[OpenAFS] mod_waklog question
Andreas Ladanyi
andreas.ladanyi@kit.edu
Tue, 11 Jul 2017 10:44:01 +0200
This is a cryptographically signed message in MIME format.
--------------ms070307040004020302000203
Content-Type: multipart/alternative;
boundary="------------5793B4E0DCA628F911B6E8D2"
Content-Language: en-US
This is a multi-part message in MIME format.
--------------5793B4E0DCA628F911B6E8D2
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
> =E2=80=8Bmod_waklog is meant to be used as an .htaccess-style mechanism=
=E2=80=8B to
> let users supply credentials via a web browser so that apache can use
> those credentials to access user files. In this case, the apache
> process switches between multiple AFS users and the tokens only need
> to live for the brief life of the http request/session.
>
> Your timeout issues suggest that you are running apache with
> long-running tokens as a single user and those tokens need to be
> automatically renewed. If you're using this "apache needs persistent
> AFS access via a service account" use case, then you need to use
> k5start and a local keytab:
> https://www.eyrie.org/~eagle/software/kstart/k5start.html
> <https://www.eyrie.org/%7Eeagle/software/kstart/k5start.html>
Ok. So i have to add k5start [options] ...... /usr/bin/httpd ..... in
the default systemd start script from apache.
Something like:
ExecStart=3D/usr/bin/k5start -b -t -k /tmp/k5start_httpd -f keytab -K 10
-l 10h principal_from_keytab /usr/sbin/httpd $OPTIONS -DFOREGROUND
I i understand it correctly the k5start will take a new tgt, create a
new pag and call aklog to get a afs token which is put into the pag of
the parent process.
So i have to play with the flags -b, -K, -t
Does kinit/k5start or aklog create a new pag in general ? I would say akl=
og.
>
> k5start is available in EPEL. I think there are debian packages as well=
=2E
>
> Jason
>
>
> -----------------------------------------------------------------------=
----
> Jason Edgecombe | Linux Administrator
> UNC Charlotte | The William States Lee College of Engineering
> 9201 University City Blvd. | Charlotte, NC 28223-0001
> Phone: 704-687-1943 <tel:704-687-1943>
> jwedgeco@uncc.edu <mailto:jwedgeco@uncc.edu> | http://engr.uncc.edu |
> Facebook
> -----------------------------------------------------------------------=
----
> If you are not the intended recipient of this transmission or a person
> responsible for delivering it to the intended recipient, any
> disclosure, copying, distribution, or other use of any of the
> information in this transmission is strictly prohibited. If you have
> received this transmission in error, please notify me immediately by
> reply e-mail or by telephone at
> 704-687-1943 <tel:704-687-1943>. Thank you.
--------------5793B4E0DCA628F911B6E8D2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf=
-8">
</head>
<body text=3D"#000000" bgcolor=3D"#FFFFFF">
