From andreas.haupt@desy.de Wed Jul 2 08:29:21 2025
From: andreas.haupt@desy.de (Andreas Haupt)
Date: Wed, 02 Jul 2025 09:29:21 +0200
Subject: [OpenAFS] AFS via SSH tunnel
Message-ID: <798f8f72813148b2378dce9f8be27481fe74212c.camel@desy.de>

Hi,

although maybe a bit more complicated, I managed to make AFS client work
with sshuttle (tproxy mode). Callbacks sent by the servers might be an
issue, though.

Cheers,
Andreas

On Sun, 2025-06-29 at 20:25 -0400, Ernesto Alfonso wrote:
> I have an AFS server at home that's not exposed to the public
> internet. When I'm not home, occasionally I'd like to have secure
> access to the file system.
>
> At first I tried to VPN into my home network to have access to the
> AFS server as a local host, but I'm having trouble setting this up
> right now for reasons not related to AFS--some openvpn server issue
> where I'm able to establish the VPN connection but unable to see any
> other hosts except the VPN server itself.
>
> My current attempt is to use SSH to forward all the relevant openafs
> ports as local services, and then try to trick my AFS client into
> connecting to 127.0.0.1. I'm forwarding the ports 88, 7000-7007,
> using a command similar to this:
>
>     ssh -N myhome.com -L 88:afsserver:88 -L 7000:afsserver:7000 -L
> 7001:afsserver:7001 -L 7002:afsserver:7002 -L 7003:afsserver:7003 -L
> 7004:afsserver:7004 -L 7005:afsserver:7005 -L 7006:afsserver:7006 -L
> 7007:afsserver:7007
>
> myhome.com is an intermediate host that exposes an SSH server, and
> can locally access afsserver.local. The ports are forwarded to my
> laptop's localhost. I then manipulate /etc/hosts to name 127.0.0.1 as
> afsserver, and I also update CellServDB.
>
> After this, I try to run kinit myuser && aklog -d
>
> The kinit command succeeds, but aklog -d fails, curiously with exit
> status 0.
>
>     $ aklog -d
>     Authenticating to cell afs.example.com (server afs.example.com).
>     Trying to authenticate to user's realm AFS.EXAMPLE.COM.
>     Getting tickets: afs/afs.example.com@AFS.EXAMPLE.COM
>     Using Kerberos V5 ticket natively
>     About to resolve name admin to id in cell afs.example.com.
>     Error -1
>     Setting tokens. admin @ afs.example.com
>     █[laptop][Downloads][0]$
>
> I'm also unable to read any AFS files:
>
>     cat /afs/afs.example.com/public/hola
>     cat: /afs/afs.example.com/public/hola: Connection timed out
>
> How should human users of AFS interpret this "Error -1", and what can
> I do about it?
>
> I would also welcome suggestions as to alternative ways to
> achieve my original goal, though I wouldn't feel inclined to open up
> all the AFS ports directly to the public.
>
> Thanks,
>
> Ernesto

-- 
| Andreas Haupt            | E-Mail: andreas.haupt@desy.de
| DESY, Zeuthen            | WWW:    http://www.zeuthen.desy.de/~ahaupt
| Platanenallee 6          | Phone:  +49/33762/7-7359
| D-15738 Zeuthen          |

From jaltman@auristor.com Thu Jul 3 20:38:51 2025
From: jaltman@auristor.com (Jeffrey E Altman)
Date: Thu, 3 Jul 2025 15:38:51 -0400
Subject: [OpenAFS] AFS via SSH tunnel

On 6/29/2025 8:25 PM, Ernesto Alfonso wrote:
> My current attempt is to use SSH to forward all the relevant openafs
> ports as local services, and then try to trick my AFS client into
> connecting to 127.0.0.1. I'm forwarding the ports 88, 7000-7007, using
> a command similar to this:
>
>     ssh -N myhome.com -L 88:afsserver:88 -L
> 7000:afsserver:7000 -L 7001:afsserver:7001 -L 7002:afsserver:7002 -L
> 7003:afsserver:7003 -L 7004:afsserver:7004 -L 7005:afsserver:7005 -L
> 7006:afsserver:7006 -L 7007:afsserver:7007

Although this approach might permit aklog and the cache manager to
contact the location service (7003/udp) and the protection service
(7002/udp), it will not result in the cache manager being able to
contact the fileserver (7000/udp) because the IPv4 address used to
contact the fileserver(s) will be obtained from the location service
when the cache manager attempts to resolve the location of the required
volumes.

"vos listaddrs -printuuid -noresolve" will show you the addresses which
the cache manager will be instructed to use. Although the fileserver
can be configured to register fake addresses, localhost addresses
127.0.x.y are prohibited.

Jeffrey Altman
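
Added example, not part of either message or of OpenAFS: a small Python check of the point made in the reply above, that fileserver addresses come from the location service rather than from /etc/hosts or CellServDB, and that ssh -L carries TCP while the AFS services named are UDP. The listaddrs output is a constructed sample whose layout (a "UUID:" line followed by addresses) is assumed, and the helper names are hypothetical.

```python
import ipaddress
import re

# AFS services named in the thread; port/protocol pairs are taken from the reply.
AFS_UDP_SERVICES = {7000: "fileserver", 7002: "protection service", 7003: "location service"}

# Constructed sample of `vos listaddrs -printuuid -noresolve` output.
# Assumed layout: a "UUID:" line, then one address per line, blank line between servers.
SAMPLE_LISTADDRS = """\
UUID: 00000000-0000-0000-00-00-000000000001
192.168.1.20

UUID: 00000000-0000-0000-00-00-000000000002
192.168.1.21
10.8.0.21
"""

def parse_listaddrs(text):
    """Return {uuid: [ip, ...]} for each fileserver registered with the location service."""
    servers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("UUID:"):
            current = line.split(":", 1)[1].strip()
            servers[current] = []
        elif line and current is not None:
            # ip_address() raises ValueError on anything that is not an address.
            servers[current].append(str(ipaddress.ip_address(line)))
    return servers

def parse_local_forwards(ssh_command):
    """Return the set of local ports bound by `-L port:host:hostport` options."""
    return {int(p) for p in re.findall(r"-L\s+(\d+):[^:\s]+:\d+", ssh_command)}

def audit(ssh_command, listaddrs_text):
    """List the reasons a loopback SSH tunnel cannot carry the AFS traffic."""
    findings = []
    for port in sorted(parse_local_forwards(ssh_command)):
        if port in AFS_UDP_SERVICES:
            findings.append(f"{port}: {AFS_UDP_SERVICES[port]} is UDP; ssh -L forwards TCP only")
    for uuid, addrs in parse_listaddrs(listaddrs_text).items():
        for addr in addrs:
            if ipaddress.ip_address(addr).is_loopback:
                # The reply states 127.0.x.y registrations are prohibited.
                findings.append(f"{addr}: loopback registration (prohibited)")
            else:
                findings.append(f"{addr}: cache manager sends 7000/udp here, not to 127.0.0.1")
    return findings

if __name__ == "__main__":
    cmd = "ssh -N myhome.com -L 7000:afsserver:7000 -L 7002:afsserver:7002 -L 7003:afsserver:7003"
    for finding in audit(cmd, SAMPLE_LISTADDRS):
        print(finding)
```

Every non-loopback address reported has to be routable from the client, which is what a working VPN or the sshuttle approach from the first reply provides.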