sssd-kcm-1.16.5-10.el7_9.6>t  DH`p_r$ƨv }6Pj}L=*>/2.%[}F@ob g6a߹+M1fOsKk1׷[ 8.5&oZ(aa B QKxjmc[qC7"JOXHPN 0 g `=ny'ڜ/ Nyơx7d@BɦR}br:"_8u $\2aa햯P>]:j~4C (|וq~#)gSirgحarU.SE0řC?BHzB2G-D8E -WLf! VP\| 5_f[:!E|ꂭ^lڑ"|JXb. 9c]L!Ru#r]o>H`zblJsƾfwM ~^8-*/\ڇ``N*&ɟh@VS 0% ^Bݖ>9|>>!?!d   H .KQX4 B P l  ;^AA A(w8@9@:J@>e?m@uGHIXY\] ^nbdefltuvw x y 9!Csssd-kcm1.16.510.el7_9.6An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache._x86-01.bsys.centos.orgCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fiH 큤A큤_______04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba10097190158f833e39a65361515a0df893bd3f4cab65b86fb6e000c0e86fc7831ea70462f35d02b3db546b01d9a9e7ba36771daf87b98e3b2bdb9d16b091fb3659757de9274ea57436ac4eaca6feccfe64a656ebeff00febcc2218c223f02f6f8a91b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.5-10.el7_9.6.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.5-10.el7_9.65.2-14.11.3_G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.5-10.el7_9.61.16.5-10.el7_9.6sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=e2e44d7c10c2aab667e9b111183f21251433fd89, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory9R6R2R:RR#RRRR RRRRRR4R%R8RRR R RR9R0R'R"RRR(R5RRRRR&R R+R.R-R,R*R)RRR!R RR$R R/R7R3RR1RRR>? 7zXZ !#,] b2u Q{K 5:(ޙ.a~w()v̒nR~1RWagNDbP=C)У= r5rI!"ab"ISRxUg{U$CLuޫfGrEg nƦ=v+fGurG |uh3%k^W?r%܉ 3E[WlXQ]nϢFB-(W6?G/78, U8Cшо;f.WtM38ҠHc!/_!XIe&&LA~aaneBFz)!ioTFدx>j[1ׯzB Vv/x}z&%JSMN[H[‹kl`$A8jh¼o x-LS<ܠ(B$I.3+ ke3J}8e$yNXDJ]6Buqٰ"X0D{=***,$ =sjC[flԭ]{' ^R2 /Ѫ`(VJ7;qtGȻYY5TQ uZ ;H F<ڛ>ȶ0# da}DU׶!zKɂ>4zf(d;˲giQ Itl?߲QZ+:#?!hNtȖ[4_}C9L/=T$r׋#*̰/mNn8[שzۊ tgz&߁n Ưۓb5SN“č|bsWE f5 _"m2ЪbC%$c6>n{eԀfEїa21`'6"m'*8jlrX܍]j|eIrݓ\ä^I ?:c4vM qۧ1int,MӺOjm;An4ZCdgJW0+OZȱ ԷZ&1DRD-'UMߠ xl#u`Ru)aS!V%%r}F&:^4f'>$r3GcoCüXP8'$N+QMe2@?wl|n45[$lyuz &Q7ݩIl訨l;I|&>ќ- c];m)rO:we/2" p.,ʽ51 Z3Tm F~D)\IDy0{4jN̟|`! k?j6F3"xsYv<CD:Q}qjQzJSYg8.>wh7J$u2C˯zBv/AɀRG[Ӝ Zᖻڻܨv%GpBib'3OatUWڴڮ _+1/*E׋/Clõ΅K*SD]]GQ@f xiFk=DLW6˄0et bH^vl"@T6xLwςyCL^[cO %/Ed~RƸʽΫёJiJ2* DMg|0Ok|6θ9$ vKBܽZo!?TXQשXg9r=p^L\XwR٬P$_gur/D5'?0G{ʋyqǭ>]JCN}ڱ)gxcOޱALN atJYU (BB#xpLZ1A+ۮĺ0w*a"j;Scejy< }Dld^6I`H;U-HpS8_~ғVRGd0#8LMc!``_$,+Ki0$:;aZ kLm^f87^_=v/Ց>x\Q2O$j౓`Q$U3l@?5];*թRz^*sQvmGF牷k 1#I^\)>NcgZ@u"e c*_ϐ/c%Mi[Yc}PB0 h=sGKc^t~jb N.|,6gi;۷t٘o[CpmspZ@ ^Ic ZN_"Ca$g]Ny1}׷oĬv`*c5PfRFɒZtrh_A^ܹNGy̜uX8xp~' qXXFX#k/jKѫ0nyB%S. ${ <,oܗN I+}th0[7ӆG얾$IߑNtLxg]sI)YA9Փ~?9&uia37! |% UB8 `gr5vd[xXĜe" (]:FT`0_5A3=\/>p>iZN&*V)9zO iBwr7 2VԢDOdD sc{9rNx!X,V{Ώ)KD'E8ih@gAy!-D$.n:ܭX'rn֖P(/K )p6FJʽix?w[UN FQDMKK"f8 ќ-4<MB`͢T uCo@SXkM.fkO,xVމY6)RȔK0c!W?&3MLÕ0+bQ˦9~j Lk6ÔߪM{8؀j:;bWA}ֹ͛mȅȬ͐ BДfx ZAKXݧȹxĸ;-\"QLZt@IbA5Q#0@OBz.k} (,s`v_翴ϷwUQ>}rcق>DM,쇄 <{Tb+@DβJɶ6.e;zlׄ5#|;Q\0;MaᐠRKCg.