (enroll == NULL) {
+++		warnx ("unexpected memory problems");
+++		return -1;
+++	}
+++
+++	while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
+++		switch (opt) {
+++		case 'h':
+++		case '?':
+++		case ':':
+++			adcli_tool_usage (options, usages);
+++			adcli_tool_usage (options, common_usages);
+++			adcli_enroll_unref (enroll);
+++			return opt == 'h' ? 0 : 2;
+++		default:
+++			res = parse_option ((Option)opt, optarg, conn, enroll);
+++			if (res != ADCLI_SUCCESS) {
+++				adcli_enroll_unref (enroll);
+++				return res;
+++			}
+++			break;
+++		}
+++	}
+++
+++	argc -= optind;
+++	argv += optind;
+++
+++	res = adcli_conn_connect (conn);
+++	if (res != ADCLI_SUCCESS) {
+++		warnx ("couldn't connect to %s domain: %s",
+++		       adcli_conn_get_domain_name (conn),
+++		       adcli_get_last_error ());
+++		adcli_enroll_unref (enroll);
+++		return -res;
+++	}
+++
+++	if (argc == 1) {
+++		parse_fqdn_or_name (enroll, argv[0]);
+++	}
+++
+++	res = adcli_enroll_read_computer_account (enroll, 0);
+++	if (res != ADCLI_SUCCESS) {
+++		warnx ("couldn't read data for %s: %s",
+++		       adcli_enroll_get_host_fqdn (enroll) != NULL
+++		           ? adcli_enroll_get_host_fqdn (enroll)
+++		           : adcli_enroll_get_computer_name (enroll),
+++		       adcli_get_last_error ());
+++		adcli_enroll_unref (enroll);
+++		return -res;
+++	}
+++
+++	res = adcli_enroll_show_computer_attribute (enroll);
+++	if (res != ADCLI_SUCCESS) {
+++		warnx ("couldn't print data for %s: %s",
+++		       argv[0], adcli_get_last_error ());
+++		adcli_enroll_unref (enroll);
+++		return -res;
+++	}
+++
+++	adcli_enroll_unref (enroll);
+++	return 0;
+++}
++diff --git a/tools/tools.c b/tools/tools.c
++index fc9fa9a..9d422f2 100644
++--- a/tools/tools.c
+++++ b/tools/tools.c
++@@ -59,6 +59,7 @@ struct {
++ 	{ "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", },
++ 	{ "reset-computer", adcli_tool_computer_reset, "Reset a computer account", },
++ 	{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },
+++	{ "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", },
++ 	{ "create-user", adcli_tool_user_create, "Create a user account", },
++ 	{ "delete-user", adcli_tool_user_delete, "Delete a user account", },
++ 	{ "create-group", adcli_tool_group_create, "Create a group", },
++diff --git a/tools/tools.h b/tools/tools.h
++index 8cebbf9..3702875 100644
++--- a/tools/tools.h
+++++ b/tools/tools.h
++@@ -78,6 +78,10 @@ int       adcli_tool_computer_delete   (adcli_conn *conn,
++                                         int argc,
++                                         char *argv[]);
++
+++int       adcli_tool_computer_show     (adcli_conn *conn,
+++                                        int argc,
+++                                        char *argv[]);
+++
++ int       adcli_tool_user_create       (adcli_conn *conn,
++                                         int argc,
++                                         char *argv[]);
++--
++GitLab
++
 diff --git a/debian/patches/tools-disable-SSSD-s-locator-plugin.patch b/debian/patches/tools-disable-SSSD-s-locator-plugin.patch
 new file mode 100644
 index 0000000..8fa4ecb
 --- /dev/null
 +++ b/debian/patches/tools-disable-SSSD-s-locator-plugin.patch
@@ -0,0 +1,43 @@
++From 50d580c58dab5928cadfc6ca82aedccee58eaced Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Fri, 5 Jun 2020 17:28:28 +0200
++Subject: [PATCH] tools: disable SSSD's locator plugin
++
++MIT's libkrb5 checks available locator plugins first before checking the
++config file. This might cause issues when the locator plugin returns a
++different DC than the one used for the LDAP connection if some data must
++be replicated.
++
++This patch sets the SSSD_KRB5_LOCATOR_DISABLE environment variable to
++'true' to disable SSSD's locator plugin for adcli.
++
++Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1762633
++---
++ tools/tools.c | 2 ++
++ 1 file changed, 2 insertions(+)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/50d580c58dab5928cadfc6ca82aedccee58eaced
++Last-Update: 2020-09-02
++diff --git a/tools/tools.c b/tools/tools.c
++index 9d422f2..1b6d879 100644
++--- a/tools/tools.c
+++++ b/tools/tools.c
++@@ -296,6 +296,7 @@ cleanup_krb5_conf_directory (void)
++ 	}
++
++ 	unsetenv ("KRB5_CONFIG");
+++	unsetenv ("SSSD_KRB5_LOCATOR_DISABLE");
++ }
++
++ static void
++@@ -394,6 +395,7 @@ setup_krb5_conf_directory (adcli_conn *conn)
++ 		adcli_krb5_conf_filename = filename;
++ 		adcli_krb5_d_directory = snippets;
++ 		setenv ("KRB5_CONFIG", adcli_krb5_conf_filename, 1);
+++		setenv ("SSSD_KRB5_LOCATOR_DISABLE", "true", 1);
++
++ 	} else {
++ 		free (filename);
++--
++GitLab
++
 diff --git a/debian/patches/tools-fix-typo-in-show-password-help-output.patch b/debian/patches/tools-fix-typo-in-show-password-help-output.patch
 new file mode 100644
 index 0000000..cf712b2
 --- /dev/null
 +++ b/debian/patches/tools-fix-typo-in-show-password-help-output.patch
@@ -0,0 +1,28 @@
++From d70075c597e7ebc1683d407409c45b04110676a0 Mon Sep 17 00:00:00 2001
++From: Sumit Bose <sbose@redhat.com>
++Date: Mon, 15 Jun 2020 15:41:53 +0200
++Subject: [PATCH] tools: fix typo in show-password help output
++
++Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1791611
++---
++ tools/computer.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++Origin: upstream, https://gitlab.freedesktop.org/realmd/adcli/-/commit/d70075c597e7ebc1683d407409c45b04110676a0
++Last-Update: 2020-09-02
++diff --git a/tools/computer.c b/tools/computer.c
++index a90c4b2..24ea258 100644
++--- a/tools/computer.c
+++++ b/tools/computer.c
++@@ -154,7 +154,7 @@ static adcli_tool_desc common_usages[] = {
++ 	                         "accounts" },
++ 	{ opt_show_details, "show information about joining the domain after\n"
++ 	                     "a successful join" },
++-	{ opt_show_password, "show computer account password after after a\n"
+++	{ opt_show_password, "show computer account password after a\n"
++ 	                     "successful join" },
++ 	{ opt_add_samba_data, "add domain SID and computer account password\n"
++ 	                      "to the Samba specific configuration database" },
++--
++GitLab
++

Ubuntuadcli package

Merge ~ahasenack/ubuntu/+source/adcli:groovy-adcli-upstream-fixes into ubuntu/+source/adcli:ubuntu/devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
adcli package