ovirt-engine-extension-aaa-ldap and sysprep domain join
Hi, I tried to migrate to ovirt-engine-extension-aaa-ldap from engine-manage-domains. Everything seems to work fine so far except the automatic join to domain during sysprep. Is it supposed to work? Where should I investigate further? Thank you
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Regards, Alon ----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "users" <users@ovirt.org> Sent: Monday, October 26, 2015 12:01:54 PM Subject: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
Hi, I tried to migrate to ovirt-engine-extension-aaa-ldap from engine-manage-domains. Everything seems to work fine so far except the automatic join to domain during sysprep.
Is it supposed to work? Where should I investigate further?
Thank you _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On 26.10.15 06:23, Alon Bar-Lev wrote:
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned. Regards, Alon
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "users" <users@ovirt.org> Sent: Monday, October 26, 2015 12:01:54 PM Subject: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
Hi, I tried to migrate to ovirt-engine-extension-aaa-ldap from engine-manage-domains. Everything seems to work fine so far except the automatic join to domain during sysprep.
Is it supposed to work? Where should I investigate further?
Thank you _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Thank you Il 26/10/2015 12:43, Shahar Havivi ha scritto:
On 26.10.15 06:23, Alon Bar-Lev wrote:
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script"
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right? The variables like '![CDATA[$OrgName$' will be replaced? Il 26/10/2015 12:43, Shahar Havivi ha scritto:
On 26.10.15 06:23, Alon Bar-Lev wrote:
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned.
-- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$ maybe, not sure: $JoinDomain$, $MachineObjectOU$ the rest should be the same as any other. ----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Tuesday, October 27, 2015 11:19:02 AM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right?
The variables like '![CDATA[$OrgName$' will be replaced?
Il 26/10/2015 12:43, Shahar Havivi ha scritto:
On 26.10.15 06:23, Alon Bar-Lev wrote:
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned.
-- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
On 27.10.15 05:25, Alon Bar-Lev wrote:
yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$ maybe, not sure: $JoinDomain$, $MachineObjectOU$ the rest should be the same as any other. Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file. You can leave the variables such as $OrgName$ which will be replaces (exept from the variables that Alon mentioned which where the original problem).
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Tuesday, October 27, 2015 11:19:02 AM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right?
The variables like '![CDATA[$OrgName$' will be replaced?
Il 26/10/2015 12:43, Shahar Havivi ha scritto:
On 26.10.15 06:23, Alon Bar-Lev wrote:
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned.
-- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
This is a multi-part message in MIME format. --------------000908080408080501060102 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit It works fine, but it kills SSO as user... Poking in the windows logs I see a failed login as: myuser@mydomain.tld-authz !! Il 27/10/2015 11:51, Shahar Havivi ha scritto:
On 27.10.15 05:25, Alon Bar-Lev wrote:
yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$ maybe, not sure: $JoinDomain$, $MachineObjectOU$ the rest should be the same as any other. Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file. You can leave the variables such as $OrgName$ which will be replaces (exept from the variables that Alon mentioned which where the original problem).
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Tuesday, October 27, 2015 11:19:02 AM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right?
The variables like '![CDATA[$OrgName$' will be replaced?
Il 26/10/2015 12:43, Shahar Havivi ha scritto:
On 26.10.15 06:23, Alon Bar-Lev wrote:
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned. -- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
-- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an) --------------000908080408080501060102 Content-Type: multipart/related; boundary="------------070409000103030101070908" --------------070409000103030101070908 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 7bit <html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> It works fine, but it kills SSO as user...<br> <br> Poking in the windows logs I see a failed login as:<br> <br> <a class="moz-txt-link-abbreviated" href="mailto:myuser@mydomain.tld-authz">myuser@mydomain.tld-authz</a> !!<br> <br> <div class="moz-cite-prefix">Il 27/10/2015 11:51, Shahar Havivi ha scritto:<br> </div> <blockquote cite="mid:20151027105144.GA16392@redhat.com" type="cite"> <pre wrap="">On 27.10.15 05:25, Alon Bar-Lev wrote: </pre> <blockquote type="cite"> <pre wrap="">yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$ maybe, not sure: $JoinDomain$, $MachineObjectOU$ the rest should be the same as any other. </pre> </blockquote> <pre wrap="">Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file. You can leave the variables such as $OrgName$ which will be replaces (exept from the variables that Alon mentioned which where the original problem). </pre> <blockquote type="cite"> <pre wrap=""> ----- Original Message ----- </pre> <blockquote type="cite"> <pre wrap="">From: "Cristian Mammoli" <a class="moz-txt-link-rfc2396E" href="mailto:c.mammoli@apra.it"><c.mammoli@apra.it></a> To: "Shahar Havivi" <a class="moz-txt-link-rfc2396E" href="mailto:shaharh@redhat.com"><shaharh@redhat.com></a>, "Alon Bar-Lev" <a class="moz-txt-link-rfc2396E" href="mailto:alonbl@redhat.com"><alonbl@redhat.com></a> Cc: "users" <a class="moz-txt-link-rfc2396E" href="mailto:users@ovirt.org"><users@ovirt.org></a> Sent: Tuesday, October 27, 2015 11:19:02 AM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right? The variables like '![CDATA[$OrgName$' will be replaced? Il 26/10/2015 12:43, Shahar Havivi ha scritto: </pre> <blockquote type="cite"> <pre wrap="">On 26.10.15 06:23, Alon Bar-Lev wrote: </pre> <blockquote type="cite"> <pre wrap="">Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. </pre> </blockquote> <pre wrap="">Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned. </pre> <blockquote type="cite"> <pre wrap=""> </pre> </blockquote> </blockquote> <pre wrap=""> -- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an) </pre> </blockquote> </blockquote> </blockquote> <br> <div class="moz-signature">-- <br> <span style=" font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-size:16px; font-weight:bold; color:#000; margin-left:10px;">Mammoli Cristian</span><br> <span style=" font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-size:12px;color:#000;margin-left:10px;">System administrator</span><br> <span style=" font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-size:12px;color:#000;margin-left:10px;">T. +39 0731 22911</span><br> <span style=" font-family:'Helvetica Neue', Helvetica, Arial, sans-serif; font-size:12px;color:#000;margin-left:10px;">Via