Master -> replica through NAT?
by Kat
Here is an odd problem (I think).
I am using IPA in one environment, and want to set up a replica in
another environment through natted connections. I can set up the client
to the NAT server, but here is the tricky part - IPA is also DNS. So if
I try to bring the DNS setup over with --
ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca
It fails, because when it tries to lookup the master on the other side
of the NAT FW, of course it resolves incorrectly. The first failure is
conn-check, so even if I --skip-conncheck, it still fails since DNS will
not resolve.
Suggestions?
-K
6 years, 3 months
Expired certificates
by Ian Pilcher
After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start.
I see this (repeated many times) in the journal:
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@383171f8 background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1357)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1543)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1521)
at java.lang.Thread.run(Thread.java:748)
getcert list shows a number of expired certificates (which is EXTREMELY
frustrating, as I thought that certmonger, which is running, was
supposed to take care of these renewals):
Request ID '20170306100908':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PENURIO.US
subject: CN=CA Audit,O=PENURIO.US
expires: 2017-06-19 16:27:30 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170306100911':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PENURIO.US
subject: CN=OCSP Subsystem,O=PENURIO.US
expires: 2017-06-19 16:26:30 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170306100914':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PENURIO.US
subject: CN=CA Subsystem,O=PENURIO.US
expires: 2017-06-19 16:26:30 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Is there a published procedure to fix this? (I did find a procedure for
RHEL/CentOS 6 and IPA 3, on the Red Hat site, but I am using CentOS 7
with IPA 4.4.)
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
6 years, 3 months
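A small check for listings like the getcert output in Ian's post above, added here as an illustration and not taken from the thread or from certmonger: it splits the output into request blocks (tolerating the line wrapping a mail client adds), joins the wrapped ca-error text back together, and flags every request that is expired or in any state other than MONITORING. The host and realm in the sample are placeholders.

```python
import re
from datetime import datetime, timezone

# Field names certmonger prints per request; any other line is treated as a
# continuation of the previous field (mail clients wrap long ca-error lines).
FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
          "CA", "issuer", "subject", "expires", "key usage", "eku",
          "pre-save command", "post-save command", "track", "auto-renew"}

# Constructed sample in the shape of the quoted listing: one expired CA
# subsystem certificate (CA unreachable) and one healthy server certificate.
SAMPLE = """\
Request ID '20170306100908':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://ipa.example.test:8443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with given CA certificates.
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2017-06-19 16:27:30 UTC
Request ID '20170306100950':
status: MONITORING
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2019-03-07 10:09:00 UTC
"""

def parse_getcert(text):
    """Split 'getcert list' output into one dict per tracking request."""
    requests, current, last = [], None, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current, last = {"request_id": m.group(1)}, None
            requests.append(current)
            continue
        key, sep, value = line.partition(":")
        if current is None:
            continue                      # text before the first request block
        if sep and key in FIELDS:
            current[key], last = value.strip(), key
        elif last is not None:            # wrapped continuation of the previous field
            current[last] = (current[last] + " " + line).strip()
    return requests

def nickname(req):
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else "?"

def expires_at(req):
    stamp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
    return stamp.replace(tzinfo=timezone.utc)

def check(requests, now=None):
    """(request id, nickname, problems) for every request that needs attention."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for req in requests:
        problems = []
        if expires_at(req) <= now:
            problems.append("expired")
        if req.get("status") != "MONITORING":   # MONITORING is the healthy idle state
            problems.append("status " + req.get("status", "?"))
        if problems:
            findings.append((req["request_id"], nickname(req), ", ".join(problems)))
    return findings
```

Feed it `getcert list` output directly (`check(parse_getcert(open(path).read()))`); a renewal agent that cannot reach the CA because the CA's own subsystem certificates have expired shows up as exactly the pairing seen above.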
Frequent "LDAP query timed out" in named-pkcs11
by emil.flink@gmail.com
Hi,
I am running two FreeIPA servers, up to date on Fedora 25 (i.e. FreeIPA v4.4.4), in a small office environment.
named-pkcs11 is logging quite a lot of errors (~30 a day) like the block below:
LDAP error: Timed out: while modifying(replace) entry 'idnsname=ddns.ske1.bublar.,cn=dns,dc=ipa,dc=bublar'
retrying LDAP operation (modifying(replace)) on entry 'idnsname=ddns.ske1.bublar.,cn=dns,dc=ipa,dc=bublar'
LDAP query timed out. Try to adjust "timeout" parameter
zone ddns.ske1.bublar/IN: serial (1498025739) write back to LDAP failed
I am also seeing intermittent login issues in services configured with LDAP login, which further indicates the directory server is intermittently unresponsive.
However, the "errors" log for the directory server does not contain any errors.
How can I further debug/troubleshoot this issue?
6 years, 3 months
Replication conflict woes
by John Bowman
After a lot of patching in order to get the environment up to date in order
to add a new CA replica and remove our IPA 3.0 servers we ended up with a
bunch of conflicts and other inconsistencies:
$ ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa0.domain.tld" -D "cn=directory manager" -w secret -b "dc=domain,dc=tld" "nsds5ReplConflict=*" nsds5ReplConflict
dn: cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
dn: cn=ipaservers+nsuniqueid=e8d2f707-512111e7-9205b5bf-43202000,cn=ng,cn=alt,dc=domain,dc=tld
dn: cn=domain+nsuniqueid=e8d2f70e-512111e7-9205b5bf-43202000,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
dn: cn=locations+nsuniqueid=e8d2f712-512111e7-9205b5bf-43202000,cn=etc,dc=domain,dc=tld
dn: cn=DNS Administrators+nsuniqueid=e8d2f718-512111e7-9205b5bf-43202000,cn=privileges,cn=pbac,dc=domain,dc=tld
dn: cn=DNS Servers+nsuniqueid=e8d2f71a-512111e7-9205b5bf-43202000,cn=privileges,cn=pbac,dc=domain,dc=tld
dn: cn=cas+nsuniqueid=e8d2f71c-512111e7-9205b5bf-43202000,cn=ca,dc=domain,dc=tld
dn: cn=dogtag+nsuniqueid=e8d2f74d-512111e7-9205b5bf-43202000,cn=custodia,cn=ipa,cn=etc,dc=domain,dc=tld
dn: cn=ca+nsuniqueid=e8d2f750-512111e7-9205b5bf-43202000,cn=topology,cn=ipa,cn=etc,dc=domain,dc=tld
dn: cn=System: Add CA+nsuniqueid=e8d2f75d-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Delete CA+nsuniqueid=e8d2f761-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Modify CA+nsuniqueid=e8d2f765-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read CAs+nsuniqueid=e8d2f769-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=e8d2f77a-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=e8d2f77e-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Add IPA Locations+nsuniqueid=e8d2f807-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Modify IPA Locations+nsuniqueid=e8d2f80b-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read IPA Locations+nsuniqueid=e8d2f80f-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Remove IPA Locations+nsuniqueid=e8d2f813-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=e8d2f82c-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=e8d2f830-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Manage Service Principals+nsuniqueid=e8d2f834-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: cn=System: Manage User Principals+nsuniqueid=e8d2f866-512111e7-9205b5bf-43202000,cn=permissions,cn=pbac,dc=domain,dc=tld
dn: dnaHostname=ipa1.domain.tld+dnaPortNum=0+nsuniqueid=c90407a3-51e311e7-9205b5bf-43202000,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=domain,dc=tld
Looking only at the first one I see two entries for it:
$ ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa0.domain.tld" -D "cn=directory manager" -w secret -b cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld -s base
dn: cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
ipaUniqueID: fe7226e4-5121-11e7-82f1-005056972fd9
cn: ipaservers
description: IPA server hosts
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
[jbowman@idm ipa_check_consistency]$ ldapsearch -o ldif-wrap=no -ZZ -LLLx -h "ipa0.domain.tld" -D "cn=directory manager" -w secret -b cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=tld -s base
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=tld
ipaUniqueID: 319cb1ce-c21b-11e6-bab9-005056977521
cn: ipaservers
description: IPA server hosts
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
member: fqdn=ipa4.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
member: fqdn=ipa5.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
memberOf: cn=replication administrators,cn=privileges,cn=pbac,dc=domain,dc=tld
memberOf: cn=add replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=modify replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=remove replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read passsync managers configuration,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=modify passsync managers configuration,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read ldbm database configuration,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=add configuration sub-entries,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=modify dna range,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read dna range,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: cn=read replication agreements,cn=permissions,cn=pbac,dc=domain,dc=tld
memberOf: ipauniqueid=87c611a4-3753-11e3-a382-0050568e07ed,cn=sudorules,cn=sudo,dc=domain,dc=tld
memberOf: cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
memberOf: cn=ipaservers+nsuniqueid=e8d2f707-512111e7-9205b5bf-43202000,cn=ng,cn=alt,dc=domain,dc=tld
I made the mistake of trying to delete:
cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
After a successful deletion with ldapmodify, the entry is removed on 5 of the 6 servers, but on 1 server (in this case ipa1.domain.tld) it deletes the valid entry on that server. I'm concerned these errors could cause other issues further down the road and would like to get them cleared up, but I'm not having much success, which doesn't build confidence unfortunately. Any tips would be appreciated.
If it helps:
ipa0 = RHEL 6 with IPA 3.0
ipa1 = RHEL 7 with IPA 4.4 (recently updated from 4.2)
ipa2 = RHEL 6 with IPA 3.0
ipa3 = RHEL 6 with IPA 3.0
ipa4 = RHEL 7 with IPA 4.4
ipa5 = RHEL 7 with IPA 4.4
Thanks!
6 years, 3 months
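Before deleting anything, it helps to see exactly how a conflict entry differs from the entry it collided with. The following is an added example, not code from the thread or from FreeIPA: it reads LDIF like the two ipaservers entries above, derives the surviving DN by stripping the +nsuniqueid component that 389-ds adds to the losing entry's RDN, and lists the attribute values present on only one side. The sample LDIF is constructed from the entries quoted in the post, trimmed to a few attributes.

```python
import re
from collections import defaultdict

# A conflict entry carries the losing entry's nsuniqueid in its RDN.
CONFLICT_MARK = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

# Constructed LDIF modelled on the two ipaservers entries quoted above (trimmed).
SAMPLE_LDIF = """\
dn: cn=ipaservers+nsuniqueid=e8d2f705-512111e7-9205b5bf-43202000,cn=hostgroups,cn=accounts,dc=domain,dc=tld
ipaUniqueID: fe7226e4-5121-11e7-82f1-005056972fd9
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld

dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=tld
ipaUniqueID: 319cb1ce-c21b-11e6-bab9-005056977521
member: fqdn=ipa1.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
member: fqdn=ipa4.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
member: fqdn=ipa5.domain.tld,cn=computers,cn=accounts,dc=domain,dc=tld
memberOf: cn=replication administrators,cn=privileges,cn=pbac,dc=domain,dc=tld
memberOf: cn=ipaservers,cn=ng,cn=alt,dc=domain,dc=tld
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr (lowercased): [values]}}. Unfolds
    continuation lines (leading space) and skips base64 ('::') values."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                  # blank line ends the entry
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def conflict_dns(entries):
    """DNs that 389-ds renamed into conflict form."""
    return sorted(dn for dn in entries if CONFLICT_MARK.search(dn))

def live_dn(conflict_dn):
    """DN of the entry that won the conflict."""
    return CONFLICT_MARK.sub("", conflict_dn)

def compare(entries, conflict_dn):
    """Attribute values each side has that the other lacks."""
    stale, live = entries[conflict_dn], entries.get(live_dn(conflict_dn), {})
    only_conflict, only_live = {}, {}
    for attr in sorted(set(stale) | set(live)):
        a, b = set(stale.get(attr, [])), set(live.get(attr, []))
        if a - b: only_conflict[attr] = sorted(a - b)
        if b - a: only_live[attr] = sorted(b - a)
    return {"conflict": conflict_dn, "live": live_dn(conflict_dn),
            "only_in_conflict": only_conflict, "only_in_live": only_live}
```

Run it against the `-o ldif-wrap=no` output from each replica in turn: the post's observation that the deletion removed the valid entry on ipa1 means the two entries are not the same on every server, and this shows where they diverge before any ldapmodify is issued.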
Overcoming hurdles installing freeipa-server on ubuntu 17.10
by David Harvey
Hope this helps to save some of you some time digging. And I know,
freeipa-server on a non-LTS release is daft..
sudo apt-get install freeipa-server-trust-ad
# This has been mentioned elsewhere, and it should either be a dependency OR
# its absence should not break things as it currently does
sudo mkdir /etc/krb5.conf.d/
# Apparently this is expected by ipa-server to have been generated by one of
# the kerberos packages but is not..
sudo mkdir -p /usr/libexec/ipa
sudo ln -s /usr/lib/ipa/ipa-httpd-kdcproxy /usr/libexec/ipa/ipa-httpd-kdcproxy
# The last two lines are a pretty dirty hack as I couldn't work out where in
# the ipa-server-install the file /etc/systemd/system/apache2.service.d/ipa.conf
# is created or updated. This file has a bad path to ipa-httpd-kdcproxy, so
# ideally there should be some logic to check where it is before defining a
# path to it.
6 years, 3 months
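The "check where it is before defining a path to it" logic David asks for, written as an added example and not something ipa-server-install does: look for ipa-httpd-kdcproxy in the locations a distribution might use, and only then create the symlink under the path apache2's drop-in expects, refusing to clobber anything already there. The candidate list and function names are assumptions.

```python
from pathlib import Path

# Hypothetical search order: the path the apache2 drop-in expects first, then
# the path the Ubuntu package actually installs to (from the post above).
CANDIDATES = ("/usr/libexec/ipa/ipa-httpd-kdcproxy",
              "/usr/lib/ipa/ipa-httpd-kdcproxy")

def find_kdcproxy(candidates=CANDIDATES):
    """Return the first existing regular file among candidates, or None."""
    for candidate in candidates:
        path = Path(candidate)
        if path.is_file():
            return path
    return None

def ensure_kdcproxy_link(expected, candidates=CANDIDATES):
    """Make `expected` resolve to the real script. Returns the resolved target,
    or None when the script exists nowhere. Never overwrites an existing file
    and is safe to rerun, so it can sit in an idempotent setup script."""
    expected = Path(expected)
    if expected.is_file():              # real file or a working symlink: done
        return expected.resolve()
    if expected.is_symlink():           # dangling link: report rather than guess
        raise FileExistsError(f"{expected} is a dangling symlink")
    real = find_kdcproxy(candidates)
    if real is None:
        return None
    expected.parent.mkdir(parents=True, exist_ok=True)
    expected.symlink_to(real)
    return real.resolve()

if __name__ == "__main__":
    target = ensure_kdcproxy_link(CANDIDATES[0])
    print("kdcproxy available at", CANDIDATES[0], "->", target or "NOT FOUND")
```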
admin account locked due to external ssh authentication attempts
by peter@husen.dk
I manage a small FreeIPA domain that has one server that can be accessed through ssh from the internet. I occasionally find that the admin account is locked when I try to log in to the FreeIPA admin interface (not available from the Internet), and it seems that this is due to an endless stream of incoming ssh authentication attempts for common names like "root" and "admin", and in the latter case, the authentication is forwarded to the FreeIPA server (since the user exists in the directory, I suppose), and the account gets locked out temporarily now and then due to too many failed attempts. Now, admin is not actually supposed to be able to log in through ssh (or as a POSIX account in general), so I have tried to add:
DenyUsers admin
to sshd_config on that server to filter out these attempts, but it seems (as far as I can see in the logs) that the authentication is still tried against the FreeIPA server, before it gets blocked by sshd. What is the best way to prevent the evil bots of the Internet from locking out my admin account?
6 years, 3 months
new replica install?
by Kat
Trying to find the new replica installation procedure for doing it.
Apparently ipa-replica-prepare, etc. is no longer the way, although all
the Red Hat docs say it is.
:-(
6 years, 3 months
Migration from freeipa to samba-ad
by Николай Савельев
Hello.
I have about 60 Linux clients in FreeIPA and about 20 clients in AD.
I want to use only one system for user identification. FreeIPA can't do identification and authentication for Windows clients.
So I should use AD.
For migration, should I only delete freeipa-client from the hosts and then register those hosts in AD?
Best regards, Nik.
6 years, 3 months
FreeIPA master and replica behind an Elastic load balancer
by ridha.zorgui@infor.com
I set up a FreeIPA master and replica behind an elastic load balancer in the AWS cloud. FreeIPA clients will be contacting the replica and the master server through the load balancer, so the DNS name used when configuring the clients is the ELB CNAME. The problem is that when retrieving data and during authentication, the SSL handshake fails as the certificate sent back from the master or replica has a hostname different from the one used in sssd, so the connection is terminated. There is a workaround, which is to use reqcert=allow, but this brings a security issue with a MITM attack. Another solution I found is to use SAN, but I don't seem to be able to make it right. Any thoughts on how to solve that will be very helpful.
6 years, 3 months
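The hostname check that fails in Ridha's setup, reduced to its essentials as an added example (not sssd's or NSS's code): a client that connects to the ELB name verifies that name against the certificate's dNSName SANs, so a certificate carrying only the server's own FQDN fails unless the SAN list also includes the name clients actually use. The host names are constructed placeholders.

```python
# Constructed placeholder names for the replica and the ELB CNAME clients use.
REPLICA = "ipa-replica.example.test"
ELB = "ipa-lb.example.test"

def san_matches(hostname, san_dns_names):
    """True if hostname is covered by one of the certificate's dNSName SANs.
    Simplified RFC 6125 rules: case-insensitive label comparison, a wildcard
    only as the whole leftmost label, matching exactly one label, and never
    standing in for the registrable domain itself (so '*.test' is refused).
    Partial-label wildcards ('ipa-*') and iPAddress SANs are not handled."""
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pattern = name.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*" and len(pattern) < 3:
            continue
        if any("*" in label for label in pattern[1:]):
            continue
        if all(p == "*" or p == h for p, h in zip(pattern, host)):
            return True
    return False

def uncovered_names(client_names, san_dns_names):
    """Names clients connect to that the certificate does not cover. Each one
    fails the TLS hostname check and the connection is dropped, unless the
    client is told to ignore bad certificates (sssd's ldap_tls_reqcert = allow
    does exactly that, which is the MITM exposure the post mentions)."""
    return [n for n in client_names if not san_matches(n, san_dns_names)]

def before_and_after():
    """The replica's certificate with only its own FQDN, then with the ELB
    name added to the SAN list; returns the uncovered names in each case."""
    clients_use = [REPLICA, ELB]
    return (uncovered_names(clients_use, [REPLICA]),
            uncovered_names(clients_use, [REPLICA, ELB]))
```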
Announcing FreeIPA 4.5.2
by Tomas Krizek
ReleaseDate: 2017-06-18
The FreeIPA team would like to announce FreeIPA 4.5.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 25/26 will be available in the official COPR repository
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-5/ .
== Highlights in 4.5.2 ==
* 5860: depracate --no-sssd option
Option '--no-sssd' has been deprecated because SSSD is recommended for use
on modern platforms - Fedora, RHEL 6, RHEL 7, Debian.
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.5.2 is a stabilization release for the features delivered as a
part of 4.5.0. There are more than 20 bug-fixes, details of which can be
seen in the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on page:
https://www.freeipa.org/page/Upgrade
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7020 Installation of KRA replica fails
* 7015 allow to modify list of UPNs of a trusted forest
* 7001 Do not send Max-Age in ipa_session cookie to avoid breaking older
clients
* 7000 Provide a simple command to issue KDC certificates on a IPA master
* 6993 certauth: use canonical principal for lookups
* 6982 Provide a tooling automating the configuration of Smart Card
authentication on a FreeIPA master
* 6981 Enabling OCSP checks in mod_nss breaks certificate issuance when
ipa-ca records are not resolvable
* 6977 Simple service uninstallers must be able to handle missing
service files gracefully
* 6972 Replica installation grants HTTP principal access in WebUI
* 6966 Document that port 8080 needs to be open on IPA masters for cert-find
* 6965 ipa-replica-manage del replica.name fails
* 6963 ipa certmaprule change not reflected in krb5kdc workers
* 6958 [tracker] SELinux policy denies IPA framework to perform
anonymous PKINIT on localhost during FAST armoring
* 6948 services entries missing krbCanonicalName attribute.
* 6937 Provide an API command to retrieve PKINIT status in the FreeIPA
topology
* 6936 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
* 6935 ipa-replica-conncheck fails when there is no ssh executable on
the master
* 6885 ipa cert-show does not raise error if no file name specified
* 6867 [ipa-replica-install] - KDC has no support for encryption type
* 6800 Investigate how privilege separation feature will work after
DL0->DL1 update
* 6796 WSGI fails with recursion error in GSSAPI
* 6749 "ipa: ERROR: an internal error has occurred" on executing command
"ipa cert-request --add" after upgrade
* 6736 Add pkinit_indicator option to KDC configuration
* 6572 server-del doesn't remove dns-server configuration from ldap
* 5860 depracate --no-sssd option
* 5788 user-add postcallback is not efficient when --noprivate flag is set
* 5406 ipa-client-install should not use hardcoded admin principal
== Detailed changelog since 4.5.1 ==
=== Alexander Bokovoy (4) ===
* trust-mod: allow modifying list of UPNs of a trusted forest
* ipa-kdb: add pkinit authentication indicator in case of a successful
certauth
* Fix index definition for ipaAnchorUUID
* krb5: make sure KDC certificate is readable
=== David Kupka (1) ===
* kra: promote: Get ticket before calling custodia
=== Felipe Volpone (2) ===
* Changing cert-find to go through the proxy instead of using the port 8080
* Changing cert-find to do not use only primary key to search in LDAP.
=== Florence Blanc-Renaud (1) ===
* ipa-replica-conncheck: handle ssh not installed
=== Jan Cholasta (4) ===
* server upgrade: do not enable PKINIT by default
* pkinit manage: introduce ipa-pkinit-manage
* server certinstall: update KDC master entry
* httpinstance: wait until the service entry is replicated
=== Martin Babinsky (10) ===
* Prepare advise plugin for smart card auth configuration
* Extend the advice printing code by some useful abstractions
* fix incorrect suffix handling in topology checks
* only stop/disable simple service if it is installed
* test_serverroles: Get rid of MockLDAP and use ldap2 instead
* Add `pkinit-status` command
* Add the list of PKINIT servers as a virtual attribute to global config
* Add an attribute reporting client PKINIT-capable servers
* Refactor the role/attribute member reporting code
* Allow for multivalued server attributes
=== Martin Basti (4) ===
* Only warn when specified server IP addresses don't match intf
* Add remote_plugins subdirectories to RPM
* custodia dep: require explictly python2 version
* 4.5 set back to git snapshot
=== Pavel Vomacka (4) ===
* WebUI: add support for changing trust UPN suffixes
* Bump version of python-gssapi
* Turn off OCSP check
* Change python-cryptography to python2-cryptography
=== Sumit Bose (2) ===
* ipa-kdb: use canonical principal in certauth plugin
* ipa-kdb: reload certificate mapping rules periodically
=== Simo Sorce (3) ===
* Revert setting sessionMaxAge for old clients
* Add code to be able to set default kinit lifetime
* Fix rare race condition with missing ccache file
=== Stanislav Laznicka (6) ===
* rpc: avoid possible recursion in create_connection
* rpc: preparations for recursion fix
* Avoid possible endless recursion in RPC call
* kdc.key should not be visible to all
* Remove pkinit-anonymous command
* ca/cert-show: check certificate_out in options
=== Tibor Dudlák (3) ===
* server.py: Removes dns-server configuration from ldap
* sssd.py: Deprecating no-sssd option.
* client.py: Replace hardcoded 'admin' with options.principal
=== Tibor Dudlák (1) ===
* user.py: replace user_mod with ldap.update_entry()
=== Tomas Krizek (2) ===
* Become IPA 4.5.2
* Update translations
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
6 years, 3 months