<div class=3D"moz-cite-prefix"><br>
</div>
<blockquote type=3D"cite"
cite=3D"mid:CAAR6MGBhaS1HrZ+ypMVQ1b1G8Hm7RMVBfOSmJeBLRRLv-FppxQ@mail.gmai=
l.com">
<div dir=3D"ltr">
<div class=3D"gmail_default"
style=3D"font-family:arial,helvetica,sans-serif">=E2=80=8Bmod_w=
aklog is
meant to be used as an .htaccess-style mechanism=E2=80=8B to le=
t users
supply credentials via a web browser so that apache can use
those credentials to access user files. In this case, the
apache process switches between multiple AFS users and the
tokens only need to live for the brief life of the http
request/session.</div>
<div class=3D"gmail_default"
style=3D"font-family:arial,helvetica,sans-serif"><br>
</div>
<div class=3D"gmail_default"
style=3D"font-family:arial,helvetica,sans-serif">Your timeout
issues suggest that you are running apache with long-running
tokens as a single user and those tokens need to be
automatically renewed. If you're using this "apache needs
persistent AFS access via a service account" use case, then
you need to use k5start and a local keytab:</div>
<div class=3D"gmail_default"><font face=3D"arial, helvetica,
sans-serif"><a
href=3D"https://www.eyrie.org/%7Eeagle/software/kstart/k5st=
art.html"
moz-do-not-send=3D"true">https://www.eyrie.org/~eagle/softw=
are/kstart/k5start.html</a></font><br>
</div>
</div>
</blockquote>
<font face=3D"arial, helvetica, sans-serif">Ok. So i have to add
k5start [options] ...... /usr/bin/httpd ..... in the default
systemd start script from apache.<br>
<br>
Something like: <br>
<br>
ExecStart=3D/usr/bin/k5start -b -t -k /tmp/k5start_httpd -f keytab
-K 10 -l 10h principal_from_keytab /usr/sbin/httpd $OPTIONS
-DFOREGROUND<br>
<br>
I i understand it correctly the k5start will take a new tgt,
create a new pag and call aklog to get a afs token which is put
into the pag of the parent process.<br>
<br>
So i have to play with the flags -b, -K, -t<br>
<br>
Does kinit/k5start or aklog create a new pag in general ? I would
say aklog.<br>
<br>
</font>
<blockquote type=3D"cite"
cite=3D"mid:CAAR6MGBhaS1HrZ+ypMVQ1b1G8Hm7RMVBfOSmJeBLRRLv-FppxQ@mail.gmai=
l.com">
<div dir=3D"ltr">
<div class=3D"gmail_default"><font face=3D"arial, helvetica,
sans-serif"><br>
</font></div>
<div class=3D"gmail_default"><font face=3D"arial, helvetica,
sans-serif">k5start is available in EPEL. I think there are
debian packages as well.</font></div>
<div class=3D"gmail_default"><font face=3D"arial, helvetica,
sans-serif"><br>
</font></div>
<div class=3D"gmail_default"><font face=3D"arial, helvetica,
sans-serif">Jason</font></div>
<div class=3D"gmail_default"><font face=3D"arial, helvetica,
sans-serif"><br>
</font></div>
<div class=3D"gmail_extra"><br clear=3D"all">
<div>
<div class=3D"gmail_signature"
data-smartmail=3D"gmail_signature">
<div dir=3D"ltr">------------------------------------------=
---------------------------------<br>
Jason Edgecombe | Linux Administrator<br>