Brodolini 6 | 60035 Jesi (an)</span><br> <br> <img src="cid:part1.00060709.09020100@apra.it" alt="" usemap="#Map"> <map name="Map"> <area shape="rect" coords="9,4,27,24" href="https://www.facebook.com/aprainformatica" style=" cursor:pointer" title="Facebook"> <area shape="rect" coords="40,4,60,22" href="https://twitter.com/ApraInformatica" style=" cursor:pointer" title="Twitter"> <area shape="rect" coords="75,3,94,25" href="https://plus.google.com/u/0/+ApraIt/posts" style=" cursor:pointer" title="Google Plus"> <area shape="rect" coords="106,4,126,22" href="http://www.linkedin.com/company/apra_2" style=" cursor:pointer" title="Linkedin"> <area shape="rect" coords="7,60,182,117" href="http://www.apra.it/" style=" cursor:pointer" title="Apra"> </map> </div> </body> </html> --------------070409000103030101070908 Content-Type: image/jpeg; name="Firma2.jpg" Content-Transfer-Encoding: base64 Content-ID: <part1.00060709.09020100@apra.it> Content-Disposition: inline; filename="Firma2.jpg" /9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAABQAAD/4QP4aHR0 cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu+7vyIgaWQ9Ilc1 TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5z Om1ldGEvIiB4OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjUtYzAyMSA3OS4xNTQ5MTEsIDIw MTMvMTAvMjktMTE6NDc6MTYgICAgICAgICI+IDxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDov L3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI+IDxyZGY6RGVzY3JpcHRp b24gcmRmOmFib3V0PSIiIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8x LjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBl L1Jlc291cmNlUmVmIyIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAv IiB4bWxuczpkYz0iaHR0cDovL3B1cmwub3JnL2RjL2VsZW1lbnRzLzEuMS8iIHhtcE1NOk9y aWdpbmFsRG9jdW1lbnRJRD0ieG1wLmRpZDphYzgzNzU2NS00ZDU3LTQ2MzktODU1OC1kYTI4 MjczNDhlMDciIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6RURGMjgyREQ5M0QwMTFFMzhE Mjg4RDRGNzEzQzA1Q0YiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6RURGMjgyREM5M0Qw MTFFMzhEMjg4RDRGNzEzQzA1Q0YiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9w IENDIChNYWNpbnRvc2gpIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9 InhtcC5paWQ6RDc5NzEzQkU4NEU5MTFFMzhCMTZDOUZENkZCN0M4NjciIHN0UmVmOmRvY3Vt ZW50SUQ9InhtcC5kaWQ6RDc5NzEzQkY4NEU5MTFFMzhCMTZDOUZENkZCN0M4NjciLz4gPGRj OnRpdGxlPiA8cmRmOkFsdD4gPHJkZjpsaSB4bWw6bGFuZz0ieC1kZWZhdWx0Ij5GaXJtYTwv cmRmOmxpPiA8L3JkZjpBbHQ+IDwvZGM6dGl0bGU+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3Jk ZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+/+0ASFBob3Rvc2hvcCAz LjAAOEJJTQQEAAAAAAAPHAFaAAMbJUccAgAAAgACADhCSU0EJQAAAAAAEPzhH4nIt8l4LzRi NAdYd+v/7gAOQWRvYmUAZMAAAAAB/9sAhAACAgICAgICAgICAwICAgMEAwICAwQFBAQEBAQF BgUFBQUFBQYGBwcIBwcGCQkKCgkJDAwMDAwMDAwMDAwMDAwMAQMDAwUEBQkGBgkNCwkLDQ8O Dg4ODw8MDAwMDA8PDAwMDAwMDwwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAz/wAARCAB/ AV4DAREAAhEBAxEB/8QApQABAAEEAwEBAAAAAAAAAAAAAAkFBwgKAwQGAQIBAQEBAAMBAQEA AAAAAAAAAAABAgMEBQYHCBAAAQMDAwIEBQMDAwQDAQAAAgEDBAAFBhESByEIMRMUCUEilVYX USMVYTIWQlIkcZEzU4GzdDURAAIBAgIIBQMEAQIHAAAAAAABAhEDIRIxQZJTBAUVFlEik1QG YTITcYGRQqFScrHB0fFDFAf/2gAMAwEAAhEDEQA/AJ758r0MGbNUFd9Gw4+rSLopeWKlpr8N dKA12E95zm9/c8xw/g7cdwiKO25JuRGIKq7RIkcRCVE6KqImvjonhVoZzF6uHPcN74Of5V1j cRdsOJZg1YfLS93JuZLiQ4puopA05KmSmGvMJE1QBJS066aUoE6kiHZ1z5nncBgGb3fk3C7f gecce53eMGyPH7a+b7ASrQMdXepkehCbxNloZCu3ci6LokKjLqhSAXlT3dOYMK5S5JwqycTY g/ZsNyq749bJdwkXEpDwWyU5GQ3TaMG95o3v2iiaIunXTVbQzmKPaPdo7psht15vOO9uVhyK zY42juR3i1Rb9Ni28FTchS3mFMGk06/MqdOvhShamfvYP3k533YpyxFz3BLXhVy43kWgGQth yk84bo3KIgeZl6mBNrGRddeu7Tam3VTCZIrUKQ7c9+4ZzvgvcxyDwJxbxDjGTwsDitTp19vM uUz5EBq1s3O4XOe+LjMeLFjA6u4zXREROqkSDVoSp4Dkj3IO5vi/DsHzu8YLw1fcZ5IWQuEz 