-
Notifications
You must be signed in to change notification settings - Fork 1
/
Setting-up-NFS4-Kerberos-Linux-Synology-NAS.html
executable file
·420 lines (388 loc) · 21.5 KB
/
Setting-up-NFS4-Kerberos-Linux-Synology-NAS.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="description" content="" />
<meta name="author" content="Jordi Warmenhoven" />
<meta name="generator" content="Pelican (VoidyBootstrap theme)" />
<title>Mounting Synology NFSv4 shares in Linux using Kerberos authentication - Penguinsula</title>
<link rel="stylesheet"
href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
crossorigin="anonymous" />
<link rel="stylesheet"
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css"
integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN"
crossorigin="anonymous">
<link rel="stylesheet" href="https://jwarmenhoven.github.io/theme/css/pygment.css" />
<link rel="stylesheet" href="https://jwarmenhoven.github.io/theme/css/voidybootstrap.css" />
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js" integrity="sha384-FFgGfda92tXC8nCNOxrCQ3R8x1TNkMFqDZVQdDaaJiiVbjkPBXIJBx0o7ETjy8Bh" crossorigin="anonymous"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js" integrity="sha384-ZoaMbDF+4LeFxg6WdScQ9nnR1QC2MIRxA1O9KWEXQwns1G8UNyIEZIQidzb0T1fo" crossorigin="anonymous"></script>
<![endif]-->
<link rel="shortcut icon" href="https://jwarmenhoven.github.io/favicon.ico" />
</head>
<body>
<nav class="navbar navbar-default">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle"
data-toggle="collapse" data-target="#main-navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="https://jwarmenhoven.github.io/" rel="home">
<i class="fa fa-home fa-fw fa-lg"> </i> </a>
</div>
<div class="collapse navbar-collapse" id="main-navbar-collapse">
<ul class="nav navbar-nav">
<li>
<a href="https://jwarmenhoven.github.io/pages/about-post.html">About me</a>
</li>
<li>
<a href="https://jwarmenhoven.github.io/pages/projects.html">Projects</a>
</li>
<li class="divider"></li>
<li class="">
<a href="https://jwarmenhoven.github.io/archives.html">Archives</a>
</li>
<li class="divider"></li>
</ul> <!-- /nav -->
</div> <!-- /navbar-collapse -->
</div> <!-- /container -->
</nav> <!-- /navbar -->
<div class="jumbotron" id="overview">
<div class="container">
<h1><a href="https://jwarmenhoven.github.io/">Penguinsula</a></h1>
<p class="lead">Python, Stats, Modelling & Stuff</p>
</div>
</div>
<div class="container" id="main-container">
<div class="row">
<div class="col-md-9" id="content">
<article itemscope="itemscope" itemtype="http://schema.org/BlogPosting">
<header class="article-header">
<abbr class="article-header-date">
Tue 01 August 2023
</abbr> <h1>
<a href="https://jwarmenhoven.github.io/Setting-up-NFS4-Kerberos-Linux-Synology-NAS.html" rel="bookmark"
title="Permalink to Mounting Synology NFSv4 shares in Linux using Kerberos authentication">
Mounting Synology NFSv4 shares in Linux using Kerberos authentication
</a>
</h1><div class="article-header-info">
<p>
Posted by <a href="https://jwarmenhoven.github.io/author/jordi-warmenhoven.html">Jordi Warmenhoven</a>
in
<a href="https://jwarmenhoven.github.io/category/blog.html">
Blog</a>
</p>
</div> <!-- /.article-header-info -->
</header>
<div class="content-body" itemprop="text articleBody">
<p>Many people have a Network Attached Storage (NAS) server in their home networks to share files and perhaps function as a private cloud. These NAS servers usually offer different ways (protocols) to share files with devices on the network. Most common protocols are:</p>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Server_Message_Block">Server Message Block (SMB)</a></li>
<li><a href="https://en.wikipedia.org/wiki/Network_File_System">Network File System (NFS)</a></li>
<li><a href="https://en.wikipedia.org/wiki/Apple_Filing_Protocol">Apple Filing Protocol (AFP)</a></li>
</ul>
