sssd-kcm-1.16.5-10.el7_9.12>t  DH`pb$ƨDݒp "MzfkܾqfPvX3|&BJě4eY*BX$w5Ll@Gv,cz*@f%V 3}@vaFS|S )@ͻF.zއok3yC)Ռ3gۯE]/5G-wz*1Ư"ђW y6A0 ]h;Nmب rΟZj R<ΏGUZ|b[rT #U{FS_ M`Wpx!`Z˒|d*2۬58俁,J, ن~}JWbʘ=BAA(Ct.rf[ZbY(!9 +Uj}BA6WOQ1,HkUI۲RWZ' B_f\W PB!;6q|ج+,mOm.O{Z Ri_5׌ir-LAj7 yhF Tи£-^x>+X?+Hd   I .KQX4 B P l  ;^AA A(x8F9F:F>%?%@%G%H&I&X&(Y&0\&X]&t^&b'Pd(e(f(l(t(8u(Tv(pw*(x*Dy*`9+DCsssd-kcm1.16.510.el7_9.12An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.bk&x86-01.bsys.centos.orgCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fi` 큤A큤bkbkbkbjbjbkbk04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba10f00fc09393ada6965b3296403373d31406675ba2e1755318a5730fbfbf586fcc9cdcceaec4a63bdaa9a03d68956dd7ced9e555e9c62580144cb9bfb434f31ad160368d9c16516f2f09e7d272ea0153436d868c63ae41c309e67bc522bbf1ea2791b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.5-10.el7_9.12.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.5-10.el7_9.125.2-14.11.3a@a(@aa`@_ _G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.12Alexey Tikhonov 1.16.5-10.11Alexey Tikhonov 1.16.5-10.10Alexey Tikhonov 1.16.5-10.9Alexey Tikhonov 1.16.5-10.8Alexey Tikhonov 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#2006382 - IPA Intermittence fetching groups - Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name - Resolves: rhbz#2031729 - IPA clients fail to resolve override group names. - Resolves: rhbz#2032867 - AD Domain in the AD Forest Missing after sssd latest update- Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. - Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#1984591 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains)- Resolves: rhbz#1973796 - SSSD is NOT able to contact the Global Catalog when local site is down- Resolves: rhbz#1988463 - Missing search index for `originalADgidNumber` [rhel-7.9.z] - Resolves: rhbz#1968330 - id lookup is failing intermittently - Resolves: rhbz#1964415 - Memory leak in the simple access provider - Resolves: rhbz#1985457 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-7.9.z]- Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z] - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. [rhel-7.9.z] - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z) - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z] - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.5-10.el7_9.121.16.5-10.el7_9.12sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=d13f1f52d724ce047a8a26ab7723456a5f923232, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory9R6R2R:RR#RRRR RRRRRR4R%R8RRR R RR9R0R'R"RRR(R5RRRRR&R R+R.R-R,R*R)RRR!R RR$R R/R7R3RR1RRR>? 7zXZ !#,M] b2u Q{LT^$m!>@u0o7y3(wjj-EQ]&xQC-#h2'!~,gL_V&qtSq͊A C< safؖ""2Cܑ݅ŶU<܇Sܲc߿=Bi 1"b/ܒ6<$ٿ2^&D~K$d/ s'x/K2B,:siQ,*ni_ڃr &rQ8&da<3e:~@(Á8*)_5J; %6,~hklvBފ4"BBiD;IT;ڟ嫙lnWU[OnծSuNW #{c֓V=ԋ_}&R'ԍC/0Xț8H#I:smF1Sk(BҖ 2O_'Ƣ||+U cwz`w$xqۉ,IYS&R^Sc{F^ ,[vi!1v|m b<׏ ֢ji  eMyP'.BJh|]S'q rЇ{[⠜zpF04ٶلkhL>KfmdU_AũCa0иcQ{1~qwI23t;F1y!>$ x-@!}~tyڞ50tA/ߤ\MS>Em9.JX i:4+dxFxi ХysS$|˷vەdh$ɚh<MJ#'` C:^ϋ1P]1??yOC NR&9 NC>|@6rOa(fQ=hX4=ߞµN`\1 $;FO".l CخFwh8v }.Fο@^)7Cx&tf~"%(h=EOlt Ԥ)p6C@@xv|ΧٶZ ]4ji n/I*Ҵ44D0UT!z+ !oeEہ8vl[HwG k̃B2o6>(s3V7?DS9>+iEY)sCkT1(xS hE۷+K_ pZ3, mM*\ἝcƝg GJLa/UQbW  Ō Ď@Hiݕy|E־>vq ,hԁ4Ing+W&[mf֬~pіVY?o`7O;75Y˖FGjv^]m3됅7%쮪G8\<4%!4eū$8T&;e4!ys%pHUF:|qJ2\?^;o&5?6AZ3Y;v&Jl$uZXnm>HK[ QQPzv}<u`*+7ck7SIJ|5nN UFT=T_"fZ[S|Dx*'dP߼N t3(M QQʣŨ_ ->d(}Wf' 2_S>0g6n!DzeG5@Wn-a$bɃR^Qo9AHLØvӾѨu{ p.|B-\(t3CLuх^4§$x " x'_+5/wlV#iwŢk#"]3@tj8Yģ~lG,GA64t]GZ_)jt[E֭iLzjcFV[Q{ǟz0`_dn>BUfLEecjG9)Ij괴j'ŠwPMP1%q}51* wTX36V5?!9yUs{]%P/)Fc; `l2S%{|5L1oq8M{6ヌOC 6d'@tl8HTㇸhx սyw0ZگCI*i ,MO-99ө sHi &6{B DITz:<Ҡ 2C6g:5:S\f6Gad[ޤ 2_ o] Q*F5H 'wO0HfvOY׈&bK'WtϔdH1xQ˘s^PnK$Oc} Whe#o\^xËztDzvu0c C4ZʇQ0AE)NWŜ riBZ~##KhG}3-"Ynum_gUTJӾ2[No/YrТ2~k:AT{\Ji(;?) SBrơˑշ:EGY5PS'2<&XnC$`J1Y(G^Gy'3nؾ/{ӱ Q2q*By2=WFm ޶ b8a.}2қ%wZk6&qI*?Xlܶł!NJwh}0 htͬ["8'/rzPVͫ(*(t3&5kҩ?>P|*˵Y+,~:"ů?Xq3d'tVȍ+ H4;p, ;lKRRiz +_z2\Ltܟ"cu@.q@a /MݶxY٬V jlsvUaA6[kSk2X0(]O?c%|Uh]$uStD Cp%wH&#_tJa "7͍o)WCH:%j%~\qw%2*>=CGN)rVMQ) S 3sOxo;*Wpr97f|sPS1zyKMlMxU6K!f=5t5B~Tv4;楗3;,4y5:]輂vK Kbr.B u PhrMh,GqmOy6Q\VԊPg)8,9o,Om?uBuG%{"c4ߒ"p8 ;/oFg!pYCZaL1^㧕ӃFHoGl3ez`Lb dl`mh*5Qx;Qcb [quu`F鹆vu6qꆸ A+a"ciT Kmlf<; !%U:gI31Q$Q{عtSքle85XZߞ򠉰136QCw4olQgzR[pg/QprZ/51`DL!aq)ۖ5&]R%*B C>V2ʯd>ty ,\w*%IX6jv{.D5jIGuN s$ـ( 748CCn(_{uعkUMk ݻ0%w-/Tv$Ag !d5( 1t-=(0ϡaoqǡ7J~x^wc#"}Nak&PDtMD;a0^iWL xUF|i9 l7#(ɨy/raD^/L͟NNIr{K^`dmz똠OhE\3ZHӦ{(^V#Kc4 <1kG9ӭg"Ɏ$K^ݴdkb]#^zrON,.={YR{AqՒ\vu?I''k- 8CloS> I q{Lo\:&9w,ҐCyŋ"/ȠLd@ju>_'~ ϼg'f4ZǬOϱ\D%i ,^)Yfyٍ0Ʒ0'Ϣ:m@5X宾03{gv8tnV@9@?;2mn(tMHTUZ8d':CO83ʟm=*e-z֝ٱG9@t/.W.;Fٰ9/Pu `qo GۄnrUPEzLP^J;2r~RDll d_v(/,yr~R) 8]>bV&E{}xnܬ_ =? 27dFjtL/.rRz83n%,syY#'.7eJE;]Aw+ ӢUs*,Kߎzwǯ&n6ʘ5G\6x\7q<88?ǖ#_)OGsDqi{%dPΧ`ҠcEO~\!;LT^TOT<5m-Sr:u#$!CKKjꂺl0Y"&JhLLWSs S}ԓ#֦+iͭW j>b'nzgS_8Q78޽_ qZ &x|oovPn+ ˋzy9MpJ#_DF7O-AI \y\cNK ?o><ǽ䝳lv.jT 8|N-mP+vE3bnz8s̔ĚeQ_9_32b9۞= A ۘ 0^5'#Q|b{26ViIvGO\}K27. &HXq \ATzqELS g(IOba$ @֟ V~<FlEX"ľ,=qY=HƒyLv^Ю)!