diff --git a/0001-Fix-for-issues-found-by-Coverity.patch b/0001-Fix-for-issues-found-by-Coverity.patch new file mode 100644 index 0000000..7be7248 --- /dev/null +++ b/0001-Fix-for-issues-found-by-Coverity.patch @@ -0,0 +1,43 @@ +From 3c93c96eb6ea2abd3869921ee4c89e1a4d9e4c44 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 14 Aug 2018 13:08:52 +0200 +Subject: [PATCH] Fix for issues found by Coverity + +--- + library/adenroll.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/library/adenroll.c b/library/adenroll.c +index 02bd9e3..de2242a 100644 +--- a/library/adenroll.c ++++ b/library/adenroll.c +@@ -1575,7 +1575,7 @@ load_host_keytab (adcli_enroll *enroll) + } + + krb5_free_context (k5); +- return ADCLI_SUCCESS; ++ return res; + } + + typedef struct { +@@ -1756,12 +1756,12 @@ add_principal_to_keytab (adcli_enroll *enroll, + enroll->kvno, &password, enctypes, &salts[*which_salt]); + + free_principal_salts (k5, salts); ++ } + +- if (code != 0) { +- _adcli_err ("Couldn't add keytab entries: %s: %s", +- enroll->keytab_name, krb5_get_error_message (k5, code)); +- return ADCLI_ERR_FAIL; +- } ++ if (code != 0) { ++ _adcli_err ("Couldn't add keytab entries: %s: %s", ++ enroll->keytab_name, krb5_get_error_message (k5, code)); ++ return ADCLI_ERR_FAIL; + } + + +-- +2.20.1 + diff --git a/0002-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch b/0002-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch new file mode 100644 index 0000000..568028b --- /dev/null +++ b/0002-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch 
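Review bot: The error report that this hunk moves out of the else-branch in add_principal_to_keytab still leaks the string returned by `krb5_get_error_message (k5, code)`, which the krb5 API requires to be released with `krb5_free_error_message`; the leak predates the move, but since the lines are being rewritten it is the place to fix it. Capture it first, `const char *msg = krb5_get_error_message (k5, code);`, pass `msg` to `_adcli_err`, then `krb5_free_error_message (k5, msg);` before `return ADCLI_ERR_FAIL;`. The change from `return ADCLI_SUCCESS` to `return res` in load_host_keytab presumably relies on `res` being assigned on every path that reaches `krb5_free_context`, which cannot be confirmed from the hunk. Both enclosing functions begin outside the hunk.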
@@ -0,0 +1,80 @@ +From 341974aae7d0755fc32a0b7e2b34d8e1ef60d195 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 20 Dec 2018 21:05:35 +0100 +Subject: [PATCH] adenroll: make sure only allowed enctypes are used in FIPS + mode + +Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355 +--- + library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++- + 1 file changed, 35 insertions(+), 1 deletion(-) + +diff --git a/library/adenroll.c b/library/adenroll.c +index 52aa8a8..f617f28 100644 +--- a/library/adenroll.c ++++ b/library/adenroll.c +@@ -41,11 +41,19 @@ + #include + #include + #include ++#include ++#include + + #ifndef SAMBA_DATA_TOOL + #define SAMBA_DATA_TOOL "/usr/bin/net" + #endif + ++static krb5_enctype v60_later_enctypes_fips[] = { ++ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, ++ 0 ++}; ++ + static krb5_enctype v60_later_enctypes[] = { + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, +@@ -2594,6 +2602,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll, + enroll->keytab_name_is_krb5 = 0; + } + ++#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled" ++ ++static bool adcli_fips_enabled (void) ++{ ++ int fd; ++ ssize_t len; ++ char buf[8]; ++ ++ fd = open (PROC_SYS_FIPS, O_RDONLY); ++ if (fd != -1) { ++ len = read (fd, buf, sizeof (buf)); ++ close (fd); ++ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a ++ * non-0 value. */ ++ if ( ! 
(len == 2 && buf[0] == '0' && buf[1] == '\n')) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ + krb5_enctype * + adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) + { +@@ -2602,7 +2632,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) + return enroll->keytab_enctypes; + + if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID)) +- return v60_later_enctypes; ++ if (adcli_fips_enabled ()) { ++ return v60_later_enctypes_fips; ++ } else { ++ return v60_later_enctypes; ++ } + else + return v51_earlier_enctypes; + } +-- +2.20.1 + diff --git a/0003-adconn-add-adcli_conn_set_krb5_context.patch b/0003-adconn-add-adcli_conn_set_krb5_context.patch new file mode 100644 index 0000000..b92b757 --- /dev/null +++ b/0003-adconn-add-adcli_conn_set_krb5_context.patch 
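Review bot: adcli_fips_enabled treats a failed or short `read` (len of -1 or 0, e.g. on EINTR) as FIPS enabled, yet a failed `open` is treated as disabled, so the two error paths disagree and the comment "non-0 value" does not describe what the check does. If fail-closed is intended, because restricting the keytab to AES is the safe default, state it, e.g. `/* Treat a read error as FIPS enabled: falling back to AES only is the safe choice. */`; otherwise guard with `if (len > 0 && ! (len == 2 && buf[0] == '0' && buf[1] == '\n'))` so errors behave like a missing file. The comment also has a typo, "FIPS in enabled" for "FIPS is enabled". In adcli_enroll_get_keytab_enctypes the new `if (adcli_fips_enabled ()) ... else ...` sits inside an unbraced outer `if`, which only binds correctly because of the inner braces; brace the outer body so the else pairing is obvious to the next reader.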
@@ -0,0 +1,52 @@ +From 2fc259a88be618871cea8ff8b8a13bd3e040aea4 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 13 Jun 2019 17:23:47 +0200 +Subject: [PATCH 1/3] adconn: add adcli_conn_set_krb5_context + +Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3 +--- + library/adconn.c | 13 +++++++++++++ + library/adconn.h | 3 +++ + 2 files changed, 16 insertions(+) + +diff --git a/library/adconn.c b/library/adconn.c +index f6c23d3..bcaced8 100644 +--- a/library/adconn.c ++++ b/library/adconn.c +@@ -1406,6 +1406,19 @@ adcli_conn_get_krb5_context (adcli_conn *conn) + return conn->k5; + } + ++void ++adcli_conn_set_krb5_context (adcli_conn *conn, ++ krb5_context k5) ++{ ++ return_if_fail (conn != NULL); ++ ++ if (conn->k5 != NULL) { ++ krb5_free_context (conn->k5); ++ } ++ ++ conn->k5 = k5; ++} ++ + const char * + adcli_conn_get_login_user (adcli_conn *conn) + { +diff --git a/library/adconn.h b/library/adconn.h +index 13cfd32..1ad5715 100644 +--- a/library/adconn.h ++++ b/library/adconn.h +@@ -97,6 +97,9 @@ LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn); + + krb5_context adcli_conn_get_krb5_context (adcli_conn *conn); + ++void adcli_conn_set_krb5_context (adcli_conn *conn, ++ krb5_context k5); ++ + const char * adcli_conn_get_computer_name (adcli_conn *conn); + + void adcli_conn_set_computer_name (adcli_conn *conn, +-- +2.20.1 + diff --git a/0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch b/0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch new file mode 100644 index 0000000..397f7d0 --- /dev/null +++ b/0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch 
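Review bot: adcli_conn_set_krb5_context frees the existing context unconditionally, so a caller that passes the context it obtained from adcli_conn_get_krb5_context back in (k5 == conn->k5) is left with a dangling pointer and a later double free; guard it with `if (conn->k5 != NULL && conn->k5 != k5) { krb5_free_context (conn->k5); }`. The setter also transfers ownership of k5 to the connection, which the new declaration in adconn.h does not say; add `/* Takes ownership of k5; the connection frees it, the caller must not. */` above the prototype so users such as the test in the following patch know not to free it themselves. Passing NULL is allowed by the code and simply drops the context, which is worth stating in the same comment if it is intended.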
@@ -0,0 +1,196 @@ +From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 13 Jun 2019 17:25:52 +0200 +Subject: [PATCH 2/3] adenroll: add adcli_enroll_get_permitted_keytab_enctypes + with tests + +The new call does not only return the current encryption types set in AD +or a default list but filters them with the list of permitted encryption +types on the client. This makes sure the client can create and use the +keys. + +Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3 +--- + library/Makefile.am | 5 ++ + library/adenroll.c | 124 ++++++++++++++++++++++++++++++++++++++++++++ + library/adenroll.h | 2 + + 3 files changed, 131 insertions(+) + +diff --git a/library/Makefile.am b/library/Makefile.am +index 39e8fd1..4829555 100644 +--- a/library/Makefile.am ++++ b/library/Makefile.am +@@ -40,6 +40,7 @@ check_PROGRAMS = \ + test-util \ + test-ldap \ + test-attrs \ ++ test-adenroll \ + $(NULL) + + test_seq_SOURCES = seq.c test.c test.h +@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES) + test_attrs_CFLAGS = -DATTRS_TESTS + test_attrs_LDADD = $(test_ldap_LDADD) + ++test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES) ++test_adenroll_CFLAGS = -DADENROLL_TESTS ++test_adenroll_LDADD = $(KRB5_LIBS) ++ + TESTS = $(check_PROGRAMS) + + MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes +diff --git a/library/adenroll.c b/library/adenroll.c +index f617f28..95c07cd 100644 +--- a/library/adenroll.c ++++ b/library/adenroll.c +@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) + return v51_earlier_enctypes; + } + ++krb5_enctype * ++adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll) ++{ ++ krb5_enctype *cur_enctypes; ++ krb5_enctype *permitted_enctypes; ++ krb5_enctype *new_enctypes; ++ krb5_error_code code; ++ krb5_context k5; ++ size_t c; ++ size_t p; ++ size_t n; ++ ++ return_val_if_fail (enroll != NULL, NULL); ++ 
cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll); ++ ++ k5 = adcli_conn_get_krb5_context (enroll->conn); ++ return_val_if_fail (k5 != NULL, NULL); ++ ++ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes); ++ return_val_if_fail (code == 0, NULL); ++ ++ for (c = 0; cur_enctypes[c] != 0; c++); ++ ++ new_enctypes = calloc (c + 1, sizeof (krb5_enctype)); ++ return_val_if_fail (new_enctypes != NULL, NULL); ++ ++ n = 0; ++ for (c = 0; cur_enctypes[c] != 0; c++) { ++ for (p = 0; permitted_enctypes[p] != 0; p++) { ++ if (cur_enctypes[c] == permitted_enctypes[p]) { ++ new_enctypes[n++] = cur_enctypes[c]; ++ break; ++ } ++ } ++ if (permitted_enctypes[p] == 0) { ++ _adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]); ++ } ++ } ++ ++ krb5_free_enctypes (k5, permitted_enctypes); ++ ++ return new_enctypes; ++} ++ + void + adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll, + krb5_enctype *value) +@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll, + strdup (value), NULL); + return_if_fail (enroll->service_principals_to_remove != NULL); + } ++ ++#ifdef ADENROLL_TESTS ++ ++#include "test.h" ++ ++static void ++test_adcli_enroll_get_permitted_keytab_enctypes (void) ++{ ++ krb5_enctype *enctypes; ++ krb5_error_code code; ++ krb5_enctype *permitted_enctypes; ++ krb5_enctype check_enctypes[3] = { 0 }; ++ adcli_conn *conn; ++ adcli_enroll *enroll; ++ adcli_result res; ++ krb5_context k5; ++ size_t c; ++ ++ conn = adcli_conn_new ("test.dom"); ++ assert_ptr_not_null (conn); ++ ++ enroll = adcli_enroll_new (conn); ++ assert_ptr_not_null (enroll); ++ ++ enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL); ++ assert_ptr_eq (enctypes, NULL); ++ ++ /* krb5 context missing */ ++ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); ++ assert_ptr_eq (enctypes, NULL); ++ ++ /* check that all permitted enctypes can pass */ ++ res = _adcli_krb5_init_context (&k5); ++ assert_num_eq (res, ADCLI_SUCCESS); 
++ ++ adcli_conn_set_krb5_context (conn, k5); ++ ++ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes); ++ assert_num_eq (code, 0); ++ assert_ptr_not_null (permitted_enctypes); ++ assert_num_cmp (permitted_enctypes[0], !=, 0); ++ ++ adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes); ++ ++ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); ++ assert_ptr_not_null (enctypes); ++ for (c = 0; permitted_enctypes[c] != 0; c++) { ++ assert_num_eq (enctypes[c], permitted_enctypes[c]); ++ } ++ assert_num_eq (enctypes[c], 0); ++ krb5_free_enctypes (k5, enctypes); ++ ++ /* check that ENCTYPE_UNKNOWN is filtered out */ ++ check_enctypes[0] = permitted_enctypes[0]; ++ check_enctypes[1] = ENCTYPE_UNKNOWN; ++ check_enctypes[2] = 0; ++ adcli_enroll_set_keytab_enctypes (enroll, check_enctypes); ++ ++ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); ++ assert_ptr_not_null (enctypes); ++ assert_num_eq (enctypes[0], permitted_enctypes[0]); ++ assert_num_eq (enctypes[1], 0); ++ krb5_free_enctypes (k5, enctypes); ++ ++ krb5_free_enctypes (k5, permitted_enctypes); ++ ++ adcli_enroll_unref (enroll); ++ adcli_conn_unref (conn); ++} ++ ++int ++main (int argc, ++ char *argv[]) ++{ ++ test_func (test_adcli_enroll_get_permitted_keytab_enctypes, ++ "/attrs/adcli_enroll_get_permitted_keytab_enctypes"); ++ return test_run (argc, argv); ++} ++ ++#endif /* ADENROLL_TESTS */ +diff --git a/library/adenroll.h b/library/adenroll.h +index abbbfd4..1d5d00d 100644 +--- a/library/adenroll.h ++++ b/library/adenroll.h +@@ -138,6 +138,8 @@ krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll); + void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll, + krb5_enctype *enctypes); + ++krb5_enctype * adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll); ++ + const char * adcli_enroll_get_os_name (adcli_enroll *enroll); + + void adcli_enroll_set_os_name (adcli_enroll *enroll, +-- +2.20.1 + 
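Review bot: adcli_enroll_get_permitted_keytab_enctypes allocates its result with `calloc`, but the test releases it with `krb5_free_enctypes`, which is specified for arrays returned by `krb5_get_permitted_enctypes`; this happens to work with MIT krb5 because that function calls free(), but it is an allocator contract mismatch, so either document in adenroll.h that the caller must release the array with `free ()` or note explicitly why `krb5_free_enctypes` is acceptable. The `return_val_if_fail (new_enctypes != NULL, NULL)` after the calloc returns before `krb5_free_enctypes (k5, permitted_enctypes)`, leaking the permitted list on allocation failure; free it before returning. When every AD enctype is filtered out the function returns an empty, non-NULL array rather than NULL, so callers must check `new_enctypes[0] == 0` as well, which deserves a sentence in the header comment. The test is registered under `"/attrs/..."`, apparently copied from the adattrs tests; `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"` would keep the test names consistent.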
diff --git a/0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch b/0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch new file mode 100644 index 0000000..5c5e979 --- /dev/null +++ b/0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch 
@@ -0,0 +1,103 @@ +From cc3ef52884a48863a81acbfc741735fe09cd85f7 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 13 Jun 2019 18:27:49 +0200 +Subject: [PATCH 3/3] adenroll: use only enctypes permitted by Kerberos config + +Realted to https://gitlab.freedesktop.org/realmd/adcli/issues/3 +--- + doc/adcli.xml | 10 ++++++++++ + library/adenroll.c | 22 +++++++++++++++++++--- + 2 files changed, 29 insertions(+), 3 deletions(-) + +diff --git a/doc/adcli.xml b/doc/adcli.xml +index 9605b4a..094f577 100644 +--- a/doc/adcli.xml ++++ b/doc/adcli.xml +@@ -342,6 +342,11 @@ Password for Administrator: + + + ++ If supported on the AD side the ++ attribute will be set as ++ well. Either the current value or the default list of AD's supported ++ encryption types filtered by the permitted encryption types of the ++ client's Kerberos configuration are written. + + + +@@ -475,6 +480,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123 + + + ++ If supported on the AD side the ++ attribute will be set as ++ well. Either the current value or the default list of AD's supported ++ encryption types filtered by the permitted encryption types of the ++ client's Kerberos configuration are written. 
+ + + +diff --git a/library/adenroll.c b/library/adenroll.c +index 95c07cd..53cd812 100644 +--- a/library/adenroll.c ++++ b/library/adenroll.c +@@ -639,6 +639,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype) + { + char *value = NULL; + krb5_enctype *read_enctypes; ++ krb5_enctype *new_enctypes; + char *new_value = NULL; + int is_2008_or_later; + LDAP *ldap; +@@ -685,7 +686,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype) + value = _adcli_krb5_format_enctypes (v51_earlier_enctypes); + } + +- new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll)); ++ new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); ++ if (new_enctypes == NULL) { ++ _adcli_warn ("No permitted encryption type found."); ++ return ADCLI_ERR_UNEXPECTED; ++ } ++ ++ new_value = _adcli_krb5_format_enctypes (new_enctypes); ++ krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes); + if (new_value == NULL) { + free (value); + _adcli_warn ("The encryption types desired are not available in active directory"); +@@ -1758,7 +1766,11 @@ add_principal_to_keytab (adcli_enroll *enroll, + enroll->keytab_name); + } + +- enctypes = adcli_enroll_get_keytab_enctypes (enroll); ++ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); ++ if (enctypes == NULL) { ++ _adcli_warn ("No permitted encryption type found."); ++ return ADCLI_ERR_UNEXPECTED; ++ } + + if (flags & ADCLI_ENROLL_PASSWORD_VALID) { + code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal, +@@ -1774,7 +1786,10 @@ add_principal_to_keytab (adcli_enroll *enroll, + */ + + salts = build_principal_salts (enroll, k5, principal); +- return_unexpected_if_fail (salts != NULL); ++ if (salts == NULL) { ++ krb5_free_enctypes (k5, enctypes); ++ return ADCLI_ERR_UNEXPECTED; ++ } + + if (*which_salt < 0) { + code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password, +@@ -1794,6 +1809,7 @@ add_principal_to_keytab (adcli_enroll 
*enroll, + + free_principal_salts (k5, salts); + } ++ krb5_free_enctypes (k5, enctypes); + + if (code != 0) { + _adcli_err ("Couldn't add keytab entries: %s: %s", +-- +2.20.1 + diff --git a/adcli.spec b/adcli.spec index d7c6dca..e46d4c0 100644 --- a/adcli.spec +++ b/adcli.spec @@ -1,6 +1,6 @@ Name: adcli Version: 0.8.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Active Directory enrollment License: LGPLv2+ URL: http://cgit.freedesktop.org/realmd/adcli @@ -84,6 +84,14 @@ Patch48: 0005-tools-remove-errx-from-setup_krb5_conf_directory.patch Patch49: 0006-tools-entry-remove-errx-from-parse_option.patch Patch50: 0007-tools-computer-remove-errx-from-parse_option.patch +# rhbz#1727144 - adcli join fails with new krb5-libs; adcli needs to +# backport patches to only use permitted enctypes from upstream +Patch51: 0001-Fix-for-issues-found-by-Coverity.patch +Patch52: 0002-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch +Patch53: 0003-adconn-add-adcli_conn_set_krb5_context.patch +Patch54: 0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch +Patch55: 0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch + BuildRequires: gcc BuildRequires: intltool pkgconfig BuildRequires: libtool @@ -140,6 +148,11 @@ documentation. %doc %{_datadir}/doc/adcli/* %changelog +* Fri Jul 5 2019 Jakub Hrozek - 0.8.2-6 +- Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli + needs to backport patches to only use permitted + enctypes from upstream + * Tue Apr 30 2019 Sumit Bose - 0.8.2-5 - addition patch for rhbz#1630187 and new ones for rhbz#1588596 Resolves: rhbz#1630187, rhbz#1588596
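Review bot: In calculate_enctypes the new early return on `new_enctypes == NULL` leaks `value`, which was assigned a few lines earlier (`value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);` or read from LDAP) and is freed on the neighbouring `new_value == NULL` path; add `free (value);` before that `return ADCLI_ERR_UNEXPECTED;`. The warning "No permitted encryption type found." is also only reached on an internal failure, because an AD list with no permitted enctypes comes back as an empty array, not NULL, so the check in both calculate_enctypes and add_principal_to_keytab should be `if (new_enctypes == NULL || new_enctypes[0] == 0)` (and `enctypes[0] == 0` respectively), otherwise an empty enctype set is written to AD and the keytab. Both enclosing functions begin outside the hunk, so whether every remaining exit of add_principal_to_keytab now passes the added `krb5_free_enctypes (k5, enctypes);` cannot be confirmed from here.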