<p>The SMB protocol is the standard in Windows networks, whereas NFS is used more in Unix/Linux environments. I have a <a href="https://www.synology.com/">Synology</a> NAS and have both Linux and Microsoft Windows clients connecting to the fileserver. </p>
<p>SMB works fine on Linux too, but there are a number of advantages in using NFS which I will not detail here. However, certain steps in NFS configuration are especially important to make file permissions work properly/securely with version 4 of the NFS protocol. This has to do with how user accounts on the NAS are mapped and authorized to the user accounts on the Linux client. A quick and dirty setup on the Synology NAS is possible: mapping all connecting NFS clients to a guest account on the NAS. As a consequence, owners of the files created on the NFS share are mapped to user <code>nobody</code>. With this setup I ran into issues with using <code>git</code> on the NFS fileshares since my Linux user was not the owner of the local repository files.</p>
<p>Below I describe how I configured NFSv4 + Kerberos on the Synology NAS and my Linux client in order to work properly with regards to file ownership and permissions. This is by no means an exhaustive description and assumes some prior knowledge on the subjects, but hopefully it gives some form of guidance.</p>
<blockquote>
<h4>System environment:</h4>
<ul>
<li><strong>NFS Server</strong>: Synology DS216+ NAS running DSM 7.1.1-42962 Update 6<ul>
<li>NFSv4 (4.0)</li>
</ul>
</li>
<li><strong>NFS Client</strong>: Manjaro Linux running a 6.3 kernel<ul>
<li>Running Kerberos Key Distribution Center (KDC). In a multi-user network environment you would typically run the KDC on a separate server. However, since my Linux workstation is the only NFS client it does not matter that the KDC is unavailable for authentication when my workstation is offline.</li>
<li>Mounting the NFSv4 share on the Synology NAS.</li>
</ul>
</li>
<li><strong>No DNS on local network</strong></li>
</ul>
</blockquote>
<hr>
<h4>Kerberos</h4>
<p>NSFv4 clients are authenticated on user level. This can be done using standard UNIX authentication (AUTH_SYS), but then user accounts on client and NAS need to match on UID/GID level as I understand it. The other authentication method uses <a href="https://en.wikipedia.org/wiki/Kerberos_(protocol)">Kerberos</a>. Understanding how Kerberos works (high level) takes some time. It is typically one of those things where you will need to read documentation, try things out, re-read documentation and try some more.</p>
<p>Here are a number of resources which I found useful:</p>
<ul>
<li>
<p><a href="https://kerberos.org/software/tutorial.html">Tutorial (kerberos.org)</a> <br>
I suggest to start here. </p>
</li>
<li>
<p><a href="https://web.mit.edu/kerberos/krb5-latest/doc/">Official Documentation (web.mit.edu)</a> <br>
This is a collection of separate HTML pages. I found the single pdf file contained in the <a href="http://web.mit.edu/kerberos/dist/">releases</a> easier to navigate.</p>
</li>
<li>
<p><a href="https://wiki.archlinux.org/title/Kerberos">Kerberos on Arch Wiki</a> <br>
I run a Manjaro Linux Distribution, which is based on Arch Linux.</p>
</li>
<li>
<p><a href="http://techpubs.spinlocksolutions.com/dklar/kerberos.html">Kerberos Tutorial Debian/Ubuntu</a> <br>
Not all parts are applicable to Manjaro (and perhaps not anymore to Debian either?), but still very informative.</p>
</li>
<li>
<p><a href="https://linuskarlsson.se/blog/acquiring-kerberos-ticket-upon-local-login/">Generate Kerberos tickets at login</a> using PAM.</p>
</li>
<li>
<p>Linux man files on the various config files, programs and protocols.</p>
</li>
</ul>
<hr>
<h4>NFS Client</h4>
<ul>
<li>
<p><strong>Enable NFS client services</strong>: <br>
<code>$sudo systemctl enable nfs-client.target</code> <br>