Ү iil;-fvggk rz_T nKqQ0츻rᥭͦcI˰gѥJ/Xg /S|:WwM^GX]~M2wfB)}OY"C=HZģlҺ4dIadٙe,Q`uo|; BdRwwb퐯l\bǡf&Gd 5|`uj 1 d2?nat >z?@ҡX.Ezᓪtj@ txm!’BqRғ`o+ q\lR [^ w`)lqZ[7O Ͳy;o۬i_ECJ10X~As5 A|hK}řϊ oԎ:H+ wafy/*k|>N-Z҈]隁6<Vjrk&( Ifd,I1S-{m7FwpXkJζgk̫xB7ٕ+mZuVf˩mE6(azUIvT &FR4t/UQWC$gnwO:!ä $&H/0}rsa94SQ[\dOk3K;s88b"A % a:lWRFR'7,;ES*+vƦ9Ocon"^`~ykB`۱4bǛ&s3b+`Gj]K7&m= K`:eu5LfYyG!*Bźp>Ս8RrwoU_s<baKwDŽ7SGU|p.2(]`Pu5T Yt=0> P|`?/|x(ݘ67#0Y(~6gD?'[ ׀a#Ɠbi-a dZ[Ü-De a擄HiBᦛ%7 7&Hd Bkt͵~fa{8E 2fȳ$,FBۡm\X?oeЄRS iAYa/pzQۥ61Bʾ!u뚙n߀:~HG@mn^H ~Q'!W&@ʣWz%paFZ| R)h$j(y1`Y2,PZGQECu Gl@nY@mBr\v`ۍBCx[1!Zܗ'wM.ޡAD44OIH@;ǃM }}Ժ\8ZFrA^Jž>CYBx-736'`jcoN)R2_ѲB hJ(TWܔQhCCyX'`cK\HϠXqumc-Qaf󌩒!0%4Wb e\vvN;ܕ Q HIȒ w4AʏP!7J8?C"/cZ 1na=8; ]"(+.]!p 1cEI3Zzfsj=ox:_Fhy%[7G2Q"^An]YEd„]zc3GYN6S\;u[ުQ- -Kl:%"UBFڟK:Mm OX_$jf*H[k;|;.gLX{̌ӹ9J1u WY@S>Y@{"kޒ{U\Xy"2g^¿D38=X*R18v2:v2>;/]@b-05Ә,m2*8xぺegmS }66`/ɘߣDO) Pҧ/(Ma%~>O=@.D40 R|y񍓉kI|?^<.B;y>JhPN`= Hq;Y$L6Nw!Q5?`f$pl[+O-M9 ;gͬ0ddOyXߚy|3s {{ϐg>UWJ` <鹪 s<'Cj)~D$Ng*{2mgCU]ZA{q)rj@"}5. ʯipNXd_ ˀc딳zEO)8C{ӽC$ eYv(yP(^LG"Wׂw;QGpt/1$!42pA(k3|\}sA{_dR1tgU4u b䵃Dvo wK٤=AP??}axE+ֈ|/J Raꒆ  E>zOK,? +tGw2djnwuK8 ;dr,[<`y5AUX> $(4_~cuC[(DmcKM%߾x}lFH%%5B\v5Ѵe+=BԼB5ɽC\w _i jŅP 3q*ۦϳ+[ZSVLWH\] r3:͏F ~7GҐ|` sѨWvf ,^s]*ϻ5V4^Х/L܅ӰY5F)wASAdvX;ygG?E]ObJjl<aF),eah0S|֧iؐ݅ZmpV~$ Mc $I_or̬;.>7Eux+(\c{D48:6!$ znFl~^ګQy̪1RLณ%8 E+ZJ33뵏͌?A; 6򆞚V|W_`+#1m:% |fJ=T0_S®]Y]噄E#*3EAC`m5r }J)6N:q C.]t=9rKLn@멤q!p {lˉC1 l[XPs3Vڝz?0w3q@WU N` d}Bx2< ׿ [VMa_BE<{ f?]|K[vbNuw:# Q4ɑ˵mi!WX*W(tO](bg ; ^Nř@' >9"֒&bo ڷ<@^96!lCO"w_E{㚕?jɋHM BB)ֵSwl03g]L,K,Ah+ dz bwb~i݃V˺Q+ă@cDӃgy#X_)K5 w@[(-~/IZ%b~99 u+e[l҃Ц`i|?zg!-uBHQ*}idOy#W|t#|U#< ,#[SmiĸzySf1C{ҲSK>Ъf9\2Ec)#cU):!Vj/c֤{Jq,AM%ōH x%x i5Aa:$"o=8$(@zڻ|_)>@proRhc9Snʛ|L9%a WP]7Mw: ,@;))w nA];l~a0WK{DUaC ^}A!IFݏi, 0.^[rM8܇R.`tP$y,QSЖkV:Oǝ5o yۅpfZ[hf!kU{z,Ԓ'~fm`M>IJI.+O] q /DO[ >h >I5:$Ky'z@+ɦ,l5Hg3#a2ZJ\72Hi !>qK旬 lIOL+)_.1nn*7,9}3Ll?=z{6wұ0%-KZ:OhZ;%ζޅ|u 6EF'sosjw f ک&]T@tba_{IynŒf?xDL|f9ϔ?G|olIx$;Q9&L:_}FjTp/WymCQ} q)ϞNڂ5giO ;@`$p>﬍!Ab`'4&j>Vbn:v}iYe[Bhf` 0l8rɿBrs #OQdH´:W괤 .C= j4! l9.S:=VR 'L Ё5w KȅtoIf.]D?>e>G3Lu}3d'?D-ˆ*CF|V#1bp5ufBTMAqgӛFz@8n4y !"Vn/ksQoQ~} d]1USD-DSv}ʶ*sfFsHK.PHӨ~nRw GgEz_+SL~ֱF*-xV4ՍOnTZ]E>+2aW4˺ܮ&9Y%m>ɢQڥ!0젩m5a釶z@jYs0&4h`7)@ i[d@Zqδ|i We/]E Qr%C2,iI/aR) V}daP_; G0}\)7`J21?ʰf*N4u )'(Z7o-KDY4[żie)Y4tl)x͚V L}81 mMO ZmxġcD8NGpǤ;zƚO.coҼbn4u+Ϧ'.Q͊9u瑩3 %⇆Ukt>u$u %awd:6pF9 E`Xޣdʯ2;Q# }HGl@޺K<H^we GUɀfȖ&'a`t&Y;1%w4ۉ <W.ÐE],Qa<}x$%?g?2zfҼ=4SN^Q]ICgp[V,^whJ!q%ǟ\Cx^ci"w֦#[Kж_([B<`(AG=b]ke7u)A D\J7p&o-c2<7/)br SkvHqn& 3!\x%aKno:e^A9#t]^۞uw+\(h No>um _7i(sx~ZzR̲M췺XŹ(&*4BϬ;1!S嗯rbw`Z[IԻY&υ3*s/>H;ݚI' Rƾ-AqKe=q40XNa^럑kލ:&S N`gp{;(W%p7eh<$h9su  C\GB[HPGg4[띱 |I#%VRFN\/ٙ*8뽳Ls#*j%&_3-Y7ouA)Ke:&b~O7dkKS[}UY2B8G>V@˄aܸvn 68ZV4GȫRx!{Шr_G:Ւ,'[ q|ZD*qEFz}x {Z/w܍0?$@I‰BVglpY7ck7__@Rx -(7>MOG70^m) uX2 O^5`KTmݬ4G%vx5z@]pCYvl $ ~m{zHAڕMۿsV?/h'{m> VœSB:ڧDE)S&88(vx`^ECh†[A;o3 K8Jz>,婰4Һi`Masc&.T@H 7S0>ds͚Rnҽ΂Fڄ$3%Ku<^Oc+alj/yCKKQ5~9T1>ϚbC-p̪>!E}:]i]A SIUg; rݚň2۵*}E_!(CHP@6A,9՗MKǜPvY[Nk|[Y!{]/Sƞn)-0iE'Clw"\Wa'fLl sC~5n=T|pYTAܽA"9JڥaykM= ݣbJ+O1[?baʾ8`W3[|}&;ufޠl}>QZMIY05mu^.I7LX"ѹn|kBUd=e$I[^f*DCo[݉XQ9rwt|*OsTDe4yQϬ|jeuqKWjYCeK6B\{\B(DW58i,֔6Q:Znh$`0rrߪSsJBB9AFe]tP%c^0&7;j.?0;b,J%RJǵnG.*8ݰ]3f{bGy:&hf9:~6J +jPs=BE( Chq$vuT5ސ=g)y.2S)Ag5IFu?T,*M|eZ&*:Vkٓ\cz!AHNHR=/) 0@~IpGx-T`o<]/X23] ٷEޔ~㣇#V(=+7(boZ03]/F a;RffdT 2 aȥuTL6y~7=;*di?Xlf;Eu8QW ׿Sq.1 &5] i#O'|!@jj{v|롓֎4JEڣ7ȮrybmkS˸,xd~j=EwpBg2~|' ( tx˕NMRU!+ 8c\1l>NLx9lLk47ld!cU^Ӈ UL-lȖDE̳ 4a .aπ'OvMd:U RhOhhy_+P K< ARPuٸ5R@Y]x![Ot<2呿}CQ͏_qC踑W>ӄs*W4TM}+T1ݴkBiiadSq7}##]7#bdzx;8=Uj>*E&]#[y~Zkݝpw:j qΫ|zƓh^̈́}8ɮf&h$j|Ras+zn)]2Yh[r&cyn|DU7Ovɐ_v!<9n`O1J°b&Ixo~ Y*/*ե*Rx@3nh'!q|wRds #և⋧}q !Ч&&Zu5&hdo&ѭ29k_= gAt4r^:WgX\E=W,)]2ו32^|,#3tm2qz@S(ʧW6E`}'crqVC9W|;~}73- I`oE*|lu5ߎ ^ ݬOfvVL烦ŨB''F;|Bs$__{I$΍f^3CEn=M MH5Tؑ0AzI$ZC rL/%}v~!x 啱j=tGmmIC!  n S0HQ%1u s'qNsMÉa[AgaP6fȖO_E&{!5T5sl5<.$1C Kvtun-? aSȖ%.k4X|֎ǐA.U֒{$$ !7iC}8n(Ea*vs+IFmwmj۳z G˱C#IR.a{ }4*gQat?C%J5 $!V4LӅ21nrk  CH5"R5{O [#j! p(kBjp[ <fhO'%zc9sOaY #VH)/W_B'CLȫBj'Z5.@GjHj_,?OާQD*3}̴^f!{'8lY? 1IVz$E@p]Rqd{T7P׏_z)[:i#xpe0sNu6V5|^j͡5GdA|NVj)-h%TzSmHadIۛgNUN&MG2ލ߾CŒƥ=@Y7ѾA}_r +Ej,dl&r⯲4֬"(W.\o6Ůeo űevcVI`Wc}\K|m1+dnԱw. \ JZ= O`9 i@)t>$4q\6 e*D]Bb;۟*BZ;,1 2ĽLubtwQCܜ0jɑZ>γ;c?*K,cc378]@K`v4Z)&#bU& fGzͤYj[Cx7n|dQYqؔz])ͽl44,h!FPwF_e|KTLe~YehL*H_̿ N@ܗamxhhgR i tV f_4\hww/¨2[[>DӅal{š'[iR aN>P1?tO%@a Vra>(#XN B$&/o9R V]w|D.OVaFb:^b3h Ps17hLz(I7 nm7Na{ޤ)AѪmpx@wJ1x9 u#s!B9\QP/G N5,JM[?ԥcД@ax7EL.b*%6(Y)%/=אdVHK HB TR=RWƫ!b]7JxT)r!oZW' Z?;$O<V3s\<_Z}dMJrAAȭt٨4bO)p$`(:3@͓PrB:戎Aͺ3&gb `^ev-Wo9$$ SMEwwP-&S= ゾYwؑNumEU`!Rh|22@IX>r@cCCI/0@J l%ըpyPD/DFnt!Å~ (Jr8,Gppoy@:W,NoP}%7 0}wYK~ݗG2M(=XdpjXE`1u2ED@4#l@|,oir #]ΐ{HbYP1X9l ET7J2p!ix$O駁6:7M /V ~`\]ōäx0u8҄L^j|"| w'X r6ŬАr5S۝ qj $Nts@i^8k8PE4- 5 xs&oՅ̞݈cG \*g}L2v;g*zug:1"ҡR*W/և]:J찢rzꡁˠ`nDz;M>,)vRtAs. vh/so|Y0 V1| h&UU~{n 'gYɸ*p|[F*0P^,aO~*vX@+102tVKLNn \W'mtQ|OsMP7ǙTɎ8w41!_ev 2AtS.Mg\UxCIyn\=.P)uzILj#Tf3 Eϲ6M[AODCۭƛ%Ћ@R=D! TǣD1jDԖxIaCđ)\O9?I6bySȄM1 ) 2j lZ`R00м)9#;R'|wEYiMYf]`B} .L%y +dzM$,虘[ 4Y [Gw_R.z 5rJ=ENKv,0^9[-qԌpmcbmX8O>@>'xߗ+αa7%2Ԇhu;/Jc>Pv?iF=e0aBY3:ط&-@Ji:~M?