Udo Willke
2016-Nov-24 12:46 UTC
[Samba] samba_dnsupdate --verbose --all-names fails with kinit RuntimeError
Hi everyone, unfortunately, I managed to break my Samba AD DC configuration :-( and would like to ask the experts on this list. When restarting my Samba AC DC I noticed, that it didn't come up properly. samba outputs the following lines to /var/log/syslog> Nov 24 12:46:52 addc01 samba[30784]: /usr/sbin/samba_dnsupdate: > RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact > any KDC for requested realm) > > Nov 24 12:46:52 addc01 samba[30784]: > ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - > NT_STATUS_ACCESS_DENIED >I followed the Samba wiki pages <https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates> and found that the dynanic DNS update doesn't work> root at addc01:~# samba_dnsupdate --verbose --all-names > IPs: ['192.168.6.8'] > Traceback (most recent call last): > File "/usr/sbin/samba_dnsupdate", line 621, in <module> > get_credentials(lp) > File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials > raise e > RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact > any KDC for requested realm) >I also carried out the basic checks from <https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller>, where the lookup of the DNS Service Resource Records doesn't work as well> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan > Host _ldap._tcp.mydomain.lan not found: 3(NXDOMAIN)> root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan > Host _kerberos._udp.mydomain.lan not found: 3(NXDOMAIN)The confusing fact is, that I *can* obtain tickets from the KDC on the command line> root at addc01:~# kinit Administrator at MYDOMAIN.LAN > Password for Administrator at MYDOMAIN.LAN: > root at addc01:~# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: Administrator at MYDOMAIN.LAN > > Valid starting Expires Service principal > 24.11.2016 12:46:04 24.11.2016 22:46:04 krbtgt/MYDOMAIN.LAN at MYDOMAIN.LAN > renew until 25.11.2016 12:46:00but not via the Python script samba_dnsupdate. I can't tell if this is a Kerberos or a DNS issue. My /etc/krb.conf looks like this> root at addc01:~# cat /etc/krb5.conf > [logging] > default = FILE:/var/log/krb5.log > > [libdefaults] > default_realm = MYDOMAIN.LAN > dns_lookup_realm = false > dns_lookup_kdc = true > > [realms] > MYDOMAIN.LAN = { > kdc = 192.168.6.8:88 > admin_server = 192.168.6.8:464 > default_domain = MYDOMAIN.LAN > } > > [domain_realm] > .mydomain.lan = MYDOMAIN.LAN > mydomain.lan = MYDOMAIN.LANBasic name service does work as well:> root at addc01:~# samba-tool dns query localhost mydomain.lan @ ALL -P > Name=, Records=3, Children=0 > SOA: serial=8, refresh=900, retry=600, expire=86400, minttl=3600, > ns=addc01.mydomain.lan., email=hostmaster.mydomain.lan. > (flags=600000f0, serial=8, ttl=3600) > NS: addc01.mydomain.lan. (flags=600000f0, serial=6, ttl=3600) > A: 192.168.6.8 (flags=600000f0, serial=8, ttl=900) > Name=addc01, Records=1, Children=0 > A: 192.168.6.8 (flags=f0, serial=2, ttl=900) > Name=Admin-PC, Records=1, Children=0 > A: 192.168.6.56 (flags=f0, serial=8, ttl=1200) > Name=fileserver, Records=1, Children=0 > A: 192.168.6.1 (flags=f0, serial=4, ttl=900) > Name=Workstation-1, Records=1, Children=0 > A: 192.168.6.19 (flags=f0, serial=7, ttl=1200)The Bind9 service starts up with no suspicious messages> Nov 24 11:36:51 addc01 systemd[1]: Started BIND Domain Name Server. > Nov 24 11:36:51 addc01 named[30541]: starting BIND 9.10.3-P4-Ubuntu > <id:ebd72b3> -f -u bind > Nov 24 11:36:51 addc01 named[30541]: built with '--prefix=/usr' > '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' > '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' > '--localstatedir=/' '--enable-threads' '--enable-largefile' > '--with-libtool' '--enable-shared' '--enable-static' > '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' > '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' > '--enable-filter-aaaa' '--enable-native-pkcs11' > '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' > 