The <a href="https://kb.synology.com/en-br/DSM/help/DSM/AdminCenter/file_winmacnfs_nfs?version=7">Synology documentation</a> mentions that <em>idmapd</em> needs to be enabled. However, I noticed that the Linux idmapd manual says that only NFSv4 <em>servers</em> need to have that daemon running. The client on newer Linux kernels now uses the <em>nfsidmap</em> program to do name mapping. No need to enable idmapd. However, you do need to set the NFSv4 domain identical to the Kerberos Realm in <code>/etc/idmapd.conf</code>. This config file is used by other programs as well according to the manual page.</p>
</li>
<li>
<p><strong>Configure<code>/etc/hosts</code></strong> <br>
The hostname of the client (and KDC) must be mapped to the LAN ip address, <em>not</em> the 127.* address.<br>
The hostname of the service/server (NAS) must be mapped to the LAN ip address (unless you have DNS running).</p>
</li>
<li>
<p><strong>Maintain Kerberos configuration in <code>/etc/krb5.conf</code></strong> </p>
<ul>
<li>Section <code>[libdefaults]</code>: set your <code>default_realm</code> to a name you want to use for your Kerberos realm. Convention is to use the DNS domain in capital letters, but if you do not use DNS in your local network you can of course pick something else.</li>
<li>Section <code>[realms]</code>: map the <code>admin_server</code> and <code>kdc</code>for your realm to the ip address/FQDN of your linux client.</li>
<li>Section <code>[domain_realm]</code>: map the domain to your realm. </li>
</ul>
</li>
<li>
<p><strong>Add an administrator user to the Kerberos Access Control List <code>/var/lib/krb5kdc/kadm5.acl</code></strong><br>
See documentation/resources mentioned above regarding the format of this file.</p>
</li>
<li>
<p><strong>Configure Kerberos database</strong> </p>
<ul>
<li>After initial creation of the database, use <code>$sudo kadmin_local</code> to add the administrator principal to the database. After having added this principal, you can from now on use <code>$kadmin</code> which interacts with the database <em>via the kadmind daemon</em>.</li>
<li>Add a standard principal that is your user on the Linux client.</li>
<li>Add a service principal for the NAS/NFSv4 server. </li>
<li>Add a service principal for the KDC (the Linux client).<br>
Restart krb5-kdc and krb5-kadmind services.<br>
<code>$sudo systemctl restart krb5-kdc</code>. c
<code>$sudo systemctl restart krb5-kadmind</code>. </li>
</ul>
</li>
<li>
<p><strong>Export the principal key for the server to the <code>/etc/krb5.keytab</code> file using <code>$kadmin</code>.</strong><br>
Every time you generate a new entry for a principal to the KDC database, a key-version-number (kvno) is incremented. </p>
</li>
<li>
<p><strong>Prepare a mount point for the NFSv4 share.</strong><br>
Add an entry in the <code>/etc/fstab</code> file (type nfs). It is not necessary to indicate any NFS version or other options, defaults will do.</p>
</li>
<li>
<p><strong>Configure PAM to automatically generate a Kerberos TGT ticket at login.</strong><br>
When you have a Kerberos KDC running with the relevant principals you can use <code>$kinit</code> to generate a TGT ticket. When you try to access the NFS fileshare, a service ticket is automatically generated which grants you this access. In order to have the first step done in the background as well, you need to configure the <a href="https://github.com/linux-pam/linux-pam">Pluggable Authentication Modules</a> (PAM). These modules take care of all authentication in Linux. There is a <a href="https://www.eyrie.org/~eagle/software/pam-krb5/">pam-krb5</a> module that you can install allowing you to enable Kerberos authentication with PAM. <a href="https://linuskarlsson.se/blog/acquiring-kerberos-ticket-upon-local-login/">This post</a> describes a way how to do that in a pragmatic way. It relies on having both a local login <em>and</em> a Kerberos login with identical passwords, but for me this is fine.</p>
</li>
</ul>
<hr>
<h4>NFS Server</h4>
<ul>
<li>
<p>Enable the NFSv4 service in the NAS.</p>