&semiUjXnFmr 8\:nh`+?ޙFrQ$*Y5 ڬ @eyzo{>.N 5qرZ$JZz0r3Owp#ES"; Cf{ U15juQd:J) n[߿.י6BOjAPnɴ`.~wy! &uwr Q臱2$3| M45ٕОu$}fǚO2J{@Շ5ey݁r_#OTH^kP&W/"tڢs*CSѤ[10(/~ߙ{¾PLSE¢20\"{RkXfKɦ$S?ʛΣ|hĚOW.s!fFMomeWRai; //]e~Xc}k8LRS  oEXP{$m0Ln L5R5I$#&#a{X9a$F`5(uB?'zg 6<>(;,G>AboBWq?a(@bkfW47^9Qz " IN\ay e i$kLG>gZ 1d],OC y+5yƸ/{ ݏ ذcOi.^~k}CP v6 bڼq~_7BWYmV>Vr{k!&bsOOP`Bk{\ųQ]ePj#()S9K [j4V!h8">&]+e:!}/T.9}jREc1Z=h(8ez{Qv1+^CJ/,Jީ;<^Zݤ0\c◔V=PۧB>y^Kgh^s nՇ{8&2koDaĂB-X'~shdSk}d OD#,A0sZ봀E>-%08Z%/gcˇsnJI, Uw7i|IzM_ʂ~3ݳJ l-$x3 B'ߖD}WVpgެ|:nirZBkݾ:ܲ 79V'T8M]u@TViRr6G]|sFsux9\b;-•){f,5T,Ls=lYV=cX))-4!U㗩9ˎ'2gqFB懐BmXaEn^#e"fy]wm :כ+R%zz-Y؂sGB҇ .7 W4ےܟX$BZn&;EDГQ:&™3 =ʧPqO8nV/j#YjπSJ`->+QD dg2;5䔧 V {łQ˭12 y[,3r^tpGt~L WeJne<~O{POVjXlNWǽ}JQ\~ci#Lt @)6t_(yJz@t߁99l1E7pˁZjB)v9r-Ft,K0j^f,)wƧ$7VWZߤFEd.0@݇NF`l=QP-i=qÈu Sf\^-6,ݼȿ#]܅"x4C$?>MA[^39ʟJZ)l5,]çw#`F5ru5Lpvٲ/BG*zքqp`,^A&97l=v-۝aT̉YǓ}8#yVEϳ-ɣ " F]ӡO'-(NVu~ބN5nXf zfކ"A״*X˩4*9M8)g @x}b<`=@2䊂"Tb gjLU U|}O„mWތ*z>eU=[,2]^YNX%Bę\.&x%oЈcXŚi{#.=ܩ8%B}1*h_ D2Qϔp,f^/jOuRGk]a ^C^Pfs(, +$=PpPUȄhsRll.z VO*^l*bg1Zتvl 8C].VedULdRjH%t\0wA&ď3hXse0. tYpđg_퉼 >#C0aeyPX \) [1GW^靛:;2cI2bIfFN7*3ѳ2dSr{-RcP}8@Sa'6? < xD`먻7@&E?iYi;dG`>' _[N|HX+yyR>v dͭ0>Wty:z*W4:uX׼o>Ŏ)9m2*.:|ݦ 4~e:+P̭do̦PhqqӶ>qkw=CVٱq t^qKVVb6"T3/IZ%O]{|us "`0mUTcr,;^ږ<)JcS]L ږӮn[oo^1)KPOO]3{]ƺ0W/D.D+ 8bs{?׎lXA`Zx!;0-7E_ͤ鴀iUmUKˊֆج2&T~;0D+T ji?èQf]n׾b,u_E%%ze? S7?o'KEſ^?{UNd[6<iz ɘE,0c%&=9`uq6>S:"'ϤVP$R/HAG ҍ}e7LfpʈE8eUV9z*LYͻ$AE[pN!z!wi}xkN`G{~\q14wdp%6kQ&3'* k UjEaG0A,O0 έH?^VwUO$l\S,Xd&kCʅi^}*Nsv#qFˉ08k3Yʜ%:e`ѿЛd73)UDh.[ै3\p?I$.[y?KߚM:dr{h䯐arDue2sM} BK<Z_,!5dz)I;D #Ncż7BeZڨIR"/sh5Q!Ѣc^d[G)^Cjɥ& F'axL~s*y!#r|.LI8nafC H!Ny}|Ƥ8OXfp@n& 6E"U@&Y fH.r4ф DU`G#,S(:z37 ֆۮJ!ԋ6kx# 6L3av]ZAĨ'c@kڵTVA>GKĔ(0ff:<0氫6);%*^,ܞ3Zޭ>䝦Rqݥ'LV\RTffONG |Xw-|@-9iu l͢*Etu%_3] Xqp7&NQN@7Cs H%7?8v"`X0u1o#z픋:g3^s%[Agb pn>E0Lܫmf'Ӆ2M@VU,Z&s!Q9Z+ZU]|k8[P\yuh{i&'7GEHgW촒 ؋H"r^Wqy=Q&4ܡ,aIz%.Οiy𥲞Z=njTƥe"!-lcwH=NaQ ́Szm̧h!elQ<HHb++2|hWE]nD9v8Pأ<7 r+J!lI,~C7MųIf/3|}e'߶oƲSk Jަ ,!NVc] nBb CL@c4a5 mx;|8P)\tQIbHCW vuh۹_)35^<2pBS j\ P)u3Q˷p3]KOAmbb!Báb.)½P GtiKc; ܹ i7$ՕH`+}ԩChY2;liގ(́pn ks;L<{N R 7ܕ h*[w2?o*C!vy]Al3&9}q\d_M})< v\U;{ j-3Aۑ OjxSդ>ä>i޽{MwIEʕKJ[f#G>c;lˍMɷY\k'p#rU YNi,^ K?>pĜs/<Yᔄ$Ͻ.ħ:,ViC޹r 3}HhWLHQ+ R,vɩ0CȧBGXB+tRw *HJX1@'~lv|+Q exVlX1{ǖ0S:}"THr̀g}NzmJ[dt]-RĐt1)K0~]?c_y%bU nt*ܤiҏPVrɬ4n&)AQP;K UhV~#<娈w IH9D(aUnw~xbP|9W]3b7Ӧ~m܎Wbw6O?ifx`W>1ߣ 'öMtf%#_%vAMx!+e6(kofP軨ƟW$V&>s|j[)--C'7IҔ殼c(` GHnNpJxG޵(mxVqQZK;oСFW@SQQ'ADgSr(w9BQM8 //IC8t?^Uh^)¢D3%|2t#CAن姒J6D?z,ill JZ{ Z]y`Z8qmý`͗R=XW.:mS]!Q ٽQy3YLPqB:m?-X|4RG}O-*?Sf Fg;ޚJ jދj{ E)N) x98аSdƝ^e\72)H&^y,7kQ2nA^u./-9l+el#;Fv)c]CKҒ w"v3`.ieud3i 7p`P70q#)wEU=>Y `%sFj-XrXLRfp?y&jxF@t Yl) p12ˏ~Dup:d6}!P0ַ‚I nGI+*{kscW`ﰷ;\.߿;O0{3{hx˗͑ VAQyJAQ(oJ"V3-.\an %|L4$B'􎓰e_k) 'HaEyƉ7[­OBss rsF6B Mj:3q7 Hm\y{0߈S@b J&Tn O&\(;&sV\@[j5 8YB5CRGܤBa\xEK[[Ѓox.p\i H\6sqF;qDд<; 7^)U 묽5_hC }i1|pv|@eO(.k긙g-w+c06LEs Kw|K$~?񸊷 L NM;#G*tl_'Q\~go *{5(cOI q{nClԀߢ%j_vB62T8-5xdv4y&6- 5j.V:ϥU #Glj*Aw4 _LGz 0}n8׺-QҵEbRd]/Ixlz z:帳rʇ$ѷtŭ U.V)2Dx?$+ ˿b)NEl A4r٧B_x?[q*0*q+'7'Q@'n[O\[_Hr>KT!y.B-66dSkD$$V3%S8l:r\Ei?Uˮf{(,_bmljnZGP㈷81B *dBv;i862D/`"-qt3,~O2Suz.:+~'rNJ3;6sҏ)#63P҈ kiY'is sLAa(G8gK]FK3u skThN0`q .1\ lS&n)%>p bر;z`A 18޳.گeІڰ/yQG4+X"k?Gq!'~((pWPcAƙ>GS9²5&HxD&C〠R'җ6c&C5|M0惩gl-PI#N1]CZLבuJ -z 1,aaSJ[+o/72qb}shNӲ46bwI&i;lL^( @$zg&NR ymAcm9ˍWM:weВxebR s d4`)׼fGʁQ_ ^q:8jKFzy%,:W29[Fp߮4<dw2ʅ̽W;\vX4v8ݖYNO 1J딥_Gf*ObQVr%|hbeAe6nQ W]qDNn)lz;ޜ)pJ~FG5LITV-)E/1hN*Mn%4i\.?{D Z]=htZ ݍOs1o˰f5<N"+&Yk{Hzayz?"N]`ߑ;X i)@yOsJ MLSc)#M@OHˆVL נ 1N,iʼp{4.˗ 6#YQSqFT@I_[RcM9%(Mc62;_!r- 64jޝQIZ-w]peCSMѿl@ZYDi@œ#67C ҁ]#^B-62J'8x*< [JFB=sd?ΤضX73T5iũ!~b$oLa$ްL{c^^PxL{Az7L0Z1w ,m/ Y@Rd #פ)V :9>>s*S](τ앃ٰsWQO;ahϥΗ_p>܍QQ" aj9bؖLWJpV-&ͳ/FNO˥2ك%& lz&O?AhQ5\0[r6],#ѽ@⋴W-0C{bҧ~ϰ`* QPmPVDɵ.c$l~w_Ȝ *`(ydwQo R9Y\'w$jSջ9Uf?/P%aߘ8NFUhXn40o]K#_!b$0$p=fa|}y?ӝC˨V v8XB3}# q<!cՖ\ ؔ& ӷ3@_Ϙ*B\ uNkr21iL\63=A3Jtw(n?r(7uAB/GdN.#s›9 xw!BK G\G'K a EJz@N.%Hd{"@]z7ՋIfϭ'LDT7''0"Gi&HAH@{Q*o1xi9}4;NadƢtl,e3BtUe{J 643f1v\9T:MxVa{M\b )QwNz*V%*sJs"AhZ0`PaNGE|L[LMEV%WX[+n͸a'p?) PSP`Ar\Do)t+EȍrfZ לZ;*BwdoXs0KAu.}B^Ksk2`=6.[d~8t' ;4cҥ+Vc*b4+d xh_Cļt/rSD&ύ¾^c' 6G=sIb:}oߣU76ämD=~W7VOŬ8(I6:lW327vS"%|hmRN]rFl@h|x[ňGu!V{i$]ry!Va3v-}|J-= 7h y3 Hל>CսUʔD]ƕ.*T'zv$]N"aU%(=ԪB  r6ǁGY/e*qg-$+~۲2&Ԡy8TC$}poo0S=<Đ !|lG(_"WSͥ˄:8lrk!xŽbH{ZC*.>fAFe|.\ ͚ܰ9Ճtv20ߤU}6סeaR/K ||[ Q5lߓ$۶r϶7Fu/KN00(obyʹI2(Q eƅ ʜ$^?/yjҖ: .ds0:+ۑ:/t;_^DSv £vIW%_-{Q]E\ƺ7+i\f2:Z %J6Z\rɜY%2VWd7)7:5 ձtznJOYyx64 v>(*n'y`[c im!ecD_qi3zJ6z0 #5I(g䍦w=9EG?r-J u`Gm~1,q2p.6AwAK-j`_ɟg^lEo(=zbMK.0Q%r\SuPEBLtS2U)JbTÃD 2{7xź 7H9a|-"UPԿS*uý}9z#Q-u!@BvG#?:2*-Jo vXmOu!% 61 x0Y.pa+XIYQ'('c7_#ӵƩer3  MT`mn3rG|e[4"j*QM+:̇6QĠi1+D>:r\2*YCS_CN!A{&5mkIש'FO@ȸPS5g}:vDSђ.GB+^) ?gB~  u}i݊5%ߟ};fkTCn]~[$qS` ]CMz E]Zh8EMos;pHE5tZ+K 3NC+lCHDAD /Jp5[uX_q=Z%7i'Ul6E* X՟aHʿV&3y,.^s*N67 H]MiQш{MBoIF*蒉D_# ;|ɔҜm䱼瀴\5!#@$IQ65HVK,Ȉ%|nͻ@*;YHJ05`Hq [t 0gmDISR5_KrPv+|sA]Z5#DDV+eaX$]o2|[vR8"_Rb8QktgrI_NlaʥEmQqUEN;ɠ=v_&rf^g >j(iZU&ϣ2*˽*]l?"J|v-PPUK?H6eJ;r$Ż>iMn/fd5a}^5(Y!;,*6ɀx鼚/|gE'ݒXƣ]G/sIwSe;T\Shu.CG%-WԮz9ۗO۹) ƌC$ ϰ-QN司 "lA7Dք{!a]4&6[ړ~h*OA%KM0$X6UUP63F/% \dnW\AlNIAoe>THSp([ꀆ8ܨ|Nm;QCC\j&W=ˏoVxB{TbU A+^ )w:ԍKC7KAA3I?