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat > -Werror=format-security -fno-strict-aliasing > -fno-delete-null-pointer-checks -DNO_VERSION_DATE' > 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' > 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE' > Nov 24 11:36:51 addc01 named[30541]: > ---------------------------------------------------- > Nov 24 11:36:51 addc01 named[30541]: BIND 9 is maintained by Internet > Systems Consortium, > Nov 24 11:36:51 addc01 named[30541]: Inc. (ISC), a non-profit > 501(c)(3) public-benefit > Nov 24 11:36:51 addc01 named[30541]: corporation. Support and > training for BIND 9 are > Nov 24 11:36:51 addc01 named[30541]: available at > https://www.isc.org/support > Nov 24 11:36:51 addc01 named[30541]: > ---------------------------------------------------- > Nov 24 11:36:51 addc01 named[30541]: adjusted limit on open files from > 4096 to 1048576 > Nov 24 11:36:51 addc01 named[30541]: found 2 CPUs, using 2 worker threads > Nov 24 11:36:51 addc01 named[30541]: using 2 UDP listeners per interface > Nov 24 11:36:51 addc01 named[30541]: using up to 4096 sockets > Nov 24 11:36:51 addc01 named[30541]: loading configuration from > '/etc/bind/named.conf' > Nov 24 11:36:51 addc01 named[30541]: reading built-in trusted keys > from file '/etc/bind/bind.keys' > Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country (IPv4) > (type 1) DB > Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu > Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country (IPv6) > (type 12) DB > Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu > Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 2) DB not > available > Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 6) DB not > available > Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 30) DB > not available > Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 31) DB > not available > Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 3) DB not > available > Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 7) DB not > available > Nov 24 11:36:51 addc01 named[30541]: GeoIP ISP (type 4) DB not available > Nov 24 11:36:51 addc01 named[30541]: GeoIP Org (type 5) DB not available > Nov 24 11:36:51 addc01 named[30541]: GeoIP AS (type 9) DB not available > Nov 24 11:36:51 addc01 named[30541]: GeoIP Domain (type 11) DB not > available > Nov 24 11:36:51 addc01 named[30541]: GeoIP NetSpeed (type 10) DB not > available > Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv4 port > range: [32768, 60999] > Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv6 port > range: [32768, 60999] > Nov 24 11:36:51 addc01 named[30541]: listening on IPv6 interfaces, port 53 > Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface lo, > 127.0.0.1#53 > Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface > ens32, 192.168.6.8#53 > Nov 24 11:36:51 addc01 named[30541]: generating session key for > dynamic DNS > Nov 24 11:36:51 addc01 named[30541]: sizing zone task pool based on 5 > zones > Nov 24 11:36:51 addc01 named[30541]: Loading 'AD DNS Zone' using > driver dlopen > Nov 24 11:36:51 addc01 named[30541]: samba_dlz: started for DN > DC=mydomain,DC=lan > Nov 24 11:36:51 addc01 named[30541]: samba_dlz: starting configure > Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable > zone '6.168.192.in-addr.arpa' > Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable > zone 'mydomain.lan' > Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable > zone '_msdcs.mydomain.lan' > Nov 24 11:36:51 addc01 named[30541]: set up managed keys zone for view > _default, file 'managed-keys.bind' > Nov 24 11:36:51 addc01 named[30541]: command channel listening on > 127.0.0.1#953 > Nov 24 11:36:51 addc01 named[30541]: managed-keys-zone: loaded serial 8 > Nov 24 11:36:51 addc01 named[30541]: zone 0.in-addr.arpa/IN: loaded > serial 1 > Nov 