Discussing problems related to the Kerberos authentication module for Apache

Achim Grolms | 4 Oct 2005 21:38

http://www.grolmsnet.de/kerbtut/

Update on <http://www.grolmsnet.de/kerbtut/>
"using mod_auth_kerb and Windows 2000/2003 as KDC":

Now the differences of Win2000 and Win2003 in kvno behavior are described.

BTW: Anyone out there with a working 
- Windows2003 as KDC 
- RC4 instead DES
- and mod_auth_kerb setup?

Thank you,
Achim

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl

headers

Rob Sessink | 5 Oct 2005 00:44

http://www.grolmsnet.de/kerbtut/

Achim Grolms (achim <at> grolmsnet.de) wrote:
> Update on <http://www.grolmsnet.de/kerbtut/>
> "using mod_auth_kerb and Windows 2000/2003 as KDC":
> 
> Now the differences of Win2000 and Win2003 in kvno behavior are described.
> 
> BTW: Anyone out there with a working 
> - Windows2003 as KDC 
> - RC4 instead DES
> - and mod_auth_kerb setup?
> 
> Thank you,
> Achim
> 
No, I tried to use RC4 with negotiate on 2003, but i always get a DES 
ticket. I wanted to use it to pass the ticket to samba's smbclient. The 
only way i can get a RC4 ticket is to use Kerb5Passwd. (If someone has a 
setup for this please post it)

	Rob Sessink

> 
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> modauthkerb-help mailing list
> modauthkerb-help <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

(Continue reading)

headers

Achim Grolms | 5 Oct 2005 10:43

http://www.grolmsnet.de/kerbtut/

On Wednesday 05 October 2005 00:44, Rob Sessink wrote:

> No, I tried to use RC4 with negotiate on 2003, but i always get a DES
> ticket. 

Strange.
What happens when using kgetcred (or kvno on MIT)?
If the Account is not set to "DES only" I get a RC4 ticket
with Heimdal-Client and W2003 KDC.
Does that happen to you too?

Thank you,
Achim

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl

headers

Siarhei Baidun | 5 Oct 2005 17:39

Re: failed to authenticate using mod_auth_kerb for Apache

Hi again Everybody,

Second week I have been batling with the problem...

A lot of problems a have already solved on the way thanks to your advises.

Now I have done everything in compliance with the manual (http://www.grolmsnet.de/kerbtut/)

I have created a fresh domain account in the test domain (because I cannot use production one) , have mapped principal to it, etc.

And I'm getting now the error (in the Apache's error_log file) :

--------------------- Apache's LOG

in case

KrbMethodK5Passwd on
KrbMethodNegotiate off
------------------------

[Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST <at> TEST.EPO authtype=Basic
[Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /

--------------------- Apache's LOG

in case

KrbMethodK5Passwd off
KrbMethodNegotiate on

------------------------

[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/gvepl100.test.epo <at> TEST.EPO
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194] Verifying client data using SPNEGO GSS-API
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
[Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194] configuration error: couldn't check access. No groups file?: /

What does it mean? Which groups file I do not have?

I'm very, very appreciated for any help!

Below are my httpd.conf and krb5.conf

Thank you very much in advance,

Siarhei Baidun

------------------

krb5.conf

-----------------

[libdefaults]
default_realm = TEST.EPO

[domain_realm]
gvepl100.test.epo = TEST.EPO

[realms]
TEST.EPO = {
admin_server = odessa.test.epo
kdc = odessa.test.epo
}

----------------------------Apache's httpd.conf ----------------------------------

AuthType Kerberos
AuthName "Kerberos Login"
Krb5KeyTab /etc/wolfi2.keytab

KrbAuthRealms TEST.EPO

KrbMethodK5Passwd on
KrbMethodNegotiate off
KrbServiceName HTTP
require valid-user

------------------ result of "ktutil -k /etc/wolfi3.keytab list" command ------------------------------

Vno Type Principal
1 des-cbc-md5 HTTP/gvepl100.test.epo <at> TEST.EPO

headers

Henry B. Hotz | 5 Oct 2005 18:16

mod_auth_kerb combined with any ldap module?

Has anyone used mod_auth_kerb in combination with any ldap modules,  
e.g. mod_authz_ldap?  If so, any hints on configuration?
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl

headers

Siarhei Baidun | 6 Oct 2005 18:25

Re: failed to authenticate using mod_auth_kerb for Apache

Hello Everybody,

Just little question.

Do I need to have the principal

HOST/gvepl100.test.epo <at> TEST.EPO for my web server machine or it is enough to have only

HTTP/gvepl100.test.epo <at> TEST.EPO one?

Because this issue is not desribed in the manual (http://www.grolmsnet.de/kerbtut/).

