Re: [Users] can't add domain with rhevm-manage-domains

31 Aug 2012

      ...
From wireshark I see it doesn't even send an LDAP query; it breaks at KRB5 =
...
</p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New"">Ticket cache:=
 FILE:/tmp/krb5cc_0</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New"">Default princ=
ipal:
<a href=3D"mailto:fptadmin02@FPT.LOCAL">fptadmin02@FPT.LOCAL</a></span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New""> </span>=
</p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New"">Valid startin=
g     Expires       =
     Service principal</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New"">08/30/12 15:5=
5:46  08/31/12 01:55:51 
<a href=3D"mailto:krbtgt/FPT.LOCAL@FPT.LOCAL">krbtgt/FPT.LOCAL@FPT.LOCAL</a=
</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New"">  &=
nbsp;     renew until 09/06/12 15:55:46</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New""> </span>=
</p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New""> </span>=
</p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">Th=
ank you very much in advance</span></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-right:0cm; margin-bottom:12.0pt; mar=
gin-left:35.4pt">
<span style=3D"font-size:12.0pt; font-family:"Times New Roman",&q=
uot;serif""> </span></p>
<p style=3D"margin-left:35.4pt"><b><span style=3D"font-size:10.0pt; font-fa=
mily:"Calibri","sans-serif"; color:black">Alberto Scott=
o</span></b><span style=3D"font-size:10.0pt; font-family:"Calibri"=
;,"sans-serif"">
<br>
<br>
<span style=3D"color:black"><img border=3D"0" width=3D"140" height=3D"50" i=
d=3D"_x0000_i1025" src=3D"cid:image001.png@01CD87A0.E9EB6E10" alt=3D"Blue">=
</span><br>
<span style=3D"color:gray">Via Cardinal Massaia, 83<br>
10147 - Torino - ITALY <br>
--_005_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_
Content-Type: multipart/alternative;
	boundary="_000_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_"

--_000_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Ok, now it works.

Thanks to tcpdump/wireshark I could undesrstand that:

-          Rhevm-manage-domains sends DNS queries asking for PTR of RHEV-H =
and another redundant domain server, so I

-          The LDAP query it sends is (&(sAMAccountType=3D805306368)(userPr=
incipalName=3D fptadmin02@DOMAIN.LOCAL)<mailto:fptadmin02@DOMAIN.LOCAL)>) b=
ut the account "fptadmin02" I was using had a different userPrincipalName

So here is how I solved:

-          adding the missing PTRs in the reverse zone of the DNS server

-          logging in with another username that has a correct userPrincipa=
lName

Anyhow, after restarting jbossas, still I can't log in the console with a d=
omain username.
packets with "error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)"

Here are the logs from rhevm.log
http://pastebin.com/kZqn3kzz

Alberto Scotto

[Blue]
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.scotto@reply.it
www.reply.it

From: users-bounces@ovirt.org [mailto:users-bounces@ovirt.org] On Behalf Of=
 Scotto Alberto
Sent: venerd=EC 31 agosto 2012 11:35
To: users@ovirt.org
Subject: [Users] can't add domain with rhevm-manage-domains

Hi all,
I'm trying to add a domain (active directory), but I can't get it to work.

The command I execute is:
rhevm-manage-domains -action=3Dadd -domain=3D'FPT.LOCAL' -user=3D'fptadmin'=
 -interactive

Attached you can find:

-          Output of the command

-          Logs from /var/log/rhevm/rhevm-manage-domains/rhevm-manage-domai=
ns.log

I found a RHEV KB saying:

For Error: LDAP query Failed, make sure the Active Directory server and the=
 RHEVM server have the correct PTR records in the DNS reverse lookup zone f=
ile

And another one says:

It's required to create PTR entry into DNS for the following:

*         Name Server (NS) - Start of Authority (SOA)
Example: WIN-TL8JB8JAG8.ad.mydomain.com.

*         Active Directory Name
Example: ad.mydomain.com.

*         RHEVM machine
Example: rhevm.ad.mydomain.com.
We are fulfilling this requirement, as nslookup of these 3 machines' IP wor=
k.

Additional info.