ԏB0,AD*gc6ZO7c;kcYBc7`?!o0S%ł$1w"zo;-b-k|!]Gp`w# TZ6i0iEI:ɖ6< r@RUH| Ɏ<Ԇ4=,׿b@%ύ=KmMBϰnOa҅oK/hl+qx=aI;khtqS"ꦛj݂")&>nW4x^6퇓3dN`&6nP>3|#&K)1X76{k7Q jh?">-.1,.g$u6QM4s̈ {Tqع $6&kѝ܎YR9}`oRvh\--A <^rgqgcR:֛}V ,G`0g_[. qH_# G eaga}qc cI( nmKJ{ARpv $R\'̨ ME*E6v }ZއLJ#>O"KKX]I$21?i< o(WA"Q6n\@k>dYUy쌩W4YMՈ ޙ K[cyeX/' $ſjdB#G|*"yBtޑ :56kY[\b$b "H* x]=0Q48\0T@*\n Hj̝7~؊*q0/Nb.10 h[ەT]l pB]gC^"]^8PrL*v?dB F3{AeE<]R5#sF[0n2KqFP}rjUgJ*:W# )-Ga1s>IRG|  2UC9{nD(^h]ԭ<Nd$ ~"W!3J1eXڡ:B\,7XiS+$7'f1WoM$*u!3uz"螭NFm^k3`~o^ ofm۽[ć ^Iߤ#JTKh1 ܒ\*o[#p\Y 'KANF3hDwӎDn6ɥۚEVh8mD՛l,ԍޕԋ靱MaryP^S״i,z.pJUSF窊6l˾v#L{\h/W~i7.]H_|ꚗ6yX1H)m>ÅhW j#s>m%[l-̰P%Il6oqtoUHc"ڢHm\PUֆO>;snb7%(#%x/c6~ˊ+Iu(6NZkB &ׄ }k\`c3^ MVT1v$ڵ{LW @ZēV#h?WI(<{X}g~*>ب b6|5;:k"8[lİ\= ޒ5RH2IYfn%uW~]w'sKJ:J>6?YX7ߜL졢.\~+b$|XFCtF` e>lĪ̕:2Vp\9A1` ͨgM?@lDY_(P[%4 ǡ/ na68sBs)àXwXd1Ta!lp8v^V|0 J,7sll.0*{>[>3~]Jƒ}嬉b¸INhTt:-@{RPi;WB_׬ukw}om-Zg]k\0jrt?ɒ'AJpp+ Ma)OC[ڸW}U@dyUoOtP1r#&ܵ ,9ȎجK)mb@d_^ a/ҩ;p!ѾF[`hGzy:zl^,O,%i.OVuQw@|@}8ś( @{_15ggC6*Jg,.j:Bo|~k2=DlurD4 h@?~w&WMMyM4O''zϦO}AcU(96IO 5#bӓ#B #]!ڑWѪYBW6qiMHXm\ GW!då-MM4 W| 4kF"Jp~?E(g4ŵ'υ dm3\)lrsY M~"uI8TFD<ѻl-+=2טLlz6;{'2 zvd(1 q>i 2mS=kv†4Kޛ\Rq~bkW+yqQ㯯@ytlltqɹ,G8G#$ݭʹ G`!۬}r9S4a.=њfs3_v*ʵ9@>V@}Ex? kZ,Rl2&zV<lrSnk̶k Pj=PDY׉9x'dX 3TQ֒;峓I\H.>fC#r9";r?^:gɌ%Zt4\!`@Ygb.,nr({YO+lѮG va nKBW=qfV,=w&-td20A"Co~rvnC^҈V3oVɢC(E{lqY97 ڌC]j2JC/̪q*1.>@n&{\( <źhY6k *4خrUثU]Y&~w=*haH3Rl9pHoZR^u7a [0Z'?`5li;dKPOh,vp1,;~` |e)c. Y.vTP]` jU 3NJrA~.'TQz5mT7`3^nvߣBBTeMPn+IWLy6R/i)?g>=]p $5},$T x_x\%O ̋ 8jp4NX)$9DhWٳ9ގ?[.Ժ|&S(vGM?zQeɈ3O.;!\)NGx6Ԇי[6*Q3~l5v.5nHȟwoVSI#G6_:,aig Y!}e'lS$&H&hK-̼;w@9ޖ@`|Wֶ }-dz}O65gҒꡅ^j32=+!/0v56F,ﻝ=LY-s`Zj}T Ax"!#wjFZ^Eɉ!:NWYfN2FiHkl33 -բ/:x%+jQQ YOiz퍉cw;h;HvqTTH-"5N~3( _v` 8 ؋ˈKd)_{,s;84J  H84OU'-}y:ZqJJƴw9UwKY|Qj'{be)vZ_tt ١ f_=0 E =`{}DtMj|O/77iiP q =$ڔl!s_a,ZvBntE_T%ufgj=y|z͑>5Z@_ dAcOu'jbVwr`eDfdFFe8%Zrb*ċ#SYId8 AMjzjd1 mn8FP.θ"&,){h)`u6M" _J~Ї"QͰPN%8݄β:M<3/5/HX;ZwV>;}Uu04>*&E_7͵7z qUw* .wz} %! L@Lh?S{SP@9Vf0?BF7H7 nrOav.5I;B"/´5=@ύ,d >B76g$pf˪8߽*xB/2pDsT_3R}ao"IVΙ-VEF O&G{4)y_ *$ƜpM!D~8ZƷ~g!NSJ"8]n\jL޳\r4mkwm%}фsž 'H(t@Krme.e긵>x]r_gکjݍA~^f1ůF[л~e-W-g>oĔy070uøƻ Q"k9eL3%NoYh58 o`c@=&Gscc|OqjQgȥ4M|}]kДkq ASMI? ̘RdbC`.L~iail>`r ⭖_ZOȤ#}RCYKuM ObjNrBVԉr:/x+c a ^W_l*1F"xٌ AnXZpav載5 J=ϔ2(…:U390s%#1Ӣ4MH#hr~snt^Bo[@dVdO)zIH2YP#Ghc?hMVQl¡)Y̛E4dM{Bt bԪQCr'ngժ6 r;<{FChZg]k9ΐ4l*r-kG&yi(@ G 6ϖd_%A<#LÌ>Ӫ*4E+ҹx<̔lO47Z% NDEx+ SN g iPڋ`xx<:^{5 (2iL:3h)tTcqne#@҂Aݐ:Ů8P80<*%B6ج竟Xf'>^Ǫf -NgTJ-!>(;`%a Έ- a$'{@spFWih|јMA$M8qEkse(>Oф-CwBBMU K-|1xcyu=Ǻ> @t U}'U+L'kŕc. xT/YV]C.a꽽vCL.tZBI/FPT'-}1S Mq:rClJ7#1.yO`(Q:΋]'og7>I1:ʘV| yΉ>6^ë] k8< }A21]Or!ZvLJy$;d֤ 3DlF>+T:X; k0՜";80rnW_Z_;^[<~+ ݟ@La66OXMNY?,otB9}t3\ VhB̌B=Yf4J6GF:w`W=T5 !SЭӇA7`|[r;0|,`GXӎZ*<۝vٕ9݉i`B"ɸPjA8w vXODƭ (/2Rhglw6VD%l1H⯪SV&]K{>F聆]c'r'QPOFAX Pg8]/ƦnF䂗J\jި*08ʈB\c!Qrtf{ (cA]b0XC <;\hS.ZEFXϼ>3oMmyf2& Rxm/~9j4j8_]"~N/m7V]lgXQ5$xpD4M[gYUuջ13q$گz8~CMd|PXGNo*+{hWD9AqơO6]XƬqڋT~8b_!