8evtxuSTxhKgTCDyi0H0zhI26JqJCfy7ei6KBuhensT9wPkHuq5WyjjnM8Bx7G41lxVzIodz sr8sjVxmbGiqy4EkjRUJJG5FRU02/Hd8poJ1JX6hSL7ux70uduI+4PGOA+DeF7dypfr/AIq1 kSR3yluTHScflg4LTUYmxBtluLuIjLru+GnzCVMFp/vEdwdrnzrVdOFMLtl2tUl2FdbZKcur UiNJjmrbzDzZOIQG2YqJCvVFSrQmYyD7Svc25Q5+7gcI4fyzjXF7LaMwaum+72iRN9THOBBe mASDIIwISVnYqaIvza69NFUClUmnqGhQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAU AoBQCgFAUjIP/wCDe/8A8En/AOoqA0WIpq3AFwQUyBsiEE8SVNV0/wDmtnEbFnBfC+K2D28s jxTGe7ay4HEzi/w8ivnNVrfahNY9OnfxRyLLIfauLSo8PlDHNSfbJd6CoInyrg2tBdT2rIDd p4a5ntTGVJnjFr5qymIznYmTg3wGWIADc0MjcIklInm6qRKu7xXxqsqJPqhTX97P7JxFy53E 98vbly/ZG8pt2dZxecislilRxFoXLRdpzD8qLcG3G5MaU2MoEHyl1IFJdURDQqyIl74z4v4j 7PeHL5aMdkP2HjrFFuuU326XZ8X3mxJFkSXXn9gK5sAEEd2pbREdV0qFIzvaIzO88jZn3h57 kEl2VeMwvuP3ea+8gI4qy1uzooSAiCiiJImiJ8KrIibioU1secMwv+L+4l3U2i18cTeVce5J xD/D+ScWtzvpJjePXCyWspM5i4G24zDOM402SOPp5f8ApXRVFU2Z1nheUeOMYwrCu1rAbxkV xuvanPv0y/TOVLclvvEsstvSsjOsFyajTgjwPRR2vLcQX13L57w71HywwDIr26bRxlYe/fnu 0cQ3iZecEgYhfWLQ9KjtstMttZJFbbYgutypfqooNCHlSCNCcH5lEarKtJP9UKQy874eeee6 vxJjLeXZJgxS+J3XkyPE5yW+5tenK8ObAeJt4dh7dpiQKip/XRaGdZijcO2/tNxPhG59x3PV 15QvLzvMOS4xelstyYlzLurF5uUVk5JSAb0Mm4/nvvI4hmQkg9XESrUtC4vH3bbi/bL7n3Ae MYJeZt3wbMMWu2UY2NzNHZsQJNrukd2M48gh5goUfeBKKFtLaWqjuWEpibAdDQoBQCgFAKAU AoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgKbd47su1XOKwiK/JiPNMiq6Ipm2Qiir8O q0Bp8tdkfd5EH0rvbvmJOxiJtw24rTgKQkqLsMXlEk18FRdF8U6Vqpx5SRrDe3PnKH7YHMHE k3iXIIvJN75GZudqwpyMHrpMNJlmdWQ20hrqCCy51Vf9C/DRayapgZr+1vxPyPw9275Bj3J2 HTsHvdzzq6XWBZrkgBIWE7Egsg6TYEWxFNk0RC0Xpr4KirWVEk9QprSrxL3dcNdzPMHI2Kdn 8DlYp3IF6veJXvI7OdyaYB64vSYky2yos6OrakBiXVC08FRCToJQ/fcRcfc77mrWmM51whkm P4MrwSH8Fxi1+kgSnGiQ2lmuPSnn5KNkKEIGexCRC2bkRUEdTM32m+DeYOHGeepXKvH11wJv KJOOjYW7uINOylhNT/UKDYmRbQ84PmXouuiaqhaViKoTFVDRBD3B8X80n3Dd3WOXLtvzTkvg zuRaxEpeX4Y9HZusRzG4sZ6I/Cdf81hwRkgYvRnwTdtEkIdEUgMM8r7bO4+HxxK4Z4w7Z+T2 8Cu2Tx8wyK6ZMzEO4TLhBiOQoTLUWGYxYrLTb7hGo73HTUd5ILYjQy0Ze+1n24c68T89Zrln JXFd8wTHJGBvWmLcbu22wLkxy5Q3m2WgQyIv22TVVRNE066ajrWypUJ7ahSHDu2x/uVwTvj4 /wC4rhfgq4cv22wcefwYDHL/AIvqn3ri1IbeJo/MbJtuSBjqOha9PBdBNZhJyRjXe7yXwPI4 Dndod+s9jk57c8+O/wARtxyUku5zZs44qNOu7PLbKcQCWuqiIqqaqtCGVnEFu7sOZe+HgbmL lntwn8R45xpitzx+dP3EsNI/orgjDhHINTUzeloCAKKunXwQlQXWTfUKKAUAoBQCgFAKAUAo BQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFA KAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUBQr7frJjNufvGQ3SNZ7XFJsZFwluC002rpo2 CEZKiJqRIiVzcNwt3iZq3ai5SehLF4YnU43jrHBWndvzUIKlW3RYui/yVVp1t9tt1pwXWnRQ mnRVFEhVNUVFToqKlcLVMHpOzGSkk06pnYoaFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAK AUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoDrPOK20bgtk6oCpI0GikWia7U1VE1X4daqx dDMnlTdKkZ3cQ7yhlFghZznEN3EMWO+fxeLcfO6k+2nlvKU+cors8wkbUQTVei/LonzH+w/E 48Bw158NwzVy5kzTuatK8kNdMcfrpxwX84//AEWXNuN4aPGcXWzZ/Jkt2cc2iTdyeqvlotdG 8qUcZZS8FXDLMVZTiDPIBpcsbiI/iWRxgcct9ytSKiCIPqKIjkdSQVEtC27enRVX4r5Na4fi n/7/AAsvLN0nF0UoT+q8JaaqqrXE/T/hV/jOBj0rjo+e3Gtuaq4XLfgpU0w0UdHlphhV5K18 kfoJxGG8CDco7kVNwroqa/FF+C0TxI1VUPAJx6yiaf5fln1d6vV6q91a2EeB29H3F/1ZH38f M/d2WfV3qvVXurWwh29H3F/1ZD8fM/d2WfV3qdVe6tbCHb0fcX/VkPx8z93ZZ9Xep1V7q1sI dvR9xf8AVkPx8z93ZZ9Xep1V7q1sIdvR9xf9WQ/HzP3dln1d6nVXurWwh29H3F/1ZD8fM/d2 WfV3qdVe6tbCHb0fcX/VkPx8z93ZZ9Xep1V7q1sIdvR9xf8AVkPx8z93ZZ9Xep1V7q1sIdvR 9xf9WQ/HzP3dln1d6nVXurWwh29H3F/1ZD8fM/d2WfV3qdVe6tbCHb0fcX/VkPx8z93ZZ9Xe p1V7q1sIdvR9xf8AVkPx8z93ZZ9Xep1V7q1sIdvR9xf9WQ/HzP3dln1d6nVXurWwh29H3F/1 ZD8fM/d2WfV3qdVe6tbCHb0fcX/VkPx8z93ZZ9Xep1V7q1sIdvR9xf8AVkPx8z93ZZ9Xep1V 7q1sIdvR9xf9WQ/HzP3dln1d6nVXurWwh29H3F/1ZD8fM/d2WfV3qdVe6tbCHb0fcX/VkPx8 z93ZZ9Xep1V7q1sIdvR9xf8AVkPx8z93ZZ9Xep1V7q1sIdvR9xf9WQ/HzP3dln1d6nVXurWw h29H3F/1ZD8fM/d2WfV3qdVe6tbCHb0fcX/VkPx8z93ZZ9Xep1V7q1sIdvR9xf8AVkPx8z93 