I`m constantly having the error : "configuration error: couldn't check access. No groups file?: /"

And I just think that this error means that modauthkerb does not try to authorize a user with KDC as userdatabase on the web server (in my case it is gvepl100.test.epo). And it tries to find some file as userdatabase. And reason might be that I do not have principal

HOST/gvepl100.test.epo <at> TEST.EPO for my web server, but only this one:

HTTP/gvepl100.test.epo <at> TEST.EPO.

Is it right suggestion?

Thanks,

Siarhei Baidun

On 10/5/05, Siarhei Baidun <siarheibaidun <at> gmail.com> wrote:

Hi again Everybody,

Second week I have been batling with the problem...

A lot of problems a have already solved on the way thanks to your advises.

Now I have done everything in compliance with the  manual (http://www.grolmsnet.de/kerbtut/)

I have created a fresh domain account in the test domain (because I cannot use production one) , have mapped principal to it, etc.

And I'm getting now the error (in the Apache's error_log file) :

--------------------- Apache's LOG

in case

KrbMethodK5Passwd on
KrbMethodNegotiate off
------------------------

[Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST <at> TEST.EPO authtype=Basic
[Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /

--------------------- Apache's LOG

in case

KrbMethodK5Passwd off
KrbMethodNegotiate on

------------------------

[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/gvepl100.test.epo <at> TEST.EPO
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194 ] Verifying client data using SPNEGO GSS-API
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
[Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194 ] configuration error: couldn't check access. No groups file?: /

What does it mean? Which groups file I do not have?

I'm very, very appreciated for any help!

Below are my httpd.conf and krb5.conf

--

Thank you very much in advance,

Siarhei Baidun

------------------

krb5.conf

-----------------

[libdefaults]
default_realm = TEST.EPO

[domain_realm]
gvepl100.test.epo = TEST.EPO

[realms]
TEST.EPO = {
        admin_server = odessa.test.epo
        kdc = odessa.test.epo
}

----------------------------Apache's httpd.conf ----------------------------------

AuthType Kerberos
AuthName "Kerberos Login"
Krb5KeyTab /etc/wolfi2.keytab

KrbAuthRealms TEST.EPO

KrbMethodK5Passwd on
KrbMethodNegotiate off
KrbServiceName HTTP
require valid-user

------------------ result of "ktutil -k /etc/wolfi3.keytab list" command ------------------------------

Vno Type         Principal
1 des-cbc-md5 HTTP/gvepl100.test.epo <at> TEST.EPO

headers

Gary Rather | 6 Oct 2005 23:24

How to get the Remote User

After finally getting the mod_auth_kerb to work in my environment

Thank You archive list for all the help.

I now have a request being passed on to Tomcat.

I was expecting the RemoteUser to be populated.

But that is NULL.

I do have a ticket.

But at this point I do not know who made the request.

How do I get the remote user making this request from the tomcat world.

Is this in the ticket?  If so how do I get it.

It is not in any other header in the request.

Maybe I need to ask for it how do I get this info.

Thanks in advance

Gary Rather

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl

headers

Jari Ahonen | 10 Oct 2005 10:46

RE: Re: failed to authenticate using mod_auth_kerb for Apache

Siarhei,

The HTTP/fqdn <at> realm principal is enough, you donm't need host/fqdn <at> realm.

The group file error you are getting has nothing to do with mod_auth_kerb. It's just

Apache's weird way of telling you that your authorization configuration is invalid.

Mod_auth_kerb does not do authorization so you need to have another module

such as mod_auth configured to do that.

- Jari

From: modauthkerb-help-admin <at> lists.sourceforge.net [mailto:modauthkerb-help-admin <at> lists.sourceforge.net] On Behalf Of Siarhei Baidun
Sent: 06 October 2005 18:26
To: Achim Grolms; Nikola Milutinovic; Markus Moeller
Cc: kerberos <at> mit.edu; modauthkerb-help <at> lists.sourceforge.net
Subject: [modauthkerb] Re: failed to authenticate using mod_auth_kerb for Apache

Hello Everybody,

Just little question.

Do I need to have the principal

HOST/gvepl100.test.epo <at> TEST.EPO for my web server machine or it is enough to have only

HTTP/gvepl100.test.epo <at> TEST.EPO one?

Because this issue is not desribed in the manual (http://www.grolmsnet.de/kerbtut/).

I`m constantly having the error : "configuration error: couldn't check access. No groups file?: /"

And I just think that this error means that modauthkerb does not try to authorize a user with KDC as userdatabase on the web server (in my case it is gvepl100.test.epo). And it tries to find some file as userdatabase. And reason might be that I do not have principal

HOST/gvepl100.test.epo <at> TEST.EPO for my web server, but only this one:

HTTP/gvepl100.test.epo <at> TEST.EPO.