=5]jIF,6Z1r=5h9gQ8G9E y xtAH<*]{8+MOM&ڡlUhx&Yաy8m nXJq}DJB1R7z(<@/f;.5#h7nB;WM;.b,`ZSHlS%} cL-@ERu?S vQV˓_lQYMɨ@`H=ѼY۸|T[I+ȇJ65폖3nQ ]Fҭ(nq5\gܾ|"bG uȄ58fќH%1r&/ gy[0]<%w :xa޴rїwJzXK"UCpka7蝩=a^˅MmޞQ5>N\}I<=LӰw1i:b^Q4ަZ`ś\$SLcSzR KsjpZ~؅*\~0,wb;X< %H!JN\i]]rRD+eU4ȿ$Pܬ1pd#rA\x(ɻ+ , khC+\3}̚[Q͆NcS3DaMxf4S|JY |~vPG6gCniX)1k9mlC]b6,vr_ȫ1st7O*~iy.[} 4~N{+mKFhHn\ZetʪOc1>1k.|1t,x6 6σ`I#hwIKF?൙FQj̠Y|Gl`a'%`˓i2MG&CXV=4Ι!2sPcޔݛ|?i_2Pzq%5Kh}eF+9(7uwfi pm#tUq&w/Mebb$j'IMjє:N/J(}Y"=CG <, ?9X+@uװ=+Qi-`Dy+: A`~CI [$%∩*|D\$^ 2 (AWyyK}nO?FhO[ۨIfiOtf-ff֛x,kf̽՜7:]ޙ)duwֶf測6+N!..wzڢE``s:(ψdfG.aٶΈӨ_ˮa#鮇IO@ @B)~OW3/>PyCwbk#z7АS)}b1W*u $#s,,s8mulCwJ9PLd7ȵ4Fͳ$xG]E8t?M{"$Yq9K:5be7X$'^{C&'Sh'6eσAܨm] a'(us6ɵm5$V>OV'50;ˑ;`mY~/(Pj';+r4ƀ71;z1W–+šn\_VDB:wчq&)U@wNiE?1ցdtJ]o͜l>7߱DfIqs(MVpՍ @0[*bPG1|gї 4}~ ](ZS(z= RpOBIjPuQ#@rt8=רЫ !i(uN]wx-y"fUIt~&-7^Tڶ&ZU@.Bz rz}'y"6io+ LJu儷Ka([0xH:};]PevvCdYWZH4\s2@z+y 2!$йvgk𺙿Wr8mO&TSCd,ȤJx4,`!ӝ0nX FDk<Ƞ+mF!gUWE~3f M(V1ŇVg: <ύrye{M!Pb3ˏ0hf|mM$zV_J ?Yr _jޡZӚ(撵g8r=ZЇ1ԠJesCg·}c'Ӥ1CeW c$P2|x ҨQgGQϮe=2 ]b" gw+sL:0& Y~U n:TZmM_7 ,WLP*)ˆ׽B@{T-uv)` [*8]PZFe_W׋E9n޵O?h+ў>: Vj'ɠ| |E[jT2||mYt8ώ^y>+Ʋ+UYyBy3^;.T~|,R],Ȍ[ RUj*Wt82([|(lYwiz| 1tzl!ō̞6k3$gA[gMj-JӒ-.7ى0&ۧ QC ً;D=PL^cg*qy &g9 ?sr6$Rnv2g S0&e,wrHOq49LJ&qkmp)bx:⧥⎇WOW}c"DG.țJ[-?M]#-Uz?SA7a,r}?+.Օ=]#YgǦoB* gX$h(,vp7wD_<E L~i>T'r, ~F~c˛|rs[VFI/C{deXӉ5^ًY[;Ωҩu^٩GrK젉˜|nw)|˘amE Ո6xb9zEg \w.NwpÉj(]y U%r)\Iԁ0~uc:mFYFgdȑTpӿɿv(*'" 9z4.+){~p~Tz^B}gU1%)6Y '~>?Z]#-6:C;-!nc&h F2D 01!x1R[vA (B]N(YYuPH%Thl*`56Vٲ>V,uV'{(X:^)%mY ZO(FfNg܆{wTUޕ?|;ʪ g-tck:/<9rQ=vĿ 9sa[%{kE-c!C A4Ѩgl-ׅjH'@?"["|0Ph?>lX&h{`6iPWlMĨPBfrqsmST9>(mS_a(mBJy1X}ƫ .&j\X5fX:A( OWR*x-Mpgg„P3 JjD#䯬NWE:mWU |cT'_3"H`0#4&-ZŮ#zaT:p[|::p3&^/wWaQa'*oKaeGe'ZՕ{_//LJ, >AZ*k^`تsyg c]5m6< kS ]7ͬAddBә@lD^Yi!ZmUIs2 _]ʥk$YG"^;"݆Ǥ[ފwnr*QD ca}+ 6 |}GyL~!Z .N 5VT}tͱp3{ kB:%C Y۟zTf_Х :jKA>,Кu9ulɷÒ_$)J6[: Fn:vm72)'wrn'sjT^E-08&v6$yɲTc?@ak9;Oӭe@%诞fQ+\%ڡ;RF&]6r9t^A#)X!F ;^m((| 1/0s\6&^[unC4N5H KKY#(wɿMN,aR%fy<A_<ոψ0i 8n-T.聖#g\ 2ZE!A,7 h,@І2C7f6$^TGrIct%o=&~{e Sy0TY.' uJUfv7܈"ݎ %\SvOa"]HG]Qn%`qPB+1WSZκHGψ؆7@&L^hPSx],l6YjCVF-%VGLd1aՋ+ S@,w>fG3k_ՉgGqNi+5êBqfp܂鷝p]8=V<+k\V?T2)A.P}p8L%S9 a=bzͧ!=_ n"ks )h`W\/j r`i: ~UbvxM$]/gAr^"G>3TE Ɲ2V"}PecuTf =4P惵ߝmD"JOο}Ф8HǯtO;y`Z c/S]#A>Tݷ,*z>2,lÆtp=Ez'淯"Q;Zˆ=*?ȾRTdܱ$EVl:qJ;WD)d+NWv@0f:|R\I^SQD k5!j-ۋ` {PdX5V \R'7^h Ү7H2qMX30=O28b*y펊KjmB2,O켥XY![S,|7J^j\1}T8sCjUb@ ~^r)=a <O 20]_ҋ>@!