These commands work (if you need I can paste the full output):

#dig SRV _kerberos._tcp.FPT.LOCAL

#dig SRV _kerberos._udp.FPT.LOCAL

#dig SRV _ldap._tcp.FPT.LOCAL

# kinit fptadmin02@FPT.LOCAL<mailto:fptadmin02@FPT.LOCAL>
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fptadmin02@FPT.LOCAL<mailto:fptadmin02@FPT.LOCAL>

Valid starting     Expires            Service principal
08/30/12 15:55:46  08/31/12 01:55:51  krbtgt/FPT.LOCAL@FPT.LOCAL<mailto:krb=
tgt/FPT.LOCAL@FPT.LOCAL>
        renew until 09/06/12 15:55:46

Thank you very much in advance

Alberto Scotto

[Blue]
Via Cardinal Massaia, 83
10147 - Torino - ITALY
phone: +39 011 29100
al.scotto@reply.it
www.reply.it

________________________________

--
The information transmitted is intended for the person or entity to which i=
t is addressed and may contain confidential and/or privileged material. Any=
 review, retransmission, dissemination or other use of, or taking of any ac=
tion in reliance upon, this information by persons or entities other than t=
he intended recipient is prohibited. If you received this in error, please =
contact the sender and delete the material from any computer.

________________________________

--
The information transmitted is intended for the person or entity to which i=
t is addressed and may contain confidential and/or privileged material. Any=
 review, retransmission, dissemination or other use of, or taking of any ac=
tion in reliance upon, this information by persons or entities other than t=
he intended recipient is prohibited. If you received this in error, please =
contact the sender and delete the material from any computer.