ZZ9Xep1V7q1sIdvR9xf9WQ/HzP3dln1d6nVXurWwh29H3F/1ZD8fM/d2WfV3qdVe6tbCHb0f cX/VkPx8z93ZZ9Xep1V7q1sIdvR9xf8AVkPx8z93ZZ9Xep1V7q1sIdvR9xf9WQ/HzP3dln1d 6nVXurWwh29H3F/1ZD8fM/d2WfV3qdVe6tbCHb0fcX/VkPx8z93ZZ9Xep1V7q1sIdvR9xf8A VkPx8z93ZZ9Xep1V7q1sIdvR9xf9WQ/HzP3dln1d6nVXurWwh29H3F/1ZD8fM/d2WfV3qdVe 6tbCHb0fcX/VkPx8z93ZZ9Xep1V7q1sIdvR9xf8AVkPx8z93ZZ9Xep1V7q1sIdvR9xf9WQ/H zP3dln1d6nVXurWwh29H3F/1ZD8fM/d2WfV3qdVe6tbCHb0fcX/VkPx8z93ZZ9Xep1V7q1sI dvR9xf8AVkeeyLhXE8vgha8rn3/ILc08MhuDNuskmxeESEXEQCFdUQiROvxrn4X5DxPCTz2I 24SpSqgq08Dpcd8N4Pj4K3xU7tyKdUpXJNVxVdWNG/5LtMMNxmGY7SbWmQRtsNVXQRTRE1Xr 4JXhyk5Nt6WfVQgoRUVoSodqobFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFA KAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQHSlSo8KNIly324sSK2T0mQ6SA22AIpGZ kXREFE1VVqpOTUYqrehGJzjCLlJ0Sxb8EeD495WwLlS3yrlg2QsXlmA8TE5lEJp9kkJUFXGX EExE9NRLTQk8Frv8y5RxXLpqPEQcaqq8H+jWGGvwPP5ZzjhOZQcuHmpU0+K/YuTXnnpigFAK AUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUBTbj cINpgy7ncpTUC3QGTfmzXiQG2mm03EZEuiIiIlatW5XZqEE3JuiS1s4b96FmDuXGoxiqtvQk iKzuB5zzLmlnI8e48YlQOKcbaCRk14QSbdntk4LQlI6psYVwkQG+hH/cSaJon7B8b+OWOVOF zimnxE3SK/04Vw8ZU0vQtR+FfLfml7m0LtvgVJ8PbVZySpXFJVepVeC0vX9LMcC5zK4W5Atm ZGy9Kxq5iVmyMUEwFYzhAZuNkKKJuR1RHNnio6omm5Fr3vknK1zXhJWU0px80f1x/hS0V/6H yvw75LLlPGRvXIv8UvLJ40xp/lYP/uTeQZ8O6QYlyt8luZAnshIhS2l3A424KEBiqeKKi61+ A3IStycJKjTo19T+oLV2N2CnB1i1VNa0yoVk5RQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQ CgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFARzc6d5XCcfPB4UyW0O5Zx+8ZQOTcyhvmjFq liYqyDIs/PIRhwdZBAX7fTRDJCFO1wXF3eDuxvWnScdD0/8AE6XMeXWOYWJWL8c0JaVVr/KL u8n4XguN9reW2zABZdxgrczdLbcYj3q/WIUlp8X1kApechp4FqqbdPglfTci5pf43nVq9elW TdPBJZWqJaj4r5NyPheX/Hb/AA/DxyxST8W3mTq3r/5Itb2j4xjnIHE/IGI5Pbm7paXL8hKB /wBzRuxGkR1ktdW3B26oQ6LXu/NuMvcDzCzfsyyyyfzSTwfivofLf/NOXcPzLlHEcNxEM0HP XqrFYrwappRY+5d6/HnalnVr4QstwuPLmEY/eZTXIGVh5aHjjbqIKQIDbKKk1yM9uckCm1AR VAEVz5E+K51zTqd787tqEmkpUr5mteOjDA/Tfj3JHyjhv/X/ACyuQT8uZYxj/prrxx1foSu4 xk+P5lj9oyrFbxFv+O36K3Ns15hOI6xIYdTUTAx8f6p4ovReteOe8ehoDxvIGZ2rjvB8szm9 OI3a8Ttcq6S9V03JHbI0bHX/AFGqIIp+qpQGv493191jpuPryU1DWS4bqQwtFtUWUMlJGhUm FVUbRduqrr01rNQSjdhvcNk3OeAZTB5Au7d4z/CburU+cLDMZZFunCr0J1WmBAE2qjjSqidd iKvVaqBVe/bljkHhvhKBlnG1/THchfyq121y4LGYl6xZAvK635cgDD5tiddNaMET+Ld4nfPn 16TG8Dy+bl+QlHclDZLVYLU9JVhlRRx3arAptBSTVdfjVB3bn3x98vFWRN2nkGakC6MoEp3F 8uxhiGrzCroiiTAxnFAtNN7ZqmtAZeZd355JyF2c5nypxuY8cct4LkFjsuV21G2bizHWfLaF H43qWyE2JLSlsUh3CqEK9R1UDBDGO9rvszq/RMWwfOJeWZNcAdcgWC14/aXpTwsArjqgCxxR UAEUl6+CUBVcr7z/AHCuJrnCi8jXK4YnLuAE5At+UYlBYalA2qb/ACTBltHNNfm8tzVP6UBJ v2N97z/c4uQ4Rm9hhY7ydikJu5G5a1c/jrrbzcRkpDDbxE4y404oo42pEnzCQloqoIGdGdZh Z+PsLyvOsgeSNZMPtMy8XV5V00Yhsk8aJ/VUHRP60BrFzPcj7x5sqXPj8oMWmPcJDsiJaRsd qMYrTpkbccSOOpF5YKg6qqqunWgJGO07u05q544H5FtVwvZXzmHBL8x6y8Q4bLDzthujLhw3 /IiMrtFuS0TLzjTRGLepCKkiLQEl3DE3Mp+DQZGapK/klcUYz05vypTjKAGpODtAlHzd6NEY iZtIBmiES0BdqgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoCLvvA7uXY4XXibh+6/ 81UOJm2dQHUX0viLkCA4Cr+94o66n/j6iP7mqhUiojG4+hcXsZZb3eXivQYLbkR6bZrDGR6X cSEk2xCM3WfJaLqrhoqkqfKOiluTRGTG433udv4cW5rkVgxy+2XD+Ko9qtqY6VrjxkfK5q6x AgwGG3yb6+QSKhbREU1VdNazRp1RJRTVHoKFx53x8BSeOeSuTYOD3fD3MNm2xc5xuHAiHPeS 6PpEhTAVh0GngU1USVSQh0XVPDXmvcRevKKuTcsuCq26fodfh+CscO5O1CMXLF0SVf1oRWd4 PIfbLzJfPyNxBasmw7kCe6KZfZ59qYjWq8CvT1m9mS55MsE03Eg6Op/d86IS8aqdkpvZ93j5 J2wZEliviSsi4Vv0rzMjxprV2RaH3V+e52sFXx+LzCdHE+YdHP7jVQbJ+KZXjmc47ZsuxC9R Mixi/wAVuZZr3BcR1iQw4mokBJ/2VF6ouqKiKlYBGd7pfOltwPjjEeLAkuldeR563C6QY3Vx bTaCBxUPVUQRdkk0PXx2kn61GCO7t44svHNvAndjyNAx9kbjgdkiMcdK9vfM7nAJLxO2abUU jjNgx0/9ipUQPPe3r3ET8E7mcKi3mUw1ivKrK4ndCEEbEX5ao9bHSVV06SRRvX9HFogSs+6r c27T2z2mW6yT7f8AndjbIAVEL5hk9U16VWCJ3s157wThfmqPyPlAXKfZ2MfuNscgWtgHpyPS