|Aʳ -K"u۰ 657XDw4'dlo`Syzü0mUD/w1t`MP2Kd=ᎍINC)LL0=W@3H6 r|DA>1x131GIhqޚE1V  v] -\ Sݙ"e%mrM єS̀ +{aG;;L6v *d5ֽ|{_̥{J)9wֵ`<eJ}b :torU,~v`߀ cjjְRÁqwbQA㱀:022ӦVFpO}TdO(I]-g˭^%AU1tW:$kD}\`j 5tҰdotNᬋ_LjḼ+Imn#SR_&tƚ0?9WM?X&5\ſB2ϲ/€T4H? @3'yhSҘSwmNѢ^<c )ѪoFv,],ߊnRMmCLnV۞wwN)g5=x͉wPGmMpmd#73)mQl:Wxgtc% Y 2ZfQ<,R1ve&@:j9/Tl\ClVhʊk)s1v^ș4I:%2RɝbS٩$ŵ &f 4L#MrqqY[1uT#6.TKTz> 08WX FQ%gQk?c~|d{խt/ )E3a>K'IAL M{w!BZ\c.Pƨp͈FcM2GXŊ% u]m|V]HFEVnQ}IN^v /s-#}p?CNyәg?R“OPBM۸m.L :)! X ks*۰4LDtzA[!K.ntkߧhR@Ը7׳8AŷĘ~Ag^ sܶ{b$~d;[قv[,i A?WL)HԎ[1!r0Zt=RRI *)"p)]viu/,^̡VĎ!u|F>G__hu:mjԽ>AX-;jmc|'@r*A@)7r!SWc#}o_EGĦֶApA-1̴ז±6?B ː1WR~Ū=l;  4oqlSmwu߿p ֿ敱.pf(ӎad.,vo<氓V(7]IGY'^8URq8D߻Ef)йz@uNF;S^1(0ˋu's^y`G.RzWk&m"EY:q1o3^[]e:e7mS6E/v2M{;M-2Dg{~Lv\. <'?~|AhW5R!Ιd6Q%.|[_aRc8 ˽;b˂wRݗ7~Joz/%_ExQ95ӊޫԁ;ɯJ pӏtloLS HR8uU*ڍ۞.GS5TەMA]DIɤoϨÌl1w5d~Ӫh_(I3CF6^ u6U]xZl-]|XubYߕP1l.M4 ;TpLH*{e6VƔ U$KNG]*.߭%Vq&6DyLxBv:IHDtn-H:mv3E߱?׎!Ib#MppKPVξds/i߾#^ *aFh~%&\G=" jP%8;k @E'gawT^]?xM{*ԬRȽx .PZey[m>DWj #g*u#MJxێN=ޣNdhTBSɰ~N+a> BP,b „,?^G#567Жȥ;28Oc$XA{LLx:;9kRCWw "VT!gF3|VPɀ'$^lUl45mDiU];^/4Xr9:Am@ SPmR+/6%%qxafi5!ԧLP@60əH$!o{K+-<@V#ou8jwuݬɄC N̫trw2sw:cY?OM4gl+2 Mm9/6M'HoԀEpQgH w7ѐdE=M_MX2wԆ*jB4i9T_xZ|KxW+9p>z,8Ytu;$Xs^O@Wo| #{{/(L."*Ose8@^)$Q5-\܁|_uN_[DDnO/HM~I7֤ E?[jZdE~x[2N\/PY\Or"SK\ Th`=Eg`{~{C8ғP(j_$t) nK̰U#@2;컧++7N!䁲.q8vhqo?tȆj{FUD͓p>݂5Q`s'-^S #GZ}!`Qn,씯q9EP| ոBՃhkBCMv)ְSPbՠXCrDžAM+~Qs^a`*5䰵#1a+T1f`%DodgYrNV.1-hsJ*@4xZbj2J_;Vc %kAMV]y5qħ`0ujge /|+/^>K(?##_Z6zhc$%ЋH) Zc W"]߁0›uE[[9Z v=xfʍLoc=Z)7F&gh|q1֦=i1g}ҌVb6)a5s E@ :"&j熑Hf>#=s> |7\Tz-ŬJʏ2 &'.WdE[Q |K-w%BY4ibz[!W$:/°u~oq}xՔ-m?,ױ p;k![&?Gj/=BџŋVj__Fk̨ uMrd%AZػCCHhM|RmT⏬B3e,A?YQy ]7i (|P-LLj>C1+-*V"pPK *rL_O=UhtqY}XH,`%$kSѾ)* AWY?e A#ۧX@ 52>Ӿdnf"]C[>yik3bCtjY*h 9Zg14:'&׀1=mqQi1tYb*X1ovMZ'[N31Gx8Y\a#bQ͒~9qNY4^Wm IK' TW:f10 Y0 [z` "Ajߎ2$"߀Qr}~=RN!/A!GfSqiyjdP[$8AZo)`W R6ּ1ŦA%R>hK -a2(#d1Z6X1xOgL#msIkGX5(RWx/|[ukAt*\|GA_oH73R;ʌ9"z(u=,틊ä[kfNYuC$EZ؟7,\;[sU*7jG !:-/~Zmtm%*Ļ wl=(#3]Iw9V.p׃qdA͆HWAz@|ahPqa]¯£՗xTg+/oxZT'ȩigdlKQyƊ5?֧I +6,2ekAb\}՝!(-z(rZ8fE?H΀ɐ EHPxުm{2ޢdNO.U^;+iRy 4)XEUߣ{o'誖O| wsN6s=Cr aYu>n—̽GAPx%t2PɅorE}/0[[f=\/1=XգBs2LW#@n {K89!$^sA`@ikzPn-H{[UbZDkXn4\f;q$w0}hHPpWǖqHi Iltq@ RFI'P15t +?НNQ݌D5Znu%HDB1LS Nb G)ŧsAc Po >ZJ91S|c0pMrtR5leL%EFrY@]Gd:tKNjw!yTW)"$V*4u .Wߢmm45xJ \N lR駃oC-9iqgnv`gqZjXxnW=cj2 зÿ@NP:UpXʘuSЉ62 ~4So5A* 0aݡ`tEA[9Ě.лR1b vIT:m}KҎalUp&Uce&)E6a7/;0=.}Nu'Llaa]5$͔"`y#C?IKS(2jY,ZOڪ t /ׁҵzVPK\!]"9>  m0gIZ[Kk D='JQMk9}ӆ$<9 K7gq@.WxG7I_[IIq=n5avܕZ-_,bmkNpF[F|`0UݡK Zj;ٵwTQTWw#)&ީ$m-] , J9vި/{NX@uv6IřAyzPqYZ)3 a Ͷ3U kȋƫpbҳK1l\_lѓ7>I|jW:aO"L^EDъ.a Rp15_GqJI~8- m(sz@z4mS j9ܵ)7%=2X gqN"TST. :—N=bܫYDRp%8lƫdۘ* د NQu!U:* QDS";h{~4p<%IVS X$Sd4vǞ9FİbFf!+CGŠHnO#"yr#G33@6m(c,G%S:̌wh񹋎CƄ<,s=湞LYo|<ʣTO&P2;=@^g_LF;񔺙SM»fք)4Tuƕ B$TKb(Bi~ k! *|n˩9k@NfziĄy+yGp߭^иEv:S4#E)0B5ZMnR]'p q)妐?`Ox(:aΊYG4(F2)\1bH*lCKaaUiuN 51fhlIsRD?nx +no5ϊ=/aye-ߩsFҫs/:hltS nB5"9ZxG&W[pu;qt>uǺM!ڷsk( eCAY׹ (PͫZvGF>3:1 W<0iw/jtcTy(*V+aMAsHkܶyG}XR81˯ˇ.piZ3rYxx0A'] FC8%TTE3 v5N+pmU}}#[eY?V07Gx Z\Ix2^H4ѽn:2*{ͳ#)c:zB<̪ x^.X$YEo%O =^EȪao6R]o[qpTXsϔ:YBc*M4daݔ.5O}y8;!j}9d.XOf$yYgc>vbE9ىP/Ͱ߮U!ma䖫9[ t R߽iV(h><`wBX)eF [HwnҘ#h8aS9/3TGCnιMWUt j1P|x"`Pe-U'՝A:5Od$7ɀνKe%KyMBrtM̵ 16*=t98^@jhs[?  