RE: kinit request on keytab fails using 2K3sp1 KDC

David,

The easiest solution to this problem is to use the ktpass which was
shipped with Windows 2003, and not the one with SP1.

Alternatively, you can use one of the many tools available that replace
the need for ktpass, and use computer accounts for key storage. These
tools do not suffer from the same issues as ktpass.

It seems that the sp1 version of ktpass stores a key with a specific
kvno in the keytab file, and the kvno in the domain controller for the
same principal is different. This is why you cannot use the keytab file
to authenticate.

Thanks, Tim 

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of David Telfer
Sent: 22 March 2006 17:09
To: kerberos@mit.edu
Subject: kinit request on keytab fails using 2K3sp1 KDC

Hello,

I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to
configuring mod_auth_kerb.  I have used the following command to
generate a keytab on the KDC;

ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3.  I have
transferred the keytab to /etc/krb5.keytab.  When I run;

#/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit 
DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a 
clock slew error (I haven't seen an error of this nature appear with 
this version of krb so I'm not sure whether it would explicitly state
this).

From reading a few mailing list posts I have discovered some people
having issues with ktpass on service pack 1.  One such post;
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72
details a similar problem.  I have followed the advice given, ensuring
that the kvno's match and changing the system user's password prior to
generating the keytab but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential 
entry to ensure that it isn't the issue);

[libdefaults]
        default_realm = SMG.PLC.UK
[domain_realm]
        connect.smg.plc.uk = SMG.PLC.UK
[realms]
        SMG.PLC.UK = {
                kdc = pqdomc01.smg.plc.uk
                admin_server = pqdomc01.smg.plc.uk
                default_domain = smg.plc.uk
        }

Has anyone experienced a similar problem to this?  I have to assume 
there is a problem with the keytab but I'm at a loss as to what the 
problem could be.

David Telfer
david@2fluid.co.uk




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


0
tim.alsop (50)
3/22/2006 5:19:58 PM

>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:

    TA> It seems that the sp1 version of ktpass stores a key with a
    TA> specific kvno in the keytab file, and the kvno in the domain
    TA> controller for the same principal is different. This is why you
    TA> cannot use the keytab file to authenticate.

Yes; it always sets the kvno in the keytab it writes to 1, regardless of
the value in the KDB (which of course changes each time the key is
extracted).  So, you can only use the keytab the first time you extract
it.  If you have to do it again, just delete the principal and re-create
it.

-- 
  Richard Silverman
  res@qoxp.net


0
res49 (1410)
3/22/2006 10:14:02 PM
On Wednesday 22 March 2006 18:19, Tim Alsop wrote:

> Alternatively, you can use one of the many tools available that replace
> the need for ktpass, and use computer accounts for key storage. These
> tools do not suffer from the same issues as ktpass.

What are those tools?
Can you send search keywords or pointers so I can find and use them?

Thank you,
Achim

0
kerberosml (25)
3/23/2006 12:23:21 AM
Richard E. Silverman wrote:
>>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:
> 
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why you
>     TA> cannot use the keytab file to authenticate.
> 
> Yes; it always sets the kvno in the keytab it writes to 1, regardless of
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you extract
> it.  If you have to do it again, just delete the principal and re-create
> it.

ktpass allows you to specify the kvno on the command line.
You can obtain the kvno for the service principal with the MIT kvno utility.

Jeffrey Altman
0
jaltman2 (417)
3/23/2006 1:10:46 AM
>>>>> "JA" == Jeffrey Altman <jaltman2@nyc.rr.com> writes:

    JA> Richard E. Silverman wrote:
    >>>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:
    >>
    TA> It seems that the sp1 version of ktpass stores a key with a
    TA> specific kvno in the keytab file, and the kvno in the domain
    TA> controller for the same principal is different. This is why you
    TA> cannot use the keytab file to authenticate.
    >>  Yes; it always sets the kvno in the keytab it writes to 1,
    >> regardless of the value in the KDB (which of course changes each
    >> time the key is extracted).  So, you can only use the keytab the
    >> first time you extract it.  If you have to do it again, just delete
    >> the principal and re-create it.

    JA> ktpass allows you to specify the kvno on the command line.  You
    JA> can obtain the kvno for the service principal with the MIT kvno
    JA> utility.

Somehow I never noticed that, probably because I couldn't imagine why
you'd need such a thing.  :)  Thanks.

    JA> Jeffrey Altman

-- 
  Richard Silverman
  res@qoxp.net

0
res49 (1410)
3/23/2006 2:20:46 AM

Achim Grolms wrote:

> On Wednesday 22 March 2006 18:19, Tim Alsop wrote:
> 
> 
>>Alternatively, you can use one of the many tools available that replace
>>the need for ktpass, and use computer accounts for key storage. These
>>tools do not suffer from the same issues as ktpass.
> 
> 
> What are those tools?
> Can you send search keywords or pointers so I can find and use them?

Google for msktutil  which will get you to
http://www.pppl.gov/~dperry/mskturil-0.3.16.tar.gz
We are using this.

Google for netjoin
This is an update of the MS netjoin.

Samba has some tools, but adds too many principals in many cases.

Something else that can be very helpful is to use
the Windows mmc with the ADSI edit to look at the registry.
You can look at the account that was created, and look at the KVNO
as the ms-DS-KeyVersionNumber.
Other interesting fields are the userPrincipalName,
and servicePrincipalName.

Keep in mind that Windows has a single password that
is used to generate the keys on the fly for each of the
principals (userPrincipalName and servicePrincipalName)
associated with the account.

Kerberos uses a separate key for each principal created when the
keytab is created. So if you change the password on the account,
you have to change the keys in the keytab at the same time for
all the principals associated with that account.

Msktutil tries to do this for you.



> 
> Thank you,
> Achim
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

0
deengert (574)
3/23/2006 3:03:05 PM
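
The kvno comparison discussed in this thread, as an added example that is not part of any poster's message or of any tool named above: a reader for the MIT keytab file format (version 0x0502 only) that reports the kvno stored with each key and flags entries that differ from the kvno the KDC holds. The function names are hypothetical, the all-zero key and the KDC-side value 3 are constructed sample data, and the KDC-side kvno is assumed to have been read separately (MIT kvno utility or ms-DS-KeyVersionNumber, as described above).

```python
import struct

def _counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("truncated counted string")
    return buf[off + 2:end], end

def parse_keytab(data):
    """Return one dict per key entry in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:          # this example stops at a zero-length record
            break
        if size < 0:           # negative length marks a deleted entry (hole)
            off += -size
            continue
        rec = data[off:off + size]
        if len(rec) != size:
            raise ValueError("truncated entry")
        off += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        # name type (4 bytes), timestamp (4 bytes), 8-bit kvno (1 byte)
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", rec, p)
        (enctype,) = struct.unpack_from(">H", rec, p + 9)
        key, p = _counted(rec, p + 11)
        if len(rec) - p >= 4:  # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", rec, p)
            kvno = kvno32 or kvno
        # Key bytes are deliberately not returned, only their length.
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": len(key)})
    return entries

def kvno_mismatches(entries, principal, kdc_kvno):
    """Entries for `principal` whose stored kvno differs from the KDC's."""
    return [e for e in entries
            if e["principal"] == principal and e["kvno"] != kdc_kvno]

def build_sample_keytab(principal, kvno, enctype=3, key=b"\x00" * 8):
    """Constructed test input: one hole, then one entry (enctype 3 = des-cbc-md5)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    cs = lambda b: struct.pack(">H", len(b)) + b
    rec = struct.pack(">H", len(comps)) + cs(realm.encode())
    rec += b"".join(cs(c.encode()) for c in comps)
    rec += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    rec += struct.pack(">H", enctype) + cs(key) + struct.pack(">I", kvno)
    hole = struct.pack(">i", -4) + b"\x00" * 4
    return b"\x05\x02" + hole + struct.pack(">i", len(rec)) + rec

if __name__ == "__main__":
    princ = "HTTP/connect.smg.plc.uk@SMG.PLC.UK"
    keytab = build_sample_keytab(princ, kvno=1)      # keytab written with kvno 1
    for e in kvno_mismatches(parse_keytab(keytab), princ, kdc_kvno=3):
        print("kvno mismatch: keytab has", e["kvno"], "for", e["principal"])
```

To check a real file, pass its bytes to `parse_keytab` in place of the constructed sample.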