--_000_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style>
<!--
@font-face
	{font-family:Wingdings}
@font-face
	{font-family:Wingdings}
@font-face
	{font-family:Calibri}
@font-face
	{font-family:Tahoma}
@font-face
	{font-family:Consolas}
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline}
p
	{margin-right:0cm;
	margin-left:0cm;
	font-size:12.0pt;
	font-family:"Times New Roman","serif"}
code
	{font-family:"Courier New"}
pre
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New"}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{margin-top:0cm;
	margin-right:0cm;
	margin-bottom:0cm;
	margin-left:36.0pt;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif"}
span.HTMLPreformattedChar
	{font-family:"Consolas","serif"}
span.emailstyle17
	{font-family:"Calibri","sans-serif";
	color:windowtext}
span.htmlpreformattedchar0
	{font-family:"Courier New"}
span.EmailStyle25
	{font-family:"Calibri","sans-serif";
	color:#1F497D}
.MsoChpDefault
	{font-size:10.0pt}
@page WordSection1
	{margin:70.85pt 2.0cm 2.0cm 2.0cm}
div.WordSection1
	{}
ol
	{margin-bottom:0cm}
ul
	{margin-bottom:0cm}
-->
</style>
</head>
<body lang=3D"IT" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">Ok, now it works.</spa=
n></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"> </span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D">Thanks =
to tcpdump/wireshark I could undesrstand that:</span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt"><span lang=3D"E=
N-US" style=3D"color:#1F497D"><span style=3D"">-<span style=3D"font:7.0pt &=
quot;Times New Roman"">        =
; 
</span></span></span><span lang=3D"EN-US" style=3D"color:#1F497D">Rhevm-man=
age-domains sends DNS queries asking for PTR of RHEV-H and another redundan=
t domain server, so I
</span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt"><span lang=3D"E=
N-US" style=3D"color:#1F497D"><span style=3D"">-<span style=3D"font:7.0pt &=
quot;Times New Roman"">        =
; 
</span></span></span><span lang=3D"EN-US" style=3D"color:#1F497D">The LDAP =
query it sends is (&(sAMAccountType=3D805306368)(userPrincipalName=3D
<a href=3D"mailto:fptadmin02@DOMAIN.LOCAL)">fptadmin02@DOMAIN.LOCAL)</a>) b=
ut the account “fptadmin02” I was using had a different userPri=
ncipalName</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D"> <=
/span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D">So here=
 is how I solved:</span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt"><span lang=3D"E=
N-US" style=3D"color:#1F497D"><span style=3D"">-<span style=3D"font:7.0pt &=
quot;Times New Roman"">        =
; 
</span></span></span><span lang=3D"EN-US" style=3D"color:#1F497D">adding th=
e missing PTRs in the reverse zone of the DNS server</span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt"><span lang=3D"E=
N-US" style=3D"color:#1F497D"><span style=3D"">-<span style=3D"font:7.0pt &=
quot;Times New Roman"">        =
; 
</span></span></span><span lang=3D"EN-US" style=3D"color:#1F497D">logging i=
n with another username that has a correct userPrincipalName</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D"> <=
/span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D">Anyhow,=
 after restarting jbossas, still I can’t log in the console with a do=
main username.</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D">From wi=
reshark I see it doesn’t even send an LDAP query; it breaks at KRB5 p=
ackets with “error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)”</=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US"> </span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">Here are the logs from rhevm.lo=
g</span></p>
<p class=3D"MsoNormal"><a href=3D"http://pastebin.com/kZqn3kzz">http://past=
ebin.com/kZqn3kzz</a></p>
<p class=3D"MsoNormal"> </p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D"> <=
/span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"color:#1F497D"> <=
/span></p>
<div><br>
<br>
<div align=3D"left">
<p style=3D"font-family:Calibri,Sans-Serif; font-size:10pt"><span style=3D"=
color:#000000; font-weight:bold">Alberto Scotto</span>
<span style=3D"color:#808080"></span><br>
<br>
<span style=3D"color:#000000"><img border=3D"0" alt=3D"Blue" src=3D"cid:ad1=
501dec7304928a9bdaa5a4ec912e3" style=3D"margin:0px">
</span><br>
<span style=3D"color:#808080">Via Cardinal Massaia, 83<br>
10147 - Torino - ITALY <br>
phone: +39 011 29100 <br>
<a href=3D"al.scotto@reply.it" target=3D"" style=3D"color:blue; text-decora=
tion:underline">al.scotto@reply.it</a>
<br>
<a title=3D"" href=3D"www.reply.it" target=3D"" style=3D"color:blue; text-d=
ecoration:underline">www.reply.it</a>
</span><br>
 </p>
</div>
<div style=3D"border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0c=
m 0cm 0cm">
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><b><span lang=3D"EN-US"=
 style=3D"font-size:10.0pt; font-family:"Tahoma","sans-serif=
"">From:</span></b><span lang=3D"EN-US" style=3D"font-size:10.0pt; fon=
t-family:"Tahoma","sans-serif""> users-bounces@ovirt.or=
g [mailto:users-bounces@ovirt.org]
<b>On Behalf Of </b>Scotto Alberto<br>
<b>Sent:</b> venerd=EC 31 agosto 2012 11:35<br>
<b>To:</b> users@ovirt.org<br>
<b>Subject:</b> [Users] can't add domain with rhevm-manage-domains</span></=
p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"> </p>
<div>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">Hi=
 all,</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">I&=