ŲU'-(*3f`tI*nqDOikv anea)tCn,KKXH,oL'"\SNj*H!mO$d=§=/}stBI4dNI܋,txT;Q1H1M]O׮+sazԈ@~5KQs=4ZnoͰd=08g화v%&j` 7¹ m@L HZ#:[_蔨@V4Kg  =ۍKfj1;Vw_3Bd6i2 |S 7,~em GځR@hºy1~=/):p~ "_K0K ;DXI8$NȂKf/z?XD| QHL:‹@ _/c ፕ턂Պ^2ji'['}joRuqCz58=֓")mЉCK+/A GO)p $YKNzV-l(QĘ7#lmpw/cB5 @&| xRX;^.Y CӀF;|-@] `pdf5.M`O\A?M3 p0 PM8׼:tC wc҃A<0󝮔V"z}h0+9A۴""dZQ{< ʜy+<6jYxoLS:C(.E("i$_۶MΕwmrp[>Eqb[0yi;;K8s6P%]oI OXP 5 Krs5=D4A65+P}L &TvՈΔه+s-L4*<DbIl$q (wXԭ9. =]3sZQ1 YQJ߿D%cϝNLF.D&G4߃eu (ߘHآ Q[_*\ XX QTGPk'ZNE#qku[mѡ;Ku W~j ѿf-?X|KR^ǶͿSӪdga\4M[=i\,i=,UG aHp1 7~NN(h`Ͼ3PQ;scym~}:M^7HP®dR`yN}'l{7R#7|Ա }ǜ61ѳJRi#sSžNMmj.σ铳OFi'xͱXz~o%& W9JcpCͱUwn3MKWK<l^s|oq~t;m44F-~i}^n6xvءxF>;=ZjΪ]ˡ`×,ԅ[n[͚L)1~.:?%zUQ" {|o$I!M0T,q-֒Imy |ڷ̏d7*ʛimJ/j,ŗ JJ .EF0!b: "ڐRtP9Z(_g1ިtPX>s_g;TK;''=pߟ-y5K:<dۨZxk]lx ĘQo"2=qeF}uff.F덖50Kyѽ.TiO"g0hFOo:Ѽ X7g<B%t*՗`3gv/bsO䅾Vy6h Jv0'բ )lD#Z=2XO:drjxX!Ls\a,6d:|R8ΑXDeKpXqm)tiC.p7wyn}=,wmZUAU(kͲ3nS< TD`MGϲ:wQ& o3S3E $NS/t`,1B6|3/Y Zo$ne,Y^v\8붔KoQ}zxwzw;j Ye* T/C*!/{>{ƵdJ6vo'͜M-1xn n> M ilqU/"e>!2=%YYpRk\~2l9UKNWA lb ǃ/"bNjlZ&'M 'j@?8 W(fbwPeG(Z[>;@|mOkQEfb[ *NSvk=Ȋzjz;i)^JH7uch!<ĎK8teUhy*\Xe@+s,孉94|joHG!gN}6DD# )2؜V18@5u>Ц:>Υ~I8[ږR1m57JKsQ<${2 yd1d|Fg.LIpN ?62ԉ]pN"}Ȼ*"zʛ'YѬZdҁo$c>Kf+BwZOW >Vۏ3}FNQoW[R=-W ρR:>%^#乣f=>& (FY=-g0pu =h#K:3g.d`nk:. )A;B`3*JtAlGAO"7=cJ\kr+u`Lj*}j^5+0f2^(l;!WnH(R"jl_0Yj1?'|zi{yoh+1TOXppڛp2i-;A; cB}dJ :ySJ{*Y?tsO26}nLR+hY, V ]`bUPR>dq2Y#;1J1? ߦgEk?Q6e" AҼ"%g騬?XCB9;!Pnt]y-ʒ43BQJȉ1%^Ktsiqis p&0pKEc#0i^q=;;UOzĂI })PBbl ,ZGk\*6|*!?Ej]<"8suܷ H"a cOxL x+ laQ]s?P]3Gg$S~ 3|A)3x8w }`F]M=-/[^r%o/$r\iT6/ȕx~Z8X6o&d=',[)c\\5 :*] RMechg!A h]vv:@=Wx~E`;K/ S\V8Iye*8zI,n>iM2( - 2oOǍN2 *Pz ?pXmCDredtL:Fm@Oxp~IC ymcf)sY3ZcaLi`3l%bpC|cؘ2`3OkB= 4x)UlGW)UxRYlJ}WaU'(\73bϩ/s("Nvi8uH)%]t\[5,lpX;ĉR-а Q֓zws 4yPD*ƚ߷\Q;*f7hp^vTsz"kTc:&s2g|^p>/ @ӳ뾤~^rJbd6QUk=6//y^fQh<[ɵFQ`Oo~Vb̝q+d\;~ϡEne0V"2xtq*p{]u&2йTRˊܘd es8x? bD,.:|3z$"geT~B0; (\osxSjZe L~wc{$bh 栯Ӥ_^+-,we;% M^OT"D!e>\*W\Խk뤛6-Vy1dO: ('^yKw뉚V.V#BTyMY:C׀ZqQ'oYl,Kfz-C\ΥYA` MTg P2SɿG( ]%xkJMʐA)Es^pedSA%Q)趣LA9dⰽM]O-kx,ԱMm:% gѶc4usʥdÝ[VZ+$qF4q% h~0Yʚ3=jZ=4D꺯/hT4 wPkˊ#7~}b&a6dUP[Ο{OQ8\z ITj7BU\nhWC.2~nJƱkD1UL-b81&,RF*BP]!+{{#*=C8Wj,-[ck3:;C_~ lg+D.UHZ G! gBG!yJ4FVE(`rb,qw+d1~d;Z 'PhcY}ۓݪN4`bnc4hfw%[Q&qC3G}"UÉgSZv9QHLѠxզ oscCrLOÆ>g7N{Rg^0^0lx.Sܩ~`<9䩿 ;/ &@$n\GֿD Ꮪ S,y&i4qgEwg\A9 %UhA.I^\~?̻_u5K)`[W&oOq`XY e7'NyQH[)s%h(9= $$(QJJqF{ڦ8-}#< rnɻՒy )85~Kw&-{>IЃ|."P01"zcŬZNaƦc7/ohE8T ~ǂg!ݰd0O{^7WW1 4>z%- kO/8٦aUQEe_d>-S4&Sy X-ÑbDԽ ';NnYҊ?Wkȡ7!=mIL >ӿh52w \H4fCM1Б6cQfFɑG`r֩!~,/ KDH ,o\2(.Z*F0M" 1T[8DcRK{Vחgbql-(\}NOa֚䘺sŒAdDI:DG!UA >.?uJ!DjC0: ꤁9e7&牾Qi8 c/ IP>_t=w_'] ]n<#Ԧ ;j{(db_2[ r>Z0u$NW )!?.yzg{IyM /ݔpa7 9֕u]%OZ?ҨM(+ۇDyt0,IHm)v*"U)E(#JJU<{+&Z&GPa'[z0hgY8).#-7Sae _P`^t/lTsM[5sFgq? t #-p̧,2+0EϧW\iBX*Yf<&fA9<K".q3i(rc阒u* ,3j a܁@girzkF4Uz 30'(i[ kx^؍ ^כ,V([ &Фh2 ,{aʝ,MTNu]Wf\L;R\?M月\"%CJrESVS6 .ڪd˳$'RdekvDI [h,|0h;U)q)_®rbV d vzqo`&MG(!@,4jKPY݈ԇJA-BsN<"\(jף_ 8wn^Q@;~wqDcmչ|tNSkf 3V4]{O64E>~n?ݨ(E5zuTK~aFIi;# #.dQF^)>*`V]%X,=0L*OY?HMc -"CʈW^l gJč CZAK4BHf;vyE*0l3Ӂ{BJ,&8V@`ɛ\fL)o_4 M_&p9CSfZ,xmm#[Eڂ*bpd֠-ؼ9BRŽpQ +&iԩ%ȹgvCŀM6I&P8/'rmf%]7Y8QVy !5oreF-`['09GLjšSbs\4kXl@(L1=v5 G4N8^ M_a&U|5[_.^lS9cL"ө?`bg<[sB>2n,@U2R qɾI˨"!}?U|^>"MIVX@.B}ћ^[L% >X.VHjk_Ku#y[*qÙAP/hP5/We~g'i!aƣvh:I  ZWc('_C=h!,1.h"yIއwJ!y$χG~U!gW*8Mi,¤9[<.vBv޿͇l2l21#Я:RPxQh=\Z4OoC #DwquF#F<; wY)#Xpsx"  }d@@1^ưKv[ٲd13Ңi&OswVS;(N0&\ K]̚0d9gym@7ssVޒQHlPV[ x*.+]_u3G>.{' Gגb Z<=.KP+Ob?p-#1 XƳphƫp֤d>> Qͨ ΪDMAEdy3B~LiˑDj~}_2t6!x6_:5 H (sO] HvzeP{@4HMrzd(Nn}Z p2%fĖ1ߒ3 PD'p-NsvMR&ʜ!)M8V!:>=VCunXx_~+MkWWGT]MGF!;$ /p?iqU~F z#|zw)<t"?}KI?Ľp -\EwxDbTհzgU%V/ `NnG5hlMK8+aaw}.fJ.#(MwNzԕ{DR OrorƘ&ZO" y,O5'*YWkқ85HĶXΤ)Tm. ~%v .\=Gy%܇\[j8 ,rtU1_zGI8BDP戗CC"`}i:s5ٙ2*S)R؜Srf,ϗ\ STkQI0otb>@ J4iLdBqbCق&xܽɅy&!dTlMٔQP:(8Tojǘl[#R ϰWaW <:.?l1d'Hf)/blM]$ikt0cdtg]κpy)`)GϑnK2%*d!l$O<'L q pu9>r+ WaDfWaE>˭0jj̴ֽ{>'z+l>d?G`̾(]&$0C^]ޚ.e[{#D@9 R> .Si+(RCbOrP< Y"7*Ƹyle^fHm"_x=ښwv(nd0 dRGAxcYU (ܧ3: 7עO#f˻j!kF-\hhpլ*bu"DX+7|?4O 5(VpG=w|!0Ut"z p%ak|| b"w뭫_sZxa> bma95Sohb myӞ6Gԯر71qE|f0/prb"s7G;Nu/IM0}8/xIY Z`*;)ƊY@r{=<֧q VCOI};{)JED\e"pBpAC)#N6{T͗ "~Ҥcxo3H- XmP?vGl@m=?"-U2_|_HqԬf"jxR/-K-%L7@i %O OtD 镼.jٹt{,e@d.r\M, )]ȱ;:պu> 2$L2\gI@%GUD`cX)&+هl:F6Ȗ97/4<`vcM b:-_ ssvxkcD` N=f'Tl7`9tޞ Z=_!Jo/i==9,6l♂'V4a7g$'1d԰ҾfrBpZA"VܘJhu=ntvb \1b=ScAN:9S޴'e@HgT|ud-Z:ʗo>K%OP]B   bieiP{F@چEŒ0)wJB:L{xX[^RHtð'vlH> v ;s#:XO UF}c9lC%,8h4p-վ) }=G0ܿo9{ +hcuhK˶}+Tg;Bf ?$"OM=| ;%#{[s~kB#cEnΰoh 5') RaR:[{0Nʛ Ɵr8ov)b0yϖ@$t(c,wTr9ySkD)d\%h0l%kA8+QˉMv}jnutͥHbE|RXCrY FU{q+F)Df;KKG>_Ni'OS  iXeQm ]&G~qnGvW%BVjɄEnxQ0H :YG-chr_, 5/0]|\⮩LZCJe2߈S,㭏(6ꂸ$|YYD@Ƈ'ݮyRga%IQZ: rii~^UbL"cU#yf%së $3ŵ{n/E}Hk˃ȆӘC; pNg#F˭3R8CYs=E :JSM &LGqʹ;"o{C ԍ#sOoS0 &ˮ*ڢXۑ"t룑wDNǨګ+^NwO5d2LA=:_شTߢmLq{\z~u5!dLoϬE'a3]!bA. =G< t/Yb$h1u#=%O uxP ك=`}">_>l{2A2vXj `ݥθZm"B+FX@w}xnAx 5<$b* %(4M}#c=miY'kM r=AU4?"$ɬ RpbHLvSUM0:<ܒEgXy|Ùw[_: ZQGY身P\UNqn =NV!ƵEt✠iV05cPP x2n]lΫqR/̛Vʋ/|U {]ZWhsDvq!x,Q934FoI"ٹ9 sQLಳ1TҢ!:~L3 Fͩ;ׇԗ}u~+R PuRzptucX4ʘa-0nGbbE[+Pl&y"ORI:z/z0EZEc!pJ@RS 0h iw\H|ZRQ~R 6V~_LguKDz{Ĭ)=܊3F'k dy<7<2G'#nzB+/-ay+nY4U+'?E:z3x *+Tg߷C;2Gȏ%Yu`D{)XYcŝ'֝lZRmnי$!63Po4s[zOJo F/,d?x0(ᣡZ䖧;QD(`IO2޷EsD ɜkM]/D̢Bj2|˄@*PCf :kHj6s\Nc@C g:?"JTGEXx#AbCSN79A+{c)h-j()d)PPɖZUy/).