Is it right suggestion?

--

Thanks,

Siarhei Baidun

On 10/5/05, Siarhei Baidun <siarheibaidun <at> gmail.com> wrote:

Hi again Everybody,

Second week I have been batling with the problem...

A lot of problems a have already solved on the way thanks to your advises.

Now I have done everything in compliance with the  manual (http://www.grolmsnet.de/kerbtut/)

I have created a fresh domain account in the test domain (because I cannot use production one) , have mapped principal to it, etc.

And I'm getting now the error (in the Apache's error_log file) :

--------------------- Apache's LOG

in case

KrbMethodK5Passwd on
KrbMethodNegotiate off
------------------------

[Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST <at> TEST.EPO authtype=Basic
[Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /

--------------------- Apache's LOG

in case

KrbMethodK5Passwd off
KrbMethodNegotiate on

------------------------

[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/gvepl100.test.epo <at> TEST.EPO
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194 ] Verifying client data using SPNEGO GSS-API
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
[Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194 ] configuration error: couldn't check access. No groups file?: /

What does it mean? Which groups file I do not have?

I'm very, very appreciated for any help!

Below are my httpd.conf and krb5.conf

--

Thank you very much in advance,

Siarhei Baidun

------------------

krb5.conf

-----------------

[libdefaults]
default_realm = TEST.EPO

[domain_realm]
gvepl100.test.epo = TEST.EPO

[realms]
TEST.EPO = {
        admin_server = odessa.test.epo
        kdc = odessa.test.epo
}

----------------------------Apache's httpd.conf ----------------------------------

AuthType Kerberos
AuthName "Kerberos Login"
Krb5KeyTab /etc/wolfi2.keytab

KrbAuthRealms TEST.EPO

KrbMethodK5Passwd on
KrbMethodNegotiate off
KrbServiceName HTTP
require valid-user

------------------ result of "ktutil -k /etc/wolfi3.keytab list" command ------------------------------

Vno Type         Principal
1 des-cbc-md5 HTTP/gvepl100.test.epo <at> TEST.EPO

headers

Siarhei Baidun | 10 Oct 2005 11:12

Re: Re: failed to authenticate using mod_auth_kerb for Apache

Exactly!

Thank you very much for explanation.

I have noticed that mod_auth_kerb returned with OK but I experienced rpoblems with "no groups file" error.

When I launched mod_auth I managed to authorize against KDC!

Thanks,

Siarhei Baidun

On 10/10/05, Jari Ahonen <jah <at> progress.com> wrote:

Siarhei,

The HTTP/fqdn <at> realm principal is enough, you donm't need host/fqdn <at> realm.

The group file error you are getting has nothing to do with mod_auth_kerb. It's just

Apache's weird way of telling you that your authorization configuration is invalid.

Mod_auth_kerb does not do authorization so you need to have another module

such as mod_auth configured to do that.

- Jari

From: modauthkerb-help-admin <at> lists.sourceforge.net [mailto:modauthkerb-help-admin <at> lists.sourceforge.net] On Behalf Of Siarhei Baidun
Sent: 06 October 2005 18:26
To: Achim Grolms; Nikola Milutinovic; Markus Moeller
Cc: kerberos <at> mit.edu; modauthkerb-help <at> lists.sourceforge.net
Subject: [modauthkerb] Re: failed to authenticate using mod_auth_kerb for Apache

Hello Everybody,

Just little question.

Do I need to have the principal

HOST/gvepl100.test.epo <at> TEST.EPO for my web server machine or it is enough to have only

HTTP/gvepl100.test.epo <at> TEST.EPO one?

Because this issue is not desribed in the manual (http://www.grolmsnet.de/kerbtut/).

I`m constantly having the error : "configuration error: couldn't check access. No groups file?: /"

And I just think that this error means that modauthkerb does not try to authorize a user with KDC as userdatabase on the web server (in my case it is gvepl100.test.epo). And it tries to find some file as userdatabase. And reason might be that I do not have principal

HOST/gvepl100.test.epo <at> TEST.EPO for my web server, but only this one:

HTTP/gvepl100.test.epo <at> TEST.EPO.

Is it right suggestion?

--

Thanks,

Siarhei Baidun

On 10/5/05, Siarhei Baidun <siarheibaidun <at> gmail.com > wrote:

Hi again Everybody,

Second week I have been batling with the problem...

A lot of problems a have already solved on the way thanks to your advises.

Now I have done everything in compliance with the  manual (http://www.grolmsnet.de/kerbtut/)

I have created a fresh domain account in the test domain (because I cannot use production one) , have mapped principal to it, etc.