#8217;m trying to add a domain (active directory), but I can’t get it=
 to work.</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">Th=
e command I execute is:</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">rh=
evm-manage-domains -action=3Dadd -domain=3D'FPT.LOCAL' -user=3D'fptadmin' &=
#8211;interactive</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">At=
tached you can find:</span></p>
<p class=3D"MsoListParagraph" style=3D"margin-left:71.4pt; text-indent:-18.=
0pt"><span lang=3D"EN-US">-</span><span lang=3D"EN-US" style=3D"font-size:7=
.0pt; font-family:"Times New Roman","serif""> &nbs=
p;       
</span><span lang=3D"EN-US">Output of the command</span></p>
<p class=3D"MsoListParagraph" style=3D"margin-left:71.4pt; text-indent:-18.=
0pt"><span lang=3D"EN-US">-</span><span lang=3D"EN-US" style=3D"font-size:7=
.0pt; font-family:"Times New Roman","serif""> &nbs=
p;       
</span><span lang=3D"EN-US">Logs from /var/log/rhevm/rhevm-manage-domains/r=
hevm-manage-domains.log</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">I =
found a RHEV KB saying:
</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">Fo=
r <strong><span style=3D"font-family:"Calibri","sans-serif&q=
uot;">Error: LDAP query Failed</span></strong>, make sure the Active Direct=
ory server
<strong><span style=3D"font-family:"Calibri","sans-serif&quo=
t;">and</span></strong> the RHEVM server have the correct PTR records in th=
e DNS reverse lookup zone file</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">An=
d another one says:</span></p>
<p style=3D"margin-left:35.4pt"><span lang=3D"EN-US">It's required to creat=
e PTR entry into DNS for the following:</span></p>
<p style=3D"margin-left:71.4pt; text-indent:-18.0pt"><span lang=3D"EN-US" s=
tyle=3D"font-size:10.0pt; font-family:Symbol">=B7</span><span lang=3D"EN-US=
" style=3D"font-size:7.0pt">        =
;
</span><span lang=3D"EN-US">Name Server (NS) - Start of Authority (SOA)<br>
Example: WIN-TL8JB8JAG8.ad.mydomain.com.</span></p>
<p style=3D"margin-left:71.4pt; text-indent:-18.0pt"><span lang=3D"EN-US" s=
tyle=3D"font-size:10.0pt; font-family:Symbol">=B7</span><span lang=3D"EN-US=
" style=3D"font-size:7.0pt">        =
;
</span><span lang=3D"EN-US">Active Directory Name<br>
Example: ad.mydomain.com.</span></p>
<p style=3D"margin-left:71.4pt; text-indent:-18.0pt"><span lang=3D"EN-US" s=
tyle=3D"font-size:10.0pt; font-family:Symbol">=B7</span><span lang=3D"EN-US=
" style=3D"font-size:7.0pt">        =
;
</span><span lang=3D"EN-US">RHEVM machine<br>
Example: rhevm.ad.mydomain.com.</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">We=
 are fulfilling this requirement, as nslookup of these 3 machines’ IP=
 work.</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">Ad=
ditional info.</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">Th=
ese commands work (if you need I can paste the full output):</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<pre style=3D"margin-left:35.4pt"><code><span lang=3D"EN-US">#dig SRV _kerb=
eros._tcp.FPT.LOCAL</span></code></pre>
<pre style=3D"margin-left:35.4pt"><code><span lang=3D"EN-US">#dig SRV _kerb=
eros._udp.FPT.LOCAL</span></code></pre>
<pre style=3D"margin-left:35.4pt"><code><span lang=3D"EN-US">#dig SRV _ldap=
._tcp.FPT.LOCAL</span></code></pre>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US">&n=
bsp;</span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New""># kinit
<a href=3D"mailto:fptadmin02@FPT.LOCAL">fptadmin02@FPT.LOCAL</a></span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span lang=3D"EN-US" st=
yle=3D"font-size:10.0pt; font-family:"Courier New""># klist</span=
phone: +39 011 29100 <br>
<a href=3D"al.scotto@reply.it">al.scotto@reply.it</a> <br>
<a href=3D"www.reply.it" title=3D"">www.reply.it</a> </span><br>
 </span></p>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span style=3D"font-siz=
e:12.0pt; font-family:"Times New Roman","serif""> =
</span></p>
<div class=3D"MsoNormal" align=3D"center" style=3D"margin-left:35.4pt; text=
-align:center">
<span style=3D"font-size:12.0pt; font-family:"Times New Roman",&q=
uot;serif"">
<hr size=3D"2" width=3D"100%" align=3D"center">
</span></div>
<p class=3D"MsoNormal" style=3D"margin-left:35.4pt"><span style=3D"font-siz=
e:7.5pt; font-family:"Arial","sans-serif"; color:gray">=
<br>
--<br>
The information transmitted is intended for the person or entity to which i=
t is addressed and may contain confidential and/or privileged material. Any=
 review, retransmission, dissemination or other use of, or taking of any ac=
tion in reliance upon, this information
 by persons or entities other than the intended recipient is prohibited. If=
 you received this in error, please contact the sender and delete the mater=
ial from any computer.</span><span style=3D"font-size:12.0pt; font-family:&=
quot;Times New Roman","serif""></span></p>
</div>
<br>
<hr>
<font face=3D"Arial" color=3D"Gray" size=3D"1"><br>
--<br>
The information transmitted is intended for the person or entity to which i=
t is addressed and may contain confidential and/or privileged material. Any=
 review, retransmission, dissemination or other use of, or taking of any ac=
tion in reliance upon, this information
 by persons or entities other than the intended recipient is prohibited. If=
 you received this in error, please contact the sender and delete the mater=
ial from any computer.<br>
</font>
</body>
</html>

