[OpenAFS] mod_waklog question

Andreas Ladanyi andreas.ladanyi@kit.edu
Thu, 13 Jul 2017 11:59:35 +0200


Hi Jason,

I tried out your systemd config as below. I have a CentOS 7 box.

k5start and Apache start.

pstree:
====

k5start───httpd───10*[httpd───2*[{httpd}]]


less /proc/fs/openafs/unixusers:
===================

UID/PAG Refs States  Cell                          ViceID     Tok Set  Tok Begin Tok Expire vno  NFS Client         UID/PAG Client UID Sysname(s)
         0    0 0005    cellname              0  1499920292 1499920290 1499963490 256
      1000    0 0005    cellname              1  1499930214 1499930215 1499966212 256
1091860458    0 0005    cellname          29787  1499931869 1499931870 1499967869 256



The ViceID 29787 is the AFS ID of the correct AFS username
(afsweb.fqdn_of_the_host) in pts. The keytab which k5start reads
contains the Kerberos principal (afsweb/fqdn_of_the_host@REALM).

I set read (rl) permission for the AFS username afsweb.fqdn_of_the_host
(29787) on the folder which contains the webfiles and "lookup" permission
to all parent folders of the webfolder. Apache tells me it can't access
the webfolder (DocumentRoot).

Another problem I found is that Apache can't open logfiles in the AFS path
and can't start:
(13)Permission denied: AH00091: httpd: could not open error log file
/afs/.............

sestatus:
=====

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          error (Success)
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


regards,
Andreas

> Hi Andreas,
>
> Getting systemd, apache, and kstart to play nice took a little bit of
> work. I have included a sanitized copy of my Apache systemd unit file.
> Be sure to modify the ExecStart line to have the correct keytab
> location and principal name.
>
> I have NOT tested this in selinux enforcing mode, so beware.
>
> I think that kstart does create a new PAG, but I'm not certain. Be
> sure to verify that by running bash via kstart, then running "id" to
> see if an extra high-numbered numeric group appears. If no new PAG is
> created, then you might play with the pagsh command.
>
> Sincerely,
> Jason
>
> ----------------------------cut----------------------------
> [Unit]
> # customized unit file to start apache with a kerberos keytab
> Description=The Apache HTTP Server
> After=network.target remote-fs.target nss-lookup.target
> Documentation=man:httpd(8)
> Documentation=man:apachectl(8)
>
> [Service]
> Type=notify
> EnvironmentFile=/etc/sysconfig/httpd
> ExecStart=/usr/bin/k5start -o apache -K30 -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
> ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
> ExecStop=/bin/kill -WINCH ${MAINPID}
> # We want systemd to give httpd some time to finish gracefully, but still want
> # it to kill httpd after TimeoutStopSec if something went wrong during the
> # graceful stop. Normally, Systemd sends SIGTERM signal right after the
> # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
> # httpd time to finish.
> KillSignal=SIGCONT
>
> # allow k5start child processes (i.e. apache) to notify system that it's up
> NotifyAccess=all
> PrivateTmp=false
>
> [Install]
> WantedBy=multi-user.target
> ----------------------------cut----------------------------
>
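
Added example, not part of either message: a small shell helper that reads the /proc/fs/openafs/unixusers table shown above and reports which entries are PAGs, which are plain UIDs, and whether each token is still valid, plus a check for a PAG group on a process (the same thing Jason's "id" test looks for). The function names, the sample table and the reference time are constructed for illustration; the PAG test relies on OpenAFS numbering PAGs in the range 0x41000000-0x41ffffff.

```sh
#!/bin/sh
# Added example, not from the thread. SAMPLE is constructed from the three data
# rows Andreas posted, with each mail-wrapped row joined back onto one line.
SAMPLE='UID/PAG Refs States  Cell  ViceID  Tok Set Tok Begin Tok Expire vno
         0    0 0005    cellname              0  1499920292 1499920290 1499963490 256
      1000    0 0005    cellname              1  1499930214 1499930215 1499966212 256
1091860458    0 0005    cellname          29787  1499931869 1499931870 1499967869 256'

# classify_unixusers NOW   (table on stdin, one row per line)
# Prints "<id> <UID|PAG> <ViceID> <valid|expired>" for every data row.
# OpenAFS numbers PAGs 0x41000000-0x41ffffff, so id / 2^24 == 65 marks a PAG;
# anything else is a plain Unix UID. Field 8 is the "Tok Expire" epoch.
classify_unixusers() {
    awk -v now="$1" '
        NF >= 9 && $1 ~ /^[0-9]+$/ {
            kind  = (int($1 / 16777216) == 65) ? "PAG" : "UID"
            state = ($8 + 0 > now + 0) ? "valid" : "expired"
            print $1, kind, $5, state
        }'
}

# pag_in_groups   (gid list on stdin, e.g. the "Groups:" line of /proc/PID/status)
# Prints the first gid in the PAG range, or nothing when there is no PAG group.
pag_in_groups() {
    tr -s ' \t' '\n' | awk '/^[0-9]+$/ && int($1 / 16777216) == 65 { print; exit }'
}

# Sample run; 1499940000 is a constructed reference time.
printf '%s\n' "$SAMPLE" | classify_unixusers 1499940000

# On the web server itself (PID is a placeholder for an httpd worker):
#   classify_unixusers "$(date +%s)" < /proc/fs/openafs/unixusers
#   grep '^Groups:' /proc/PID/status | pag_in_groups
```

Assuming, as the "id" check does, that the PAG shows up as a supplementary group, the httpd workers can only use the afsweb token if pag_in_groups on their PID prints the same number as the PAG row that holds ViceID 29787.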