X>hY^*u9aUTM4z9eko 2& ֬T#'kkɨrB#^536ybԯ4A粛_ߨ'c>URbEvq2i7yxHELҲnBQ䧶_5e).3!yk]gDR,w _ԥ豵*)fsZSGsGC:qӸjvZ0(czxն^)u7؉-p5W1%%S;!> =yzyAXV\ Gk4;z%XIYMŝ 8=|zryo>,w 7 ,ygUMPS!䛻<)M*ւ R~g}-xPYO{H $%@T0G;CCgOT5R rR:.6IFQB-K{.y.DF=.2#FP8*0KaYVxE:7u&b&ጜ 5X< ŸWt͔1UQc9~{ JKL@zD\=)Ȯ~CÊ;I|ANwêKm65T߶j،9TZ}7,HlǕCC4 djԧ5w1wL~"T o㈒^&^S,v\=ER*̥'A7X_m8YzŎ9H< 0"U;6nnm?y# 6?1W-|0AN!^D Z!Jkzr2ga|/sLRK(4oӯ铴 QOD#ʫt]s;oV#-2唡@/-xـJ!L6*j7<[]1Ourd .UbS,{BT=6vN~ :;Vڠ-##in9rp HFs]~:|Nhq֧.D T -] M9H4Lۍ|Yb?w-*20ӧg4{S6:O`f;l[ٌwrKΫ%-lZfM9]s4u+H, C!|wJE3pkn "> Wٙ빑1cωݸ=:`pw#EQ!^?>$ֈ:?7\SL'radJlC  b4nY4%vX{n-b~4`uRQ8k33tW9Бq&N6K)NH1g ~iKAT~gtG8ĿMH!D6dr"8cJ+,c'ȢŲғ&Y֍Z`p>Tm-\S W Uy]m#r5Hs4lbb s5K)s"1adS2)bYzO٢S(J={3V}ǜWRi4[(.hiW݂|׸=UKtݟXePP!ddIA=)%]$LDx@H!YǓ1kWWsӻ5͓"ut*6vgywPnhEHچ3}ZNTArx ?rP #W29}l[ډr"ŭ I_˛vON  >C%^KՐ&w~sܖ 10H?IY94O#¤$8J!H2SYP}g X{'g{С͈א]k3_ kVGn|ԶJN)oDJV\bS‹XD߂ YsPNI aM+@!6{}$vF vQr?;sKX *5;F8{qԑGogX†a\6N7K,6(<5ki * 5 ߘ|ؔSYA. ~,~2| kpk/8Llv|>pdNv0p<R4sJC0_XI1,Z0F% a`` S QW$p4:իy97骡^!{>/DdS|5ʘXV3b}9Hz0k=٪R&Rߟ\6Gu7u?lT==K'* ^x@.DyM2Ej]Q^֬w)Tn{ $/όD$yr=yJ݂w|˜F`^2POur< 3a>ffOCĸ"h-YE (rI_UB @x@<+<Ϩ+a FraawrPځǪ:|Z ~E\Օ|_BR. a)$|e"s20!,YyF/H4X61/)J؟ZpcA~:qFwk.1jwp"'0gW{hR11_tc܅AQiH)NLXż6~ -eŻ+r'&W 쇉13>|.,~!΁:8S+dJkjk\Q: ( -8RgA{j}@9n/F0^2c>Y&U muSHu_Ld'gi^ky}!8~x _[_Yɀ?է5"$fH(lğ)lhON2Vyݔ?u!*l=V>7A R3 u*fo?7_wDcturӲqt/&Dgꈞ*F+D &{TѶc=m ӹj2L{O1<*N? AR+VN$񦤍 b;:ayoxᒻ(źLܝDBs\CɃs1ƀ^$(,:&k=-o,'`vr߶ZqM/6ƦX[LJ 8;Vbӏ*ttv[1GQÃs %]ZTG20* k◒8_dx A޽3>BMƎr %[p~H RYWk%Nի.Ņ+:C1/B1S0J4>Jm$*×yIY<~rft~B}%M 0ML0B@[ m 飬szbūJYüq<=ǧ PLJ?9K2?&vBM6\;KSzX wK]0VL+Hqw9mOвiiU׸ 7ER2腅>L%v@Wl^i Jna 0EJvX$Ttdm ל.khSKzNGCJlpdA  ]@7\eptJn+\㆐什D(@k69U[6nU(3.ćb`"1P -#́6~D/`4:/W&xf<-k0!cXTWH`v퍖 1wqOIf?Ep{tAmB<ͯ{f{FQQykjr`]7 x3ys,$e\< rzCܒL?jF3M<;f`|PI#~ކb0M$4]j|[)_~s҈tSu[tZFRJ/"8JrM:y0\@|fҙMy:<:n'ƇWFS ÿHLJl@SSo1[]jΧoQR+THbWv= }$NZt8g⅔s  h"_:eќr&=?#n44"úW]>jC1f[A`n4r-x\s5 r"gne2G8.Έ5%yG/{@f[4S%\1{C ]*6/O]6*`y7SN]?0ab'MDɚ s}2m5W 74aC7)\A-AJJA?o ~'W}= s)*2 v¿wIIiɳVƓ<*xD_eUqqRр)`Hc HO0w6UM`$A7 |RDflR%PP2np acdgSA 5w_RO=M|if?]Ӧ:ߪp7 ӫuoQG+[Vld[Mu^ :yj"S.e?b?Zy8v.\Hn'BTZ͓wc$(<ʊn.i -j4\lfyT _.GaRA"f3ܷX#~-^ۯ0l(5oD/*{n@J}0t<:+ Q,NeUu#.9gU)O)d)V(jگP9ů&%)Btbl/Ӏ!3P%cHFΌ߈P"MDH70VA)R_hO.+THmbdSEv+Ʊ8K+"\D*X{%Vq+bߦڱkl ˟KK8r;ef ժ7CE1PRelҩ }]5])9 : బ%e ;qT:(8 )@-D qhx ]wc*ط0pBe("[qįwCd@dja&-ZyΣV7-CC-MZ#Fn>l8lr~8qYt%Ec :AͤBc@G$yD,2ϒbf~Q#2=@,Fw8\r 7fmĭ}ϛ#{rrm-hKD_&N֨ˮ DU?H`1Qׁ}"[x]W%]e7d04dtwv۩J`;Mu[ڎ&oZu {Lߘ1|e4Q}}%Sk+:%ZÔ齅@=5u1iKPc"㊔ !45|*,v8Iz_mR'i*f6p\U|*eڜC8=l1UDA9Jm#_jbS2jR)5d#/Ƹ\9~,>?at&|y*?V =oc];+׿a/)^ E % JeJ40O m?:]acߡoZ-2wUm0@ >S+)d Z\lz6e~>gg|$?o0z` تZPzΓaD(M]U.ޚإsQD4kLq屭φ%UG5 DkoWf3l,"ӥgA^5BEDv'WnF0T{hv \ZB<3++-קDv~q$wY,Af>?Kx|m =/\ܞlE)etCN;+PᦱdVnskB-lk6o#YeAaz)zf-iX+<%X9QԌw!