--_000_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_--

--_005_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_
Content-Type: image/png; name="image001.png"
Content-Description: image001.png
Content-Disposition: inline; filename="image001.png"; size=2834;
	creation-date="Fri, 31 Aug 2012 15:45:15 GMT";
	modification-date="Fri, 31 Aug 2012 15:45:15 GMT"
Content-ID: <image001.png@01CD87A0.E9EB6E10>
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAIwAAAAyCAYAAACOADM7AAAABmJLR0QA/gD+AP7rGNSCAAAACXBI
WXMAAA3XAAAN1wFCKJt4AAAACXZwQWcAAACMAAAAMgCR0D3bAAAKaUlEQVR42u2ce5AUxRnAf313
3Al4eCAYFaIgyMNEUF6KlYoVIDBArDxqopWxQgViQlWsPHA0MUlZVoyKRsdSE4lGomjIaHS0UlHL
wTIPpEgQFQUUjYIWdfIIScyBHi/Z6/zRM1xP3yzs7t3unOX8qra2H9M9vb3f9Pf19/WukFKSk1Mq
dVkPIOejRS4wOWXR6wVGuP5I4foDsh5HjkL0VhtGuP5A4CFgNrAD+Lb0nKeyHtfHnd68wixGCQvA
qcA9wvWPy3pQH3caan1D4fonAYeBDwEZjaFflAaok56zHRhsNG0B+gAHSrhHarn0nFp/3NLnxbKP
B06I5kECO2UYZD2sLtRcYIBJwK+BoYBACU89cAjoAIRw/TuAJcClQGy//FJ6zvvH6ly4/qXAz4vU
HQA2A4H0nIcz+OxH41eAHaU3AhdkPaA0MrFhhOuPB2YA5wBnA6ehni5dgKcBu4C5wLZS7Rfh+g8A
80u49HHgEuk5h2s+AeaYLbsO2AKMiIqWyzBYkPW40shihUF6zkbUUwSAcP0G4FHgS9pl10rPmQMs
LbXfSBVNLPHyrwDfBO7JYg4MRqEempjnsh5QMXqL0Xsl8EUt3w5cXUE/w4AztfzzwGSUGrwoyuvM
yfqDR5yLUssxL2U9oGJkssLoCNdfjLJXdBZIz9lQQXcTgSYt/4z0nHjy1wvX3wW8oNX3O8q4TgKm
AGegjNB/As9JzzmYer1lTwKGoOyyV2UYtArLngLMQ9lh64EVRQxZ3V5pje4V9zsVGBRl22QYrDXu
e0HUvwD+K8NgXbe/lKOQqcAI178MuM0ovk16zqMVdjnNyL9g5E2DrTVlTP1RRvM3gIFG9RvC9RdK
z/lHoo2yQQJgeFR0hbDsT6FUns544Icp456qpV+RYaAL5RJgepR+FWXzxfcdA6zRrr0SqKrAZKaS
hOt/DbjXKH5Geo7bjW71iT8AvGLUzzXyfzfGNBBlPyymq7AAjAWeFK5/slE+AvhklC4At6KEZb9x
3cJo+9x5T8s+ERinFa012uzU0vuMuu9r6W3AXd2Yu5LIRGCE618E/D6l6rpu9Hk8MEEr2iQ9p1Wr
n4wShJgPgCeMbh6g02jeB9wILASe1q4ZBHzBaDeRThukHghRdskoQF+NmlH+JJ0JqB1ijCkw72np
jiOfx7JPQrkdYm6QYXBMH1V3qYlKEq7fhNLvw1CTeztK55rcJlz/s8XshGPwaeBELd8sXP961Bd4
Bsqo1u2bm6Tn7NbGeCHKMI6ZLz3nsajuT6gtfjxfpxr31lXhThkG8470a9mrtPp2uq4652np94FN
Rr0uMM1a+jI6fVTvAMsrmLOy6VGBEa5fB3wOpctHaK9TgVOAxmN0MRXlwPpWBbefYuTHAj8tcu39
0nNuMMq+qqXfjoUl4mSSq/HbRlv9S3/ZqBumpXcB/zPqz9fSm2UY/Nuo1wWmCUBYdiPwHa3ck2Hw
YQVzVjbVWGFmkW7YmewDfga8CNwHnB6VXyZcf7X0nAfLvG8pntE3gSXSc5an1Olf+hDh+i+jVieJ