UNC Charlotte | The William States Lee College of
Engineering<br>
9201 University City Blvd. | Charlotte, NC 28223-0001<br>=
Phone: <a href=3D"tel:704-687-1943" value=3D"+17046871943=
"
target=3D"_blank" moz-do-not-send=3D"true"><span>704</s=
pan>-<span>687</span>-<span>1943</span></a><br>
<a href=3D"mailto:jwedgeco@uncc.edu" target=3D"_blank"
moz-do-not-send=3D"true">jwedgeco@uncc.edu</a> | <a
href=3D"http://engr.uncc.edu" target=3D"_blank"
moz-do-not-send=3D"true">http://engr.uncc.edu</a> |
=C2=A0Facebook<br>
-------------------------------------------------------------------------=
--<br>
If you are not the intended recipient of this
transmission or a person responsible for delivering it
to the intended recipient, any disclosure, copying,
distribution, or other use of any of the information in
this transmission is strictly prohibited. If you have
received this transmission in error, please notify me
immediately by reply e-mail or by telephone at<br>
<a href=3D"tel:704-687-1943" value=3D"+17046871943"
target=3D"_blank" moz-do-not-send=3D"true"><span>704</s=
pan>-<span>687</span>-<span>1943</span></a>.=C2=A0
Thank you.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>
--------------5793B4E0DCA628F911B6E8D2--
--------------ms070307040004020302000203
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
D/owggTVMIIDvaADAgECAghQTsb1PRG0ZDANBgkqhkiG9w0BAQsFADBxMQswCQYDVQQGEwJE
RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2VjIFRy
dXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENBIDIwHhcNMTQw
NzIyMTIwODI2WhcNMTkwNzA5MjM1OTAwWjBaMQswCQYDVQQGEwJERTETMBEGA1UEChMKREZO
LVZlcmVpbjEQMA4GA1UECxMHREZOLVBLSTEkMCIGA1UEAxMbREZOLVZlcmVpbiBQQ0EgR2xv
YmFsIC0gRzAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ZvDZ4X5Da71jVTD
llA1PWLpbkztlNcAW5UidNQg6zSP1uzAMQQLmYHiphTSUqAoI4SLdIkEXlvg4njBeMsWyyg1
OXstkEXQ7aAAeny/Sg4bAMOG6VwrMRF7DPOCJEOMHDiLamgAmu7cT3ir0sYTm3at7t4m6O8B
r3QPwQmi9mvOvdPNFDBP9eXjpMhim4IaAycwDQJlYE3t0QkjKpY1WCfTdsZxtpAdxO3/NYZ9
bzOz2w/FEcKKg6GUXUFr2NIQ9Uz9ylGs2b3vkoO72uuLFlZWQ8/h1RM9ph8nMM1JVNvJEzSa
cXXFbOqnC5j5IZ0nrz6jOTlIaoytyZn7wxLyvQIDAQABo4IBhjCCAYIwDgYDVR0PAQH/BAQD
AgEGMB0GA1UdDgQWBBRJt8bP6D0ff+pEexMp9/EKcD7eZDAfBgNVHSMEGDAWgBQxw3kbuvVT
1xfgiXotF2wKsyudMzASBgNVHRMBAf8ECDAGAQH/AgECMGIGA1UdIARbMFkwEQYPKwYBBAGB
rSGCLAEBBAICMBEGDysGAQQBga0hgiwBAQQDADARBg8rBgEEAYGtIYIsAQEEAwEwDwYNKwYB
BAGBrSGCLAEBBDANBgsrBgEEAYGtIYIsHjA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vcGtp
MDMzNi50ZWxlc2VjLmRlL3JsL0RUX1JPT1RfQ0FfMi5jcmwweAYIKwYBBQUHAQEEbDBqMCwG
CCsGAQUFBzABhiBodHRwOi8vb2NzcDAzMzYudGVsZXNlYy5kZS9vY3NwcjA6BggrBgEFBQcw
AoYuaHR0cDovL3BraTAzMzYudGVsZXNlYy5kZS9jcnQvRFRfUk9PVF9DQV8yLmNlcjANBgkq
hkiG9w0BAQsFAAOCAQEAYyAo/ZwhhnK+OUZZOTIlvKkBmw3Myn1BnIZtCm4ssxNZdbEzkhth
Jxb/w7LVNYL7hCoBSb1mu2YvssIGXW4/buMBWlvKQ2NclbbhMacf1QdfTeZlgk4y+cN8ekvN
TVx07iHydQLsUj7SyWrTkCNuSWc1vn9NVqTszC/Pt6GXqHI+ybxA1lqkCD3WvILDt7cyjrEs
jmpttzUCGc/1OURYY6ckABCwu/xOr24vOLulV0k/2G5QbyyXltwdRpplic+uzPLl2Z9Tsz6h