yYJtfJccaRQTyl1VC6VED3fe93VY13L3zCX8axeZjOO4C1PRu7XpWW5s124eUhIoNG4LbTaM oqIpqqkvgmnXQKJiPGOWY72T8/8AJ98tki1WDkS/YXbsQGU2TRzWLZdN705sD0LyiN7Y2Wnz bSVNR0VQLQds/L1n4D5uxLli/wBonX61Y0xcmpFqtqtDJcKdDcjAoK+QBoJHquq+HhQF/O9H vgt3dNjeKYbjnH8rE7Bjt3/nJN2u77D05+SDDsdtlkI6mDTe14lNVNVJdqaIidQMnPan7f8A ILddck7ib49EYsl4s543hVvYlMyJDyHIB+ZJktsmfp9qsgANuaOLqRKIjt3AXc92Pl7/ABPh XH+JbZJ8u78u3REuzYloSWS0EEmTuTx0dfVlv+qKSUBF52sdtMjnHijuvyxIXqZuFYg3DwJx RQl/ngL+VcJpV/1+RFFldPg8v60BQ/b65nHiPuc4+uEmV6bGOSR/w3JEItAEboQFAcPX/wBU wG01+CEX60Btc0AoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAhM9wD2/np53vnzt +tDoXv8Acncj8bWxCD13ibtztbLemkjxJ5kf/N1Mf3dUclARJcK5RhX+a2qBzDleW2njq6f8 abkGPyGnJFrdMkQJbzEtiSjzAdUdARQxT5k127VJsE6OYdtfbrwt2vcwZddsxy7OeNsmt9jv 0q/2h23y5jZW+Qv8fOtaNhHjuLrM1JDLYQapWqgtN2m8WdsXPnHvM/F+BZFn8p+/fwEvMc1u se3W+SkeJLORDhw2GTlA2IuskTm8dxa+PRNFQYh92PE3b7wvfl4+4xy3KM8z6A6K5bMmy4bl qtAIiqsQ0YjNk7LPVFUULRpP7/mVBrSYOl2jdnWRdzuTLdLssrHuG8dlI3lOTt6tv3J5tUU7 ZbDVP718Hnk6NJ0TVxURNN0BsmYnieN4Jjlmw/DrLExzGMeihDs1kgto2xHZbTRBEU/7qq9V XVVVVVVriBqpd9nMicz9zfJGRR5nn4vhr3+IYo5u3NejsxGMh4P6OyyePX4ppWWD3XGnD3uM 43hUGLxNYeRMYwHJG/5mHbbPcrfDiShuDYEskmXH0PV5vbruRF00TRK0DDTLMRzTjDLLjimT 2iXhOeYjKjuyLa/tGRBloLcyK6itEQr0JtwVElRUWsAmw74eXInOnt08R8pRVAZGUZNjTl7j Aqf8e5sDJYns6fDZIbNE1+Gi1sGAXt7cWYBzJ3KxcJ5NxqPluLLil3uX8PJN5sPVRnIosuoT BtmiijhafN8aygbDOM9nfbBiFwZuli4Rxhq4R1QmJUuKs8gIV1Qh9YTyIqfr41oFk/cwKNC7 R8q3KEaMze8dAURNBFEuTCCiIidE+FAQ1di9hwvkDun46xLLLRbctsFziXs5tguTAyYrysW1 51sjacFRJQIUJNfBaAzD90HgTh7ijCeNM747wK2YNcblkjlivf8ABxxisS47sJ+Q0jrDeje8 DY1E0RF0VUVVRegHjPaFy+Y3zLyzhsd55uyXrEo97kwVLRlZsGaEcX9idN6tyFFS8VRERfBK iYMVPcD5rXl7ufzyVBli9i/HKJhmOOIqEG22kRXB4VToqOSzcTX/AGgP6UbBVeKeJfcTx/Db fK4YsvIeN4LloN3+C1Y7jAhRpyTWW1CWTTr6Hq60If3Ii7dOlUGHuc4Rm3GuVXbDc4sszDs3 shsvz7XIUEkRXXwGVHeQmSIF1QhcFRJUrANtrtW5ja544B405LUxK63i1NxsoZFU/au8FViz wVE8P3myJE/2qlbBkNQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoCJjum9vviWd m917jYlivU/GrTEm5ByfwjisdFkZVOjijjIwiQh9N6g9fVoCKrg6kG01JSlARa3/AL7uUM74 55q4sy23W0+POU7SzCwfGLOy1Di4csN1hYkaAIgPmRUZYRtwC+bf+4OmpCsqC23BPcvmnbti /L0Djkf4/MuU2LVAiZgWw/4eLBKQUh1hkxJDkOecgtkXyh1JUVdqUqCQzgThW1e4BbrVyxk9 vncaZFYLuNp5svVohI1aM5FlpS/kLW4hIkW4Eoi1NURIfm3D8+mm1IE5WK4rjuD45ZsRxGzR bBjWPxW4dms8MEbYYZbTRBFE8VXxVV6kqqqqqqq1AdjIbbMvNgvdot92esU+6wJMOFfI4C49 DdfaJsJDYH8pE0pISIXTVOtARDRvZr4uB2N6zmjMLhFbdA5kRyJb09QCGhOARo3uTzE1RV11 661KAmKhxY0CJGgw2Rjw4TQMRY4JoLbbYoICKfoiIiJVBHn3Me3Nx93J8ovcqXDPb9hN4nWq HbbtBtUeG8zJKErgtSCWQBEh+WaAui6aCNSgKSx7beLh29XHtzkcw5PMxSRmjGaW26ORIPqo UltogdjtIgbFbdNfMXVNULX9Vqgq3bN7dWGds/KTfKdk5MyHLLg3Z5lnG1XONDaY8uaTREe5 gBLUfKTSpQEi9UFhO5Lge09yXFN34pveQzsYt93mQJrl4tzbTkhsoEkJICIvIoKhKGi6pQGJ nb37auEdvnLeM8uWflLJMmuOMsz2Y9muEWE1HdSfFcikpky2JptRzcmnxSpQGTXdJ20Yr3T8 dw+P8ovdxxpLZeI18tF9taNG+xJjg40qK28JAYm28Yqip8dfhVBjDwN7b1r7eOQWuRMF52yx LkVtm2i4wJMG3LHlxJjaogOoLaL+08jbwqiou4ETwVUqUBZsvZs40fMym84ZnNSS6TtwRyJb tz6uHve3H5e7VxVXVddetKAmFtdsh2W2W6zW1gY1utMVmHAjimgtssAjbYIn6IIolUGAndB7 eOAdznJMbk2551fMIvKWaPZ7kxaWIjzUsYjjhsvOeoAlQxF1Q6fBEqUBeHtR7XoPapiOR4TZ c+vGbWK+3b+ZisXdiO0sKQ40LUjyljiKKLuwCVFToqap4rVBlXQCgFAKAUAoBQCgFAKAUAoB QCgFAKAUAoBQCgFAKAUAoBQEIfuCe32c877z7wHYt1yNXLhyZxtAb6zPE3rpa2QT/wA/iTzI p+7/AHgnmaocaBgp2Vdl2R91OSDfbwsrHuE8fkoGTZQ0itvXR4NCK2WwlT+9U0R53waRdE1c VESJA2gcTxPGsExqyYbh1li49jGORG4VkssJtG2I7DaaIIinxXxVV6kqqqqqqq1oHpqAp82Q 9FhyH2IbtweaBSbhsqAuOqn+kVcIRRV/qqVq3FSkk3ReL1fwcV6bhByjFya1KlX/ADRFsF5U jhCt8t3F7nEW6SZMe3syXoDKuek3I+Sm5JQBQSHaiKWq/BNK9fozzyirkXlSbopP7tH9anzz +RxyRm7M1mbSTcFXL92LlTSqaasrH+fNElykM45dJFptIyEn3sEY8gXorROOttoTqG5tIFb3 iKjv6a6da4OmvypzipSpSONaN0T0UXjR40O31pPNJWpuEa1lhlrFVaWNXR+WqVM2vWcJcm2R yJbZFvh3C4v3hhpy2W9llBfcdcdNlYxC4Qo240TZ+YhqiBtLVelaXJ7qlJScUot1beFEk82G