<2W>)+i]O3p+o$,TZ TOK=]6"ix[îҪN@e^FիMKcf%Ŷ_yPV "Ó$[e1+~(f6`QϨ✀TyOFu!W?>P(V]Ng0`;׃7GGmJLFn2/]aʎ.c|)N'opF)XvXYd/D@{s+zrYZ) 1`{SZgYhˆLfseVm8qЛ4@f#{~Up>A0K .+=´,= +ֽ"uBEĻG4%AK,J|A]kz*tuho0ӆYq5:QJmY^з{y轿aR@5FNf7a &3 w*p.Vlf9E!f)ʹ>!%QCenpS'H7#CȖmPNȨ o]ۋ'!ۯȿ N𸱂WKx(1c "lԔڵ/:sP5j u(ez),b5S8W2&:5)f 9tX؁"+=p$C-ɾM1mգ@ أaWrv4b2[QD+A`eE֒s{~@o uʡ I[]*[3<552{A =>#ΪB ^G [ד52T:D,>t8s k#ބ9ӀgPKH(Y+v5zL67܄ve̥[$nۏ{2OmmuΫ8,OD2/n0zk𤧞̩^&l|h/T~_{ie&j_nza'(xH[En?X'#KdVos\yNַ\1tBhO i}E[0e!U \cyhm9^:DQ>/lqk/ck*$C(|A}٣bjRJ M/L>CiX&X" NNSqZ|S@ حј`$Tj?la|^6XSLcBN+k+PqY,@Er:LfG(H→./tu۫m/#vq>$-ī( F{s1Ql(a|$Ll _ЎEHűQ&R5r!,\ j2 L"q#]‡_Z^m( %aM9ےtɀX_LeQ Fx|3qX+uav36jpZ;-ߎ7&xv.jJز&T$EpwFgN?rDJaAˁ)wB{q}ѩWKA e&[]8I'bOk( =:k A4'*S1 'S+Q^8:Nt+s\i,WBdHpx݂5L :'w%}f.)Z/ǒj^Y:/7J7I7/[?aؾyJfH(}~%v.j-b$&/Ci[|>@}d*x\t$XN'3qEC~'>v6h䆦a^ DR mwkFa_^J.#Jo?B(,CE %͚[[Ǚdɶ?q-zΏ-89}/SηH8TTk eH2U7m%]m+VҧijI#2/ D"ER#1|8*_2@Y\u?&U)y1;1e1&ؗ5 Oc 1:Msy9*pQphEu{H&iIhcEl| uqvaQs]VPLe_NsrѱR]r&©D)\KC*mrT4#ǿ4n@g~=v`Po 'A>ܓusVфf l4ϨFQ3GKd썞u-;ayw5)u\m)^a'X8"߁~F86wbry5 f"5猤 R0{wěȿC{$5/¥!*ezPW{+ʬw:6k4X .U+fNP+{ڼr's|6Aa5C7pQ~Yҳ !:0r+j9CP+~9mʗH,[J?<<2W jJ+զRǔu[TŠjMT H@߶*#ӤcҹZnprbGq3y%3OW?*sam'{b<̴g?!.LͬJb0 0*| y 8R06Ee}W*=7+ m9ǠNHF'8 dz]GvCW{'hWsexp407(zZ&0u 9yrk:"'`BA=/_39 #\qX; eWF#Ob]2a*̻SP[6.C Ȍ΁@̼xrm*?.sdZp+^1ֺsOg%@PR| vty)?U-_Lܙr5dQ '!Q!:޾j\&ҾE-),9z9V|aYdFgacA8(#~Zù.k!y8i׌o=\4ZFz;ՀA "7<ZMEy H@!9Wӳòy$W!oN-QxV+@-,eHxU{N㰫|sZ(-QS1襨1iA c.rպݴoΝtsgWo} 1qM0x+;NXa=ׯOp [/ _~-LjCx=#aīHߝ8rW:3^}WD5Fu\sIMLeubzs+텷NR_FȠ_ f}[Μnӵ1̬< I8-U-%QQ ͧ7E/N,{σ{[i9JU2s6&%wyS-t, 6US hMR0>r^Y LU0ȭVG<[iIc r UX;Z1vBuiEfQy hNFƝ#'*^enS(Hw!cEWĄѻ58xE@on\> wG ]G( E?'ަm,&6,5-=MSz-w%"EkoP:FrXY= 9HkvU(t^)RKd@k̋["wд򋈙 pW+Y,^]px X6bDX|ScOŬƛG2XCDi(dh^yMi 3^;5]P}af GJOor+DLiŚM; 4۾HT(5Xc>8&r-/SEI4rHtq-1mg @c"J tvtVR RYi'+J0҃{3A:+)m %jCL2#:*a>=TKoT3ʥ\dßWgf'$<֞酗^]{CxEguіpчQvjY^zǗBCؼ *^+^P($. j}i \ C Dю|‹WרՅF7R<:R"ϛǠ*ЩcDdr}$H~313J&OWSK%㢬^| IpkV~PdtqA2BAϿeώtϧ@w-5َE`H?Q飃`t*OaOGal۟$6:6Hf(TG_ѷAP+ٛ+}q[4wYDV̢`je ~1 FF< \fAΈ !?Kێn )(t P֔O%S\3 @@k #EBh$*[AK) +C J+u1 =xr,"8>%ȗn](-Dl&!_59)چ51 N:`XSf緞-|{|Y_=%]l3Lב ʁ΍ / pB5Wjq1vt=E(om1gGQEN$WP;\oW)#.~-T%%ՇE"sՒzWz~HJ,O=R#i'ST[_bEK,|eP/j8`RH gp,p1rĠҬR\=)YgI;|S _d4+Ao]cyH/C4P:>ԑw MM1"symu0,=܁uf΢PDŽ2;IDH(K3h]_}5+b l8{DeMJSSW |KIRǜ"vdMz5 NI h+dvq Bxcc7MԜ"P.'zc8T022;zQ~;W8čPm9 D,ړP~}p/""2i(Wbݎ|[o5rs+gHc_w06Ɣk 2;t6Jg¿q&_'(iH^oE+ޕ!b(NoHv*SPJ2mpdKfHh$#B>²&@)Ħ^#+f,iѵ9G#%wZ._qq~<,!= e'z9͛X͖լ?/խ-3tgJJyV{G%{Hrws |uv1~b.rYmߩb't$k1:DK"¶8HCש'FF6 dtKºW>1rX-8$@9o+"6*ԀĞj_fS+J&jON@>c ?QpFl)t:mzU]gVA0,w8Fw{/+e E5z WݵqS"'r3?tGITmg 9#/ٚ_up?* "A=/#vjOכnjSjidv#p2Jm%d0X;@ kbu Sq\҄7Z`ΩJtvAlrǵrEޑɐW0_B)>okEY:56آX[ld7CÑI!i:ڛMfL i'&w|d|OmyzNq]o п+UIpВ0T"`fX@wwaT?#ﰫ⣞WT^Iha8&rfӋ?5맸~o#cwž f 2mnVH OtC(z[w ܓ6*'k. FήjWRJ ] Jl8Nwدww|mݮ>9%!]