Hello to all,
I'm trying to get GSSAPI authentication running with the Symas packages. I generated a ldap.keytab file and it's readable for the ldap user running slapd. With the Debian packages I add:
---------
export KRB5_KTNAME="/path/to/ldap.keytab"
---------
I don't want to use the system keytab /etc/krb5.keytab. How do I tell slapd from the Symas packages to use my service keytab?
I try to add to my /etc/default/symas-openldap:
---------
KRB5_KTNAME="/path/to/ldap.keytab"
---------
but it's not working.
Stefan
17.12.2021 17:34, Stefan Kania wrote:
[...]
Hello. First of all you should determine whether the "KRB5_KTNAME" ENV is being used by the running process. Try this to extract all of the ENVs:
strings -a /proc/<pid_of_the_process_ldap>/environ
If you can't see KRB5_KTNAME, you can try to add
export KRB5_KTNAME="/path/to/ldap.keytab"
to the startup script.
If you see KRB5_KTNAME, that means symas-openldap doesn't use KRB5_KTNAME.
On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania stefan@kania-online.de wrote:
[...]
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
-Dieter
Hi Dieter
On 18.12.21 at 07:28, Dieter Klünter wrote:
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
The configuration is working, but for the Symas packages the files must be in /opt/symas/etc/sasl2 and /opt/symas/etc.
But now the LDAP server is missing GSSAPI:
----------
root@ldap01:~# ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI
---------
The packages "libsasl2-modules-gssapi-mit", "libgssapi-krb5-2" and "symas-cyrus-sasl-lib" are installed, but:
---------
root@ldap01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
---------
is not showing GSSAPI as a valid mechanism. As I said, it's the first time I've tried the Symas packages with Kerberos: do I miss something else?
If I do the same on Debian 10 with the Debian OpenLDAP packages I get:
---------------
root@provider-stat:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
---------------
Stefan
On Sat, 18 Dec 2021 07:28:16 +0100, Dieter Klünter dieter@dkluenter.de wrote:
On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania stefan@kania-online.de wrote:
[...]
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
I remember that in the old days I did some successful debugging with sasl-server and sasl-client.
-Dieter
On 21.12.21 at 14:14, Dieter Klünter wrote:
On Sat, 18 Dec 2021 07:28:16 +0100, Dieter Klünter dieter@dkluenter.de wrote:
On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania stefan@kania-online.de wrote:
[...]
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
I remember that in the old days I did some successful debugging with sasl-server and sasl-client.
I will test it, but I think that GSSAPI is not compiled into the Symas packages.
Stefan
-Dieter
On 12/21/21 19:59, Stefan Kania wrote:
but I think that GSSAPI is not compiled into the Symas packages.
Not true.
It is linked against Heimdal libs from package symas-heimdal-libs:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
Ciao, Michael.
On 21.12.21 at 22:19, Michael Ströder wrote:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
I don't know which packages you are using, but I can't confirm that:
---------------------
root@ldap01:~# dpkg -l | grep symas
ii  symas-cyrus-sasl-lib     2.1.27-4bullseye1          amd64  Cyrus-SASL Libraries
ii  symas-heimdal-lib        7.7.0-5bullseye1           amd64  Heimdal Libraries
ii  symas-libargon2-lib      20190702-2bullseye1        amd64  libargon2 libraries
ii  symas-libevent-lib       2.1.12-stable-2bullseye1   amd64  libevent Libraries
ii  symas-openldap-clients   2.6.0-5bullseye1           amd64  OpenLDAP Client Binaries
ii  symas-openldap-lib       2.6.0-5bullseye1           amd64  OpenLDAP Libraries
ii  symas-openldap-server    2.6.0-5bullseye1           amd64  OpenLDAP Server Binaries
ii  symas-openssl-lib        1.1.1l-2bullseye1          amd64  OpenSSL Libraries
-------------------------
I can find /opt/symas/lib/libgssapi.so.3, but as you can see in my "ldd" output, it's not used.
---------------------
root@ldap01:~# ldd /opt/symas/lib/slapd
linux-vdso.so.1 (0x00007fff036e0000)
libldap.so.2 => /opt/symas/lib/libldap.so.2 (0x00007f53191c7000)
liblber.so.2 => /opt/symas/lib/liblber.so.2 (0x00007f53191b6000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f53191a7000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f53190f2000)
libsasl2.so.3 => /opt/symas/lib/libsasl2.so.3 (0x00007f53190d5000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f531909a000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f5319076000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5318eb1000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f5318e97000)
libssl.so.1.1 => /opt/symas/lib/libssl.so.1.1 (0x00007f5318e06000)
libcrypto.so.1.1 => /opt/symas/lib/libcrypto.so.1.1 (0x00007f5318b2d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5318b27000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f5318b1a000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f5318af2000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f5318a17000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007f53189f4000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f53188d4000)
/lib64/ld-linux-x86-64.so.2 (0x00007f53193de000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007f53188ac000)
--------------------------
So no GSSAPI included.
My OS is:
-------------
root@ldap01:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-------------
Either it's still a configuration problem, or it's missing. If it's a configuration problem, how can I fix it?
Stefan
On 12/22/21 10:31, Stefan Kania wrote:
On 21.12.21 at 22:19, Michael Ströder wrote:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
I don't know which packages you are using, but can't confirm that:
Ah, I'm using the Symas packages on RHEL8-alike systems. I don't have test systems around with the Debian packages.
Ciao, Michael.
On 22.12.21 at 10:31, Stefan Kania wrote:
either it's still a configuration problem, or it's missing. If it's a configuration problem, how can I fix it?
I now built OpenLDAP from source with these options:
--------------
./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current --with-sasl=yes
--------------
Still no GSSAPI :-(. Did I miss something here?
--------------
root@ldap-p01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

root@ldap-p01:~# ldd /opt/openldap-current/libexec/slapd
linux-vdso.so.1 (0x00007ffc23985000)
libldap.so.2 => /opt/openldap-current/lib/libldap.so.2 (0x00007f160e666000)
liblber.so.2 => /opt/openldap-current/lib/liblber.so.2 (0x00007f160e657000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f160e646000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f160e641000)
libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f160e624000)
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f160e592000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f160e2a7000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f160e26d000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f160e253000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f160e232000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f160e071000)
/lib64/ld-linux-x86-64.so.2 (0x00007f160e872000)
--------------
As long as I can't see "supportedSASLMechanisms: GSSAPI" I can't get the Kerberos authentication working.
On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania stefan@kania-online.de wrote:
On 22.12.21 at 10:31, Stefan Kania wrote:
either it's still a configuration problem, or it's missing. If it's a configuration problem, how can I fix it?
I now built OpenLDAP from source with these options:
./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current --with-sasl=yes
Still no GSSAPI :-(. Did I miss something here?
[...]
You probably missed the header files; check /usr/include/gssapi/ and /usr/include/krb5/ and probably some more.
-Dieter
On Wed, 22 Dec 2021 12:49:54 +0100, Dieter Klünter dieter@dkluenter.de wrote:
On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania stefan@kania-online.de wrote:
On 22.12.21 at 10:31, Stefan Kania wrote:
either it's still a configuration problem, or it's missing. If it's a configuration problem, how can I fix it?
I now built OpenLDAP from source with these options:
./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current --with-sasl=yes
Still no GSSAPI :-(. Did I miss something here?
[...]
You probably missed the header files; check /usr/include/gssapi/ and /usr/include/krb5/ and probably some more, and check the libraries in /usr/lib64/sasl2/.
-Dieter
On 22.12.21 at 13:01, Dieter Klünter wrote:
You probably missed the header files; check /usr/include/gssapi/ and /usr/include/krb5/ and probably some more, and check the libraries in /usr/lib64/sasl2/.
I installed libkrb5-dev krb5-multidev libsasl2-dev.
I found:
root@ldap25-p02:/opt# ls /usr/include/gssapi/
gssapi_ext.h  gssapi_generic.h  gssapi.h  gssapi_krb5.h  mechglue.h

root@ldap25-p02:/opt# ls /usr/include/krb5/
ccselect_plugin.h  certauth_plugin.h  clpreauth_plugin.h  hostrealm_plugin.h  kadm5_auth_plugin.h  kadm5_hook_plugin.h  kdcpolicy_plugin.h  kdcpreauth_plugin.h  krb5.h  localauth_plugin.h  locate_plugin.h  plugin.h  preauth_plugin.h  pwqual_plugin.h

root@ldap25-p02:/opt# ls /usr/include/sasl/
hmac-md5.h  md5global.h  md5.h  prop.h  sasl.h  saslplug.h  saslutil.h
Recompiled OpenLDAP and now I finally got:
root@ldap25-p02:/opt# ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
But still GSSAPI is not showing up on my hosts with the symas-packages installed.
I checked the installed sasl2 and krb5 packages of the self-compiled system and the system with the Symas packages. The lists of packages are identical.
On Wed, 22 Dec 2021 12:49:54 +0100, Dieter Klünter dieter@dkluenter.de wrote:
On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania stefan@kania-online.de wrote:
On 22.12.21 at 10:31, Stefan Kania wrote:
either it's still a configuration problem, or it's missing. If it's a configuration problem, how can I fix it?
I now built OpenLDAP from source with these options:
./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current --with-sasl=yes
Still no GSSAPI :-(. Did I miss something here?
[...]
You probably missed the header files; check /usr/include/gssapi/ and /usr/include/krb5/ and probably some more.
Sorry, just another hint. Check the source file openldap/include/ldap.h:
/* OpenLDAP SASL options */
[...]
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
#define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL 0x6201
-Dieter
On 22.12.21 at 13:18, Dieter Klünter wrote:
/* OpenLDAP SASL options */
[...]
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
#define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL 0x6201
On Wed, 22 Dec 2021 14:27:37 +0100, Stefan Kania stefan@kania-online.de wrote:
On 22.12.21 at 13:18, Dieter Klünter wrote:
/* OpenLDAP SASL options */
[...]
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
#define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL 0x6201
Did you simply test with ldapwhoami(1) using all available mechanisms?
ldapwhoami -Y gssapi -U dieter -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dieter@MyREALM
SASL SSF: 256
SASL data security layer installed.
dn: ....
-Dieter
--On Tuesday, December 21, 2021 10:19 PM +0100 Michael Ströder michael@stroeder.com wrote:
On 12/21/21 19:59, Stefan Kania wrote:
but I think that GSSAPI is not compiled into the Symas packages.
Not true.
It is linked against Heimdal libs from package symas-heimdal-libs:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
An ldd of slapd never tells you whether or not it has GSSAPI support. What mechanisms SASL supports is limited by whatever modules are in /opt/symas/lib/sasl2 (for Symas OpenLDAP builds). Similar idea for OS builds, etc., just with their paths instead.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
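The thread ends up with three separate questions that are easy to conflate: does the running slapd actually carry KRB5_KTNAME in its environment (the /proc/<pid>/environ check suggested early on), is the Cyrus SASL GSSAPI plugin present in the plugin directory the binary loads from (Quanah's point that ldd cannot tell you), and does the server advertise GSSAPI in supportedSASLMechanisms. The script below is an added example that is not code from the thread, from Symas or from the OpenLDAP project; it runs each check as a function so they can be used one at a time. The paths /opt/symas/lib/sasl2 and the ldapsearch invocation are taken from the messages above; the function names, the Debian plugin directory /usr/lib/x86_64-linux-gnu/sasl2 and the use of pgrep(1) are my assumptions.

```sh
#!/bin/sh
# Added diagnostic helper, not from the thread, Symas or OpenLDAP.
# Tells apart three failure modes that all look like "GSSAPI does not work":
#   (a) the running slapd does not have KRB5_KTNAME in its environment,
#   (b) no Cyrus SASL GSSAPI plugin in the plugin directory slapd loads from,
#   (c) slapd does not advertise GSSAPI in the root DSE.
# Assumed paths: /opt/symas/lib/sasl2 (Symas Debian layout quoted in the
# thread); /usr/lib/x86_64-linux-gnu/sasl2 for Debian's own packages is
# an assumption.

# (a) Print the KRB5_KTNAME value found in an environ file, nothing if unset.
#     /proc/<pid>/environ is NUL-separated, so split on NUL instead of
#     scraping it with strings(1), which would also print unrelated junk.
environ_ktname() {
    tr '\000' '\n' < "$1" | sed -n 's/^KRB5_KTNAME=//p'
}

# (b) Return 0 if a GSSAPI plugin (libgssapiv2.so*) exists in the given SASL
#     plugin directory.  ldd on slapd cannot answer this: the mechanism lives
#     in a dlopen()ed plugin, not in a library the binary is linked against.
has_gssapi_plugin() {
    set -- "$1"/libgssapiv2.so*
    [ -e "$1" ]
}

# (c) Read LDIF on stdin, as produced by
#       ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
#     and return 0 if the named mechanism is listed (exact line match, so
#     "GSS" does not accidentally match "GSSAPI" or "GSS-SPNEGO").
advertises_mech() {
    grep -qx "supportedSASLMechanisms: $1"
}

# Run all three against the live server.  Reading /proc/<pid>/environ of a
# process owned by another user needs root.
# Usage: check_slapd_gssapi [plugin_dir]   (default: Symas layout)
check_slapd_gssapi() {
    plugin_dir=${1:-/opt/symas/lib/sasl2}
    pid=$(pgrep -x slapd | head -n 1)
    if [ -n "$pid" ]; then
        ktname=$(environ_ktname "/proc/$pid/environ")
        echo "slapd pid $pid: KRB5_KTNAME=${ktname:-<unset, default keytab will be used>}"
    else
        echo "no running slapd found"
    fi
    if has_gssapi_plugin "$plugin_dir"; then
        echo "GSSAPI plugin present in $plugin_dir"
    else
        echo "no libgssapiv2.so* in $plugin_dir: install the GSSAPI module for this build"
    fi
    if ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms \
        | advertises_mech GSSAPI; then
        echo "server advertises GSSAPI"
    else
        echo "server does not advertise GSSAPI"
        return 1
    fi
}
```

Run `check_slapd_gssapi` on a Symas host, or `check_slapd_gssapi /usr/lib/x86_64-linux-gnu/sasl2` where Debian's own slapd is installed. When (b) fails on a Symas install the fix is a SASL plugin built for the Symas libsasl2, not the distribution's libsasl2-modules-gssapi-mit, which lands in the distribution's plugin directory and is never seen by /opt/symas/lib/slapd.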
Dieter Klünter dieter@dkluenter.de wrote on 18.12.2021 at 07:28 in
message 20211218072816.769b483e@pink.fritz.box:
On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania stefan@kania-online.de wrote:
[...]
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
Dieter,
I wonder: Did you "just know", or is that documented somewhere? If the latter, maybe also add where you found those pearls of wisdom.
Regards, Ulrich
-Dieter
--
Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
On 12/27/21 10:45, Ulrich Windl wrote:
Dieter Klünter wrote:
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
I wonder: Did you "just know", or is that documented somewhere? If the latter, maybe also add where you found those pearls of wisdom.
This information is spread over the Kerberos, Cyrus-SASL and OpenLDAP docs.
Ciao, Michael.
Thanks for all the help; after all, it's running. I think it had something to do with my Ansible script and the order in which I installed the packages and set up the configuration. I reinstalled all servers from scratch and now it looks like this:
--------------
root@ldap01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
--------------
Again, thank you all for the help; several tips got me to this point.
Stefan
On 17.12.21 at 16:34, Stefan Kania wrote:
[...]
Stefan
openldap-technical@openldap.org