24 11:36:51 addc01 named[30541]: zone 255.in-addr.arpa/IN: loaded > serial 1 > Nov 24 11:36:51 addc01 named[30541]: zone 127.in-addr.arpa/IN: loaded > serial 1 > Nov 24 11:36:51 addc01 named[30541]: zone localhost/IN: loaded serial 2 > Nov 24 11:36:51 addc01 named[30541]: all zones loaded > Nov 24 11:36:51 addc01 named[30541]: runningThe AD DC runs on ubuntu 16.04 LTS with Samba packages from their repository (at the moment Version 4.3.11-Ubuntu) . I provisioned the DC with the command> samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --dns-backend=BIND9_DLZ ...My internet searches didn't help to solve my problem, therefore any new ideas would be highly appreciated. Many thanks in advance Udo
Udo Willke
2016-Nov-24 15:36 UTC
[Samba] samba_dnsupdate --verbose --all-names fails with kinit RuntimeError
Hi, in the meantime, I found a solution: During the installation the SRV DNS queries had the following results (documented in my wiki):> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan > _ldap._tcp.mydomain.lan has SRV record 0 100 389 addc01.mydomain.lan. > root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan > _kerberos._udp.mydomain.lan has SRV record 0 100 88 addc01.mydomain.lan.So, I tried the following> root at addc01:~# samba-tool dns add localhost mydomain.lan > _ldap._tcp.mydomain.lan SRV "addc01.mydomain.lan 389 100 0" -P > Record added successfully > root at addc01:~# samba-tool dns add localhost mydomain.lan > _kerberos._udp.mydomain.lan SRV "addc01.mydomain.lan 88 100 0" -P > Record added successfullyThe quoted string is in reverse order compared to the result of the DNS query. Forcing an error in the samba-tool dns add-command> ERROR: Data requires 4 elements - server, port, priority, weightseems to suggest that this is the right order of the data in the quoted string. After this "samba_dnsupdate --verbose --all-names" worked again(!) However there is still a problem: samba_dnsupdate added a second entry in the DNS for both names> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan > _ldap._tcp.mydomain.lan has SRV record 100 0 389 addc01.mydomain.lan. > _ldap._tcp.mydomain.lan has SRV record 0 100 389 addc01.mydomain.lan. > > root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan > _kerberos._udp.mydomain.lan has SRV record 100 0 88 addc01.mydomain.lan. > _kerberos._udp.mydomain.lan has SRV record 0 100 88 addc01.mydomain.lan.so I suspect the right order in the quoted string should be "addc01.mydomain.lan {88|389} 0 100" (although counterintuitive; priority=0, weigth=100!?!)) Removing the incorrect DNS entries was easier than expected:> samba-tool dns delete localhost mydomain.lan _ldap._tcp.mydomain.lan > SRV "addc01.mydomain.lan 389 100 0" -P > samba-tool dns delete localhost mydomain.lan > _kerberos._udp.mydomain.lan SRV "addc01.mydomain.lan 88 100 0" -PProblem solved. Best regards Udo Am 24.11.2016 um 13:46 schrieb Udo Willke via samba:> Hi everyone, > > unfortunately, I managed to break my Samba AD DC configuration :-( and > would like to ask the experts on this list. > > When restarting my Samba AC DC I noticed, that it didn't come up > properly. samba outputs the following lines to /var/log/syslog > >> Nov 24 12:46:52 addc01 samba[30784]: /usr/sbin/samba_dnsupdate: >> RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact >> any KDC for requested realm) >> >> Nov 24 12:46:52 addc01 samba[30784]: >> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - >> NT_STATUS_ACCESS_DENIED >> > > I followed the Samba wiki pages > > <https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates> > > and found that the dynanic DNS update doesn't work > >> root at addc01:~# samba_dnsupdate --verbose --all-names >> IPs: ['192.168.6.8'] >> Traceback (most recent call last): >> File "/usr/sbin/samba_dnsupdate", line 621, in <module> >> get_credentials(lp) >> File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials >> raise e >> RuntimeError: kinit