?'C*Vze?p:|KIx!G{RІ7}?5i8cJ ׀Ϸ #պǐ,t"ͩRKVsOrv:c,l80,O FRDyh $N+!}cXWi!xzhzR~z߰#(H_ |;RbZ, [fari'I|HUyMW<3zayĬnft*AO¸ANT_fă0x$ ,ldv) {1J2`#$&QbV#ȵC{+S5t1uM%xa.:;g>Hд:@Й Ӻg(2 Ͳ 9uOߔ/3amNq>Ȑ |^yF"zug-V{V['8,ơbJؖnB`oHt @(;g-̀Ԍ%|OM\iE$(m> ]!$<{8rB[ Ͼ0Tn0m=Y:'~h pz^s$дE=&rys8#Kb1`铇XXyQpQƹ2!KP6]x]{\TİR=)^@-t|{toO<52@S33͍yRN.w0gv}0&zoqÓQmDrWwLQ{N+.3sCYfMei=yІjsً}z8ljS qU{hfՃ. WdPTZ A[~ g]hk }gg3ԾFT3n/)etsA̝䯾KV 9Q9>sj@eXX-ɘ1|v=Z2UjJgb3+P\ KEvCNbƬogOi`yAQ5&3HD8]pJ2x(PL*-460"N#ғd܍5DW׷AE 8AIG(-:rʛ_4d@ESB]U1-ZЀBS@8AփVKFfHf!+zdӸ Zf*P,=Dlzr (vaŶWe!bࣘp2H9b>.g/-Weⷅv12crJ]i۳Wƌ7Pyrʙؕq>l?*4kpx:)ήoŤ?yOyol I,WRz,[ւq>*8,m[VO!ěOƭ8E}V4t+J&%Lkã`G58СKt5z|Yw$>] K`Da$qz_絽8}N%}1Զm:l2]a`ɔ{׽deM VAY 7,//2C}Vc]5IRˠ?WFs|'Kj 08q7xc-Dt GH!Df`MNeT ĽM5#fi0疗/[01K|9փ !ǣ%n+ꡠnH;uRk{]nZ9.Go2}1EL\ BiXY0e?؏ERb{qϠ8M00JyN:AFpP"(zYE i!Ug+\ 5\vj6_PT`c@dG$%8m8iO27"j(\MQ/*2xZO袟5V\`#d5_kkpz"( r–d{ &YRgc0'cK[,RژEg3 2bs)2@Ҕz' G6\g8v9p}"'$e|hqG"NhP2a#1H* %!Ka3bi(<aVfQg,^8R&Ur4-,u];r9ןjBxmWc >2ҹs' 6PHjZvzyBc*nHC.FߜU> ռL%,ITN8i@5@]i cQm0}X]k(Q_/v!t 2 ፓQ[)1[,U9m|fjD [.hU$C;"}1c@2ӵ؅Ϲ릂[?LgsZ)H3f~#ǭloQ[豗u2/|$n=W@mQ%]mTO5o )l`vMPQIk.a ; 5wU0W 'o9Wge q)eVݝHcV{M(__" ]6n[ 0'$,w5 @_OeHhZŸ})LLxdfՏb񷤝~'|,Բg(u4W5:it-Tp1 xHIu]I>JcՒqɰ.Xq*+[Vᝢ|f9ۀ#+Ycx BT (2 ~ս8f ]jϥkݵ#0JՔ&I '9)uO?E+u!Ln'sRo'|!-RȟrwÄmC.A3Ay@P8S_:uurZ$J&X$n=ꡱxK4TpS-? s5 >w;̪|<9E-IiehI"\0=K+3f4̚N5+Mݤ᱖ZGpel7_O@랉0gcr봁f8'#N̞G3`0xQjmE}Un-~l>qI6T4omw^J { s )03>_ x=ϦʊTGU.= A(CӤ1ѥo!bG?AC,p^m[Ab;bv+?r8LwTRBPIRGe3,$ȥBjјD0C.-ugx5iWL;2=[@׫E\8fċܷ殲]Up1|\au-~{rw9Sz :˒xsSL%s`s_ ״pHM-]Z3P\y-eV.UH+ ڇL8N1=:1XHh{ T~ DJU>>̮NEէ`@mc<,@/m( Ըx<+9xxRnWmÖ^0Lk,?5Kԏa.<E6DcetLyFP+%fi +`#;ݷw$@[׉Ũj soԆYwG4Q*7xAoC<{p7QNSR¦|%Y<סL/ QGw ]Y'cHPF̛ YɌ11Z-*g:q*0WJ/ah^ 2 |]/!nF2p2r!|nO?Lr, 4YP:Sua!7gsCLt8r P9P7%j8bje %qiՍv>PgU?rrh|3H1@lv(&\C@m_;XS60Ļ |L4 ގhG&M2Ybrc5١ a_X DN!V_3^KN)b !U]H1VXN' g% Vˁsw3YuhSN$O#4ʵ3ʟz~-c)M _k OND6@E| 'hFx#@31ْ;B}xo$\F%ݾ">zM%1j9퐧jHun}L6 zykh; ˫J F'%I*_X@eY)sWѨa.'^X !i5O')^q sWD=jwi ~ˢeu 6 "zxQLїFJ0c[1O:*uE0/]ǭ|6&͝: dVoCL>u+gAt%ö/ރRA_ƈWB|eAD,,j,f%*EQ͵]w V)4!_p0,[s#MMK>˻15u.!% Mbp4v/MRR;@gwk%T*P)jP#UiPq?IY9cV?Aq/(׋:t|]iېwҴQ_rӱ`ʹDlbB̊rj}IJh989*nΘ(bS8qD^"((gn >|u~phzIk_@;ν'/ n<"RZAk\Ѭɇt"1H ->Y6u-O0g A(bӔg{wM0fJǹKw}##ftM'/L㏚wZ$FgS49x<_L=fZtnk: YGj`oKBs- hn #5ϑRɗΟ~|#~s$'wi>StcWY5H K!!X$4:4_ 1~0MqN%1Zy:Io,!O7%&!2men $= ^wpKcE1oC1Tر Morg"<{*}t{+魕;mcf3wR'AQLG%DgsQ5y^1W~ ֏6ADuǮsOyJ rkjŠHY!)נfI1)J|:^2,\6L)MY;G 148| 7aWQeR ͱPv)ѵyGV m|t3 6R-;M^Plr̆Р9t ^USSb>PɀqjoXU?Vd^6a=&ZܧAύdNT'C%H%\Auban!x$UN~! x=Kg)ozGp`ˇ13݆ɳ5сm2Gu?w6__zi^H 2ϗ6RsHV>`G, `u V a|i1v! L}Z7ȔVKX$6w]W|^sRϬzZt4a )/F`%/ֺY{#TŮF+Y]{i =K;}kp?s'rxFpD؝A7E_P@(mVLviqF{ha/7hh,ᦦ"o90k5t5ZO$Jux)kf3,]h=3ƬZ {բJo7iMr'EYwNidyY@@C"\ZYtoy,HGBcS!lJOB RzqM S8WY2^rN%ЕRɠbf!q;F9n<%˺.\5J0dSM+9\`ւ/@4gQmtܘa@@r-.