UiOxwBSiMQMgLLsFOEtr+7xWB8rQjdkgw0BXK40o1RWTZrDu0dKx0X4xylMOynZZVuZcVUyPCoz0
nA7gR8L1N6FWmQIqZtRGpwoSwF7gRek5WwCE658P3A9Y0TV3C9ffUOrWOlrZdIfdXuBhlCqaqZU/
myYs0RZaNzybUV7oNFqBt7T8BJJ2iW6zDAPGFKkDGE1yBTLtF0gKTCF6/4FWtsTYVVWVqtgw0nNW
lHn9LmCOcP2bgKuAvsAtqNWqFGLVF7NGes4i4fpjgNfpFNbzi7QfD/TX8vtQMa40VkvPKWh5fWfW
DuhCfg5Ju8nc5k/RxpZYuTR0gWkTlj0D5YgEeJca2S4xvcXTC4D0nKvpdNWXc2hqEiqSHROrhR0k
bYAzhesPTmmvG61tKAE6PXoNRRnTg6OX6VvRhfB1GQa7tbyu5v6D8qNQpH4bsDVlbLrADACu0fK/
qOXqAr1MYCLip7AcI+48I78WIIpuv6mVN5NUPWntN0nP2So9p016ThtwEKU6RpIMOyAsuw9JVWiu
INO19AYZBma0fbKWXi/DoEBX9tBpu4wDLozS2+jqx6o6vVFgYt+JKKON/pTvJ6kWzKc6LTg5XEtv
MeruAF5DqbZVgH6IayTJoOHf4oSw7LNICuKTeqfCsj9BUnhN+yamPXqZc3JrLfwuJpnHklKIBaa+
lIuF67eQ3KW8HtlEMabhPCmlG/3JnhX5ZHaifDeLtLqlxpmcySQfuvnCstdH6WXaZ9iPMsJ1xpOM
ZaXZL6DsqfcB3UO8A7WzrDm9T2DqG7dTOHSIEgUGIc5GyhatZJ1Rv4HkmZ/xKb08o5UPRa0UkuQT
vY6uQVJTFc5D7fQ6SNpUN8ow2GVcq7sB2ugq2DGHUYfLdG6SYbCPDMhcYIRlJwWjcGg/Z1/yATBE
zJxXT0Pf4o0P7pWcO39W4nuVHS+JGfPq6dMXOjpgzNyt9En0MUF877fDee3x1iPlo2beTOPxnwGh
qzahuhUAjwCLpOeYKkDfIT2BUl1XkxT2+2QYXJ8yen0H+JYMgz2kY9o126mh38UkITBRYGwp5e1Q
usNjwL/Ql3VRX2D35mUI0UB90wyOZmc19i+wa+NB+vTrnMA9re00RO3q6iRbVtYxeOzt1NXHS3od
e96dRkPT6CN9v/HUIRr738Dg0bMRDSdQVzeAjsJh+ra8SfMpf5S3XNzFoSYsewhJVbhKhoEnLDtE
HV4vRGXPprQFFTdrRklk2u4opoVkyMOTYbCfjEgc0RSWPQhlQ/SruMfymCrD4IXud1N7In+ILgzT
ZRj8tYfvcSLwOzoPer0DjKv1VlrHVEltqBhMafZD99mR1QfvAXT1tYfiNkhZCMvuD1yLCtbORsXg
Yi7PUljAEJgoztFaYV8fN8yg4XsV95TkLJS32+QaGQZPl9tZT5O50ftRJLL1Pq8V9cjqEjHdyG8D
rpdhkJmhq5MLTGX0QR2diLdnYQ/2vRq1wsRe6nUyDNq712XP0Wt/W53TO+mNoYGcXkwuMDll0eM2
TPRbnGnAvaaDSVj2bOA0GQY1j7Lm9AzVWGG+jIrwphlH3wXuzvpD51RONXZJ7aizLFcIyx4O3CXD
IN527kUdJAJAWPbFqBXnVmHZV6FO3K+I6oahzgYPAX7T017UnMqoxgpTQAniONRJ/AeFZRc72+IA
P47SPwEWAAjLbgL+jPJ1NAF/EZZd6o/sc6pINQSmARAyDL6OOm45mmSoX+cDVDiC6D0+azI0arcS
FSkG9fcgORlTbcfdXtR5jqOdnpPGO3QK8nzU33KsoutvgXIyoBorjP7FN6OEsph3sE6rq9fS8RmQ
RTIMTgP+QPJsbk5GVENgjgMQlv0QcDnwBp0nxgaQ/O+6dmCUsOxHUGdj459kbI/a3Sksew3qjE5L
1pOVUx2VtBJljxxAhf3v0v4TZRnKmI25ObruLdTZkvcAZBgcEpY9E3BRu6TrZBisznqycvJYUk6Z
5KGBnLLIBSanLHKBySmLXGByyiIXmJyy+D/P9uGVPOu6DAAAACh6VFh0U29mdHdhcmUAAHja801M
LsrPTU3JTFRwyyxKLc8vyi5WsAAAYBUIJ4KDNosAAAAASUVORK5CYII=