L5Kp2AvGhB8Exuse6J99tXulAvEkxSRjETTMWpMgKnmIOiVCkKllO3yG0xIVIyn8LNrMOVtU
FzCCBYUwggRtoAMCAQICBxhtyX6NkEowDQYJKoZIhvcNAQELBQAwgb8xCzAJBgNVBAYTAkRF
MRswGQYDVQQIExJCYWRlbi1XdWVydHRlbWJlcmcxEjAQBgNVBAcTCUthcmxzcnVoZTEqMCgG
A1UEChMhS2FybHNydWhlIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MScwJQYDVQQLEx5TdGVp
bmJ1Y2ggQ2VudHJlIGZvciBDb21wdXRpbmcxDzANBgNVBAMTBktJVC1DQTEZMBcGCSqGSIb3
DQEJARYKY2FAa2l0LmVkdTAeFw0xNDEwMjcxMzQzMTBaFw0xNzEwMjYxMzQzMTBaMFMxCzAJ
BgNVBAYTAkRFMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kx
GDAWBgNVBAMTD0FuZHJlYXMgTGFkYW55aTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBALS9FLhBNDEFmD+TGTrfkgQQ5hh2Q3/fcVM7BcMsbwWqEt0wWQv4bpfMpTbDk6zrzW3S
RTj0wYs6n2EBn/iSMQID6JshuI6JkLzF4Sl3H/6G4X+ZY9ngTdJ6f8C5LTLxb4/hyBAYd/P9
aN2VxEleGjIbzVvVTtdeitH4d/+0xJZLGfeczY++47PyaBDEAfJhsNu4cObvFTiqwxFrs0wb
uDO1YDHcza2IvptwImL9ZtddIuqyeKLW04RkX3BGwx8KnzjX5op4nc8kuGh6Tcju1PfMZp9+
tJvKrKt7JhJ+10RkYFZac7u5TbifALymRj6zODidUYYMaOXp7ktV1cNvSAcCAwEAAaOCAe8w
ggHrMEAGA1UdIAQ5MDcwEQYPKwYBBAGBrSGCLAEBBAMCMBEGDysGAQQBga0hgiwCAQQDATAP
Bg0rBgEEAYGtIYIsAQEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsG
AQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUUgcXFlk6p+3d+XhNLFJVkl3zzoswHwYDVR0j
BBgwFoAUH3Rl9JodevYx6d9hG3MrDW3QM0kwIgYDVR0RBBswGYEXYW5kcmVhcy5sYWRhbnlp
QGtpdC5lZHUwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NkcDEucGNhLmRmbi5kZS9raXQt
Y2EvcHViL2NybC9jYWNybC5jcmwwNaAzoDGGL2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUva2l0
LWNhL3B1Yi9jcmwvY2FjcmwuY3JsMIGSBggrBgEFBQcBAQSBhTCBgjA/BggrBgEFBQcwAoYz
aHR0cDovL2NkcDEucGNhLmRmbi5kZS9raXQtY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MD8G
CCsGAQUFBzAChjNodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2tpdC1jYS9wdWIvY2FjZXJ0L2Nh
Y2VydC5jcnQwDQYJKoZIhvcNAQELBQADggEBAC5rCfqimLg9U02MWAGHDlHOz8N0gSPj1/eN
c3tZ9nKAHrl2Ni3Xdpa48oq0vHh7jwmYoZm1ZTHv9ulqgcAyzf75OxQuXNGmrYnUM+jKKrli
Vpx0o9V5QfwDr/Wg+LSix1EcO3oxb2N4pqLbf76yya7dlo2Lz2jL8AKGSoE2Nm1xGUI1mJxi
UbYbitThuAhSZUKYURInsLqs4wsQAZwt0ZqOwVsv8hnjBkpDLE4ProTsL/OevCrSRN8+Lk1r
TdcNHU9biNf7ieY67MqKHVIP6t9ZRhoLa5hJQsKxyUpPuh6eigl4pc2PXfzfwkF5B5zS7umg
4HPIF5/WP3C3qUSimb8wggWUMIIEfKADAgECAgcXr/dvIyLpMA0GCSqGSIb3DQEBCwUAMFox
CzAJBgNVBAYTAkRFMRMwEQYDVQQKEwpERk4tVmVyZWluMRAwDgYDVQQLEwdERk4tUEtJMSQw
IgYDVQQDExtERk4tVmVyZWluIFBDQSBHbG9iYWwgLSBHMDEwHhcNMTQwNjA1MTQwODMxWhcN
MTkwNzA5MjM1OTAwWjCBvzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVt
YmVyZzESMBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRl
IG9mIFRlY2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1dGlu
ZzEPMA0GA1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLKoiomigEFRKS9tHTwdCHo00T62o0Su5sMF6aga
PwDzTfCD7XG9eqSE7W+cEAGnlT77vGAPm4uVNw5v8XhQWskEHL1AKdOHMJv56ob73gjDqbwu
NaoIqiv2UrA0JSK3u/M0A4J3SvSI0JhXb/Fwry0dIfDeYZeC/B9jQX2PXidQSD2d3mQ+rQDD
2JAcO5ic7PcDw1VOlelMLOJBMJklBgRMOwL6fKdA3ay8CYBXdXUclF78APqJ3L/oc3QS0Ag4