<p><img src="images/DSM_Files_Services_NFS.png" alt="Image: DSM Control Panel - File Sharing"/></p>
</li>
<li>
<p>Enter NFSv4 domain/realm under 'Advanced Settings'. No need to change anything regarding the size of the read/write packages. These are negotiated between server and client automatically.</p>
</li>
</ul>
<p><img src="images/DSM_Files_Services_NFS_Advanced_Settings.png" alt="Image: DSM Control Panel - File Sharing"/> </p>
<ul>
<li>Import the <code>/etc/krbd5.keytab</code>file from the linux client. In this setup, it should only contain the keys for the service principal we are interested in, the NAS.</li>
</ul>
<p><img src="images/DSM_Files_Services_NFS_Advanced_Settings_Kerberos_Keys.png" alt="Image: DSM Control Panel - File Sharing"/> </p>
<ul>
<li>Map the principal ID from Kerberos database to a local user on the NAS.</li>
</ul>
<p><img src="images/DSM_Files_Services_NFS_Advanced_Settings_ID-Mapping.png" alt="Image: DSM Control Panel - File Sharing" /></p>
<p><img src="images/DSM_Files_Services_NFS_Advanced_Settings_ID-Mapping2.png" alt="Image: DSM Control Panel - File Sharing" /></p>
<ul>
<li>Now the server's Kerberos principal identifier will show on the first screen of the 'Advanced Settings'.</li>
</ul>
<p><img src="images/DSM_Files_Services_NFS_Advanced_Settings_Principal.png" alt="Image: DSM Control Panel - File Sharing" /></p>
<ul>
<li>Create NFS permission rule for the file share you want to connect to with the Linux client.</li>
<li>Enter IP address of the Linux client.</li>
<li>Read/write privilege</li>
<li>Do not enable any static mapping here.</li>
<li>Security: choose one of the Kerberos authentication methods.<ul>
<li><em>Kerberos authentication</em>: krb5 - Authentication only. </li>
<li><em>Kerberos integrity</em>: krb5i - Authentication and Integrity Checking.</li>
<li><em>Kerberos privacy</em>: krb5p - Authentication, Integrity Checking and Traffic Encryption</li>
</ul>
</li>
</ul>
<p><img src="images/DSM_Shared_Folder_NFS_Permissions.png" alt="Image: DSM Control Panel - File Sharing" /></p>
<p>After all has been set up and services restarted, you can try to mount the NFSv4 file share on the NAS. You can check the status of the mount using <code>$findmnt -t nfs4</code><br>
It will show you the details on the NFSv4 file share.</p>
<p>You should now have an NFSv4 share mounted in Linux with authentican handled by Kerberos. </p>
</div>
<div class="article-tag-list">
<span class="label label-default">Tags</span>
<a href="https://jwarmenhoven.github.io/tag/kerberos.html"><i class="fa fa-tag"></i>Kerberos</a>
<a href="https://jwarmenhoven.github.io/tag/nfs4.html"><i class="fa fa-tag"></i>NFS4</a>
<a href="https://jwarmenhoven.github.io/tag/linux.html"><i class="fa fa-tag"></i>Linux</a>
<a href="https://jwarmenhoven.github.io/tag/manjaro.html"><i class="fa fa-tag"></i>Manjaro</a>
<a href="https://jwarmenhoven.github.io/tag/synology.html"><i class="fa fa-tag"></i>Synology</a>
<a href="https://jwarmenhoven.github.io/tag/nas.html"><i class="fa fa-tag"></i>NAS</a>
</div> <hr />
<div class="well well-sm"> <!-- Social media sharing buttons -->
<!-- Twitter -->
<a href="https://twitter.com/share" class="twitter-share-button"
data-via="penguinsula" >Tweet</a>
<!-- Google+ -->
<div class="g-plus" data-action="share" data-annotation="bubble"></div>
<div class="g-plusone" data-size="medium"></div>
<!-- Facebook -->
<div class="fb-like"
data-href="https://jwarmenhoven.github.io/Setting-up-NFS4-Kerberos-Linux-Synology-NAS.html"
data-layout="button_count"
data-action="like" data-show-faces="true"
data-share="true">
</div>
</div> <!-- /Social media sharing buttons -->
<div class="comments">
<h2>Comments</h2>
<div id="disqus_thread"></div>
<script type="text/javascript">
(function() {
var dsq = document.createElement('script');
dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//penguinsula.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] ||
document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