--_005_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_
Content-Type: image/png; name="blue.png"
Content-Description: blue.png
Content-Disposition: inline; filename="blue.png"; size=2834;
	creation-date="Fri, 31 Aug 2012 15:45:18 GMT";
	modification-date="Fri, 31 Aug 2012 15:45:18 GMT"
Content-ID: <ad1501dec7304928a9bdaa5a4ec912e3>
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAIwAAAAyCAYAAACOADM7AAAABmJLR0QA/gD+AP7rGNSCAAAACXBI
WXMAAA3XAAAN1wFCKJt4AAAACXZwQWcAAACMAAAAMgCR0D3bAAAKaUlEQVR42u2ce5AUxRnAf313
3Al4eCAYFaIgyMNEUF6KlYoVIDBArDxqopWxQgViQlWsPHA0MUlZVoyKRsdSE4lGomjIaHS0UlHL
wTIPpEgQFQUUjYIWdfIIScyBHi/Z6/zRM1xP3yzs7t3unOX8qra2H9M9vb3f9Pf19/WukFKSk1Mq
dVkPIOejRS4wOWXR6wVGuP5I4foDsh5HjkL0VhtGuP5A4CFgNrAD+Lb0nKeyHtfHnd68wixGCQvA
qcA9wvWPy3pQH3caan1D4fonAYeBDwEZjaFflAaok56zHRhsNG0B+gAHSrhHarn0nFp/3NLnxbKP
B06I5kECO2UYZD2sLtRcYIBJwK+BoYBACU89cAjoAIRw/TuAJcClQGy//FJ6zvvH6ly4/qXAz4vU
HQA2A4H0nIcz+OxH41eAHaU3AhdkPaA0MrFhhOuPB2YA5wBnA6ehni5dgKcBu4C5wLZS7Rfh+g8A
80u49HHgEuk5h2s+AeaYLbsO2AKMiIqWyzBYkPW40shihUF6zkbUUwSAcP0G4FHgS9pl10rPmQMs
LbXfSBVNLPHyrwDfBO7JYg4MRqEempjnsh5QMXqL0Xsl8EUt3w5cXUE/w4AztfzzwGSUGrwoyuvM
yfqDR5yLUssxL2U9oGJkssLoCNdfjLJXdBZIz9lQQXcTgSYt/4z0nHjy1wvX3wW8oNX3O8q4TgKm
AGegjNB/As9JzzmYer1lTwKGoOyyV2UYtArLngLMQ9lh64EVRQxZ3V5pje4V9zsVGBRl22QYrDXu
e0HUvwD+K8NgXbe/lKOQqcAI178MuM0ovk16zqMVdjnNyL9g5E2DrTVlTP1RRvM3gIFG9RvC9RdK
z/lHoo2yQQJgeFR0hbDsT6FUns544Icp456qpV+RYaAL5RJgepR+FWXzxfcdA6zRrr0SqKrAZKaS
hOt/DbjXKH5Geo7bjW71iT8AvGLUzzXyfzfGNBBlPyymq7AAjAWeFK5/slE+AvhklC4At6KEZb9x
3cJo+9x5T8s+ERinFa012uzU0vuMuu9r6W3AXd2Yu5LIRGCE618E/D6l6rpu9Hk8MEEr2iQ9p1Wr
n4wShJgPgCeMbh6g02jeB9wILASe1q4ZBHzBaDeRThukHghRdskoQF+NmlH+JJ0JqB1ijCkw72np
jiOfx7JPQrkdYm6QYXBMH1V3qYlKEq7fhNLvw1CTeztK55rcJlz/s8XshGPwaeBELd8sXP961Bd4
Bsqo1u2bm6Tn7NbGeCHKMI6ZLz3nsajuT6gtfjxfpxr31lXhThkG8470a9mrtPp2uq4652np94FN
Rr0uMM1a+jI6fVTvAMsrmLOy6VGBEa5fB3wOpctHaK9TgVOAxmN0MRXlwPpWBbefYuTHAj8tcu39
0nNuMMq+qqXfjoUl4mSSq/HbRlv9S3/ZqBumpXcB/zPqz9fSm2UY/Nuo1wWmCUBYdiPwHa3ck2Hw
YQVzVjbVWGFmkW7YmewDfga8CNwHnB6VXyZcf7X0nAfLvG8pntE3gSXSc5an1Olf+hDh+i+jVieJ
UiOxwBSiMQMgLLsFOEtr+7xWB8rQjdkgw0BXK40o1RWTZrDu0dKx0X4xylMOynZZVuZcVUyPCoz0
