OpenDirectory + Solaris 10 = major league hair-pullage

    #366589
    zamoose
    Participant

    Howdy all,

    I’m having a devil of a time getting Solaris 10 hosts set up to tie to our existing OpenDirectory setup. Does anyone have any experience tying the two together? Additionally, we’d really like to keep our NIS setup in place for a bit, as we’re far more comfortable with it than with LDAP at the moment.

    What we really want to do is have Solaris clients get user and group info from the OD master and the rest (auto.*, netgroup, hosts, etc.) from our existing NIS infrastructure.

    Help is desperately needed and would be most appreciated. Thanks!

    #366902
    chwilk
    Participant

    zamoose,

    It looks like you haven’t gotten any posted replies to your question, so I was wondering if you’d made any progress on your own? I have a similar problem and would like to see if you’ve since figured out how to get authentication working from Solaris 10 to an Apple OD server.

    I was able to get as far as getting account info working under solaris, but not the actual authentication, i.e. I could see ldap entries with getent passwd, but I was stuck trying to figure out the actual auth issue.

    The second half of your question, mixing ldap and nis is actually pretty trivial, you just have to edit /etc/nsswitch.conf to your needs and watch that the solaris auth setup tools don’t try to change it.


    Chandler Wilkerson

    #367923
    jerkyjerk
    Participant

    Earlier this year I spent time hacking on this. I had worked on it off and on for a year on one of my Sun boxes in
    my home lab. On my last attempt my search yielded someone on the Apple discussions talking about his trying to
    do that. I then got motivated to pick it up again since I might have someone to bounce ideas off of.

    It appears, at least where I am, the Apple discussions are running a bit slow, but the thread can
    be found at:

    http://discussions.apple.com/thread.jspa?messageID=1827113&#1827113

    Below is the text of the thread in case anyone is impatient and doesn’t want to wait. The next thing I wanted to do
    is get TLS to work, but if you are using Kerberos I don’t think it’s such a major thing on a closed network. I’d be interested
    in hearing about any attempts at using LDAP-TLS with Solaris. I’ve gotten it working rather easily on Linux but haven’t had
    the time to work out the Solaris thing yet.

    Solaris authentication with 10.4 Server Open Directory
    Posted: Feb 27, 2006 2:38 PM

    I have 10.4.4 Server running on a dual 2.3G G5, and it’s working very well… Mac clients and Windows clients can authenticate, change passwords, mount home directories and all is well.

    The Mac is an Open Directory Master and SSL is not enabled ( I don’t need that, it’s a private network )..

    Does anyone know how to get a Solaris 9 machine to authenticate against the Mac ?

    PowerBook G4 (15-inch Titanium Mac OS X (10.4.5)


    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Feb 27, 2006 9:35 PM in response to: Mike Ingram

    Have you attempted it at all? If so how far did you get. I’ve been working on that off and on for quite a while. I recently picked it up again and I’ve gotten a little further. I’ve gotten the command ldaplist to output all of the directory’s top level list like:

    dn: cn=config,dc=foo,dc=net
    dn: cn=users,dc=foo,dc=net
    dn: cn=groups,dc=foo,dc=net
    dn: cn=mounts,dc=foo,dc=net
    <...snip...>
    dn: cn=autoserversetup,dc=foo,dc=net
    dn: cn=neighborhoods,dc=foo,dc=net

    I’m still a bit off since getent passwd/group doesn’t yield any LDAP users or groups but at least I know it’s talking to the LDAP server somewhat.

    In the research I’ve done, Solaris’s LDAP and Kerberos (SEAM) libraries appear to be a little funky in getting to interop with other LDAP and Kerberos implementations. A lot of people complain about them in the various places I’ve read, and any that did get it working recommend just forgoing the stock libraries altogether and building OpenLDAP along with MIT or Heimdal Kerberos instead. I’ve been stubborn and haven’t wanted to do that; sticking with the stock libs seems easier from a support standpoint. I don’t want to have to rebuild the OpenLDAP and Kerberos libs from source when I need to update due to some gaping security hole. It’s easier to just install a Sun-provided patch, I think.

    Since I’ve made some headway, I’m a bit encouraged to continue hacking away at it. I’ll post anything I can regarding what I did if I do get it to work. My goal is to get both LDAP and Kerberos working for the single sign-on effect. I’ve got it working with a Linux client and it’s really convenient.

    jerky

    PowerMac G4 Mac OS X (10.3.9)

    Mike Ingram

    Posts: 7
    Registered: Jan 5, 2005
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Feb 28, 2006 9:35 AM in response to: Jerky

    Yes, I have attempted it… The Solaris box ( Solaris 9 and 10 by the way ), seems to “see” the Mac LDAP server, ldaplist comes back with the same information that I get when I use LDAP Browser to view the directory entries..

    On the Mac I have added the DUAConfig and solaris schemas into /etc/openldap/schemas and altered /etc/openldap/slapd.conf to include them, restarted the Mac and OpenDirectory was still alive ( Yay ! )

    On the Solaris box I have:

    set the domainname to be the same as the LDAP domain
    example.com where LDAP domain is dc=example,dc=com

    ldapclient manual \
    -a credentialLevel=anonymous \
    -a authenticationMethod=simple \
    -a defaultSearchBase=dc=example,dc=com \
    -a defaultServerList=zeus.example.com \
    -a domainName=example.com

    But this is about as far as I get… I started working with changing /etc/pam.conf per some man pages and some examples that recommend replacing auth required pam_unix_auth.so.1
    with auth binding pam_unix_auth.so.1 server_policy

    and then adding auth required pam_ldap.so.1

    But it still doesn’t work… can’t get the Sun to find a user that definitely exists as a loginable user on the Mac and on the Windows boxen..

    That’s my story so far !

    PowerBook G4 (15-inch Titanium Mac OS X (10.3.7)

    PowerBook G4 (15-inch Titanium Mac OS X (10.4.4)

    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 8, 2006 9:12 PM in response to: Mike Ingram

    I’m still hacking away at this one. I think I’ve made some headway so I figured I’d share what I got so far so I don’t lose the info. I’m actually getting ldap users returned. I think my next step is to start tackling PAM and then start working on Kerberos. I’m getting sleepy so I think I’ll let this rest for a bit. I’ll post more when I make some more progress.

    The following is the relevant output from my terminal session on my Solaris 10 box:

    bash-3.00# ldapclient manual -v -a domainName=foo.bar
    -a serviceSearchDescriptor=passwd:cn=users,dc=foo,dc=bar
    -a serviceSearchDescriptor=group:cn=groups,dc=foo,dc=bar
    -a authenticationMethod=none -a credentialLevel=proxy
    -a defaultSearchBase=dc=foo,dc=bar
    -a searchTimeLimit=60
    -a proxyDN=uid=root,cn=users,dc=foo,dc=bar
    -a proxyPassword=password 172.1.1.10
    Parsing domainName=foo.bar
    Parsing serviceSearchDescriptor=passwd:cn=users,dc=foo,dc=bar
    Parsing serviceSearchDescriptor=group:cn=groups,dc=foo,dc=bar
    Parsing authenticationMethod=none
    Parsing credentialLevel=proxy
    Parsing defaultSearchBase=dc=foo,dc=bar
    Parsing searchTimeLimit=60
    Parsing profileTTL=3600
    Parsing proxyDN=uid=root,cn=users,dc=foo,dc=bar
    Parsing proxyPassword=password
    Arguments parsed:
    authenticationMethod: none
    defaultSearchBase: dc=foo,dc=bar
    credentialLevel: proxy
    domainName: foo.bar
    proxyDN: uid=root,cn=users,dc=foo,dc=bar
    profileTTL: 3600
    searchTimeLimit: 60
    serviceSearchDescriptor:
    arg[0]: passwd:cn=users,dc=foo,dc=bar
    arg[1]: group:cn=groups,dc=foo,dc=bar
    proxyPassword: password
    defaultServerList: 192.168.50.46
    Handling manual option
    Manual aborted: profileTTL is not supported in manual mode.
    <=60 -a proxyDN=uid=root,cn=users,dc=foo,dc=bar -a proxyPassword=password 1>
    Parsing domainName=foo.bar
    Parsing serviceSearchDescriptor=passwd:cn=users,dc=foo,dc=bar
    Parsing serviceSearchDescriptor=group:cn=groups,dc=foo,dc=bar
    Parsing authenticationMethod=none
    Parsing credentialLevel=proxy
    Parsing defaultSearchBase=dc=foo,dc=bar
    Parsing searchTimeLimit=60
    Parsing proxyDN=uid=root,cn=users,dc=foo,dc=bar
    Parsing proxyPassword=password
    Arguments parsed:
    authenticationMethod: none
    defaultSearchBase: dc=foo,dc=bar
    credentialLevel: proxy
    domainName: foo.bar
    proxyDN: uid=root,cn=users,dc=foo,dc=bar
    searchTimeLimit: 60
    serviceSearchDescriptor:
    arg[0]: passwd:cn=users,dc=foo,dc=bar
    arg[1]: group:cn=groups,dc=foo,dc=bar
    proxyPassword: password
    defaultServerList: 192.168.50.46
    Handling manual option
    Proxy DN: uid=root,cn=users,dc=foo,dc=bar
    Proxy password: {NS1} 1a2b3c4d5e6f7g8h
    Credential level: 1
    Authentication method: 0
    No proxyDN/proxyPassword required
    About to modify this machines configuration by writing the files
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: network/smtp:sendmail… success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: system/name-service-cache:default… success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default… success
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is “foo.bar”
    file_backup: stat(/var/yp/binding/foo.bar)=-1
    file_backup: No /var/yp/binding/foo.bar directory.
    file_backup: stat(/var/ldap/ldap_client_file)=0
    file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
    file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
    Starting network services
    start: /usr/bin/domainname foo.bar… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: sleep 400000 microseconds
    start: network/ldap/client:default… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: system/filesystem/autofs:default… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: system/name-service-cache:default… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: network/smtp:sendmail… success
    restart: sleep 100000 microseconds
    restart: sleep 200000 microseconds
    restart: milestone/name-services:default… success
    System successfully configured
    bash-3.00# listusers
    ldapuser1
    ldapuser2
    ldapuser3
    jerky local test Solaris user
    noaccess No Access User
    nobody NFS Anonymous Access User
    nobody4 SunOS 4.x NFS Anonymous Access User

    regards,
    jerky

    PowerMac G4 Mac OS X Server (10.3.9) client Sun Fire v100 Solaris 10

    PowerBook G4 Mac OS X (10.4.5)


    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 11, 2006 12:35 PM in response to: Jerky

    Mike,

    I’ve messed around with pam a little bit but haven’t gotten it quite yet. RedHat makes this much easier. If you can recall what changes to pam you had made, could you post them? On the client side it is definitely trying to negotiate Kerberos authentication. When I try to ssh to my Solaris machine I get a new ticket for host/[email protected]. (Yes, I have created a keytab for it in the KDC.) At this point I think pam is getting in my way. I’m still searching and reading but thought it might be useful to see what someone else had come up with or was trying.

    regards,
    jerky

    PowerBook G4 Mac OS X (10.4.5)

    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 13, 2006 1:06 PM in response to: Jerky

    I can’t believe I didn’t catch this! I created a principal for the Solaris machine, exported it to a keytab, modified the Solaris /etc/pam.conf file (see far below for an excerpt), transferred the keytab via ssh from the OD machine to the Solaris host, but never placed it into the /etc/krb5 folder on the Solaris host. So I’ve been sitting on a working configuration for a few days now but didn’t realize how close I was. If you followed along with the above, the last piece of the puzzle is setting up Kerberos. You’ll need a keytab to use. I haven’t really spent the time to wrap my head around the why, but I’ve found it easier to just create the keytabs from a terminal session on the OD console. When I’ve tried to do it logged in via ssh I get errors like “Unknown credential cache type while opening default credentials cache”. I’m sure they mean something but it hasn’t been such a priority for me to figure it out. If you know, feel free to chime in with an explanation. The following is my terminal session output.

    Last login: Mon Mar 13 13:22:46 from 127.0.0.1
    Welcome to Darwin!
    od-server:~ adminuser$ sudo kadmin.local
    Authenticating as principal root/[email protected] with password.
    kadmin.local: listprincs
    K/[email protected]
    afpserver/[email protected]
    [email protected]



    pop/[email protected]
    smtp/[email protected]
    kadmin.local: addprinc -randkey host/[email protected]
    WARNING: no policy specified for host/[email protected]; defaulting to no policy
    Principal “host/[email protected]” created.
    kadmin.local: ktadd -k /tmp/host.solarishost.keytab host/[email protected]
    kadmin.local: quit
    od-server:~ adminuser$ scp /tmp/host.solarishost.keytab [email protected]:/somewhere/on/a/filesystem

    On the Solaris host you’ll need to copy the OD’s /Library/Preferences/edu.mit.kerberos file to /etc/krb5/krb5.conf on the Solaris host and copy/move that host.solarishost.keytab file to /etc/krb5/krb5.keytab. Just to be safe you might want to back up the existing /etc/krb5.conf file to something like /etc/krb5.conf.DIST.

    I think this should be everything you need to get the Solaris host using OD’s LDAP directory (authorization) and Kerberos realm (authentication). Keep in mind LDAP is by default a clear-text protocol, so I’d strongly recommend using SSL. I plan on collecting this into a coherent HOWTO and at that time I’ll add in the SSL bits and improve the method if possible. It would be nice if the authorization info from LDAP could be sucked down without a “proxy user”; then the only password-type info transmitted on the wire is the Kerberos transaction, which is encrypted anyhow.

    Hope this helps,

    jerky

    Excerpt from Solaris /etc/pam.conf file

    # Authentication management
    #
    # login service (explicit because of pam_dial_auth)
    #
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    #login auth required pam_unix_auth.so.1
    login password sufficient pam_krb5.so.1
    login auth required pam_dial_auth.so.1
    login auth required pam_ldap.so.1



    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password sufficient pam_krb5.so.1
    other password required pam_authtok_store.so.1

    PowerBook G4 Mac OS X (10.4.5)

    PowerMac G4 Mac OS X (10.3.9) Client Sun Fire v100 Solaris 10


    Mike Ingram

    Posts: 7
    Registered: Jan 5, 2005
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 23, 2006 2:19 PM in response to: Jerky

    Excellent ! This is all starting to come together. I actually got the Solaris 9 box to log in to the Kerberos realm and got the home directory mounted from the Mac Server box, and the users can actually create files. So now I have single sign-on for Solaris, Windows and OSX !! The only thing I had to alter from your instructions was in the creation of the keytab for the Solaris machine… seems that Solaris 9 only likes a des-cbc-crc key, so I had to do something like

    addprinc -randkey -e "des-cbc-crc:normal" host/[email protected]

    and ktadd -k /tmp/solariskey.keytab -e "des-cbc-crc:normal" host/[email protected]

    I still have something hosed in my /etc/pam.conf file as it asks me for the password and the LDAP password, but we’re making progress..

    many thanks, and I’ll post my /etc/pam.conf file when I get it ironed out.

    PowerBook G4 (15-inch Titanium Mac OS X (10.4.5)

    PowerBook G4 (15-inch Titanium Mac OS X (10.3.7)

    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 24, 2006 11:35 AM in response to: Mike Ingram

    That’s great Mike. I was curious so I looked into that des keytab issue and triple DES isn’t supported by Solaris 9’s SEAM. Solaris 10’s SEAM is the first release to support it.

    http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/febf8204c96399d8/43d7e86f28849819?lnk=st&q=Solaris+9+SEAM+3des&rnum=1#43d7e86f28849819

    It’s not as important but something that I haven’t gotten working yet is 100% LDAP authentication. If I try to log onto the Sun’s console (or ssh without a TGT) as an OD user it doesn’t work. I get some error logged about no legal LDAP authentication methods. Is that what you are trying to get worked in with pam? If it helps I can post my entire pam.conf file.

    So are you automounting the homes on the Solaris box or do you just have a static nfs mount? I take it they are coming from the Mac OS server via NFS.

    jerky

    PowerMac G4 Mac OS X Server (10.3.9) Solaris 10 client

    PowerBook G4 Mac OS X (10.4.5)

    Mike Ingram

    Posts: 7
    Registered: Jan 5, 2005
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Apr 3, 2006 11:27 AM in response to: Jerky

    Wow, it all seems to be working. I found an example pam.conf file at:

    http://www.ofb.net/~jheiss/krbldap/files/pam.conf-9 and it’s working for console access and for ssh.

    I used a fixed mount point to mount

    zeus:/Users

    at

    /Network/Servers/zeus.foo.bar/Users

    and having setup NFS exports for the home directories, the User area is mounted ok on the Sun.

    Here is the pam.conf file in case the link above is busted or goes away:
    ==================
    # PAM configuration
    #
    # Customized to try pam_unix, then pam_krb5
    #
    # Unless explicitly defined, all services use the modules
    # defined in the “other” section.
    #
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    #
    # Authentication
    #
    # passwd command (explicit because of a different authentication module)
    #
    passwd auth required pam_passwd_auth.so.1
    #
    # Default definition for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    # management
    #
    other auth requisite pam_authtok_get.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth required pam_krb5.so.1 use_first_pass
    #
    # Account
    #
    # cron service (explicit because of non-usage of pam_roles.so.1)
    #
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # See notes about pam_krb5 in “other” section below
    cron account optional pam_krb5.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account required pam_unix_account.so.1
    # According to the pam_krb5 man page, this checks for password expiration.
    # I’m not sure this does anything since I’ve flagged it as optional.
    # I’m not sure if I can make it required because of root.
    other account optional pam_krb5.so.1
    #
    # Session
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    other session optional pam_krb5.so.1
    other session required pam_unix_session.so.1
    #
    # Password
    #
    # (Don’t list pam_krb5 here, this section is only for root. Regular
    # users must use the centralized department password changing mechanism.)
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    #
    ==========

    Thanks for your help, hope this helps.

    Mike
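Two practical points come up in the thread above: chwilk’s warning that the Solaris setup tools rewrite /etc/nsswitch.conf (ldapclient backs it up and replaces it, as the verbose run shows), and jerky’s note that the ldapclient proxy credential and the host keytab carry secrets while LDAP itself goes over the wire in clear text. The script below is an added example, not code posted in the thread and not part of Solaris or Open Directory; it audits both points. It runs against constructed copies of the files in a scratch directory, and the path arguments, the lists of databases checked and the 0600 expectation are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ldapclient-configured Solaris host.
#  1. Report the sources /etc/nsswitch.conf names for each database, so that a
#     rewrite by ldapclient (which backs up and replaces the file) is caught:
#     passwd/group should consult ldap, netgroup/automount/hosts should keep nis.
#  2. Check that the ldapclient proxy credential and the host keytab are 0600,
#     since both hold secrets that LDAP would otherwise carry in clear text.
# All paths are parameters (assumption: the caller passes the real files or
# scratch copies); the database lists are assumptions for illustration.

# nss_sources DB FILE: print the source list for database DB, e.g. "files ldap"
nss_sources() {
    sed -e 's/#.*//' "$2" | awk -v db="$1" '
        index($0, db) == 1 {
            rest = substr($0, length(db) + 1)
            if (rest ~ /^[[:space:]]*:/) {
                sub(/^[[:space:]]*:[[:space:]]*/, "", rest)
                sub(/[[:space:]]+$/, "", rest)
                print rest
                exit
            }
        }'
}

# nss_uses DB SOURCE FILE: succeed if SOURCE is one of the sources listed for DB
nss_uses() {
    for tok in $(nss_sources "$1" "$3"); do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# secret_file_ok FILE: succeed if FILE exists and is readable/writable by its owner only
secret_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# audit_host NSSWITCH CRED KEYTAB: one line per check; fails if any check fails
audit_host() {
    nss=$1 cred=$2 keytab=$3 rc=0
    for db in passwd group; do
        if nss_uses "$db" ldap "$nss"; then echo "ok   $db: $(nss_sources "$db" "$nss")"
        else echo "FAIL $db does not consult ldap: $(nss_sources "$db" "$nss")"; rc=1; fi
    done
    for db in netgroup automount hosts; do
        if nss_uses "$db" nis "$nss"; then echo "ok   $db: $(nss_sources "$db" "$nss")"
        else echo "FAIL $db lost its nis source (rewritten?): $(nss_sources "$db" "$nss")"; rc=1; fi
    done
    for f in "$cred" "$keytab"; do
        if secret_file_ok "$f"; then echo "ok   $f is mode 0600"
        else echo "FAIL $f is missing or readable by others"; rc=1; fi
    done
    return $rc
}

# write_samples DIR: constructed inputs, not copied from any real host
write_samples() {
    cat > "$1/nsswitch.good" <<'EOF'
# constructed: users and groups from OD, everything else still from NIS
passwd:     files ldap
group:      files ldap
hosts:      files nis dns
netgroup:   nis
automount:  files nis
EOF
    cat > "$1/nsswitch.bad" <<'EOF'
# constructed: the nis sources have been replaced by ldap
passwd:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap
automount:  files ldap
EOF
    printf 'constructed\n' > "$1/ldap_client_cred";  chmod 600 "$1/ldap_client_cred"
    printf 'constructed\n' > "$1/krb5.keytab";       chmod 600 "$1/krb5.keytab"
    printf 'constructed\n' > "$1/krb5.keytab.loose"; chmod 644 "$1/krb5.keytab.loose"
}

# demo: audit the good and the bad layout; succeeds only if the audit tells them apart
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    good=0; bad=0
    echo "== desired layout ==";   audit_host "$d/nsswitch.good" "$d/ldap_client_cred" "$d/krb5.keytab" || good=$?
    echo "== rewritten / loose =="; audit_host "$d/nsswitch.bad"  "$d/ldap_client_cred" "$d/krb5.keytab.loose" || bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo
```

On a real host, call audit_host with /etc/nsswitch.conf, /var/ldap/ldap_client_cred and /etc/krb5/krb5.keytab after every ldapclient run; the first loop tells you whether passwd and group now consult ldap, the second whether netgroup, automount and hosts kept the nis source you wanted, and the last whether the two secret-bearing files are still owner-only.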

    #367927
    jerkyjerk
    Participant

    PITA might be an understatement, but I hear you. Apparently Solaris 10 isn’t really any better than Solaris 9, since everything still revolves around that damn ldapclient utility. The only improvement/difference I really noticed was in Kerberos/SEAM, since 9 only supports DES while 10 supports 3DES and IIRC AES. Several times I had thought of “cheating” and just compiling my own OpenLDAP and Kerberos binaries but chose to stick it out, work through it and use the Sun-supplied versions for better patch supportability. I didn’t want to have to constantly rebuild OpenLDAP and Kerberos myself. After working on getting this same thing working on a RedHat clone distro, I was amazed at how convoluted, and bordering on sadistic, the whole process is in Solaris. The Linux camp (or at least the RedHat team, in my experience) is light years ahead of them in configuration simplicity, and it seems not much has changed since the older version 7 (circa 2000??) with regards to their auth-config tools. The other commercial UNIXes aren’t any better than Sun. I’ve spent some time (albeit less) with IRIX, HP-UX and AIX. IRIX is the only other commercial UNIX I had success with. I will say HP’s and IBM’s LDAP clients are a PITA as well. IIRC they want special schema extensions.

    Were you trying to get ldap auth working or going the whole SSO route with kerberos? LDAP auth was still kind of eluding me but I got distracted and never revisited it since kerberos auth was working properly and ldap was doing its thing providing the user/authorization info. It was good enough for my purposes.

    #373535
    bowmasters
    Participant

    This is a pretty old topic, but I’m trying to accomplish the same thing, except I’m not using Kerberos.

    I followed the discussion and thus far I am able to see the directory users on the Solaris machine with “listusers” and “getent passwd”. I can even “su” to one of the users and it almost works. I get the following error:

    [code]
    -bash-3.2# su odadmin
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
    bash: /root/.bashrc: Permission denied
    [/code]

    It did switch users, however, for when I run “whoami”, I get the directory user I switched to:

    [code]bash-3.2$ whoami
    odadmin
    [/code]

    The question now is: is this something that can be solved / is worth the effort to figure out, or should I just do as others have done and just install OpenLDAP? If it is the latter, then can someone direct me as to where I should begin or tell me how to compile and install it?

    Thanks a billion

    #373540
    bowmasters
    Participant

    Well what ends up happening is I still get the message “/root/.bashrc: Permission denied”

    It looks like it isn’t actually loading the proper profile information for the user. If I issue the command “cd ~” it tries to cd to /root:

    [code]bash-3.2$ cd ~
    bash: cd: /root: Permission denied

    [/code]

    Other machines bound to this LDAP server don’t have this problem. They correctly cd to the home directory specified in the LDAP profile.

    Also, when I try to su to the directory user from a non-root privileged shell it asks for a password, but simply tells me “Sorry” regardless of whether I entered it right or not.

    #374024
    gadavis
    Participant

    Sorry for the thread necromancy here…

    The su command does not replace the environment of the user unless you give it the “-” option, like so:

    [code]
    su - odadmin
    [/code]

    This behavior is consistent on any UNIX platform whether you are using LDAP, NIS, or plain old /etc/passwd. As one of the previous posters pointed out, it looks like you are getting your group membership information just fine, but the directory /root is not group or world readable (which is a good thing).

    You should be able to, as root, type “ls -ld /root” and see the directory permissions. Then after you have run the su command, type “groups” and you should see all of the groups that your odadmin user is a member of. Chances are that it’s either not a member of the group root or that the permissions for /root are “drwx------”.
