ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 8 months
sssd_sudo receives 0 rules but ldap search returns 5, what is wrong?
by Teemu Keinonen
Hello,
I'm configuring a CentOS 6.5 server to authenticate users and sudo rights against a local Samba 4.1.8 (compiled from source). sssd is 1.9.2 from the package repository. User authentication works OK; I can log in with a user that exists only in Samba, but sudoing with the same user fails. After hours of trying I still can't get it right: sssd_sudo receives 0 rules from Samba. Doing an ldapsearch with the criteria from the logs does return sudoer entries, as below. Am I missing something obvious?
Below are (in order) ldapsearch, sssd.conf and sssd_default.log (the part which I think is relevant).
[root@dc1 sssd]# ldapsearch -h dc1 -Y GSSAPI -b OU=SUDOers,DC=teemu,DC=local '(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=Host01)(sudoHost=Host01.example.com)(sudoHost=192.168.0.21)(sudoHost=192.168.0.0/24)(sudoHost=fe80::786b:f4ff:fe87:3314)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))'
SASL/GSSAPI authentication started
SASL username: administrator@TEEMU.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <OU=SUDOers,DC=teemu,DC=local> with scope subtree
# filter: (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=Host01)(sudoHost=Host01.example.com)(sudoHost=192.168.0.21)(sudoHost=192.168.0.0/24)(sudoHost=fe80::786b:f4ff:fe87:3314)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
# requesting: ALL
#
# defaults, SUDOers, teemu.local
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
instanceType: 4
whenCreated: 20140625194645.0Z
whenChanged: 20140625194645.0Z
uSNCreated: 3798
uSNChanged: 3798
name: defaults
objectGUID:: vrCxbL/QkUGFyZWvELWj/w==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoOption: env_keep+=SSH_AUTH_SOCK
distinguishedName: CN=defaults,OU=SUDOers,DC=teemu,DC=local
# %wheel, SUDOers, teemu.local
dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: %wheel
instanceType: 4
whenCreated: 20140626094147.0Z
whenChanged: 20140626094147.0Z
uSNCreated: 3800
uSNChanged: 3800
name: %wheel
objectGUID:: jpGX5AmGUkimPw1yl+oZkA==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
# reima, SUDOers, teemu.local
dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: top
objectClass: sudoRole
cn: reima
instanceType: 4
whenCreated: 20140625194650.0Z
whenChanged: 20140625194650.0Z
uSNCreated: 3799
uSNChanged: 3799
name: reima
objectGUID:: U1paZdVOSke2zmInSenFTg==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=teemu,DC=local
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL
distinguishedName: CN=reima,OU=SUDOers,DC=teemu,DC=local
# search result
search: 4
result: 0 Success
# numResponses: 4
# numEntries: 3
sssd.conf:
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default
debug_level = 10
[nss]
[pam]
[sudo]
debug_level = 10
[domain/default]
debug_level = 10
id_provider = ldap
sudo_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://dc1.teemu.local
ldap_search_base = cn=Users,dc=teemu,dc=local
ldap_sudo_search_base = ou=sudoers,dc=teemu,dc=local
ldap_force_upper_case_realm = true
# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons.
# enumerate = true
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=teemu,dc=local
ldap_default_authtok = XXXXXX
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = dc1$@TEEMU.LOCAL
krb5_realm = TEEMU.LOCAL
krb5_server = dc1.teemu.local
krb5_kpasswd = dc1.teemu.local
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_group_object_class = group
sssd_default.log:
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=teemu,dc=local]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)\
(sudoHost=dc1)(sudoHost=dc1)(sudoHost=10.0.2.15)(sudoHost=10.0.2.0/24)(sudoHost=192.168.1.1)(sudoHost=192.168.1.0/24)(sudoHost=fe80::a00:27ff:fede:ba44)(sudoHost=fe80::/6\
4)(sudoHost=fe80::a00:27ff:fef3:dc1)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=teemu,dc=local].
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0xfed4e0], connected[1], ops[0xff7c20], ldap[0xfedba0]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=teemu,dc=local]
(Fri Jun 27 14:56:27 2014) [sssd[be[default]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
9 years, 4 months
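Whether the 0 rules can be blamed on the search filter can be checked offline. The following script is an added example (not from the post and not sssd code): it applies the sudoHost predicate that sssd logged to a constructed excerpt of the ldapsearch output above and reports which rules pass, once with the host values sssd logged and once with those used in the manual ldapsearch. It assumes the excerpt keeps only the attributes relevant to host matching, and it treats netgroup (+...) and wildcard values as matching because the logged filter pulls those in unconditionally.

```python
"""Apply sssd's logged sudoHost predicate to the sudoRole entries shown above.

The predicate mirrors the filter in the sssd log:
  (|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=<name>)(sudoHost=<ip>)
    (sudoHost=<net>)(sudoHost=+*)(sudoHost=*<wildcard char>*))
"""
import base64

# Constructed excerpt of the ldapsearch output (host-relevant attributes only).
LDIF = """\
dn: CN=defaults,OU=SUDOers,DC=teemu,DC=local
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: CN=%wheel,OU=SUDOers,DC=teemu,DC=local
objectClass: sudoRole
cn: %wheel
objectGUID:: jpGX5AmGUkimPw1yl+oZkA==
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: CN=reima,OU=SUDOers,DC=teemu,DC=local
objectClass: sudoRole
cn: reima
sudoUser: reima
sudoHost: ALL
sudoCommand: ALL
"""

# Host values taken from the sssd log (the client is dc1 itself) and from
# the manual ldapsearch filter.
SSSD_NAMES = {"dc1"}
SSSD_ADDRS = {"10.0.2.15", "192.168.1.1",
              "fe80::a00:27ff:fede:ba44", "fe80::a00:27ff:fef3:dc1"}
SSSD_NETS = {"10.0.2.0/24", "192.168.1.0/24", "fe80::/64"}
LDAPSEARCH_NAMES = {"Host01", "Host01.example.com"}
LDAPSEARCH_ADDRS = {"192.168.0.21", "fe80::786b:f4ff:fe87:3314"}
LDAPSEARCH_NETS = {"192.168.0.0/24", "fe80::/64"}


def parse_ldif(text):
    """Minimal LDIF parser: blank line separates entries, '::' means base64."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value (e.g. objectGUID)
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        cur.setdefault(attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def host_matches(entry, names, addrs, nets):
    """True if the entry would pass sssd's sudoHost OR-branch for this client."""
    hosts = entry.get("sudoHost", [])
    if not hosts:                 # (!(sudoHost=*)): e.g. the 'defaults' entry
        return True
    for h in hosts:
        if h == "ALL" or h in names or h in addrs or h in nets:
            return True
        if h.startswith("+") or any(c in h for c in "\\?*[]"):
            return True           # netgroup / wildcard: fetched, matched later
    return False


def matching_rules(ldif_text, names, addrs, nets):
    """Return DNs of sudoRole entries that pass the host filter."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "sudoRole" in e.get("objectClass", [])
            and host_matches(e, names, addrs, nets)]


if __name__ == "__main__":
    print("sssd host values:     ", matching_rules(LDIF, SSSD_NAMES, SSSD_ADDRS, SSSD_NETS))
    print("ldapsearch host values:", matching_rules(LDIF, LDAPSEARCH_NAMES, LDAPSEARCH_ADDRS, LDAPSEARCH_NETS))
```

Both runs return the same three DNs, so the filter itself accepts every rule the manual search found; a 0-count from the same base therefore points at what the two searches do differently, such as the bind identity (administrator versus the dc1$ machine account) and what it is allowed to read.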
Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04[SOLVED]
by Longina Przybyszewska
I installed another machine, using the same procedure as for the previous one;
the DNS entry is created, but dyndns updates fail exactly as for the first one:
both machines discover the same active DNS server, to which they try to send updated A records
(I have no access to the log, but asked my AD-admin colleagues to look into it).
sssd.conf :
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 6
domains =nat.domain.org
config_file_version = 2
services = nss, pam
[domain/nat.domain.org]
debug_level = 7
ad_domain = nat.domain.org
krb5_realm = NAT.DOMAIN.ORG
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
#
dyndns_update = true
Best
Longina
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of steve
Sent: 20. juni 2014 17:42
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04[SOLVED] (fwd)
On Fri, 2014-06-20 at 07:37 +0000, Longina Przybyszewska wrote:
>
> The same happened to the keytab file. Here the right one, corresponding to the log file.
> 2 05/19/2014 10:36:55 SKYWALKER$@NAT.DOMAIN.ORG
>
Hi
And the corresponding sssd.conf?
Anyway, sssd is sending the correct stuff to nsupdate for the forward RR, but the log ends there, so I'm assuming it fails for the reverse too.
Another good way of debugging it is to perform the update by hand using nsupdate -g. Do you have access to the AD DNS logs?
HTH
Steve
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
9 years, 5 months
Get error "Incorrect Password" when su to a ldap user with password prompt
by XuQing Tan
Hi folks,
I set up sssd 1.9.2 on CentOS 6 x64.
I can get the user info via 'id <user>'.
I can su to that user as root (no password prompt since I'm root):
[root@nick-ldap ~]# su - nick
-sh-4.1$ exit
logout
but I can't su to this user as non-root (I get a password prompt, then an
incorrect password error):
[root@nick-ldap ~]# su - demo
[demo@nick-ldap ~]$ su - nick
Password:
su: incorrect password
[demo@nick-ldap ~]$
Do you have any ideas why I got this?
Thanks
Thanks & Best Regards!
Nick Tan
9 years, 5 months
Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04[NOT-SOLVED]
by Longina Przybyszewska
> How SSSD resolves domainname for machine for supplying to nsupdate record?
sssd doesn't do anything. nsupdate sends the dns update calls to whatever you have put in /etc/resolv.conf
This is not true in my case:
----
/etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.220.2.5
search c.sdu.dk
----
(Wed Jun 25 12:09:18 2014) [sssd[be[nat.c.sdu.dk]]] [be_nsupdate_create_ptr_msg] (0x0400): -- Begin nsupdate message --
server nat-vdc0b.nat.c.sdu.dk
realm NAT.C.SDU.DK
update delete 254.4.144.10.in-addr.arpa. in PTR
update add 254.4.144.10.in-addr.arpa. 3600 in PTR eta.nat.c.sdu.dk.
send
(Wed Jun 25 12:09:18 2014) [sssd[be[nat.c.sdu.dk]]] [be_nsupdate_create_ptr_msg] (0x0400): -- End nsupdate message --
----
host nat-vdc0b.nat.c.sdu.dk
nat-vdc0b.nat.c.sdu.dk has address 10.144.5.18
---
Host nat-vdc0b.xxx.xxx.xxx is the LDAP/AD server, _not_ the DNS server.
Best,
Longina
9 years, 5 months
How to specify objectClass in search_base?
by Sven Geggus
Hello,
with nslcd I do the following to simulate user private groups without
actually creating them in the directory server:
...
filter group (&(|(objectClass=Group)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User)))(msSFU30NisDomain=example))
...
I tried porting this to sssd using the following:
ldap_group_search_base = DC=example,DC=com?subtree?(&(|(objectClass=Group)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User)))(msSFU30NisDomain=example))
Unfortunately this does not work as expected.
Any idea how this would be done in sssd?
Regards
Sven
--
"linux is evolution, not intelligent design"
(Linus Torvalds)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web
9 years, 5 months
SSSD 1.11 for Ubuntu Lucid
by Jay McCanta
My apologies if this isn't the right place for this request.
I'm looking for an sssd AD backend that supports AD domain trusts (within the same forest) and user filtering. As I understand things, that would be 1.11. Has anyone been able to build 1.11 for Ubuntu Lucid? I don't mind having to build some of the extra libraries; I'm just hoping it has either been done or is at the very least doable.
Thanks to all involved.
Jay McCanta
F5 Networks, Inc.
Seattle, WA
There are two kinds of people in the world, those with cleaver signature lines, and me.
9 years, 5 months
Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04[SOLVED] (fwd)
by Longina Przybyszewska
Log file d7 as attachment.
root@skywalker:/tmp# cat /etc/sssd/sssd.conf
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 6
domains =nat.c.sdu.dk
config_file_version = 2
services = nss, pam
[domain/nat.c.sdu.dk]
debug_level = 7
ad_domain = nat.c.sdu.dk
krb5_realm = NAT.C.SDU.DK
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
#
dyndns_update = true
best,
Longina
9 years, 5 months
Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04 [SOLVED]]
by Longina Przybyszewska
I hit the same problem ("ddns failure") with a desktop client running Ubuntu 14.04.
Following the discussion, my setup seems to be correct, but the host record disappeared from DNS and can't be updated.
After joining with 'realm', the DNS A record was set up correctly.
I work on a laptop which I suspend overnight.
Debug output:
root@skywalker:/home-local/longinap# cat /etc/hostnames
skywalker
root@skywalker:/home-local/longinap# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 skywalker.domain.org skywalker
10.144.4.254 zeta.domain.org zeta
----------------------------
root@skywalker:/home-local/longinap# hostname -s
skywalker
root@skywalker:/home-local/longinap# hostname -f
skywalker.domain.org
root@skywalker:/home-local/longinap# dnsdomainname
domain.org
root@skywalker:/home-local/longinap# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat
#hosts: files mdns4_minimal [NOTFOUND=return] dns
hosts: files dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
---------------------------------
longinap@skywalker:~$ host skywalker.domain.org
Host skywalker.domain.org not found: 3(NXDOMAIN)
---------------/var/log/sssd...----------------------
[sssd[be[domain.org]]] [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying with server name
[sssd[be[domain.org]]] [nsupdate_msg_create_common] (0x0200): Creating update message for server [nat-vdc0a.domain.org] and realm [DOMAIN.ORG]
[sssd[be[domain.org]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server nat-vdc0a.domain.org
realm DOMAIN.ORG
update delete skywalker. in A
send
update delete skywalker. in AAAA
send
update add skywalker. 3600 in A 10.80.8.91
send
[sssd[be[domain.org]]] [be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
[sssd[be[domain.org]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5338]
[sssd[be[domain.org]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5338]
[sssd[be[domain.org]]] [write_pipe_handler] (0x0400): All data has been sent!
[sssd[be[domain.org]]] [be_nsupdate_args] (0x0200): [sssd[be[domain.org]]] [nsupdate_child_stdin_done] (0x1000): nsupdate auth type: GSS-TSIG
Sending nsupdate data complete
[sssd[be[domain.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x1cbdca0
[sssd[be[domain.org]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[domain.org]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
[sssd[be[domain.org]]] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
[sssd[be[domain.org]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158229]: Dynamic DNS update timed out
[sssd[be[domain.org]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
[sssd[be[domain.org]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158229]: Dynamic DNS update timed out
[sssd[be[domain.org]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158229]: Dynamic DNS update timed out
[sssd[be[domain.org]]] [child_sig_handler] (0x1000): Waiting for child [5338].
[sssd[be[domain.org]]] [child_sig_handler] (0x0020): child [5338] was terminated by signal [9].
Best,
Longina
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: 22. maj 2014 15:44
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] 1.11.5 ddns failure on Ubuntu 14.04 [SOLVED]
On 05/22/2014 09:28 AM, Rowland Penny wrote:
> On 22/05/14 14:06, Stephen Gallagher wrote: On 05/22/2014 08:55 AM,
> Rowland Penny wrote:
>>>> On 22/05/14 13:50, John Hodrien wrote:
>>>>> On Thu, 22 May 2014, Rowland Penny wrote:
>>>>>
>>>>>> Not on Ubuntu it isn't ;-)
>>>>> I'd argue that Ubuntu just has incorrect behaviour then.
>>>>>
>>>>> If you look at man hosts on an ubuntu machine (13.10), you'll see
>>>>> how they describe it, and the example they provide. The format
>>>>> described is:
>>>>>
>>>>> IP_address canonical_hostname [aliases...]
>>>>>
>>>>> The example is:
>>>>>
>>>>> 127.0.0.1 localhost 192.168.1.10 foo.mydomain.org
>>>>> foo 192.168.1.13 bar.mydomain.org bar
>>>>>
>>>>> That's the correct format, whether or not Ubuntu applies it.
>>>> Thats all very well for a machine with a fixed ip but what about
>>>> DHCP ?
>>>>
> Well, once they adopt systemd, they'll get to start using hosts:
> files dns myhostname
>
>> OK, 'files dns' I understand but 'myhostname' ? I think that means
>> that DHCP will store the machines identity in a file somewhere, is
>> this correct and if so where ?
myhostname is a name-service module that just asks systemd to tell it what IP addresses the system has and what the system's hostname is supposed to be. Then it "magically" returns all the correct and up-to-the-minute information.
9 years, 5 months
sssd + realm + SPN
by Longina Przybyszewska
It would be very convenient to have the same method for both joining a machine and adding service principal names with 'realmd', everything done from the Linux box.
Do you have plans for that option in realmd?
Best,
Longina
9 years, 5 months