  1. #1


    Binding script

    I am trying to use this script for binding mac clients (10.5.7) to AD and OD (10.5.7) to be included in the master image. However the script keeps giving me this error most of the time (works rarely):

    attribute status: eDSNodeNotFound
    DS Error: -14008 (eDSNodeNotFound)

    Strange thing is that it works sometimes, like when I make some small changes to the script, save it and run again through the terminal, on the exact same computer that it doesn't work. The binding to both AD & OD works fine though - it is only the search path for AD that does not get added automatically. HELP!

    Here is the script I am using:

    PHP Code:
    #!/bin/sh

    # Give the network time to come online
    logger "Sleeping 30 seconds"
    sleep 30
    systemsetup -setusingnetworktime off
    systemsetup -setnetworktimeserver myAD.com
    systemsetup -setusingnetworktime on

    # Set Bonjour and Computer Names
    logger "Setting Bonjour and Computer Names"
    computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }' | cut -c 7-19` # last 6 digits MAC Address
    computerid2="""$computerid"
    logger "Computer name is $computerid2"
    scutil --set LocalHostName "$computerid2"
    scutil --set ComputerName "$computerid2"
    sleep 3

    computerid=`/usr/sbin/scutil --get LocalHostName`

    # Standard parameters
    domain="myAD.com"
    udn="myAD admin"
    password="myAD password"
    ou="CN=Computers,DC=myAD,DC=com"
    la="local administrator"
    lp="local password"

    # Advanced options
    alldomains="enable"
    localhome="disable"
    protocol="smb"
    mobile="disable"
    mobileconfirm="disable"
    useuncpath="enable"
    user_shell="/bin/bash"
    preferred="-nopreferred"
    admingroups="myAD\Domain Admins,myAD\Enterprise Admins"

    ### End of configuration

    # Activate the AD plugin
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    sleep 20

    # Bind to LDAP
    dsconfigldap -v -f -a myOD.com -c OD_$computerid -n "myOD" -u "myOD admin" -p "myOD password" -l "local administrator" -q "local password"
    sleep 10

    # Bind to AD
    dsconfigad -f -a $computerid -domain $domain -u "$udn" -p "$password" -ou "$ou" -la "$la" -lp "$lp"

    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]; then
        dsconfigad -nogroups
    else
        dsconfigad -groups "$admingroups"
    fi

    dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
        -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
        -shell $user_shell $preferred

    # Restart DirectoryService (necessary to reload AD plugin activation settings)
    killall DirectoryService

    # Add the AD node to the search path
    if [ "$alldomains" = "enable" ]; then
        csp="/Active Directory/All Domains"
    else
        csp="/Active Directory/$domain"
    fi

    dscl /Search -read /
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl "Active Directory/All Domains" -list /Computers > /dev/null
    dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    dscl /Search -append / CSPSearchPath /LDAPv3/myOD.com
    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"

    # This works in a pinch if the above code does not
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/LDAPv3/myOD.com"
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
    defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
    defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 3

    plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist

    # Exit
    exit 0

    Could someone please tell me whats wrong with this script? Have been trying to fix it for so long but just can't seem to get this working properly. Thanks.

  2. #2
    skawarrior
    Not sure about errors in the script, it's a bit over my head unfortunately.

    However have you considered Deploy Studio for imaging? The creation of a workflow with the OD and AD binding is incredibly simple. It's basically a case of pointing it to the right server(s) and giving it correct admin credentials.

  3. Thanks to skawarrior from:

    jasonthat (14th July 2009)

  4. #3

    Thanks skawarrior. Nevermind I figured it out, it might have been because I did not add "sudo" to the dscl commands (that's strange even though we run the script as root) and also corrections to the writing of the SearchNodeConfig.plist files - we do not need to add LDAP search paths in there. These are the corrections that had to be made to the script (if it will help anyone):

    #Add LDAPv3 to od server
    odcsp="/LDAPv3/$odserver"
    # Bind to OD
    sleep 10
    dsconfigldap -v -f -a "$odserver" -n "$odserver" -c OD_$computerid -u $odudn -p "$odpassword"
    sleep 20
    sudo dscl "/Active Directory/All Domains" -list /Computers > /dev/null
    sleep 10
    sudo dscl /Search -append / CSPSearchPath "$csp"
    sudo dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
    sudo dscl /Search/Contacts -append / CSPSearchPath "$csp"
    sudo dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

    sudo dscl /Search -append / CSPSearchPath "$odcsp"
    sudo dscl /Search/Contacts -append / CSPSearchPath "$odcsp"

    # This works in a pinch if the above code does not
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
    #plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    #killall DirectoryService

    Yes we have been very much looking into the possibility of using Deploystudio for our imaging, but it has been put on the back burner for now, since we haven't had enough time to test it out before the start of the academic year. Thanks again for the reply!

  5. #4

    Quote Originally Posted by jasonthat View Post
    Thanks skawarrior. Nevermind I figured it out, it might have been because I did not add "sudo" to the dscl commands (that's strange even though we run the script as root) and also corrections to the writing of the SearchNodeConfig.plist files - we do not need to add LDAP search paths in there. These are the corrections that had to be made to the script (if it will help anyone):

    Yes we have been very much looking into the possibility of using Deploystudio for our imaging, but it has been put on the back burner for now, since we haven't had enough time to test it out before the start of the academic year. Thanks again for the reply!

    Hey Jasonthat, I found your binding script and am very interested... I am currently trying to apply your script to our environment but I was wondering if you had the completed script with corrections? I couldn't figure out where you defined $odserver, $odudn, etc in your script. Would you be able to share your script?

  6. #5

    Sure no problem. Here you go:


    PHP Code:
    #!/bin/sh

    # Give the network time to come online
    logger "Sleeping 30 seconds"
    sleep 30
    systemsetup -setusingnetworktime off
    systemsetup -setnetworktimeserver myAD.com
    systemsetup -setusingnetworktime on

    # Set Bonjour and Computer Names
    logger "Setting Bonjour and Computer Names"
    computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }' | cut -c 7-19` # last 6 digits MAC Address
    computerid2="(Optional)Prefix for computer name""$computerid"
    logger "Computer name is $computerid2"
    scutil --set LocalHostName "$computerid2"
    scutil --set ComputerName "$computerid2"
    sleep 3

    # Standard parameters
    domain="myAD.com"
    udn="AD Administrator"
    password="AD password"
    odudn="OD Administrator"
    odpassword="odpassword"
    ou="CN=Computers,DC=myAD,DC=com"
    odserver="myOD.com"

    # Advanced options
    alldomains="enable"
    localhome="disable"
    protocol="smb"
    mobile="disable"
    mobileconfirm="disable"
    useuncpath="enable"
    user_shell="/bin/bash"
    preferred="-nopreferred"
    admingroups="myAD\Domain Admins,myAD\Enterprise Admins"
    packetsign="allow"
    packetencrypt="allow"
    namespace="domain"

    ### End of configuration

    # Activate the AD plugin
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

    # Bind to AD
    dsconfigad -f -a $computerid -domain $domain -u "$udn" -p "$password" -ou "$ou"

    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]; then
        dsconfigad -nogroups
    else
        dsconfigad -groups "$admingroups"
    fi

    dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
        -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
        -shell $user_shell $preferred -packetsign $packetsign -packetencrypt $packetencrypt \
        -namespace $namespace

    # Bind to OD
    sleep 10
    dsconfigldap -v -f -a "$odserver" -n "$odserver" -c OD_$computerid -u "$odudn" -p "$odpassword"
    sleep 20

    # Restart DirectoryService
    killall DirectoryService

    # Add the AD node to the search path
    if [ "$alldomains" = "enable" ]; then
        csp="/Active Directory/All Domains"
    else
        csp="/Active Directory/$domain"
    fi

    sudo dscl "/Active Directory/All Domains" -list /Computers > /dev/null
    sleep 10
    sudo dscl /Search -append / CSPSearchPath "$csp"
    sudo dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
    sudo dscl /Search/Contacts -append / CSPSearchPath "$csp"
    sudo dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

    # Add LDAPv3 to OD server
    odcsp="/LDAPv3/$odserver"

    sudo dscl /Search -append / CSPSearchPath "$odcsp"

    # This works in a pinch if the above code does not
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
    #plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    #killall DirectoryService

    Now there is a possibility that this script might sometimes not work for you, as I have seen the scripts that work for others do not work for me and end up modifying it (the above is originally from Bombich's binding script). It all depends on your setup environment, what you are trying to achieve and sometimes different versions of the components involved in the "triangle" setup. Are you trying to manage your Mac machines and do you plan to apply MCX policies on computer-based groups or just user-group policies? Anyway if it helps, I will just tell you a bit about my setup:

    - Initially, only an AD server (Win 2k3) on the network and later on, we decided to setup a Mac OS X server(Leopard 10.5.7) - Done by joining the AD domain first and promoting to OD master later (guessing you have covered all the AD & OD setup topics properly)
    - The Search policies on OD master is in the order - OD first & AD second under Authentication and under Contacts, only the AD entry. While it is exactly the opposite on the client machines, i.e, AD first & OD second under Authentication and only AD entry under Contacts tab.
    Also to note, using the above script, I bind clients to the AD first & then OD - reason for this is because while I had tried both ways - it seems the "Other" option at login window, for domain users to login, took more time to show up (approx. 5-6 seconds) when I do an OD bind first whereas it takes only like 1-2 seconds for the "Other" option to show up when I do AD bind first. Anyway see what works for you.

    - One change that you would need to make to the above script is the dsconfigldap -f switch, depending on whether you need authenticated or unauthenticated binding. If unauthenticated, replace in script with something like this:

    HTML Code:
    # Bind to OD
    sleep 10
    dsconfigldap -v -a "$odserver" -n "$odserver" -c OD_$computerid
    sleep 20
    Again, this needs to be decided based on what you plan to do with MCX policies.
    I know for me doing an unauthenticated bind on clients works perfectly (some tell otherwise) for applying user-group based policies whereas if you are thinking about computer-based policies, you might need to think about authenticated binding which makes the computers show up automatically in Workgroup manager.
    Of course, there are ways to get around this so as to make the computers show up in WGM like manually adding the computers in WGM along with their mac addresses by either typing each one individually or using scripts to add them to WGM Computer Groups. But I prefer not to go much in that direction just because I am not in favor of it.

    - Another interesting observation that I found along the way is the fact of running the script (through ARD) on clients over a wired or wireless connection. This is also related to the authenticated/unauthenticated binding - seems that when I have the -f switch in there and running it wirelessly gives out the dscl errors and with failed binding to OD most of the times. Again running over wired, the script works like a charm for all the machines.
    On the other hand, if you remove the -f switch (unauthenticated) it works properly on both wired or wireless. This might have something to do with Apple's binding technology looking only for an ethernet mac address or simply put, just don't bind wireless

    Long story short, see how the script works out for you - I use it both as a login hook on master images and ARD. If you are using ARD, you could just rename the computers there itself and do not need the "#Set Bonjour and Computer Names" and replace with

    HTML Code:
    ## Host-specific parameters
    computerid=`/usr/sbin/scutil --get ComputerName`
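
An added example, not taken from any poster's script: a check to run after the bind that confirms the custom search path ended up in the client order described in this post (AD first, OD second) rather than assuming the fixed sleeps were long enough. The two `dscl /Search -read / CSPSearchPath` output layouts shown in the comments are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. All sample output below is constructed.
# Assumed layouts of `dscl /Search -read / CSPSearchPath`:
#   CSPSearchPath: /Local/Default /LDAPv3/myOD.com    (no value has a space)
#   CSPSearchPath:                                    (some value has a space)
#    /Local/Default
#    /Active Directory/All Domains

# search_path_nodes: read dscl output on stdin, print one node per line.
search_path_nodes() {
    awk '
        /^CSPSearchPath:/ {
            in_attr = 1
            sub(/^CSPSearchPath:[ \t]*/, "")
            if (length($0) > 0) {                 # single-line layout
                n = split($0, v, /[ \t]+/)
                for (i = 1; i <= n; i++) if (v[i] != "") print v[i]
                in_attr = 0
            }
            next
        }
        in_attr && /^[ \t]/ { sub(/^[ \t]+/, ""); print; next }
        { in_attr = 0 }                           # any other attribute ends the list
    '
}

# node_index NODE: print the 1-based position of NODE in the list on stdin,
# or 0 if it is absent.
node_index() {
    awk -v want="$1" '$0 == want { print NR; found = 1; exit }
                      END { if (!found) print 0 }'
}

# check_search_order FIRST SECOND: dscl output on stdin.
# Returns 0 if both nodes are present with FIRST ahead of SECOND,
# 1 if either node is missing, 2 if the order is reversed.
check_search_order() {
    nodes=$(search_path_nodes)
    first=$(printf '%s\n' "$nodes" | node_index "$1")
    second=$(printf '%s\n' "$nodes" | node_index "$2")
    if [ "$first" -eq 0 ] || [ "$second" -eq 0 ]; then
        echo "search path is missing $1 or $2" >&2
        return 1
    fi
    if [ "$first" -gt "$second" ]; then
        echo "$2 is searched before $1" >&2
        return 2
    fi
    return 0
}

# Constructed samples: a client bound to both directories, and one where
# the AD node never made it into the path (the symptom from the first post).
SAMPLE_BOUND='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/myOD.com'
SAMPLE_NO_AD='CSPSearchPath: /Local/Default /BSD/local /LDAPv3/myOD.com'

# On a client the input would come from dscl itself:
#   dscl /Search -read / CSPSearchPath | check_search_order "$csp" "$odcsp"
if printf '%s\n' "$SAMPLE_BOUND" |
   check_search_order "/Active Directory/All Domains" "/LDAPv3/myOD.com"; then
    echo "search path OK"
fi
```

A non-zero return is a natural point for a login hook to log the failure with `logger` and retry the `dscl -append` step.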

  7. #6

    Thanks for the help!!

    Our setup is pretty much the same albeit a bit larger, we have 2 sites with 4 win2k3 DC's and 5 mac servers (ODM/ODR/Wiki/Sandbox/SIU&SUS) split up on each. My directory settings for the ODM/R and clients are exactly as you specified and I have been applying MCX to computer groups. The first set of laptops I imaged, I had to manually bind to OD because I could only get the bombich script to bind to AD through ARD.

    This is round 2, so I will let you know how the script goes and if I had to make any changes.

    Again, thank you for the response!

  8. #7

    The script works great! Thanks!

    The only change I needed to make was for the name of the computer, since I have a tab delimited text file of each laptop's MAC address and computer name, I have them named as part of the workflow. I had to use the "LocalHostName" instead of the ComputerName.

    Code:
    ## Host-specific parameters
    computerid=`/usr/sbin/scutil --get LocalHostName`
    sleep 3
    Other than that, there were no major changes! Worked great from ARD with a wired connection!

  9. #8

    Join Date
    Jul 2009
    Posts
    11
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    emamjomeh - good to hear that it worked for you. Yea we really couldn't do the text file thing for computer assigning using mac addresses, since our laptop distribution method is a mess. Our boss has his own way of doing things.

  10. #9
    Rozzer
    Hey all,

    I have made a great little script which will reset your time settings to make sure you have no time sync issues and then clean out any existing settings to make sure there are no conflicting settings. Then join your computers to Open Directory and Active Directory.

    | How-To-Mac
    PHP Code:
    #!/bin/sh

    #####################################
    #Created by Ross Hamilton
    #Clock restart / Remove existing settings
    #Join to Open Directory and Active Directory
    #
    #####################################

    #Restart ntpdate
    StartService ()
    {
    if [ "${TIMESYNC:=-YES-}" = "-YES-" ] &&
    GetPID ntpd > /dev/null; then

    CheckForNetwork

    if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
    touch /var/run/NetworkTime.StartupItem

    echo "Starting network time synchronization"

    # Synchronize our clock to the network's time,
    # then fire off ntpd to keep the clock in sync.
    ntpdate -bvs
    ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
    fi
    }

    # Remove existing
    logger "Removing existing DS Config"

    # (-e in the tests and -f for rm are assumed; those option letters are missing on the page)
    if [ ! -e "/Library/Preferences/DirectoryService/ActiveDirectory" ]; then
    rm -f /Library/Preferences/DirectoryService/ActiveDirectory*
    fi

    if [ ! -e "/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig" ]; then
    rm -f /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
    fi

    if [ ! -e "/Library/Preferences/DirectoryService/SearchNode" ]; then
    rm -f /Library/Preferences/DirectoryService/SearchNode*
    fi

    if [ ! -e "/Library/Preferences/DirectoryService/ContactsNode" ]; then
    rm -f /Library/Preferences/DirectoryService/ContactsNode*
    fi

    if [ ! -e "/Library/Preferences/edu.mit.Kerberos" ]; then
    rm -f /Library/Preferences/edu.mit.Kerberos
    fi

    # Restart DirectoryService (necessary to reload AD plugin activation settings)
    killall DirectoryService

    # Bind machine to OD (an option before -sgme is not legible on the page and is omitted)
    dsconfigldap -sgme -a MACSERVERNAME # fully qualified DNS name of Macserver

    computerid=`/usr/sbin/scutil --get ComputerName`

    # Standard parameters
    domain="DOMAIN.COM" # fully qualified DNS name of Active Directory Domain
    udn="DOMAIN USERNAME"     # username of a privileged network user
    password="PASSWORD"     # password of a privileged network user
    ou="CN=Computers,DC=DOMAIN,DC=COM"     # Distinguished name of container for the computer

    # Advanced options
    alldomains="enable"     # 'enable' or 'disable' automatic multi-domain authentication
    localhome="disable"     # 'enable' or 'disable' force home directory to local drive
    protocol="smb"     # 'afp' or 'smb' change how home is mounted from server
    mobile="disable"     # 'enable' or 'disable' mobile account support for offline logon
    mobileconfirm="disable"     # 'enable' or 'disable' warn the user that a mobile acct will be created
    useuncpath="enable"     # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
    user_shell="/bin/bash"     # e.g., /bin/bash or "none"
    preferred="-nopreferred"    # Use the specified server for all Directory lookups and authentication
    # (e.g. "-nopreferred" or "-preferred ad.server.edu")
    admingroups="" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")

    # Login hook setting — specify the path to a login hook that you want to run instead of this script

    ### End of configuration

    # Activate the AD plugin
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    sleep 5

    # Bind to AD
    dsconfigad -f -a $computerid -domain $domain -u "$udn" -p "$password" -ou "$ou"

    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
    else
    dsconfigad -groups "$admingroups"
    fi

    dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred

    # Restart DirectoryService (necessary to reload AD plugin activation settings)
    killall DirectoryService

    # Add the AD node to the search path
    if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
    else
    csp="/Active Directory/$domain"
    fi
    sleep 5

    # This works in a pinch if the above code does not
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains" "/LDAPv3/FILL IN MAC SERVER LDAP k" # Fill in this section with mac server
    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3

    plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    dsconfigad -passinterval 0
    sudo killall DirectoryService

    Hope it helps.

    Ross

  11. #10

    I can't figure this out, can someone point me in the right direction?

    I copy and paste the script above into apple script editor, and cannot save it. I get syntax errors, etc. What do I need to do to test one of these scripts? I need to bind 200 Macbooks to OD asap.

    Any help would be appreciated!

  12. #11

    You would be best to use ARD to send out the command to all of the laptops at once.

    Get the laptops all set up and connected to the network and then use the Unix tool in ARD.

    To do this copy the script above (edit to your own requirements) and then select all of the laptops from the list of available computers and then click on the Unix option. A dialog box should pop up. In the top half is where you would paste the script and the lower half should show all of the machines that you wish to send the script out to. You may also want to specify the root user instead of the current console user.

    If you don't have ARD then to be honest the task is going to be more difficult. The script above is for terminal not an apple script. You may be able to call it using Applescript. What you could do in that respect is copy the binding script and the applescript app over to the clients you wish to bind and then run the apple script app or using SSH, copy the bind script over and then run it manually one at a time. But then doing that you may as well just use ARD in the first place.

    Once again, if you don't have ARD then I would seriously recommend that you do get a copy. The difference this makes in managing Apple machines is massive. Also it is not overly expensive for an educational license. Unlimited client license comes in at around £230?
    Last edited by HodgeHi; 31st August 2010 at 05:41 PM.