And I'm getting now the error (in the Apache's error_log file) :

--------------------- Apache's LOG

in case

KrbMethodK5Passwd on
KrbMethodNegotiate off
------------------------

[Wed Oct 05 17:20:07 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.154] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:20:12 2005] [debug] src/mod_auth_kerb.c(879): [client 10.3.103.154] kerb_authenticate_user_krb5pwd ret=0 user=TEST <at> TEST.EPO authtype=Basic
[Wed Oct 05 17:20:12 2005] [crit] [client 10.3.103.154] configuration error: couldn't check access. No groups file?: /

--------------------- Apache's LOG

in case

KrbMethodK5Passwd off
KrbMethodNegotiate on

------------------------

[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1322): [client 10.3.103.194] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1023): [client 10.3.103.194] Acquiring creds for HTTP/gvepl100.test.epo <at> TEST.EPO
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1152): [client 10.3.103.194 ] Verifying client data using SPNEGO GSS-API
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1168): [client 10.3.103.194] Verification returned code 0
[Wed Oct 05 17:33:12 2005] [debug] src/mod_auth_kerb.c(1186): [client 10.3.103.194] GSS-API token of length 0 bytes will be sent back
[Wed Oct 05 17:33:12 2005] [crit] [client 10.3.103.194 ] configuration error: couldn't check access. No groups file?: /

What does it mean? Which groups file I do not have?

I'm very, very appreciated for any help!

Below are my httpd.conf and krb5.conf

--

Thank you very much in advance,

Siarhei Baidun

------------------

krb5.conf

-----------------

[libdefaults]
default_realm = TEST.EPO

[domain_realm]
gvepl100.test.epo = TEST.EPO

[realms]
TEST.EPO = {
        admin_server = odessa.test.epo
        kdc = odessa.test.epo
}

----------------------------Apache's httpd.conf ----------------------------------

AuthType Kerberos
AuthName "Kerberos Login"
Krb5KeyTab /etc/wolfi2.keytab

KrbAuthRealms TEST.EPO

KrbMethodK5Passwd on
KrbMethodNegotiate off
KrbServiceName HTTP
require valid-user

------------------ result of "ktutil -k /etc/wolfi3.keytab list" command ------------------------------

Vno Type         Principal
1 des-cbc-md5 HTTP/gvepl100.test.epo <at> TEST.EPO

headers

Gary Rather | 10 Oct 2005 19:22

How To Pass Remote_user on to Tomcat

After finally getting mod_auth_kerb to work.

I found when the request was sent to Tomcat still had no idea who the 
remote user was.

Who just got authenicated ?

Apache knows. And in a CGI script the REMOTE_USER environment variable is set.

So with a bit of rewrite commands add a new header to the request.
Then in tomcat could look for that request.

Was not able to set the header so getRemoteUser worked
So just added a new header

Here is the code.

RewriteEngine on
RewriteBase /

RewriteCond %{REMOTE_USER} !=""
RewriteRule .* - [E=E_USER:%{REMOTE_USER}]

RequestHeader set my_new_header  %{E_USER}e

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl

1	April 2013
1	March 2013
3	February 2013
2	November 2012
1	October 2012
13	September 2012
6	August 2012
7	June 2012
7	April 2012
29	March 2012
13	February 2012
20	January 2012
4	December 2011
7	November 2011
1	October 2011
4	September 2011
30	August 2011
11	July 2011
23	June 2011
21	May 2011
1	March 2011
19	February 2011
4	November 2010
57	September 2010
34	August 2010
3	July 2010
4	June 2010
4	May 2010
36	April 2010
14	March 2010
3	January 2010
20	December 2009
20	November 2009
2	October 2009
2	August 2009
10	July 2009
11	June 2009
14	May 2009
7	April 2009
19	March 2009
16	February 2009
29	January 2009
24	December 2008
4	November 2008
24	October 2008
4	September 2008
9	August 2008
23	July 2008
18	June 2008
19	May 2008
9	April 2008
9	March 2008
41	February 2008
15	January 2008
36	December 2007
23	November 2007
57	October 2007
41	September 2007
29	August 2007
112	July 2007
5	June 2007
46	May 2007
5	April 2007
15	March 2007
29	February 2007
134	January 2007
30	December 2006
77	November 2006
17	October 2006
22	September 2006
58	August 2006
26	July 2006
57	June 2006
64	May 2006
36	April 2006
50	March 2006
63	February 2006
7	January 2006
5	December 2005
17	November 2005
26	October 2005
14	September 2005
24	August 2005
14	July 2005
1	June 2005
35	May 2005
19	April 2005
51	March 2005
43	February 2005
27	January 2005
41	December 2004
29	November 2004
32	October 2004
28	September 2004
82	August 2004
50	July 2004
189	June 2004
1	January 2003

Mon	Tue	Wed	Thu	Fri	Sat	Sun

					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31