+UTWnHXg0VLhJmpST8Xi8PynFLP9hTBsIYrggfftX1txtCYDw000oG0UupfX2i+5CffaVHBJ
b8LPceP7NJE/cwIDAQABo4IB9zCCAfMwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8E
BAMCAQYwEQYDVR0gBAowCDAGBgRVHSAAMB0GA1UdDgQWBBQfdGX0mh169jHp32EbcysNbdAz
STAfBgNVHSMEGDAWgBRJt8bP6D0ff+pEexMp9/EKcD7eZDAVBgNVHREEDjAMgQpjYUBraXQu
ZWR1MIGIBgNVHR8EgYAwfjA9oDugOYY3aHR0cDovL2NkcDEucGNhLmRmbi5kZS9nbG9iYWwt
cm9vdC1jYS9wdWIvY3JsL2NhY3JsLmNybDA9oDugOYY3aHR0cDovL2NkcDIucGNhLmRmbi5k
ZS9nbG9iYWwtcm9vdC1jYS9wdWIvY3JsL2NhY3JsLmNybDCB1wYIKwYBBQUHAQEEgcowgccw
MwYIKwYBBQUHMAGGJ2h0dHA6Ly9vY3NwLnBjYS5kZm4uZGUvT0NTUC1TZXJ2ZXIvT0NTUDBH
BggrBgEFBQcwAoY7aHR0cDovL2NkcDEucGNhLmRmbi5kZS9nbG9iYWwtcm9vdC1jYS9wdWIv
Y2FjZXJ0L2NhY2VydC5jcnQwRwYIKwYBBQUHMAKGO2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUv
Z2xvYmFsLXJvb3QtY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MA0GCSqGSIb3DQEBCwUAA4IB
AQA6Fib/1FcgfZ37KMpvcSqfGu7Di2uF0j1P8ayheA6d1HZSncwytib8ws4hedEoh+eGbim7
ClGumF8B4lhzu7bFFtvq+nJ23+hRnL8pcnjrXrULKCrwdmzIRBtH59QePvZOSLlyaXEEh4im
YUWv5ajVjveYSh74bVDvHZU2LZU2khJr+kQHH8NiXGCogdhgve4d2KcIpgwtebH88GHZ4U3U
lxeeAlT4MBzy/OXEf2COypULY7yOss9eJpmu332Delu1AQzz3P+XpomCIMW8BARWeaK35Lz7
X3iVLk9xSO0QZhPJj5f23rXn3Wc6hdRd+e3pq6bhh/YGWyaffEoK7kKoMYIEkjCCBI4CAQEw
gcswgb8xCzAJBgNVBAYTAkRFMRswGQYDVQQIExJCYWRlbi1XdWVydHRlbWJlcmcxEjAQBgNV
BAcTCUthcmxzcnVoZTEqMCgGA1UEChMhS2FybHNydWhlIEluc3RpdHV0ZSBvZiBUZWNobm9s
b2d5MScwJQYDVQQLEx5TdGVpbmJ1Y2ggQ2VudHJlIGZvciBDb21wdXRpbmcxDzANBgNVBAMT
BktJVC1DQTEZMBcGCSqGSIb3DQEJARYKY2FAa2l0LmVkdQIHGG3Jfo2QSjANBglghkgBZQME
AgEFAKCCApcwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTcw
NzExMDg0NDAxWjAvBgkqhkiG9w0BCQQxIgQgQWzzyajS82XFtcJ9O9fCHk0vfxcdCKxtCJgS
sMTr7a4wbAYJKoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqG
SIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG
9w0DAgIBKDCB3AYJKwYBBAGCNxAEMYHOMIHLMIG/MQswCQYDVQQGEwJERTEbMBkGA1UECBMS
QmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHEwlLYXJsc3J1aGUxKjAoBgNVBAoTIUthcmxz
cnVoZSBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEnMCUGA1UECxMeU3RlaW5idWNoIENlbnRy
ZSBmb3IgQ29tcHV0aW5nMQ8wDQYDVQQDEwZLSVQtQ0ExGTAXBgkqhkiG9w0BCQEWCmNhQGtp
dC5lZHUCBxhtyX6NkEowgd4GCyqGSIb3DQEJEAILMYHOoIHLMIG/MQswCQYDVQQGEwJERTEb
MBkGA1UECBMSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHEwlLYXJsc3J1aGUxKjAoBgNV
BAoTIUthcmxzcnVoZSBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEnMCUGA1UECxMeU3RlaW5i
dWNoIENlbnRyZSBmb3IgQ29tcHV0aW5nMQ8wDQYDVQQDEwZLSVQtQ0ExGTAXBgkqhkiG9w0B
CQEWCmNhQGtpdC5lZHUCBxhtyX6NkEowDQYJKoZIhvcNAQEBBQAEggEAE+ziUd1PR1Aeh+GV
l0wOYxqdjNuPbJCvBNYfM7Qj0JfXWI4m8mwTghGcIRG2kCdwn8hyP2AaZVTwpB+0zHeB0igU
AbeChQbYFv2M81RXdCAKcon1qcv88Z8JYYB6F4efZOVdBo+bNtHdVS7PsJgBgwQvKRSItX6Y
LK2f2PEAJyxLQ0K8q4nN6hlQI1R2bwW+VaE/AQbB2k6N4/javoL7GdZHntsbGNXNy1yFAn33
u+gAySoDadYJjZAT2hpsrhRXNf6QG9ztlGDRG9x7u9OpZI0aTV47ML+k8ee5b5P8m28enaBH
qkCQLDqtaFN+CF9jngYJHQs+oF7tWI2koLfdbAAAAAAAAA==
--------------ms070307040004020302000203--