`^dMNBdNv;wOiQޘ/ދ *lUԖ?AA HՀbHoUaM dPKY(LHWOۚRuU{ qv 32 }ɲ ǴA"\_TYڜ~WƊBb% leKDL 3qOؐv$$ȎvBB,Q:*=ʆ P=~q ӢaghuD=M[&cƎ#5d<0ٽ%ڏ)M\p.]9v9@PE|t8a5녚7N";A. )ɥ3kפ#u'; J.d خ ېba1`4>J~;PSkE!J ~mtIEDžXW{])R~+Y(!Na8cw .V^~%RZ8 π,"?ի]Tr,MsUGPxݚvDuϟ$[5W7PLxB7`V%:m09- EM_A&UI'"Ա`kg=?i)W/pd^mbSݖENӾsA,'CFy[F1{^G?I y?PXZnmaFSm\D92~T6ӢaLc.F3!YQY <{rO o܂ 1vXgGDr~m^mҨA6=z?o3ߔy/M:w UXOUoR,MŵF *xS`c4c!U%x`_IHL1v.a8'X^V3'ߥ ^e sRo٣(հ@' E]]ND@) 5C>n!MJ Eͫ9*Yj}Ɉ d^-gX?[_ d1TBw+x@] {tj;4ѢiHsjO oG{K,-xRVFk?cB-m0`;0ߊx&Ij¶3}NDy: ]A=mͩ?SSᧈJ%0y;8ջ1҈Z$JBmNw(* 6讥$m==n[%lfm3Leè߂AdR wf1(rFQKVP2DMmz.3 ɡ3Hq-tyCPrId*SEMm2s>so- DKn %4Q%#my୵GDshrFE$ Jgj#Jc^%PJQрO47&RIEB%Xk \7/Xau}6wK_fε;Fc+ZT)ĴvpDtO{)+<پ<&b&ԵDjB%b.H-r'ƊzU]u߫Vd=HNt5 ='`Hezc5#svXE'*<$DD,<}1 '*1aUA="\: mL}X1)'+C1RqBAZb9åJg^Xeu(2AS+ʶҹR#<;:mdk{ R˅V@/Dtȶt_D%"]uG4tcm;m-l4ͦ ldO2v<']#\I4P@o]S(P۝ƶJ׀[>reT횀gN9Z8}$2{~"/_Fœ#?, @:+J"\R_SU YKbdvI]cb64[9ۖA.'Q0)z# Z!wݴbS Kj d܁Y1Sɺf*X ,P rҤ@!NkFᏈ.C& 7TsCr{}BxmO .`O[@nG7+"`[ŚQ30~(x-9T%cbb|3ٛY-+o4ZO-u"D@ZϛrڛZ"o9֏g". .߃@w]xG܎u/QYce'S' &+`FK9w2P*P!ܻ:%dQ<&(szLOV\;QC,sZ*À`xU3~sCswW"eT|k.aztt7}B?*)0tHƟq43>QR  T' 1H*4ec#e´"|˶Ke bwӉfy{x!yD58|r<ŦD ;kqd' NudY QyCbt#֎0OFi#hLov*J*)y۽@wP:1p$J=> kj3z#BAE%c2VlL*A1tPQUǶM!sRl(JI$O P= eVѬ1]O@5wKЌ@3zΈ\H+]q_G.b}5A^Ͳ'Hc.w;:5<,^jQtni|.wך1 ,Č@(ԶN%ܒMi(=X oCNe-~h ZcE WZ F_' qR"+^ ʩ; Cd"/J2\Q(32DZ W &HwRh_z eRh00- T8ԣl3b}a9~w47Xxe9o(_@`eVJj*VϙYW"3)F>h}o@1)x~pՀ*UR|{`EڜYe- \+٦Y▘q K!H&ڭ?M97ұ Ul\㾽>EM|iXlWfymEs{^/mMYm'z9wtjXG׍G /)ʒpۅ3xc.V} gt*{)WWM5z3.= O}LWՒPr?D|F .ZH+| ZJ ?sxhcF;?S+gaO1K=UeHC I1]rM*p:&9<&<`wx/1 ӲUJ6E[Ga^9y^s}yfpFm()_.3`Lu|ĀԒbٲY0Y@x> [5eD J"oJUC/G*\3#sZMte0T?xeNVǼaP?JuXĦ4>½[aps{!`DYTU?dO[RUigbQnk =^jtKL&nG~f$NǪs۴Iѕ<% V{cMn|4egvO"F<JGI+^=i%$k c 1.gV>LzÛ,JK8iO1̾PuPly  &apv0 +>}|%[yad}c!g.E 9>/bqq ZkRobQi[q>*gqƷtxs?}7BWf<7huޚz}Ex)nݘx"m%4*^6T JۋXV(ab.L 1eT!)obdHBꠃ0I-6Gx0QmU(!MfPwf{mM1H УrTt?r-Uhޯq1gsPٻ%2[:QGׯN?D#*B>|D9k3 T={G]Eɣ!/R85)_'9mܔ_Fɯ(M~}<M~8T`*pD/=5y akbZwzȖ|>m\:FiJN)m?&{&Vv5Ir!lr}9 %_Z\h cn]r_En.MzqH;Nh$`1Ƣ^ Gҍ+jw8gJ)<BMm$G{bkY{^UIcvIέqGPe_~ApwgPŽ+4 C)kFy'VRS1LH(Ψaytܬ[.Fy:T{V&O_H$Iv{5`rKɌZtG`XNr t僀+ vZ (4)^GFJK!vf;>j11Qwv1?uEmYLqz_>o=Rw7N,Ҿ!?Bdq5$*r:W&qO풍$1/9LB=s>t\R\?K5@+pT[&j2V$}؂H+gL &,wUù.Dh]fJ;9YG>5>G7=%y_TqdR\şURg4/x^!O*a&U&7)#wڐIYnf:zcN[}"A6pf,nC~Q-JLҘ5{QR"A$?T4%ğ,-}`rD$J)/묰j'i%\#d~[bk:sH}bۈu62+ŘGHq={MbhebEѩyH(%§cY>YҚi3n*&C5"gh)HյLf;?b`lh6 zD%҆E>0iRәx:5%n/4ʀTK^fƢ[Q[Xҏ*zD/MAwv=~yo\ SPq6ю24A4%ty' ^teR?C܋ Bڥ^۳ iS wh8 aTnEL~$Vb,Ҡǻ7cڢe)bkS" uR5WTbmtmχ ?8N.tfKMgn0RR.v"m*ʔ⎤bbPҹ:43Y Tf@,[f(`բDKIʣ=$`csU#IxӬ2]ū/pה1}Mg9p(@yخB r93L?,+wWfݑʢ  bO}]N\.{׻a,]CRJ$?F3n#׮ š0D/̶?$1\ 9Z$2sdwp^Ⱦr%ٕG#2FٕD !j[R}YBU%xl&ōswjNBg@o =Պk!!Ilbj!nPnYwz[}EM{REr>LjAR_VY]wa_/h&e,ĶP0<2t4Ӟ+jbLfҳz@_kU'ƺtAliǴ$|DUp)%nݱ— Vxzі^݆2,rŲo%j3IӽC:j^9DF /f1Sqf{IvtUXj:г$RSŶYO։?잁kKrv@B'<Xpbg|yY4YeRCwhgE&z>񾙭QQ / g:|Mvf ^ kU6,#<o4qMra&4!9hke#"w^q|^#}\clG*H7E|K|?u*Nm@j0n^869>-)J=U#$Cww7B; 'rYtiPEPQwUAn Z?$ ٟޮvHw7hKI[.Z4g@;>f-e>wLXS| ×:P^M;#:#nm9`!~"xKC.=ex>mgAov%y?kU Ӌn=v,cF1 K=~涶]YƺmHԺ{"VN$n,ad(%U[xtU DBZK}j58DRB\;#5p\9Ğ(:Sҡ^4Węiz'UB;9;@h 0'{g O56%.w/AZc5Ĥ1s|8p7&rxÚy9Zݪ`w4mഹ$MA*~i ezT?Y1L hS-Rw!xA|XyJ$VV62^N3czC{F(qe-2#aW!K%z~1!M(wJMRjjMvK=Hp0՝Т(VCۅ[}  8TWy%@i:Ldtt\CJ a\p@`U%0S@mI3jѦd;N>,f|${%3t#P?,.%ùx@F w31jX,;hWʈO5Ppڏ,a` uʾbE`3ef)= |z"BJQTN'Ȁ"Ez(MSEf9!x%NU} WG"V{DqMfc##5}{GυC=a9^ٜO:k)|aq0a-8V,!7[v'o UhS6ե&^şםvy#'luwŊoJTKPzO&~_$w q*\ HQHdX| `Qޟ^*%5z @KSґpGCDŽ܅BGǏk+ۂ?e8_ YCg}aQks~jaի?`9Vywxg%^s'if<p'~(kX*17D 7؏,LԴ|i晒d3[l%'>+F0ɌZu[~=zq}Aiw@{p哾el 8ct3-~0늀?#F۵k D!{ƨv><( E* /:ޛ+E 3?T+X}֙f1qdzr`ڢuCRC5pص8qyޞ{7D{b)nӘg'%m$C;Eԍ/x,[COي}ˬj;ذYC˸  zt@xh^O 8 ny& 2" 7ZFF:UJ `C I0[ \pP T%e*,HؓCwm7.`5zr#grҿOrH%ź٢e@(LԋA)CT6D*&Wh)<"} ?KrA%!V,BՆ@9b~7.<"2_(t;.l]t沫Lűw^9̡g ~u ;=c 6 vH|ׂ ![nB.6&74噅/4I{R1p;A0 v$ntҖ5 f,OJZI" t1>wӤdTOK{AOў4哤uKMY:0gi2s?j>@Qk%Q&>9ꑔ"}4~c5%q#[Gg .%.c]kڛ 6"0 A0/3gtC)ο^pGuGAe1J{͘OyW-i ޘXZhY/5Jһ wUWR{!C|o~}ERj0JcHsV Rq\w$ě[,[Jdv'R\QP՟}[nc}+ I5-,7QHOtb^+IM[5ns Iz9udў^U/ h?U*aE:Vk0D "dCPlZ6)v{m 3Ȏrt9( {Y-\xmϙb6Kjd\/+B Tfv5d9A!`kjuEjTVܴ)NjGʍ5 q=9B^Vdx),i}TQ[,@ZR?bGE,?[AC, Qob ?($ePDZ2mY)` ~@j~r"^(:szLUhj׉l1& ~pD[d9 ښ?Yk~r2JC#-9zr!L\u.Ƶm֑T;Hl36rZ4,nhd;8^p_EMӂp~[mi`sz?xY77#2wpS4vk4"NR }no&-P}(ѴqH؝Fg\:AD`s z,oP⮟{n:V`HN~3l{ oPxYf.0A9!~Uengr+bd’.y:TK hc\'[u[hW+w>6z~~@.LyIe1(\.<~d_'`w -{wE#ʷ} Bsȁ1iU0ܾ;nK k@5 eľ|Jwj8"5݅Єt;sHۈeM5\2:s*g)ciuc,[s՛E8!'% 7f̥$Ikz IjxAO9׶˭>,ͻ5d&4V~' iJLf?#%]ЋTjui؛pa %w EPyEXP4c*8-"YLar  aR=08> W) _ .Evz+#-/qG6Ѕjyf6 sFTo)-3|!p/Qgp y.cVF 4rXv7&:K-Ԭk˳3 ?Pd'8tԌj^vc ^6y {q0TG"LVi7-.P}Mu=zK;ݧ'h']چZscQĸ,)?7懰ծe6||dӽڸ˅afVJ3N. "֝;W~{~]@ؑaԤ~6B (p(TjW5}4ѹv +g$X7;Ju/!G#iy_/8US kG8@FX&{{69m] [?rj`8,$1a,.깢-tqh`Gi0v>{8iu W"\ F+ u)B+՟`@s ;5ntJU`ͤN#:%EL[fG`iKİ;ԯic~w l4<0}yeڅ_ ӷOQaiMW"(qc$H|id ĊAU܄Pcg)7@VeKp࿶J2%$tDJU#饏j|<D r-Cj?6Uw*qXElx2 cC߹vmu#% )3zyT-u=Y`kUʮ>aqsyGhغz:AQ`FYS\  Hf{I.)Zԏ߳OttO.wIj,f% pM-+9K92}?Dk:H {3¢^pjMۑ%9B jYiQ¤ܞBtAռq-6_+TY1~lнAMO(#?CPy;SC+bw_/޴DvfV?^xSO;@>&*ʔ~>`d27חJquL5PVw ;FPc"i{4l?