lOqy001Rh/ILDjFwjKTmllSWLbbjlxapKLTzV+2jqVK0ZrEutzSyPWydaby2shJkCUAfs+nF ktVcbMwIXBfFQUVVF666KmlcN/l8rUPyKSlHCjWutdTxwyutfodjhebQvXfwuEozxqmlhlyv Sm001JUarr8CjflC1tx2brNs91t+OTReW15C6yCsSfJAnB2tgZOh5wgvlbwTf0ROqoi9hcnu N5Iyi5qlY1xVcNNKOn9qPA6ncVpRV2cJxtOuWbSpKib0J5lmp5KpZv3RU4GbDIeZYuFhnWaR ImR4LUeQcZ098ltx0FcFh5xW9EbXchaL1Txrhu8vcU3Gakkm8KrQ0sKpV06js2ebqTUZ25Qb kopPK35k3jlk6aManNBzywzrLfr8KyGIGPPSG5qutKjhgwm4Xmmx1IweFUJtdPmRazc5bdhd hbwcppUx8dTepr+3gW1znh7lm5exUbbdcMaLGqWlqSxj4nAznTDJwEyC0TcTG6SPIgO3Q4wN kvpzkakYPGgKgtqiiXXdolaly5yr+KSuZVV5a+KXhjp/gxHnMYuKvwlazOiz5UvtctKbpopR 41Oi1ybaZt0g2u3Qn5qTS0Scj8RppB9W9DQw818SdRSYIk8tC6afFdK5ZcouQtuc2lTVSTf2 qWpYYSWmhww+Q2bl2Nu3FyrrrFL7pQqqyTljFvy1wprOebyHAgXaZb37TPWHBuDFqk3kPJVk ZcloHGwRvzUeVF8wR3IGmv8ARFWs2+VTnbU1JVcXJRxrlTaeNKavE3e57btXpW3CWWMlBywp mkk0qVza0q0/wdeNybZpUmUAw5TcC3Qxn3W4unHH0zJxBmbiY83zyHYYpuAFHcu1FXRas+U3 IxWKq3RLHF5summXTqbrTEzb+QWZydIvLGOaUnl8qyqf21zNUaVVFquB+m+R4zRxQu+O3iyF cUZctSSW2S9Q29Iaj6/tOnsIFeAiE9CQV1TXRaPlUpVyTjKla0rhRN60q1yujWFQufRjRXbU 4ZqONUvMnJR1N0azJtOjoVaZnFohLPGQ1JGTbroNrdiI2iuE4bPqBcBNeoKzqev6CXxSuGHL rk8tGqOOaurTlp+tcP3R2bvOLNvMpJ1jPJSmNWs1V9Mvmr4JnJiOXsZfCOfGgPQWEFpxnzX4 rxELwbxVUjPO7FRPFC0Wpx3AvhJZXKrx1NaP9yVf2N8r5nHj4OcYuKw0uL0qv9XKn70Pa10j 0xQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUB81RPjQDcP60BTLZa7VZIbdus9uiW i3tG44EGEyDDIm84TrpI22giimZkRLp1VVVeq0BU9w/rQH3VP1oBQFtZvHcCVDtERie8wVkf mvxjeZjS0JZxk46htyGjDopfKqIion/Va9O3zWcJSk4p5lFOjcftwWKdf1PCvcjtzhCMZNZH JqqjL7226qSa/Q/SYGqNXKAOSXBuxXhJCzrKIR/L82W2oPK04rSm2BESubBXRCXpoPy1FzLG MvxxzxpSWOiLwqq0b1V8PriXouE4K7JW51rHy0rJUlR0qk35sqwzaMMDhk8aWc7k/d4Fwn2u 5ujDNl6O4Cg1Kh7kSSLRgQ73QPy3UX5THTVN3zVqHNrigoSjGUcdNcVL+ta6E8Y60/pgZucg su47sJSjPy4qmEoV81GqVknlnqktVcT63gL7M4Ly1lVw/wAgM3yn3Q2Yp+cD4Mt+X5JNKAAA sDtQURf7tVVVWo+Zpx/G7ccmFFV4Uq61rVt1da/QR5JKM/yq9L8uNZUi61SVMtKJLKqU+ta1 OsfGMJ+HHss6/wBynYzAF0bXYTJoRj+YBgC+eLaOueQhr5W4vl6Ku5RSt9XlGTuRhFXHSssc f2rRZqeamn6VMP49CUFZncm7Ua5YYeWqaXmpmeWvkq8MNNEfseNYzsqRcbhfJk27vCDY3UGo sd1AbB0BUvJZFDNfN1UyReojpomqKfNpKKhGCUfCsmtKet4LDQvFlXIYym7k7knN0WakYuiT WpYvzaX4KlDsweMcatsO626GU9u3Xq2NWufDOW66nlsIQtONm4pEBgJqiKK6eHTpWLnN79yU Zyy5oyck6JadKdNKZuz8e4azCduGbLOCg1mbwVaNN4pqur+DttYUMh23u5HepOU/xT6vwW5z MVG0/YcY+cG2RQiVHFVSXrqiaaJ0rEuYZVJWoKGZUdG/FPW8NGg5Y8pzuLv3HdyOqzKNNDji ksdNa+J0I/G9ugXSNcrdMKKMctfSHEiPgg+qfloLROMqTKIUgh/bVOmnxTWuSfNZzg4TVa66 yX9VHGj832rScMOQ27V1XLcqU1ZYv+0p4VVY4ya8tMKazuSOPLC/encjUXBvZz1mpctrSuoh xRhmwhK2q+UTY66KuqF1RUrjjzS7G3+L+mWlMafdmrp01/wck+R8PK87/wD5M2bNhX7cjjo+ 1rV44opsrjG2XD+LjT7lJmWi0MtsQ4BtRxdEGmFYQElA0LyAqKpEKF1Vf9vy1zW+bzt5nGKU pNturpi6/bXLX60/zicFz49au5Izm3CCSSpGuCy0zpZqa2q6fpgfJHHJzmmkueW3a4PwGmmb HJMYwlGRp9l/eoiygumasAJEaLqOuiJqq1I81UH5LcUm25LHGqa8cEszolrE+RO6l+S9OTik oPy+WjUq6KSbypNy1eFWVEsChyLol5ud1mT562163ySTymWnCe3gMlW2wREebacNoSTptJdU VetcfUpRh+OEUo5lLW2qf1q39raUmvFHM+TQnd/LcnKUsji9CTrVZ6JfdGLcU/BvAqOJYo1i cFYDM31rAgy20XpY8ckFkNib1jNt71VPFSri47jHxUszVHjrb0/7m6HY5Zy5cDDIpVWC+2Md CpjlSr+rPZ10z0xQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKA6z3maLt8f6UBQ5BTt V2CS/pQFEfO+Iv7QKv8A1RaA4m3MhVfnbVEoCpslc1/vEkoCsxlkrpvRUoCrhrp1oD9UAoBQ CgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKAUAoBQCgFAKA//Z --------------070409000103030101070908-- --------------000908080408080501060102--
What do you mean? Maybe the password delegation into the virtual machine? If engine does not know the password, it cannot delegate it to virtual machine. Solution is described here[1], so far no resources were allocated. [1] http://www.ovirt.org/Features/SSO ----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Friday, October 30, 2015 9:33:02 PM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
It works fine, but it kills SSO as user...