</div>
</article>
</div><!-- /content -->
<div class="col-md-3 sidebar-nav" id="sidebar">
<div class="row">
<div class="col-xs-6 col-md-12">
<h4><i class="fa fa-comment fa-fw fa-lg"></i> Social</h4>
<ul class="list-unstyled social-links">
<li><a href="https://fosstodon.org/@Penguinsula" target="_blank">
<i class="fa fa-pencil-square fa-fw fa-lg" title="Mastodon"></i>
Mastodon
</a></li>
<li><a href="https://twitter.com/penguinsula" target="_blank">
<i class="fa fa-twitter-square fa-fw fa-lg" title="Twitter"></i>
Twitter
</a></li>
<li><a href="https://github.com/jwarmenhoven" target="_blank">
<i class="fa fa-github-square fa-fw fa-lg" title="GitHub"></i>
GitHub
</a></li>
<li><a href="https://www.linkedin.com/in/jordi-warmenhoven-9650805/" target="_blank">
<i class="fa fa-linkedin-square fa-fw fa-lg" title="LinkedIn"></i>
LinkedIn
</a></li>
</ul>
</div>
<div class="col-xs-6 col-md-12">
<h4><i class="fa fa-folder fa-fw fa-lg"></i> Categories</h4>
<ul class="list-unstyled category-links">
<li><a href="https://jwarmenhoven.github.io/category/blog.html" >
<i class="fa fa-folder-open fa-fw fa-lg"></i> Blog</a></li>
</ul>
</div>
</div> <!-- /row -->
<h4><i class="fa fa-tags fa-fw fa-lg"></i> Tags</h4>
<p class="tag-cloud">
<a href="https://jwarmenhoven.github.io/tag/kerberos.html">
<i class="fa fa-tag fa-fw fa-lg"></i>Kerberos
</a>
<a href="https://jwarmenhoven.github.io/tag/nfs4.html">
<i class="fa fa-tag fa-fw fa-lg"></i>NFS4
</a>
<a href="https://jwarmenhoven.github.io/tag/linux.html">
<i class="fa fa-tag fa-fw fa-lg"></i>Linux
</a>
<a href="https://jwarmenhoven.github.io/tag/manjaro.html">
<i class="fa fa-tag fa-fw fa-lg"></i>Manjaro
</a>
<a href="https://jwarmenhoven.github.io/tag/synology.html">
<i class="fa fa-tag fa-fw fa-lg"></i>Synology
</a>
<a href="https://jwarmenhoven.github.io/tag/nas.html">
<i class="fa fa-tag fa-fw fa-lg"></i>NAS
</a>
<a href="https://jwarmenhoven.github.io/tag/deep-learning.html">
<i class="fa fa-tag fa-fw fa-lg"></i>Deep Learning
</a>
<a href="https://jwarmenhoven.github.io/tag/gpu.html">
<i class="fa fa-tag fa-fw fa-lg"></i>GPU
</a>
<a href="https://jwarmenhoven.github.io/tag/python.html">
<i class="fa fa-tag fa-fw fa-lg"></i>Python
</a>
</p>
<hr />
</div><!--/sidebar -->
</div><!--/row-->
</div><!--/.container /#main-container -->
<footer id="site-footer">
<address id="site-colophon">
<p class="text-center text-muted">
Site built using <a href="http://getpelican.com/" target="_blank">Pelican</a>
• Theme based on
<a href="http://www.voidynullness.net/page/voidy-bootstrap-pelican-theme/"
target="_blank">VoidyBootstrap</a> by
<a href="http://www.robertiwancz.com/"
target="_blank">RKI</a>
</p>
</address><!-- /colophon -->
</footer>
<!-- DISQUS script for displaying comment count -->
<script type="text/javascript">
var disqus_shortname = 'penguinsula';
(function () {
var s = document.createElement('script'); s.async = true;
s.type = 'text/javascript';
s.src = '//' + disqus_shortname + '.disqus.com/count.js';
(document.getElementsByTagName('HEAD')[0] || document.getElementsByTagName('BODY')[0]).appendChild(s);
}());
</script>
<!-- javascript -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js" integrity="sha384-nvAa0+6Qg9clwYCGGPpDQLVpLNn0fRaROjHqs13t4Ggj3Ez50XnGQqc/r8MhnRDZ" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"
integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa"
crossorigin="anonymous"></script>
<!-- Facebook -->
<div id="fb-root"></div>
<script>(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
<!-- Twitter -->
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
<!-- Google+ -->
<!-- Synchronous
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
-->
<!-- Asynchronous -->
<script type="text/javascript">
(function() {
var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = 'https://apis.google.com/js/platform.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
})();
</script> </body>
</html>