=B٦ dg< Fw}ʒQdHKBoL2uTGMǘ7ģ͵ad˾*'%Co7n@$L`ZbEŌ}P U]h2ȫ#ɖ+"{?,Oa H%VI: D"{^Df7FMmm㿈@]Wg,slq>1a! ɈiR!pa= E0֑b_ rDW"2) Iy?m*762V E,KJ`TF9+u0F]:Jy:H.@7Z2`;c$-چ=ޤ)rH5OCa#7@&Py[?+O>4!UG>)Ij,Ǚ4 .xefQ*~BG~/( ^FeX0ө-ɧ­UyiOR`%}im:$MGw5W.ʹ/QE7$CTm(?|;GyNBEtp'@^y ͖^ C]hw^PS MѿꁸbC%| %|c.£.FՆeN4hXFϥJ;(shxflkCY6*,J*)_P烕;3$k?adϐs2c{mm+z߄ U] %Yy i_ڊ{!]ϯSR!ᑹJvAHNC3y wO-&Xl ȇpeA?oX-T2:VS[٨E})g8N{O:GAoʠcJU͐Iy>/YrZݺZ}ˍiDt'|{M{@/ i/AZKֹGDr&2`!-"MRhZ h{P80PuC "$cF^;Y{f'z 33w\ml<&e=#[i(rr+>4Y2aͨ iIT0?CoQrDݑ;$CO$&lN8JA Aq-p=9MHMіG7Wj;LndI˿YI| ҫX;ԆN0CxCFܸb `E{`s,T@RAa D䊅4W9KYF!ѪzAhh|vpۗ:uBMMΒFNU"ftKsG:^h6xv/RN`bx dBAѵ#~i/z%n2D{vwC5qʑ.*^;ec7pZky0bkg-d>VYC0rzS/Vp/_..Cx]s;D1RNĒUbH4/8'hH梅̐=fwÜEIY?F^JIYdӾ'Hm6kBf noY'<*5(ص2Ӧknō@sV776tK Je\e0R!pmblYeFyD>̣ ї1U[m~Gt ±Faˋ/. e=˖8_ (XD-cD5y@L,O&avF~e!I(@;w25>5İ렍vks;RL_ Xwj<Ƈ\^[6e"EH9Q5V CπpfZ\pp3Cs @@`klX8⫙>NfĐPw5|T?dom߹v/%&tY$8);(gm;.?C¤|* ᔢs{X+|DwnE !%=B b  aٿ0K?yTg9խI&r?GClPXZr_נ?j HLd`n#>'k$` ;qym^e`,B1.{c^_3*h:^≮H7=;jbHKCM=P_6B4+#7R*|d"'&01ZP Vhj7b1ϛ `i{9; [& c6ŧHߒUL?'MS[X.@bZN~ $+2@)|b[XĎ]bH xLόےPM <USX?[CML#,˫ FVF[#r::OZꑇ)w/Mk\$R;nCng> wzC邈I_O%i0$罠d/|3d`i.q168&ќR .C']E*N frcߤH %Cd`̇k?4[kϳDS^O9m?{ NΌG}~^8J(*RTB$+s(ޕ]w>LJ_" 㗔 sֶs$(duO78y<S1?|J1y ;ĝwCKN HMjm)ZW$GW?N;7o VOkB,&H FXǞZ sߏ@ܺRW 2Y;Ti=]32& fZ^S&cĞ/B#-2HqU#E3p)p))t `_5߽P(*OmӉ=J;EM09OD>&$%b*{-rH+\+ -_Fjߌ'KG$ (cvq|:E_W-?, BĘעLD c}Nu=gr sV^M.)VGϽaPsř9?6XB(:,m`3T6X H--$kv-gUs\z;+f{3@w70)f)9z:R`-|-oN)Ev Fx)k"$iǫltCr:aѮgIQ5+@9qhY **47>Ւ ѡ?_KB|-=+t/m\4 Ig_0L V_k+!aҨ,Q~){/#7[^\0.چ>S4+21@gcdveq~ťo=-A,?J_&6!nl|ѷSL [q`3˯ RGKzHvyӳW=sƐ\5q7Dk|F.[RHMP-; B-Ot!`u;b0Uo ')dpZԒQxN0XxolMqzڸ.*܌|Lgz &zk\VC\˻ pM)h=bM0}c6UCxz@տWl**}kdY =<=8pj:3>f9L`;֤[ŖvmIamf{/?[ؐdjӬEڜᔄNǀpC@]CHt4$i6գ]ݫOncٴAyӥ ۑf 1n+e:f\DBw_PuKP&܍wk AhQH7MASr?tȂKGMr8=?İ_%MwFO 3RC_O / ƙ⵸ e /OGUUAsdE-kg?Y@/\ʹvX{z0 -B\Ss1di E-cj @pl<)58-OԓY :x.K}./Q\~|⻲v}c? d !@!xe'Mb H=-dL*t @v#}KҳJXf;Mt\V+p|'zV:(巸`H_&۟)&%ծ.bXhG6 :?hZ:6]d8'E ";zD]ҶVc\;żw PY2,]L: 1Wǫpus715 OO=W0. (Ms2K >qb7iMQBv?B,6M%4̧T1Py, *?W~F5󖑀 J 4t<b&)nn Ֆ.qLh[Gdkue ; *lҜt߀_9fUq_Tj6?[t;f|? ZSpVQ!r/jJ3M X$MB7 \l!Y p"[rEZR_*WL.â.yxf"&SƉ^nNNX7pA^ʁ͛FHǤRcz4;vJN{ewIZ".2~JߘFw7!jdT}1lHL1T"mYV꨻)bvEYwawiE.Q0] ? oj-n7儱rtt )ICgKj^ y"sWႹТ݁p/`Nq}߻W\F l03'{Qz-F&z=֌a!&O/]5 O xw)3[Ǫ$bz"JQLMQ5!NRz5$WO4OqZ.\%G]$ȁW_OSOqkKFՁ[K[} f8N6*ǫbR<.0"~$0IAUܘL&I_M<.ΰN|+JE71n M |\+nm@ў.Nݯ;`dO2sx-=%] |Saاǩ!> `(_+ !43[sQT`[w4줺Yz=7hg3WÜ-ġz缀TrXXH#'job.D(_p- J-fiI7EJ(`.^J PDUDqw/̊? 8B3y;XODIΤiHՒ-FBBTZp{¼nAwQ6p!tB18sE -v}n1}ߺ8i5*?h0ꗠ+vĚg=|k ~޹ǓY#|jn?+sQp^%gi|-ʷ[+˝ivp:M+=q2&}sZck #Y`phŃ+=\GThČ(;PUG"-%T~WcQ5!wⴈźHl=d b!'o=}+&sx83~N BTfQ~"yqV܇Ԑ{t%-|I&3#D J7uH x).Ls'*daF*|>zzx̪!ͻZD6%(rxpB:sdDsy]JdTr*Єν4A%t rIBj>Hn8/C&]GPhRx0[;ʡDfu,әʨ>]B \ v-˘U`jj}CámvW *] ,O!1URWz:FIZ_ܷ5 FʹK[f|aq?"rR\Mc^PaQZ]㵵 jz]` Y5sFo ORK4pZSOqY xG83tJ]g2;b%s{m,Lf\"ШT.6:WN 4[CwhDq4O tɠ+ 2&~qHEe%CjQpC`?;†9w]ۨ)<Ԉ yRNHA&u^%{$~BO V5X]컽xn]/Lo-Cٸ"$&d,M2uF_Gat5a2s&(}ͫOWh.|եC HX/7;~ҧJ+~e1\deA0skJfr|TX*vt#4wG~f_M%.ۺwx5}TƩ؝Y`72%6Ôzo:R]W)@3˗r"י'7>^+=مLބ:*8)\ox{mU ]C%iٚFb6vC G'}#6w -VA D\-)|. Y`T/el-=Lz\MF]7.WW3L AG#>?s"iy9c̝lC+\Q0Op0ѐcNnXO{nmk2%:ʔc='נ؊N%ZyrOz# s[`Ӣ6!yߵԇk{ğ)@i2FѠZ4KXA2M;-_ %`> ;wg$`P2;$' &J/˜YNˉU9ǵ@5'0u4XrJ<*)yl |ODʨbx@bPhw?"ЏȢ^]$a Ķյ۔m-zߏ71?+֞U# 9:PAqYRKG'2V%%ybqssW&Q6sabKp6bz%bOݕWuδəK.3>Od4D7U/ pTo8frK<0jw4g.aWUR 9)vV nVRίl,]"{ZaQۏ"eefO>m~T~ wwS~ٜlhنzLug!D ;?%z.X,#r*fGF9/ױ2ur8qF8`idv O^wkeYm?J!&^t.gxౌNLBhBU]aqzNk1>GȿהW%PK-W4מ_COթtadl5ax\ I(t#\s@X竏o9-k25t/3_#U",B)Y8lY[aH`(6bs~Ś~mkuQ-B$=3@?;ќH01Ԁfpx! % :͖DXчA_Wnxd:*'HEǮROq1RXchϬE*F åjۭTXp[Qa_of29tLiX7Ĩsðlף+&qKsӤZҁF׶6ZdZ݌VPu +h7,ό/yXsիңGgJm]pl3 mWr?Iay?ʼn_.)喩s崚JS7Ux7FL;7#ιw /v?XEnjC}C<R\k6<:)՞jc_y`+DWuE򥫒.{Pj/O@s m`-6\9nN'|.Uܬ= U^-u1jv9eЛU]z]SҦ~kțʞL )(~|eM^vʐuox>*,u.8=»+O4e'l:.#0X\q|#NAᕅv#AgUtzH8百Kd i⠤ߝ2a" v~_cU%'S81^4ĵN7(&`ݢrq[/c9,7_f_$FH=êC4 Xf'!^(|b75MRISb&S 0]JVK!D[jkIpmfo{LՔ~y!XjKv5Si kQN_P%Ij&ANaX} a1YΛj>wޙ" mQLQ,+,wpT?* ' "}z؀+=U%ȡɹw= ʖT"ݗh+[{L$< -o,Ux#OI=u$2r(aܶr#.,_{؜ -0w#n;fnѥ|>L)Y :׆yB]r|9BH?}">*#Њ!Ndz-Zϋ9W7viT+2L^|lK}=ؖgɔx>Վ&(!;e؁mJ.! ibiwKZnڞP94\hJ= 9x>j򨿊 @YxƔQD"7:Ƚ=f^'&UE>>:|;0!FEĸՐx֕~6fBb:26'&ߴZX oKP2= H(~V>2<G'CMK'+ Q(gz!Asy+ ZBS+?يv'KV:PslHA#9P4T[#8ZzZ ]JiYIFxȜz&?{.isE#DPva-JZkp\90ߗVQ7F$wB]R{EnIXYfڿ6ؖbɘ0 8PN$ قy̘2{M(ANO^ ;z'1sE^i8(@l &r]]Rˋf\K;!Y ٹ!q=KjSOv>)'{ob{ ē6b o-g#k?HfR<7SY>,Jη34{p94xCIcaGUW-`2Z?x"6`1o"e=5m J<2V}*$*cig\o5Q;DYq:G|m['v'^7KC (MAmF LZgJ$!=sڛ^]y(s[l t㧇$ߤOxi;d}S0of^l1 f`Ӏ].&isT5jBd S9-FcG7<{E($l30ֵY=Tu< 5`!;;0(~Q!Eoς@39+?5 k4EOhzC]?QȷGXv kR/CO L[DQ]! 6dF'-kQBۦ˜nu8Xue8ze=ls~ Owc)bx$aɚ1'AȰ 8xMC0-{ @e:ɩkɏدb ?k݈ᮖ}uhZ:k;׀!"6 ebXq8i=xq#˵i!A ܈(!s i؇?LS0lgq*K{1@B70ϱyJ#i .zД|WJRV(Pu^G 7:^Մ9tlZِGy:^c&K(n.:,CLM q!' ټbEu!?!#Sm ˜f<^oHcz-<}USH-Mx3޸ ږ^G >-DΕ ,W?8Y3je?[ W);ˡth\IHU5_,*4<ΆjlM+Nؽ=OO!cɉ4ϾSE On>[S/x-3f|7 1h9^C rvS1Ē{Im)Iv8O3G(|`;]Qy`[9!|x~76^{5 UHF[~y`(3'`v'X*맺b1X"2>]$|rѵ-3M2;{r^z'+nas3Yd+;Eٲ@#xwMS_6nfD85OTmlL?K$mCm2F0{zsVb}TN A@k'v'ԏ19UVa-˯L .Hp?F.sDK%R(KdP%{ <6eilB[%K(0pk.h_(dtQ_ DH,:{TuPܪNE Lk\uJφ.,w'Dط[5T $5"KbDtAx2#ϒ1֟Fu"|g;FcpԋpD:e1#˫F'Nx=k-MF.Gln!pHzЁ1ǨE|/jsτ q]SJÜrpD̚%*GHBNt9g7I.:7uZ @»1P*y)-9 [;AnX0a|l5!4v> _[:ao`n%ۍ202C ABTǍ$x^H!>l {'lfHd.6@P9eVd(9o8-Uk WM?~SFqg2ceŴw`Kl #QxE&ZgAjf&ߜ3;:Bw2E DP>`sD#BL!c%ľgkrluy7 quQq{l͘ /xXYPGeՕDbE1j>߹3J9Qɳ.o3lk3 r-Y!C!