for ADDC01$@MYDOMAIN.LAN failed (Cannot contact >> any KDC for requested realm) >> > > I also carried out the basic checks from > <https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller>, > > > where the lookup of the DNS Service Resource Records doesn't work as well > >> root at addc01:~# host -t SRV _ldap._tcp.mydomain.lan >> Host _ldap._tcp.mydomain.lan not found: 3(NXDOMAIN) > >> root at addc01:~# host -t SRV _kerberos._udp.mydomain.lan >> Host _kerberos._udp.mydomain.lan not found: 3(NXDOMAIN) > > The confusing fact is, that I *can* obtain tickets from the KDC on the > command line > >> root at addc01:~# kinit Administrator at MYDOMAIN.LAN >> Password for Administrator at MYDOMAIN.LAN: >> root at addc01:~# klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: Administrator at MYDOMAIN.LAN >> >> Valid starting Expires Service principal >> 24.11.2016 12:46:04 24.11.2016 22:46:04 >> krbtgt/MYDOMAIN.LAN at MYDOMAIN.LAN >> renew until 25.11.2016 12:46:00 > > but not via the Python script samba_dnsupdate. > > I can't tell if this is a Kerberos or a DNS issue. > > My /etc/krb.conf looks like this > >> root at addc01:~# cat /etc/krb5.conf >> [logging] >> default = FILE:/var/log/krb5.log >> >> [libdefaults] >> default_realm = MYDOMAIN.LAN >> dns_lookup_realm = false >> dns_lookup_kdc = true >> >> [realms] >> MYDOMAIN.LAN = { >> kdc = 192.168.6.8:88 >> admin_server = 192.168.6.8:464 >> default_domain = MYDOMAIN.LAN >> } >> >> [domain_realm] >> .mydomain.lan = MYDOMAIN.LAN >> mydomain.lan = MYDOMAIN.LAN > > Basic name service does work as well: > >> root at addc01:~# samba-tool dns query localhost mydomain.lan @ ALL -P >> Name=, Records=3, Children=0 >> SOA: serial=8, refresh=900, retry=600, expire=86400, minttl=3600, >> ns=addc01.mydomain.lan., email=hostmaster.mydomain.lan. >> (flags=600000f0, serial=8, ttl=3600) >> NS: addc01.mydomain.lan. (flags=600000f0, serial=6, ttl=3600) >> A: 192.168.6.8 (flags=600000f0, serial=8, ttl=900) >> Name=addc01, Records=1, Children=0 >> A: 192.168.6.8 (flags=f0, serial=2, ttl=900) >> Name=Admin-PC, Records=1, Children=0 >> A: 192.168.6.56 (flags=f0, serial=8, ttl=1200) >> Name=fileserver, Records=1, Children=0 >> A: 192.168.6.1 (flags=f0, serial=4, ttl=900) >> Name=Workstation-1, Records=1, Children=0 >> A: 192.168.6.19 (flags=f0, serial=7, ttl=1200) > > The Bind9 service starts up with no suspicious messages > >> Nov 24 11:36:51 addc01 systemd[1]: Started BIND Domain Name Server. >> Nov 24 11:36:51 addc01 named[30541]: starting BIND 9.10.3-P4-Ubuntu >> <id:ebd72b3> -f -u bind >> Nov 24 11:36:51 addc01 named[30541]: built with '--prefix=/usr' >> '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' >> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' >> '--localstatedir=/' '--enable-threads' '--enable-largefile' >> '--with-libtool' '--enable-shared' '--enable-static' >> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' >> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' >> '--enable-filter-aaaa' '--enable-native-pkcs11' >> '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' >> 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat >> -Werror=format-security -fno-strict-aliasing >> -fno-delete-null-pointer-checks -DNO_VERSION_DATE' >> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' >> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE' >> Nov 24 11:36:51 addc01 named[30541]: >> ---------------------------------------------------- >> Nov 24 11:36:51 addc01 named[30541]: BIND 9 is maintained by Internet >> Systems Consortium, >> Nov 24 11:36:51 addc01 named[30541]: Inc. (ISC), a non-profit >> 501(c)(3) public-benefit >> Nov 24 11:36:51 addc01 named[30541]: corporation. Support and >> training for BIND 9 are >> Nov 24 11:36:51 addc01 named[30541]: available at >> https://www.isc.org/support >> Nov 24 11:36:51 addc01 named[30541]: >> ---------------------------------------------------- >> Nov 24 11:36:51 addc01 named[30541]: adjusted limit on open files >> from 4096 to 1048576 >> Nov 24 11:36:51 addc01 named[30541]: found 2 CPUs, using 2 worker >> threads >> Nov 24 11:36:51 addc01 named[30541]: using 2 UDP listeners per interface >> Nov 24 11:36:51 addc01 named[30541]: using up to 4096 sockets >> Nov 24 11:36:51 addc01 named[30541]: loading configuration from >> '/etc/bind/named.conf' >> Nov 24 11:36:51 addc01 named[30541]: reading built-in trusted keys >> from file '/etc/bind/bind.keys' >> Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country >> (IPv4) (type 1) DB >> Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu >> Nov 24 11:36:51 addc01 named[30541]: initializing GeoIP Country >> (IPv6) (type 12) DB >> Nov 24 11:36:51 addc01 named[30541]: GEO-106FREE 20160408 Bu >> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 2) DB >> not available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv4) (type 6) DB >> not available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 30) DB >> not available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP City (IPv6) (type 31) DB >> not available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 3) DB not >> available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP Region (type 7) DB not >> available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP ISP (type 4) DB not available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP Org (type 5) DB not available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP AS (type 9) DB not available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP Domain (type 11) DB not >> available >> Nov 24 11:36:51 addc01 named[30541]: GeoIP NetSpeed (type 10) DB not >> available >> Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv4 port >> range: [32768, 60999] >> Nov 24 11:36:51 addc01 named[30541]: using default UDP/IPv6 port >> range: [32768, 60999] >> Nov 24 11:36:51 addc01 named[30541]: listening on IPv6 interfaces, >> port 53 >> Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface lo, >> 127.0.0.1#53 >> Nov 24 11:36:51 addc01 named[30541]: listening on IPv4 interface >> ens32, 192.168.6.8#53 >> Nov 24 11:36:51 addc01 named[30541]: generating session key for >> dynamic DNS >> Nov 24 11:36:51 addc01 named[30541]: sizing zone task pool based on 5 >> zones >> Nov 24 11:36:51 addc01 named[30541]: Loading 'AD DNS Zone' using >> driver dlopen >> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: started for DN >> DC=mydomain,DC=lan >> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: starting configure >> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable >> zone '6.168.192.in-addr.arpa' >> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable >> zone 'mydomain.lan' >> Nov 24 11:36:51 addc01 named[30541]: samba_dlz: configured writeable >> zone '_msdcs.mydomain.lan' >> Nov 24 11:36:51 addc01 named[30541]: set up managed keys zone for >> view _default, file 'managed-keys.bind' >> Nov 24 11:36:51 addc01 named[30541]: command channel listening on >> 127.0.0.1#953 >> Nov 24 11:36:51 addc01 named[30541]: managed-keys-zone: loaded serial 8 >> Nov 24 11:36:51 addc01 named[30541]: zone 0.in-addr.arpa/IN: loaded >> serial 1 >> Nov 24 11:36:51 addc01 named[30541]: zone 255.in-addr.arpa/IN: loaded >> serial 1 >> Nov 24 11:36:51 addc01 named[30541]: zone 127.in-addr.arpa/IN: loaded >> serial 1 >> Nov 24 11:36:51 addc01 named[30541]: zone localhost/IN: loaded serial 2 >> Nov 24 11:36:51 addc01 named[30541]: all zones loaded >> Nov 24 11:36:51 addc01 named[30541]: running > > The AD DC runs on ubuntu 16.04 LTS with Samba packages from their > repository (at the moment Version 4.3.11-Ubuntu) . I provisioned the > DC with the command > >> samba-tool domain provision --use-rfc2307 --function-level=2008_R2 >> --dns-backend=BIND9_DLZ ... > > My internet searches didn't help to solve my problem, therefore any > new ideas would be highly appreciated. > > Many thanks in advance > > Udo > > > >