
[PATCHSET] Samba AD with MIT Kerberos


Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Wed, 2017-04-26 at 08:21 +0200, Andreas Schneider via samba-
technical wrote:

> On Tuesday, 25 April 2017 22:39:39 CEST Jeremy Allison wrote:
> > >     Your autobuild on sn-devel-144 has succeeded after 244.0
> > > minutes.
> > >
> > > Please review.
> >
> > Just a few minor nits I've found so far.
> >
>
> Thank you very much, updated patchset which addresses these things
> attached.

Thanks for all your patience on this.

Can we please get defaults into the smb.conf manpage for the new
parameters in the same way as we do for "lock directory"?

(I did ask for this previously).

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Wednesday, 26 April 2017 11:08:47 CEST Andrew Bartlett wrote:

> On Wed, 2017-04-26 at 08:21 +0200, Andreas Schneider via samba-
>
> technical wrote:
> > On Tuesday, 25 April 2017 22:39:39 CEST Jeremy Allison wrote:
> > > >     Your autobuild on sn-devel-144 has succeeded after 244.0
> > > > minutes.
> > > >
> > > > Please review.
> > >
> > > Just a few minor nits I've found so far.
> >
> > Thank you very much, updated patchset which addresses these things
> > attached.
>
> Thanks for all your patience on this.
>
> Can we please get defaults into the smb.conf manpage for the new
> parameters in the same way as we do for "lock directory"?
>
> (I did ask for this previously).
Updated patchset attached.

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

master-mit-kdc_2017-04-26_2.patch.txt (220K) Download Attachment

Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Wed, Apr 26, 2017 at 12:14:42PM +0200, Andreas Schneider wrote:

> On Wednesday, 26 April 2017 11:08:47 CEST Andrew Bartlett wrote:
> > On Wed, 2017-04-26 at 08:21 +0200, Andreas Schneider via samba-
> >
> > technical wrote:
> > > On Tuesday, 25 April 2017 22:39:39 CEST Jeremy Allison wrote:
> > > > >     Your autobuild on sn-devel-144 has succeeded after 244.0
> > > > > minutes.
> > > > >
> > > > > Please review.
> > > >
> > > > Just a few minor nits I've found so far.
> > >
> > > Thank you very much, updated patchset which addresses these things
> > > attached.
> >
> > Thanks for all your patience on this.
> >
> > Can we please get defaults into the smb.conf manpage for the new
> > parameters in the same way as we do for "lock directory"?
> >
> > (I did ask for this previously).
>
> Updated patchset attached.

Last few comments before I will push (honest :-).

patch 11 - MIT KRB5 based irpc service
PATCH 32 - s4-kdc: Add MIT Kerberos specific kpasswd code:

Both need reformat to < 80 columns (I can do this for
you if you like, I was planning to for the push then
I came across the comment below :-).

In [PATCH 48/51] s4-kdc: Implement mit_samba_get_repac():

+       krbtgt_skdc_entry =
+               talloc_get_type_abort(krbtgt->e_data,
+                                     struct samba_kdc_entry);
+
+       tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
+       if (!tmp_ctx) {
+               return ENOMEM;
+       }
+
+       code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
+                                    &is_in_db,
+                                    &is_untrusted);
+       if (code != 0) {
+               goto done;
+       }
+
+       if (is_untrusted) {
+               if (client == NULL) {
+                       return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+               }
+
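
Review bot: the `return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;` inside the `if (client == NULL)` branch leaves the function directly after `tmp_ctx` has been allocated, while the `samba_krbtgt_is_in_db()` failure just above it goes through `goto done`; assign the value to `code` and `goto done` here as well, so this path gets the same cleanup. The branch also returns a Kerberos error code where the allocation failure returns `ENOMEM`, so the declared return type should be one that covers both. The talloc name "mit_samba_reget_pac context" does not match the function name given in the patch subject, `mit_samba_get_repac()`; using the same spelling makes a talloc report easier to trace back.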

All other returns are POSIX errno values. What does
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN map to here ?

Also, you've allocated tmp_ctx by this point, so
this error return should be a:

code = XXXX
goto done;

I would have fixed and pushed for you, but I realized
I don't know what the mapping for KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN -> errno
value should be.

In [PATCH 51/51] mit_samba: Fix principal lookup for cross domain referral

You delete the comment:

       case SDB_ERR_WRONG_REALM:
-               /*
-                * If we have a wrong realm e.g. if we try get a cross forest
-                * ticket, we return a ticket with the correct realm. The KDC
-                * will detect this an return the appropriate return code.
-                */
-               ret = 0;
-               break;
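
Review bot: with `ret = 0;` and `break;` removed under `case SDB_ERR_WRONG_REALM:`, the case no longer has a visible terminator or an explanation of what a wrong-realm lookup returns. The replacement logic should end this case with its own `break` or return so it cannot fall through to the next label, and should carry a comment stating what is returned to the KDC for a wrong realm and why, since the deleted comment was the only description of that behaviour.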

and then add lots of logic below. Can you add some comments
to the new logic, as I don't understand what it is doing
there, sorry (EREVIEWERTOOSTUPID :-).

Cheers,

        Jeremy.


Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Wednesday, 26 April 2017 18:56:29 CEST Jeremy Allison wrote:

> On Wed, Apr 26, 2017 at 12:14:42PM +0200, Andreas Schneider wrote:
> > On Wednesday, 26 April 2017 11:08:47 CEST Andrew Bartlett wrote:
> > > On Wed, 2017-04-26 at 08:21 +0200, Andreas Schneider via samba-
> > >
> > > technical wrote:
> > > > On Tuesday, 25 April 2017 22:39:39 CEST Jeremy Allison wrote:
> > > > > >     Your autobuild on sn-devel-144 has succeeded after 244.0
> > > > > >
> > > > > > minutes.
> > > > > >
> > > > > > Please review.
> > > > >
> > > > > Just a few minor nits I've found so far.
> > > >
> > > > Thank you very much, updated patchset which addresses these things
> > > > attached.
> > >
> > > Thanks for all your patience on this.
> > >
> > > Can we please get defaults into the smb.conf manpage for the new
> > > parameters in the same way as we do for "lock directory"?
> > >
> > > (I did ask for this previously).
> >
> > Updated patchset attached.
>
> Last few comments before I will push (honest :-).
>
> patch 11 - MIT KRB5 based irpc service
> PATCH 32 - s4-kdc: Add MIT Kerberos specific kpasswd code:
>
> Both need reformat to < 80 columns (I can do this for
> you if you like, I was planning to for the push then
> I came across the comment below :-).
Ok, I reformatted patch 11 but it has very long variable names. So you have to
choose either code readability or be below < 80.

I reformatted a bit but I think the if-statement is harder to read now. I've
added parentheses to make it a bit easier.



>
> In [PATCH 48/51] s4-kdc: Implement mit_samba_get_repac():
>
> +       krbtgt_skdc_entry =
> +               talloc_get_type_abort(krbtgt->e_data,
> +                                     struct samba_kdc_entry);
> +
> +       tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
> +       if (!tmp_ctx) {
> +               return ENOMEM;
> +       }
> +
> +       code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
> +                                    &is_in_db,
> +                                    &is_untrusted);
> +       if (code != 0) {
> +               goto done;
> +       }
> +
> +       if (is_untrusted) {
> +               if (client == NULL) {
> +                       return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
> +               }
> +
>
> All other returns are POSIX errno values. What does
> KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN map to here ?
The function signature is wrong. It should return krb5_error_code. When we
call the function we handle the return code as krb5_error_code. A
krb5_error_code can be a POSIX error number. I've fixed the function.

> Also, you've allocated tmp_ctx by this point, so
> this error return should be a:
>
> code = XXXX
> goto done;
>
> I would have fixed and pushed for you, but I realized
> I don't know what the mapping for KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN -> errno
> value should be.

I've fixed it. The variable 'code' is already krb5_error_code. So the function
needs to return krb5_error_code. It is not a problem because krb5_error_code
is an int.

> In [PATCH 51/51] mit_samba: Fix principal lookup for cross domain referral
>
> You delete the comment:
>
>        case SDB_ERR_WRONG_REALM:
> -               /*
> -                * If we have a wrong realm e.g. if we try get a cross
> forest -                * ticket, we return a ticket with the correct
> realm. The KDC -                * will detect this an return the
> appropriate return code. -                */
> -               ret = 0;
> -               break;
>
> and then add lots of logic below. Can you add some comments
> to the new logic, as I don't understand what it is doing
> there, sorry (EREVIEWERTOOSTUPID :-).
I've documented it.


Updated patchset attached. Thanks for the review!


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

master-mit-kdc_2017-04-27.patch.txt (221K) Download Attachment
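
The error-path point discussed in the two messages above (a direct return after the scratch context exists, versus setting `code` and jumping to `done`), as an added example that is not code from the patchset or from Samba. It assumes a malloc-backed stand-in for talloc, a constructed placeholder error value, hypothetical function names, and that the `done` label is where the scratch context is released.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins, all hypothetical: the error type is modelled as int (the thread
 * notes krb5_error_code is an int), and EX_PRINCIPAL_UNKNOWN is a constructed
 * placeholder for a non-errno Kerberos code, not the value from krb5.h. */
typedef int ex_error_code;
#define EX_PRINCIPAL_UNKNOWN (-1000)

static int live_ctx; /* scratch contexts not yet released; makes a leak visible */

static void *ctx_new(void) /* plays the role of the talloc_named() call */
{
	void *p = malloc(16);
	if (p != NULL) {
		live_ctx++;
	}
	return p;
}

static void ctx_free(void *p)
{
	if (p != NULL) {
		live_ctx--;
		free(p);
	}
}

int leaked_contexts(void)
{
	return live_ctx;
}

/* Shape questioned in review: a direct return after the allocation. */
ex_error_code reget_pac_early_return(int is_untrusted, const void *client)
{
	void *tmp_ctx = ctx_new();

	if (tmp_ctx == NULL) {
		return ENOMEM; /* nothing to release yet, direct return is fine */
	}
	if (is_untrusted && client == NULL) {
		return EX_PRINCIPAL_UNKNOWN; /* tmp_ctx is never released */
	}
	ctx_free(tmp_ctx);
	return 0;
}

/* Shape asked for in review: set code, then leave through the single exit. */
ex_error_code reget_pac_single_exit(int is_untrusted, const void *client)
{
	ex_error_code code = 0;
	void *tmp_ctx = ctx_new();

	if (tmp_ctx == NULL) {
		return ENOMEM;
	}
	if (is_untrusted && client == NULL) {
		code = EX_PRINCIPAL_UNKNOWN;
		goto done;
	}
	/* the real work on tmp_ctx would happen here */
done:
	ctx_free(tmp_ctx); /* every path after the allocation passes here */
	return code;
}

int main(void)
{
	reget_pac_single_exit(1, NULL);
	printf("single exit:  %d context(s) outstanding\n", leaked_contexts());
	reget_pac_early_return(1, NULL);
	printf("early return: %d context(s) outstanding\n", leaked_contexts());
	return 0;
}
```
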

Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Thu, 2017-04-27 at 09:36 +0200, Andreas Schneider wrote:
>
> Updated patchset attached. Thanks for the review!
>
>

Thanks Andreas and Jeremy for all the hard work here.

I'll have this on my list of things to look at on flights to SambaXP,
but please don't wait for more feedback from me if you can get a review
from Jeremy, as I think everything I've been worried about has been
addressed enough.

The only quibble I can think of is I would like to have the minimum for
--without-ad-dc printed in the error message, so folks hitting it
realise that this has a lower requirement before they either come here
to complain or start upgrading their platform krb5.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Thursday, 27 April 2017 09:51:08 CEST Andrew Bartlett wrote:

> On Thu, 2017-04-27 at 09:36 +0200, Andreas Schneider wrote:
> > Updated patchset attached. Thanks for the review!
>
> Thanks Andreas and Jeremy for all the hard work here.
>
> I'll have this on my list of things to look at on flights to SambaXP,
> but please don't wait for more feedback from me if you can get a review
> from Jeremy, as I think everything I've been worried about has been
> addressed enough.
>
> The only quibble I can think of is I would like to have the minimum for
> --without-ad-dc printed in the error message, so folks hitting it
> realise that this has a lower requirement before they either come here
> to complain or start upgrading their platform krb5.
Good idea, this is what is printed now:

ERROR: MIT KRB5 build with Samba AD requires at least 1.15.1. 1.14 has been
found and cannot be used
ERROR: If you want to just build Samba FS use the option --without-ad-dc which
requires version 1.9
ERROR: You may try to build with embedded Heimdal Kerebros by not specifying
--with-system-mitkrb5



New patchset attached.


Thanks,


        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

master-mit-kdc_2017-04-27_2.patch.txt (221K) Download Attachment

Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Thu, 2017-04-27 at 11:08 +0200, Andreas Schneider wrote:

> On Thursday, 27 April 2017 09:51:08 CEST Andrew Bartlett wrote:
> > On Thu, 2017-04-27 at 09:36 +0200, Andreas Schneider wrote:
> > > Updated patchset attached. Thanks for the review!
> >
> > Thanks Andreas and Jeremy for all the hard work here.
> >
> > I'll have this on my list of things to look at on flights to
> > SambaXP,
> > but please don't wait for more feedback from me if you can get a
> > review
> > from Jeremy, as I think everything I've been worried about has been
> > addressed enough.
> >
> > The only quibble I can think of is I would like to have the minimum
> > for
> > --without-ad-dc printed in the error message, so folks hitting it
> > realise that this has a lower requirement before they either come
> > here
> > to complain or start upgrading their platform krb5.
>
> Good idea, this is what is printed now:
>
> ERROR: MIT KRB5 build with Samba AD requires at least 1.15.1. 1.14
> has been 
> found and cannot be used
> ERROR: If you want to just build Samba FS use the option --without-
> ad-dc which 
> requires version 1.9
> ERROR: You may try to build with embedded Heimdal Kerebros by not
> specifying 
> --with-system-mitkrb5
>

Much better!

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Thursday, 27 April 2017 11:55:27 CEST Andrew Bartlett via samba-technical
wrote:
> Much better!
>

The auth_log tests have been only developed for Heimdal. So I needed to
disable them. It is the first commit of the attached patchset.

I ran the testsuite again on Fedora:

ALL OK (14265 tests in 2045 testsuites)


I wasn't able to run it on openSUSE again, because I had a failing test and
debugged that first, but that issue is not MIT related!


Thanks,


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

master-mit-kdc_2017-04-28.patch.txt (223K) Download Attachment

Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Fri, 2017-04-28 at 13:41 +0200, Andreas Schneider wrote:
> On Thursday, 27 April 2017 11:55:27 CEST Andrew Bartlett via samba-
> technical 
> wrote:
> > Much better!
> >
>
> The auth_log tests have been only developed for Heimdal. So I needed
> to 
> disable them. It is the first commit of the attached patchset.

Shouldn't they be in the MIT knownfail?  Surely it isn't that they
don't operate, it is just that the MIT KDC isn't triggering the event
messages (because it is not hooked in)?

We should sit down at SambaXP and work out what is required to get
these going, it would be unfortunate not to have this correctly
supported for production use.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Sat, Apr 29, 2017 at 01:21:55PM +1000, Andrew Bartlett wrote:

> On Fri, 2017-04-28 at 13:41 +0200, Andreas Schneider wrote:
> > On Thursday, 27 April 2017 11:55:27 CEST Andrew Bartlett via samba-
> > technical 
> > wrote:
> > > Much better!
> > >
> >
> > The auth_log tests have been only developed for Heimdal. So I needed
> > to 
> > disable them. It is the first commit of the attached patchset.
>
> Shouldn't they be in the MIT knownfail?  Surely it isn't that they
> don't operate, it is just that the MIT KDC isn't triggering the event
> messages (because it is not hooked in)?
>
> We should sit down at SambaXP and work out what is required to get
> these going, it would be unfortunate not to have this correctly
> supported for production use.

Can we fix this after Andreas's patch goes in ? He has suffered
enough on this one :-).

Let's fix up loose ends once it's in master IMHO.


Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Fri, 2017-04-28 at 20:57 -0700, Jeremy Allison wrote:
>
> Can we fix this after Andreas's patch goes in ? He has suffered
> enough on this one :-).

I guess so ;-)

> Let's fix up loose ends once it's in master IMHO.

Sure.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Saturday, 29 April 2017 06:37:19 CEST Andrew Bartlett wrote:

> On Fri, 2017-04-28 at 20:57 -0700, Jeremy Allison wrote:
> > Can we fix this after Andreas's patch goes in ? He has suffered
> > enough on this one :-).
>
> I guess so ;-)
>
> > Let's fix up loose ends once it's in master IMHO.
>
> Sure.
>
> Andrew Bartlett

I've pushed the patchset with:

    Reviewed-by: Andrew Bartlet <[hidden email]>
    Reviewed-by: Jeremy Allison <[hidden email]>


Thanks for your time and help getting this cleaned up and upstream. I'm
looking forward to seeing you next week!


Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Fri, 2017-04-28 at 13:41 +0200, Andreas Schneider via samba-
technical wrote:

> On Thursday, 27 April 2017 11:55:27 CEST Andrew Bartlett via samba-
> technical 
> wrote:
> > Much better!
> >
>
> The auth_log tests have been only developed for Heimdal. So I needed
> to 
> disable them. It is the first commit of the attached patchset.
>
> I ran the testsuite again on Fedora:
>
> ALL OK (14265 tests in 2045 testsuites)
>
>
> I wasn't able to run it on openSUSE again, because I had a failing
> test and 
> debugged that first, but that issue is not MIT related!

I finally got the chance to do the re-review over the latest set of
changes.

In: [PATCH 01/52] s4:selftest: Only run auth_log tests with Heimdal

(as mentioned earlier, but just so you only have to work over one list)

This should be a knownfail I think.

In: [PATCH 10/52] param: Add 'mit kdc command' to change the default.

As you probably noticed in autobuild, setting the default for Heimdal
is wrong.  I think the entity should be defined as "", but with some
text in the docs to say that this only applies to an MIT build.  The
main wrinkle comes from the pre-built docs used for the website and
those platforms like debian where xsltproc blows up, they need a
reasonable value (eg the /usr/sbin/krb5kdc you have) written into docs-
xml/smbdotconf/generate-file-list.sh.  This is reproduced with "make
dist"

[1(0)/1 at 0s] samba.tests.docs
UNEXPECTED(failure):
samba.tests.docs.samba.tests.docs.SmbDotConfTests.test_default_s3(none)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/data/samba/git/samba-push/bin/python/samba/tests/docs.py",
line 157, in test_default_s3
    self._test_default(['bin/testparm'])
  File "/data/samba/git/samba-push/bin/python/samba/tests/docs.py",
line 205, in _test_default
    "Parameters that do not have matching defaults:"))
AssertionError: Parameters that do not have matching defaults:

    mit kdc command
      Expected: /usr/sbin/krb5kdc
      Got:
UNEXPECTED(failure):
samba.tests.docs.samba.tests.docs.SmbDotConfTests.test_default_s4(none)

In: [PATCH 41/52] python: Add provisioning support for MIT KDC in
 samba-tool

You still reference _glue directly, not via samba.

In: [PATCH 42/52] waf: Move python build instructions to wscript

Why do you need this patch?  I can't see what the purpose is, so could
you extend the commit message?

The final quibble I have is that I don't like, but don't really have an
alternative to, the different tests for the different Kerberos
platforms.  I fear we may update one and not the other (as happens
already with the two backupkey servers).  Any efforts to further merge
these would be most welcome.

I trust we can sort out these last issues soon.  You have worked hard,
and I'm really excited to see this land in master soon.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHSET] Samba AD with MIT Kerberos

Samba - samba-technical mailing list
On Saturday, 29 April 2017 23:26:34 CEST Andrew Bartlett wrote:

> On Fri, 2017-04-28 at 13:41 +0200, Andreas Schneider via samba-
>
> technical wrote:
> > On Thursday, 27 April 2017 11:55:27 CEST Andrew Bartlett via samba-
> > technical
> >
> > wrote:
> > > Much better!
> >
> > The auth_log tests have been only developed for Heimdal. So I needed
> > to
> > disable them. It is the first commit of the attached patchset.
> >
> > I ran the testsuite again on Fedora:
> >
> > ALL OK (14265 tests in 2045 testsuites)
> >
> >
> > I wasn't able to run it on openSUSE again, because I had a failing
> > test and
> > debugged that first, but that issue is not MIT related!
>
> I finally got the chance to do the re-review over the latest set of
> changes.
>
> In: [PATCH 01/52] s4:selftest: Only run auth_log tests with Heimdal
>
> (as mentioned earlier, but just so you only have to work over one list)
>
> This should be a knownfail I think.

I think we should look into it and check what exactly is missing with MIT
Kerberos. It might be that only the kinit is the problem.

Take a look at 31491f8bb407ebe5dd976b6d1cad3d7d31080bd4

> In: [PATCH 10/52] param: Add 'mit kdc command' to change the default.
>
> As you probably noticed in autobuild, setting the default for Heimdal
> is wrong.  I think the entity should be defined as "", but with some
> text in the docs to say that this only applies to an MIT build.  The
> main wrinkle comes from the pre-built docs used for the website and
> those platforms like debian where xsltproc blows up, they need a
> reasonable value (eg the /usr/sbin/krb5kdc you have) written into docs-
> xml/smbdotconf/generate-file-list.sh.  This is reproduced with "make
> dist"
>
> [1(0)/1 at 0s] samba.tests.docs
> UNEXPECTED(failure):
> samba.tests.docs.samba.tests.docs.SmbDotConfTests.test_default_s3(none)
> REASON: Exception: Exception: Traceback (most recent call last):
>   File "/data/samba/git/samba-push/bin/python/samba/tests/docs.py",
> line 157, in test_default_s3
>     self._test_default(['bin/testparm'])
>   File "/data/samba/git/samba-push/bin/python/samba/tests/docs.py",
> line 205, in _test_default
>     "Parameters that do not have matching defaults:"))
> AssertionError: Parameters that do not have matching defaults:
>
>     mit kdc command
>       Expected: /usr/sbin/krb5kdc
>       Got:
> UNEXPECTED(failure):
> samba.tests.docs.samba.tests.docs.SmbDotConfTests.test_default_s4(none)
>
> In: [PATCH 41/52] python: Add provisioning support for MIT KDC in
>  samba-tool
>
> You still reference _glue directly, not via samba.

Ok, I will check again, thanks!

> In: [PATCH 42/52] waf: Move python build instructions to wscript
>
> Why do you need this patch?  I can't see what the purpose is, so could
> you extend the commit message?
>
> The final quibble I have is that I don't like, but don't really have an
> alternative to, the different tests for the different Kerberos
> platforms.  I fear we may update one and not the other (as happens
> already with the two backupkey servers).  Any efforts to further merge
> these would be most welcome.

I can try, but we need to write a lot more functions like

31491f8bb407ebe5dd976b6d1cad3d7d31080bd4

for that.

>
> I trust we can sort out these last issues soon.  You have worked hard,
> and I'm really excited to see this land in master soon.

It is already in master, sorry.


But I think we can fix those things now too. Looking forward to meeting you on
Tuesday.


        Andreas