^*Y (Qb=!c Z`Β*bIss;lI#=JRY)b͹mo~BEjocUdĊb'sF1J[*-F3LЙL⟸y?wUN^_lg5P-Yh=aLڱҏ1\Q p&F{4gsfaZTd['I1L 'ءASÚ cL^'1(MEL6"L1Y^G$aHZKxqja qEӽS×E"|:]SpNα7w]NB$.S$m8.Xqe8ǭZ"cZۻ|lKb S)S$8X~d;Wr< nlDc|[PKdz V~Aij%k]A=/NՏ_K芡x7_e#A "tvwk)Q#WkWAc-u~ vMp!vʥ5hI5%D\$qJ=?w[Z7n|HwA|u$l=/.%Edyk*ڢ̻4GF7*#7סh/J򒰹ẓtfXߜLe4G$Շͳ-خwBLgE"cP;rwRE[<#s\i,|u +D"$ڧHKG0Cyf% 灻Keߌd*%l, V>a%cv= 'Cd :iONx*+aAczNE9`?C_ H/{NzzE,y@1Ebג"} x;~2@M\efmcl"6yTuEjH+ @t{ خZ@ 9s5tYR ,t=B %t'բfokdij­.'- Whɨ5cod(])zCE>$Mt{ǯ+`!\!8q?x@Ab==~Y[hDHpo%n䬍ISP|'>}h"rЉ);D؆LCf366p! z=i{D#o`W^i=8Cz-n5On-f¥{3Mxkvw\g?ؘKg>Q%G$EwIh:,s?^ו'9ąT* >pXqdvF'-nJ#(oi0ar j){C`NLl"x2ˌ`PJA+%S[Zp\N TiIUM_NeٸJfG {J Nq(;giP1% [́Y:ʧwOq-qoa`RӦfSgm%' Og~՜C!u9J1C|Orq)!Nf'͎0HGF-TUDIY@!|$ƺ1V7}Dy%p;58r N6k)y9:,+tQT3RɕMݖCu-Gi:9w{] e k,Ӎo# E]A.\/jv~ab+03!B ыSz" dqZ#Dםkʹ@M`GA~G4 2|N tP100_|GcA5&;=ƾBx/uJ`eǛw~C*Q2hZfL3MLբY j2K $N֩XWjmZcE#Ŷ&0D{=z ¹ %QxbLÀZ9O!r|fG5qT?w$+كk.f5,} *'1{HBD|`HCK~kyU٩;*f/͛{ ƾl(iLHBܳu>M+ 4tQ\sdWn9I&_6aHȻAU G-;iнGҒ)G{cS&hJk{`?`\g5m E}d9n[ =/׶&{;*_eB@Ɲx>":T `/b KY|!|i5ۗgΜ/+^fͤqm S{4]CIOFeZIcWy85gy̼«1>I#%67yțǚ}\bBQ<"-JĥWU .'3Nj띢hrwz(p(ܰvڥx  y Ru+e:{GRrX(\:/y_s,%b"\KxͲ̟W_v{VJ+&[ Ȝr8ܥ&j:`H=93n>o\wD @so(X=ü'S'5AE?Ɗ8M8O؊˵kM M#E؆ATr :VM=dxP`vK\s"*U撹I$#jv<|uL[!o_fO(EcъⷿibK3ٜ}&px1;SKazz+D/ [{p[ v, *),P̟e6-,inyU{5f' rzV +iP4euQ551/ҋbYK%cQF_ΕYR>S*]r_uAlق96O'wieFQ ͏' o`[3'M;uh>ۊ)rCI"uy=뷳9?ٳsVO 7,ۼvwQ:?=Q0, Bgܪ 3Kd࿄X 6(Vуod{y'8Z$Z_l^Y W~_e1IH#AmarJMEw`4qN+;ckY8sv@b}oy]1vX.Ta>tyGtx ٙ1,g7A:*Z#A \-FN[[{TJa#ILw!/ꈄ^En 7Tҕ*^_/I=5 /C)X"s_pzL17Ak~>o6AwL @'DMf-MpWU)Ƅ.~-C1@L~kosׅ$F-XTfڴb 坮~}mS 6D]M j|iB^6&Iz3+p;+mұ 9Ճ:t:*!xvji -Jbz@Rҵ KU AnI!F^D_m3Dߒd'nTv±|kb}JOҐ8Qg&<#|O 2< !9fZ֩AT5P!PP,:tgV+"]<+iWZtEPs=#vFR`vj$7n\aga򄛓B*/~0zvfJ>~J7x3 meeֺaWF- \l=B wO` y}{l;o#U7Ë{5VIf1j)G)PΌ!r,:**}N58vOZU9҆wM^]ѵ1ȤB\{wR:?FJ7le^SExAbS7(I xw:35v< DQnwm4/gOJMEȓΪjRdv^E4|Y8"QOgcwٗE?'9*LbV%-nF Um 3tȼYZC胹%3ep%CM]TiYHH>V"dRxtxNlZVvMXzn$PX7+٨p^>Bx&1LksOɸI&Y@5 0bz{%OXz}c5f=sc`FeHJ~(Wc d 'GSgg؆DdzÂȆT{/b̠uWҎ7EIeM.>-M.ݮdNBH1LWoc_[)Bϝ^ʜ3'N:8+Cb$aqˆvJQ`lm{ )>X*[\-_0k4eŸhyo5t>rj=Θ!XJYHvAyiXv67qk`ڨ)CutAQW}b!j8ZI7˺(B/]臰)5g זMsdfL2M>Ĩp Bx9%WVl+蜗gpRwa7 * J{nw^)#IDTF}p^)XYk!R)-w sǐނ+clH8Rhk,@X:, s3LBj$R2$F?*_l#BИ+3&OFj(REsp`U(=5Czw/u_-ʉVXiR[G ߷b{W{I^3bs[4\}禨yJLyF8 P meKYb8d9@!j }K7+(ŻZx^Z3A@\2L~S A}ArG!|xo00,uy#nR 04F4!9H"`8~E~s {ZGŋ}+4BW+?yuɹqp z*"UY 064ѤbuK Z)l"$N8!(kȻYONFg`! RPzS4@L8?{ Eb5k_7՝aV[6S&ZS*ok3o7.?ؖKȟ&g#cϜvuj<0StѮ?CDT9캫ު".&8f~nJ,{*<4< f́Y?3>ˠiԈ )?*Ss௙ 7I[SB̹h#ЖS9oY+Qe4sҷ K1FjƓŧF(]Vi։"M6!j{Wh1vQֹ5I'/xEuw_饕sn%MRkHD O`JwM/CIlQ &Mw񊣞H2GE ӇAw`sl3>[Y@݄3%8e-Tl>*Y8Y-\-)]X׿#{c/Ь 4$;hQ&-IBڇ ~МJ0 ?LR<%a/4%ӂtcG5%3L?@)[Ő唀brݲ;{'-taN 7D2u>-صPuʢA}Z\9juJJK<'v *Bug5\.,]5z %񮚾9nگ+Z]}@ñj*]4k| t/?J ];椏Q#*9FyzUft Z`{Ҋ- wǥH@f'@C$# UVtIT asMٗG?de›~ ah )QPBh&MMdxjhΙx=.*7[`s5ܭ Y1)E>5K(3ut]x7tio5<]|%$FB+?Z[r)Cbijy/Ƥq$ݠ9DF)C.q/puaXM89pٚA ̊[5'5g PjT1<^.EToٵHĄ/S<l?-iΕE%2[hX: QlsPו>q )q$=I~Y+4wF!]I֘~ u]s {ʝBp0MdJk41W©v_QzA޻(نXl.B6^P|:B=&$J_,tH"#S(͛kܸ:Y@R7ՎP&QW2 fB- ϼ Ϧ׶c}dȨ !0ziHM߂D{Ӭa,{-C%k=*gi+@#[M2hf/- 7-"L,A34np|ӽH${Qrm667$^Q2|'p4.nb}–kkܖPX))Ly C=$ ^񜫞8r#uK)w㰆>?7j@m A;ߕB4+HkxZ9WbiSidNgke:Q|M ݲ~&Z D+*:xӨNٰv*?л>RhΝQ}2 ]Z޳7R BTط,ed 8$r#D{%C^f9UDϧv'oڞ9g)_N 8fQm#y+C0潙P8#Lv_V益JtKl?t Y0 @Vlp`QvbTumTs1s`PPy$oe"D=oŝB(~ n^⽼4]S}"uaQ:=ލ< 5uPAya:C=Fc% 8p@\8^l(fڻ=wu8Xu@9Rp3\'7`fνM\Ͽ{^:Mg(/5zmeraJEVݱ2ۅΰ +dmAΌ%Mx1XF2^kͬ7lt_Vݔk],vyoGwZ%Eۡ?FցI?Vl?>ߓי#ho]5BɋT*Z%y.qhU'*mN;d`{M;/` y5IMc(Pڄ\k%j/H24.b ܩjA՚͏Y^LPx92&؇c݉Br="eI8PRry{m9қx| 4)'Ov"2&D:$2:ߗ# 0)^ ߒ6pI(:~;魒A6a6ݰh;WKvi,j -vIX[wU~I6f1oсEZcQ?R.*Vd`ށ_&v ~)ӛ>%8"kl^Ia M$%+RT Մ> ˿mƼ$g]֕+ޝCEX_?N'k )rW۳qo6]Vy[k?vߧȔ>e,VN ,95??sJ˞7L:3y^2p#`CӌOzzׄ鑤zݫE0Ip(b @ƭj1^<,@P#@PMQxg\dQVG[ Yd9*񺸌IbK8&RpKޒjխ\叡-˂\1Eo?8̓GK9hc\2f~G8^2+ϨvRQc͡y[N{H :lp̿V!_s媖5e6.N85lpD\'])x0vDcftK^|t\"?ö a8 Yf2$!? }:r{\D/~aB:}\ŋ(y֜-M'U2hI) xM&1 #m.Q ©GRp^ `=Ȃ6r /}lO)܍>9/.\SdϟP9 17Zr>'!sL>lz}u8fؾw)GcEIe$,ݚR'zSO٭63CR"b65]_]{}k,[ƃiPWwˬ7QZ`>7?~]e @-ږ F2* &5D+))|:;l{yIP13׊k\fS=SƆC2* c9n 2Dr'|SkI ήM;Cr-B+C\`|Wxށ=,AYXlɧ7C]n, ?ͩ1Zk WxYbd-.L&4IPKpT2Q8.0KJiL `))goUI9ʙ0 ipi%j3,qN6̎(ey?7hzBiG{IG)Qḱ:hI۹S㑥|Ђ{UFRJf'Z㲴Xθ y@,bg :8b8 :{%L锳dTpީ媈Yi;C=6~4ųGE&\K?.ңR{I-mN2D%=h$MyS/+&h__uÛk{ˈ}wvPbagRa$-qglp| N-ʹ^/<0"zoo"KbVN6qg(ĹqXPvѥx"m~/utb}uR<3?Ҙ Ѡjp/ I5w67ނ'(]؅xՒb~b [Kl7`=ä^?7{S`j0aZF$9"H Jhi.e峹hԻh5R6 ItsiSwLu*$HTZqJܟw[7dR&"T'SrL}m 6E vݑ?ǤĩUy6maClDA4s~Q ;rUïMY hQՅql Wۣݻ >sA/>f,H3>u4QG0b靊pU"pAK~1w˕ jF7tȂ"rc ~)4-s݃~_vU+]::K_5 =RF{?WL7'K[XanNeW1c8}/U'i\*Q燍-B$BP9+։=AU(x%z2Jcխ/M}CF΁i(6sK N$eZM!=X ɫ^zx0G~JӖZ->~$R)05FmMwyZ-]s "nPC; t |&vjyN I;hE4RԊ6ܼE6ӓؖ%[6}u 'n)kʳR3Y­9=?$k:&iJktk ubc:6 {u=ޯΡib9%{yyy'NPf?oK(|[Mm'^Nt2%T?.WhuvI6 J~Ca 6nd+;|p$dߝI/a3PF̆fcC{k!qMJua0NLX65T[#Fx8mApgOyt^cȖ{NBJG^9mD%C+AWI>(iď=>c]t@-L׷ޗ d?4=5 W {$ pr X6er4<_4f(Kܣ``9V QXDBgeL/gemmy1Wa@f[t<~=')1Y%ٜg4l土"/@mp!w ݛBz&1J,nS!> )WFqЇ+ urK{<ڿTMog0>39P;;LuB;Q/&Ֆq:Edh;@?=߈㜜W\OK:8Vtڋx;O]c5HMګN?O]la4a),co[c3yGNJ#( o\ŇOus`v^;P}diaqS0Qxr3o\+6d2O kgNٗd6^*d'${@Ot_ u^a~V>'.x =)0vyayYt}^e:w":!dlcU48E8a@j7 Ftd8X-/?t룡UebSj-On:F[5"Ni[O:ѷȋ2?