nA7gR8L1N6FWmQIqZtRGpwoSwF7gRek5WwCE658P3A9Y0TV3C9ffUOrWOlrZdIfdXuBhlCqaqZU/
myYs0RZaNzybUV7oNFqBt7T8BJJ2iW6zDAPGFKkDGE1yBTLtF0gKTCF6/4FWtsTYVVWVqtgw0nNW
lHn9LmCOcP2bgKuAvsAtqNWqFGLVF7NGes4i4fpjgNfpFNbzi7QfD/TX8vtQMa40VkvPKWh5fWfW
DuhCfg5Ju8nc5k/RxpZYuTR0gWkTlj0D5YgEeJca2S4xvcXTC4D0nKvpdNWXc2hqEiqSHROrhR0k
bYAzhesPTmmvG61tKAE6PXoNRRnTg6OX6VvRhfB1GQa7tbyu5v6D8qNQpH4bsDVlbLrADACu0fK/
qOXqAr1MYCLip7AcI+48I78WIIpuv6mVN5NUPWntN0nP2So9p016ThtwEKU6RpIMOyAsuw9JVWiu
INO19AYZBma0fbKWXi/DoEBX9tBpu4wDLozS2+jqx6o6vVFgYt+JKKON/pTvJ6kWzKc6LTg5XEtv
MeruAF5DqbZVgH6IayTJoOHf4oSw7LNICuKTeqfCsj9BUnhN+yamPXqZc3JrLfwuJpnHklKIBaa+
lIuF67eQ3KW8HtlEMabhPCmlG/3JnhX5ZHaifDeLtLqlxpmcySQfuvnCstdH6WXaZ9iPMsJ1xpOM
ZaXZL6DsqfcB3UO8A7WzrDm9T2DqG7dTOHSIEgUGIc5GyhatZJ1Rv4HkmZ/xKb08o5UPRa0UkuQT
vY6uQVJTFc5D7fQ6SNpUN8ow2GVcq7sB2ugq2DGHUYfLdG6SYbCPDMhcYIRlJwWjcGg/Z1/yATBE
zJxXT0Pf4o0P7pWcO39W4nuVHS+JGfPq6dMXOjpgzNyt9En0MUF877fDee3x1iPlo2beTOPxnwGh
qzahuhUAjwCLpOeYKkDfIT2BUl1XkxT2+2QYXJ8yen0H+JYMgz2kY9o126mh38UkITBRYGwp5e1Q
usNjwL/Ql3VRX2D35mUI0UB90wyOZmc19i+wa+NB+vTrnMA9re00RO3q6iRbVtYxeOzt1NXHS3od
e96dRkPT6CN9v/HUIRr738Dg0bMRDSdQVzeAjsJh+ra8SfMpf5S3XNzFoSYsewhJVbhKhoEnLDtE
HV4vRGXPprQFFTdrRklk2u4opoVkyMOTYbCfjEgc0RSWPQhlQ/SruMfymCrD4IXud1N7In+ILgzT
ZRj8tYfvcSLwOzoPer0DjKv1VlrHVEltqBhMafZD99mR1QfvAXT1tYfiNkhZCMvuD1yLCtbORsXg
Yi7PUljAEJgoztFaYV8fN8yg4XsV95TkLJS32+QaGQZPl9tZT5O50ftRJLL1Pq8V9cjqEjHdyG8D
rpdhkJmhq5MLTGX0QR2diLdnYQ/2vRq1wsRe6nUyDNq712XP0Wt/W53TO+mNoYGcXkwuMDll0eM2
TPRbnGnAvaaDSVj2bOA0GQY1j7Lm9AzVWGG+jIrwphlH3wXuzvpD51RONXZJ7aizLFcIyx4O3CXD
IN527kUdJAJAWPbFqBXnVmHZV6FO3K+I6oahzgYPAX7T017UnMqoxgpTQAniONRJ/AeFZRc72+IA
P47SPwEWAAjLbgL+jPJ1NAF/EZZd6o/sc6pINQSmARAyDL6OOm45mmSoX+cDVDiC6D0+azI0arcS
FSkG9fcgORlTbcfdXtR5jqOdnpPGO3QK8nzU33KsoutvgXIyoBorjP7FN6OEsph3sE6rq9fS8RmQ
RTIMTgP+QPJsbk5GVENgjgMQlv0QcDnwBp0nxgaQ/O+6dmCUsOxHUGdj459kbI/a3Sksew3qjE5L
1pOVUx2VtBJljxxAhf3v0v4TZRnKmI25ObruLdTZkvcAZBgcEpY9E3BRu6TrZBisznqycvJYUk6Z
5KGBnLLIBSanLHKBySmLXGByyiIXmJyy+D/P9uGVPOu6DAAAACh6VFh0U29mdHdhcmUAAHja801M
LsrPTU3JTFRwyyxKLc8vyi5WsAAAYBUIJ4KDNosAAAAASUVORK5CYII=

--_005_C8B8517ADA90DB40A482797D59EB838964199C6DCED01MBXS08repl_--