Poking in the windows logs I see a failed login as:
myuser@mydomain.tld-authz !!
Il 27/10/2015 11:51, Shahar Havivi ha scritto:
On 27.10.15 05:25, Alon Bar-Lev wrote:
yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$ maybe, not sure: $JoinDomain$, $MachineObjectOU$ the rest should be the same as any other. Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file. You can leave the variables such as $OrgName$ which will be replaces (exept from the variables that Alon mentioned which where the original problem).
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Tuesday, October 27, 2015 11:19:02 AM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right?
The variables like '![CDATA[$OrgName$' will be replaced?
Il 26/10/2015 12:43, Shahar Havivi ha scritto:
On 26.10.15 06:23, Alon Bar-Lev wrote:
Hi, The usage of the engine-manage-domain user to anything else but ldap searches is something that is unexpected and insecure. As a solution, you may either paste a modified sysprep file into the pool at UI or set up a different osinfo profile with modified sysprep file, this modified sysprep file can contain the credentials of the user that is being used for joining the domain. CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned. -- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
-- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
As long as I user engine-manage-domains SSO with spice client worked fine: User logins in the user portal, clicks on a vm and get logged in the windows vm With ovirt-engine-extension-aaa-ldap, configured with ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The vm says I tried t login with an invalid username or password. After enabling audit logs in the vm I see that the spice clients tries to login as user@domain-authz I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain.net-authz.properties" and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain-authn.properties" And now SSO works fine Is it the correct way to go?? Il 30/10/2015 20:37, Alon Bar-Lev ha scritto:
What do you mean? Maybe the password delegation into the virtual machine? If engine does not know the password, it cannot delegate it to virtual machine. Solution is described here[1], so far no resources were allocated.
[1] http://www.ovirt.org/Features/SSO
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Friday, October 30, 2015 9:33:02 PM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
It works fine, but it kills SSO as user...
Poking in the windows logs I see a failed login as:
myuser@mydomain.tld-authz !!
Il 27/10/2015 11:51, Shahar Havivi ha scritto:
On 27.10.15 05:25, Alon Bar-Lev wrote:
yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$ maybe, not sure: $JoinDomain$, $MachineObjectOU$ the rest should be the same as any other. Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file. You can leave the variables such as $OrgName$ which will be replaces (exept from the variables that Alon mentioned which where the original problem).
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Tuesday, October 27, 2015 11:19:02 AM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right?
The variables like '![CDATA[$OrgName$' will be replaced?
Il 26/10/2015 12:43, Shahar Havivi ha scritto:
On 26.10.15 06:23, Alon Bar-Lev wrote: > Hi, > The usage of the engine-manage-domain user to anything else but ldap > searches is something that is unexpected and insecure. > As a solution, you may either paste a modified sysprep file into the > pool > at UI or set up a different osinfo profile with modified sysprep file, > this modified sysprep file can contain the credentials of the user that > is being used for joining the domain. > CCing Shahar which may assist farther. Hi, You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom Script" As Alon mentioned. -- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
-- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
-- Mammoli Cristian System administrator T. +39 0731 22911 Via Brodolini 6 | 60035 Jesi (an)
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Shahar Havivi" <shaharh@redhat.com>, "users" <users@ovirt.org> Sent: Friday, October 30, 2015 9:48:04 PM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
As long as I user engine-manage-domains SSO with spice client worked fine: User logins in the user portal, clicks on a vm and get logged in the windows vm
With ovirt-engine-extension-aaa-ldap, configured with ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The vm says I tried t login with an invalid username or password.
After enabling audit logs in the vm I see that the spice clients tries to login as
user@domain-authz
I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain.net-authz.properties"
and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in "/etc/ovirt-engine/extensions.d/domain-authn.properties"
And now SSO works fine
Is it the correct way to go??
Oh... I did not understand this is what you are trying to do. Yes, this is [1]. There are lots of invalid assumptions in the product, one of them is that the profile name within the ovirt application matches the domain name of the VM. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7
Il 30/10/2015 20:37, Alon Bar-Lev ha scritto:
What do you mean? Maybe the password delegation into the virtual machine? If engine does not know the password, it cannot delegate it to virtual machine. Solution is described here[1], so far no resources were allocated.
[1] http://www.ovirt.org/Features/SSO
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Friday, October 30, 2015 9:33:02 PM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
It works fine, but it kills SSO as user...
Poking in the windows logs I see a failed login as:
myuser@mydomain.tld-authz !!
Il 27/10/2015 11:51, Shahar Havivi ha scritto:
On 27.10.15 05:25, Alon Bar-Lev wrote:
yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, $DomainAdmin$ maybe, not sure: $JoinDomain$, $MachineObjectOU$ the rest should be the same as any other. Please make sure that the file is the full sysprep file such as you can find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file. You can leave the variables such as $OrgName$ which will be replaces (exept from the variables that Alon mentioned which where the original problem).
----- Original Message -----
From: "Cristian Mammoli" <c.mammoli@apra.it> To: "Shahar Havivi" <shaharh@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: "users" <users@ovirt.org> Sent: Tuesday, October 27, 2015 11:19:02 AM Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join
So just pasting there the contents of a modified /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should work right?
The variables like '
Alon Bar-Lev -
Cristian Mammoli -
Shahar Havivi