ǜC/VL}tl!?w(T;8l  2aGD[ݙ8+T$XV>SQ?vfۢE BS41ÙwulGffIeY{HxK\vg SՊ^"))g:sGlUbuf@4sN v1wӖBu{.IXg/KAX:hA'*y7lii4r^0 >UBβ#^c݈,Lψp|` q*La[lI1|x|ji< (+l2J)B3,cqm %1b)D:G+@^D8BrպGfsy`9mݛMɟg>:~S'lRĮϩqGHPna{V*כ> sO[ӔU+*G5lgTYwqAw :흡avhd#Io¨b@Ruo=]8jÌ-gˍMPmc'.:߆P3gYVt" b-k/eSmfhjT10D ~,#чGM"9sS Tq~nڅE=6ӳjwvۦEq~ED5I^ kie:ɎV+ت}in0G)TP`)** del%عG'4o"B>SޅVC0BYs;{Z;g0# ͹>'F*xQ _jQG,g;s^M7lp^`5P Vlzq?<`J|B;! )rԊۛF~`;N9s <'5p%hMF<\'ZF~x ?JҝF,F_|WXG, }+a(H_jzGrEX'DeN$i]w6?&[;r,j#mD1w{JERBG$`bǔZj,qCc3neQxW;TcE!X:OX/&)ܲF{k'g>=M~LbI*QCJIrekWfu- ]lޓp;Rhl0 q %!wSKNׁ ђYޜFLROGݭ}ûs{fb"DW? ~vlt{a*gD4}+:i|Y_I5-yI2u;Ehx]$Y'#@+͘C<2\bB5Y7[1ρ9Ϲ}+kg!ߞ_K|=RA0g)be.Sch ȼ {ܡ Zڦ|oQF0vF9}EIZ Q5ҍ–EK<~0 So A(0}nwӳt ktEw1@ XV5W:!EXO?՟sj1xwkc`h#OGrG]cvܼdmD3u=:iD|$7kn>tM'+u-8ƗN6]3j (] *"dO9¸u4d#o܂f[de7]:$|A3 <:! ~[/vr+2&„Qص|U7|^yEIT&O4=וT;uFe Z  Q 5_Ѫ~Qe~k@F3bT$Sq{ϒhI'5(=Aq zj'}= X։cRU҉! {XJ7u?+/8EF.XlڞwGb#ưL\vZ荨Mu$k -ݪ5MkJzKJ2)s8˴hc(1SF=;+q .+3B70-y9w1[` Kuo&ea8V߼oz\qgo;ўt>VO|'R XNi OF@C{r:K"5 zqzMzLd,l?PM18bv;v}H.p(sK?qWJB"'xUYѺ(7ي^'GU N bJM?1q̟VҐ6.7U$jK3CE6!99#@T9?7E묤H5 UZZ)tqVr>2`N,lFyZG*~8PnvaED 0s-kt@P ͋Z$=i OTp_&_!`ɷG?X%`WV/'9*P'×Xʥ,A;/lϰF~͡KQ^.˛fR3cny$r*~D7\0dx^^hɛ-l5P6_KtR0yh:zC*rKXp<'>ؖnc lk5R5TD)NW⬖?m/W=7 @8"Ɣ-Ue6;;`qKZ5;mGZ?8u! ڂ4iy?cm3XQ",-,#j2+Mſ+&[lĹnT%NGZJ|^wsvŭgB kK]#=u FsT~Y:LjLm_'2V"rH6-NH+^E7\6ޏ@g_\'}Q2fe3m j 7U 8Tu2d_0E7C2-4a&#KfB6*ڌ6O{z(CQ}{C`>vJ)l3Qj@fQPg=FU@o}S]m5SvAUQ:O-Hէ@lp )W˾TY)2"jSfz1z{qT6fNbS1HG(S )7Z l P uLiһW~„q5z#+d;nFb1!AuzӶ`9Y7<v⏵`+ΚH̨ʖi[~ƅgyZuMGXauQ,--x2g*Z. "*}۴(q0h8+e;d(W ʅ*t b.7W?vE, ĦV1/4AXGUn+x i!*V"4f^ xmpRNĎ;Vu2MX\,3kFU+`^ \ޱ!Ԫ`?YiDj^ʕENzP}$4~۵ǀ%VӸnK0M(WQ/UmPH?@+'L;K}%3'&n'+|^OHy-m[UİpK#=L kY3mۏMarv7m/X:5wDW7&A(L-DI$ V'=)m;n0=:L;vZ6/WJ jf^yܘca#zϛ>G>`ϵςZk}Oς)FjoUgK~r]b-0s#E"qS;nڈmD [Vqv2T)l~'P0W lXy^c{o\AG~]c>7veu FV)I*[O78`S]ۥn#I7̄?$H&85 : f_@6>1ҽ(EXfؚW=` -ԍk?3ͨK2#y-F䝭a8mWNⲴ@H@M?akH%P 'fzz`+^*93;nﶥpϖmQbeNɅ-1.֘y5d1(%Jc ?m/G&V䅜XpF6V:^D%`@Cǣx(B ;x%7RS (}rEsze Sp:~9% 꼵eXFBؽaB@1W`|53QP[ v3IKݮhK oXni^E~/d 7+3s2o,$ ލX]3_czHo*u{4ۙQP|7oƪe6)sXH;&y#A-9)yЖ=w0pdXw=.w@;5S%@u3gr "3+R^0r֔5Ҍݑ#e1VPߘ 2*B_R|4|*RC'v[q/8leoV.pUm"w ms =7mH|ɳ⢯t@h30 C%G]W/=ݰ%fNj"qڰC|^"Y*LኺQi*r4tm01r7 ߋw' d\IibcX8_׾MP|c(`9֢܍whaݨ!RyY;U '܆7| X hd85^mNWji֫1xxY#25i,l g&R IzI81X bs?Ӧk?COߋ8)H,$DajV#}jE'7RFLD&g*c_Ȭ-JEͰ/Z7A6;?^ŇoCn/!=Q`1ܾghx5͹2xL)¸;̴J}<-C?6F6S%QtdA#pw`P!d@Hs8!VPkڂd+fն/D,kebFJwu#ܺfvQ⬻' v1@6H+"$x1Aa@6RQB;OA`5l1*|q ;nE,5A\܅i3{GEmֶςxȠ+g8ᯬ_],H#1'#hN?·JR$M9 3L?b/xiFOL͜e(b?8# ϩ J(B4a}6ԝ2ǩ؆x5QG*JA E<6Z1 _fX*lsZsDF0ͪ"RVfPx¹=Y_Ow- C Ƙ1"k0,KD]:>[F\5?))Y@WGv˴1pȟU(#BBDŽ!hɿj)?i7U;\Ƶee)o *FF<wvN9LĢ 2aNOpE2}taj{HAҌ8?5ZɫH;Z홛ZbO* u-ڧǡga:Թ{L*bRjCޝQ n ]2)Չ |P[xGÀ?`uva۾[O>i*C f?|w ifBOB+PQMXZ1=ڟ}E/` Dbh%#ͯll\%tzmyu;2C+7@{$dȫ-9%dO=Opi=Vz˭wDein-l%"S}k1 LzY7SpW|LR1n쀂~.WZϏXʟ":Ybn/h'fm'ab#RVW]+٩.Ṉae`@haI0L'RmGm[ȷPŗ){XvMk7LLOywE*pe_aYOIbQ,R~~x`n_ 6A37!,4uîGzL#Q}oud9'P%-MF'EsD@%]Ia zl PR&iUpoOjኘ;I^b'i_'OP5!V$.w<% <`2ŷa54>~\.*kwSOQ.L@Nx45l,-7IP?No-T˒ Z LuB2-?bi{:LV#3_`Ts!嵡¥bkK#w}&?;hՁDTڶ'.d+ QooepT 'i7#6ڢRZ\i(S ravA?1B@ Bu^}j;+, yx^7Bq|I9p#d@un(b5%Die=1IF dcwha4lSE$rRO}XmQi!9q@[/2P2⣯3 N-&Ln ^ ?~sfLw?eHS\6sM4 OUm8['B< W NKN)Ze'k|욹OMʐpެѬ3h, Q```R9Ϭz11ޟ#Ɲk2"}A{yjGE ==ܙZjmU9WZFyo>&"-P~EK?ku(VG*gs"1*Xwd]hcVH4k툱F)>~FRt:_>BS+b{K 7h&ɈB鼔8pC聟O ^z 92ƧWݥʼ(T~lP)˝> jJ'>OKff*_E8B3F2+#>ߖk|=>g%,f q`pkLd{,"[7ڱ򭂸snNanu{B39xJ+8i)CѦC@9McBwc55diKx$78DKˈRj%;1td|R( Sj-Xac'ƽ'^2 4xL՘1d ug8fYZh\5dإV[CvqtffV Љ6F5µǕʿZ b{怇-OXɵ=J%ȉvlZ-}JFl`6j}./1b/ԭ٧)V/m64kQPNGXgIs];>sr#?5^5DP$C$qT~“"m0n//w~>F@%L d1WB6=/fĸ(m9<^@?=4isۖ2T7݈dgU-~2Er/O_]Fw{1Xld, )Ż"biaSAЌj[ɸhgP4 f_"&5db+n5xW5[*}… HW<^- Ӵ']zU\.xP&|93 vb ;i;j u8978EΠhz>%dEX'3MҷSb8* jo\LAY VbM\FS:Bd*%ʓc p;xT#!cW\Ts66mOLBjs+->|nBk3pgXzZacP-۽}J,?[{hVpUA4'GljۿCR!t aˊn sĢ5q"y\#B ^\Y{Iͭ^!sh @%mCGިn1 ]F01ddƖXI'TMgMa-fǗxzye{Z梟G7"сF[VyJhFMs)ֵqݼZBJí$+>$xHxPo?[4\Cy8 v,6xcm:> h!5]!tӅZ+-?EV{A̓6F镃GzjjxO)?kEwbM̍#: #FS ̙ 4z"xn.VOhH ^kA(#z+<6yr׸jh-!Kw;hPD Eǘb4mWuR@mr7R-|/0mĸ "JxՃysH)>^%1YfQBmU_įgjdT%/ީ|p3-M.oU6º/KSEW uÄ fVy/ZcCKqLNȘGD>ZtɫgJ* QnxZ~ i5d8ͺUCF|X@@gR0cy^ɇᢨRtN{Ct BTl!/\qSxl,YOPyYJ[Y~? w涺H%}9"yGcIDoS6 5NT .?`Q@8q,gT)vٶ+)@03 ZL[fϭ\j PvrDXں9_v 3 2C^PNE1IN|Rs*V7u_" !Vyr֯|pGMTƜ JEKYb"Fְ3*Zj.Lb^Ao]JXұdIr)o t0-Ȋ#(*5R U|oIX㬢e{3>wu]PG~w+HMO@enTƼW+B r;`"PHq_dȩ"[dl:ӥUYEKireҡ5Fvrdݱ%t ]ix]#Ys=J!!|9,'3Rsc~90)քgTMes%3Q;2BAA˶cpMޜf!M y!-9:6aV|'C"y_{k8[M/\NZKAY[gs18naH1Ob͒au} BQ]d<ٹ 9ETay&K!g5KgSxyۺ"4m*i(h0^^TA|`{=N2+Xf!k*5`~](_-CTtA" ?T4qc~Ө]|oIv Wkߖ/N&D'͓g!#R 'Wq$Jٗ(rZ-@3,i2+7D/3XQ[n|ޠ6.t4o`TU\\O1Xv_nJ7."_Q"FkNJv_}ZO\XE02h}wLZ Fҵ; }!VMpd'5~S[{ϫ /tڠM>6.$s94y`a%X."rq8ڷSM! L;>?|C)//W n bx o=~';ÈC5aN WCJ;0˻mcPj+0s(ȼ^<ËB8U`)"fރm8D~bDc!H\_d<,khWb53!MZ"dt,ID`ZEچ k缎Yzrݰ881ypdWʏ\F50Mnx'PHuȔݽGs'P!9E[zH-fw Q -"K-$!.io-@A71ݺӹ90e zW|(e1?06)>mQkv Q`WF!MʎT 2{l21'yA,M86a$$9@:_(;)#GaZ2Hq ')}d"ǬA| R#W.}SғYfε:D̓pM5@5,6'^DZ~e PDh&oeSä[ ՆxqΏ5֗`gb̅[/%CJ qtq3PA'W\Fr>0@l#×:AcaV0L[Z(WkScՌ!TgNQ7n6N^)W{.(Emc"8+ caN#鯆Cr󿹨D0T"b`Ǚ~Y q,J^t.hYBsM}Z$V?ޖ &6jǟ5³J.@~rI`SU_YNU.V5 =J*<bkCUxZNp1榹ܿΎa @+Z u]Ƀ~y,5L[YHS K`ƀ1kwRa>+ƲuN~v)U3U ('cHKUjṱ%w4w0 S&9o|͢Bz!tՅw36}-g RdU+_{zM*li/1SNĠ;DBk n(eդ{cmϐqp~ƚ'wheͳ`dYBhy[,#Ua"5_ (C9/?r1.{u"ivQ**pCˀ3L9KdJ&V0`u5'fhqWJѼXdaoC54ƛt gj,6uL;j9-sޙN\-8ɼ8E6|sgwf]V:5$l/oaynN[ ;CӫRgj0L&'Qz՞}֝0{6}W E!SGd ;l@*.X@sӼAT@cy'm8:/"]Me9T2D 8.DD.5hv˥:2/ YZ