^] AEd) >ߓp:ϲpuc󱞬 tbI.BxES"n ,E-ǂ{]C:[+X%~P!B魾͕ʯ卯B5>AMgpó"fԢWo o (l"| 4 d47C5[>l"ZCΏm1۰IOa{F\* F"Dlب{{]0x*w)L(j1SDЎ2j(5xcl L_6W%Ɓ{=Ĝs@laV+-^y'HP=Pӓ+uk@<6.FA!_}9Iy&j8"Z!A#p}b/bJ?;.HcTpľEHHcne#ZcF aX- Pl./F~Ai9씌qNWX󴦲Z?X#>vd`U>R~8㱥y|w)(W-0ʚL&^ςc@Ʊx8q^g 0 Ovh0\( _gUzl&`7WN}{&qR\frh+K7ōZMm`ҮRbYrj>S]-Zܮ~`].4K#8\nb9%8{ROIbt@d.y6+ BӮ&ʏ rܷz>lTACft ֗uneW5_~yנu{>;k&l$.Pxo=Մ!-C55DO<xʎ_WN tCQW ':(I\aCQ|WBo3^\2n4CYFS;o:$j~xSJ}>‡ɅUXa3~.l rCIȒ'N,Ljh1d+W)-/{c+[H X8g ,yQ}],Q@&zζN E iO΁)vI*d l mrW4?4!3 Ȑvo G/W1j BG7^ >'yT4j97^9dIu_Y9բ.s?x?+_5̽ *hWa90|r6sE)?9As} (Nϩȕm,m/z@Hfd#TLu`Iax]JDib]_* (vyaox|AH+RCOUyoI%n_ ![ }r%~ZV>7ep?WT%E5d{4z+S˅(&Rj]U*2 ҏyn+/%ظlе^Ն /e_ͣ<B_dQ?B2ۅhci%%~h[%P<}2ߝL6PXMdT[=l!QO/@\po%bwZ>S9€Vg]XM[*7 Mtl/Xz`]7͈:%?ʻɞҭGp l k'P5C9@8#zB(\ 3ty՜"GU!A+d euE^ʽM\z5B~/)J;*&D%JrxELW2{B(3.B 5a+ Eש87΁psRx b}4is ̨gfHFKfEWj~uG| j\q;t$&_-fX"% Duno"=a$kNMOȼ?-HN˳vؕxӮFiӋ+[C\Bi:`."&ˡ@~! J[X%Ƈ!hM%Xm yC=bUkAYܼhI ,v vYHYb飭,܀'kʯq a=fWۘ*ôNݐk110tNlOTTԡUr1 ʀ`|oFSlM!ۦKjgnĮD-rsmjv:w-"Rw;|.x|ZG؋sS3cd؉HC^\#:?h~Gm׽k>v3Jy_If.NI7,\k;]C^װ«fJ9 7|GE!' q+}b;YߨB DQV3lͺџDP4>z*O!笹ʲ ֎H *#o9Ql<4F3>7R,q^N[jT] ?\--3C]}Wy7x5/dZkvᬇmN`<,{|*m}:6^YNmd$NJx LaQ)}&n_V-3*d;/%d"|"x$y04KơPjEW;8yXE@_4Ki-3VD.$)< %G#d} m$tļr'l;Hhz3i&"f(${WD{Th*=Arנ)7H#h2uYO"i3if\LQ끩<}nEv򿚲}N^iT _RT&:⾶xiXdC([iz{"^0"z\n9˜c9(Eaڀ*?ljM3O@qODH(J"04:lӡ ЃeH✢Lbi65@ef;\v jAN7A7:E̒ O^tMz ӛ.TWm]lh3cS}Vhft GC0+Z~ klMWOR6}&RH+,G2˴m7KJ4h0%BFw3S&>|b#.T` Jɒ2]DJ>6bZ3/'|:4 FٯW^)AԺdYdq6 2(=t4awA5;:Hw'SJ8'gxe`J"rsvuS\evh P~l.˪G.Qɉljfn+x8ꍅj/䉃Qf̧`0v(79Rt42pr @bpښ=TaJe*"@"&R !M9Np>Q2'f.0yz,b!*Dn.'>qI{Z4Hĩഹ=BtHRU.O_qN.Cx 9\ AZ-.0* ^T֝bfB/(R@{}.]Ե6UQYd!T݀xYxkPks -"#"M9jJ'2v/FNk3_W߼,1i2L䇛ǟ67T1N+}Ȓ d/VNHh -i:~!Eeu;"{6y-r'g@S0޾ފZ.aˣA/b0p2]=d5d2dCٵcĭB5Ǎ^4|01Wm)Z fT=1wBٝAdb$*CJ,5RƔ1#\5m9[bsJ>e3rRHejFVkXrYRNAܰ{*v#ZwCʿo1Ji@C/RByfMM_}AcF7b&{6}`ԿNeR˧k0HiwY+ic˜Krɒȣ+T W.~?XcB ̡H7?Wم.8 'XTD# Ot,r|^E\Ρ̘P\ßho|`qN(ISeg*ӨG٬А|>#wHeoXa_#$m]DФn)@r%%c) s:@|&3ǒφ=ȇTzI5C複j,:{reoNR* }E $y{*.0c%þcU("o5mYEŗj y14r<˶ 3܃XQxY?]QXcԀ?[NJ>sF9 Ћ(F>6oM-:(PrR<%YWOM'~sgo{dԜI_XYWHe?\!HI}>l.ꎌN"%/8wSvc AIGB' ~̈́5C71X| %~mu *,9,ELy~l^f@P͸j̗$t\OީS׶LH[-gU>xLÀ%)?ŗ8yi<.dEwu9v&6~3`26kl>0=с,#lsQT( %xkDR/iU5^Bw^C⒤8A"뒍P}>BYPݨQ*!ֽ@!+`#1`RHؑMj N`;\}xOgS!LժpNl,@.T7<܂f7")(Bގ$sX,"Uf23(JI=+k[ \y>~ o󠄐:PV*/ÿ+J]qjxgoqn6>¦[ DI@\肤2miRn(k 1oY9e9DpM)r+gԒz:%+m0/.KKn)ǚ k:ltHJT6U~$c "Q@@DƸUcb8v|=4JzɃiJFeIT\/.z{'iY|WQ!H)烴FۊE z= ؖR"~lFrU2{WH+T8ٳ[>q'C2W{PCP:1ƍ|w+;u`RL;U@ ]ۣI,|ܪ5,GNM1 d]]\L,@8:&g0w]ER!ۚJH JO&jv LKMSsYm@RG obdu0ב khT0j}2dǪSE҆3#P3 EQɲx(h Ow`YW;`2ubI+da-T[6ºo%]+a)|T7O57 :;"<oޘ:TG)!C_H> $׊y^&> 13[9J9BNvi]IfJR/5S+SS',S/mO؁=w39w;bi \il*y^2⌖=W( ]unDgi;,RX̖B Oeǂ[?RToxȶI\)9dۻUX*%o6 ^̘4n2&M)x99XwB2pC;jFHLNhpP$ff?&!Zt:6gҠ9#Q'e#5q~Wg=v`zn82FDVqJ,0RP~З'r̓I]5׋԰<#r2u2BQfP7.џҮ͵o' VEC  w'|]k̺+(+o-Em 0ROmwLHkH{?_`8w]ʙpʳ7,/ŖӺͶx*ޠ#T5}qrd!y4Z1Bǖ]nLZLԺd)Ě~@."E:pH+E5Yhtǔd5wyR{O;@rAKy@ye҄^0 003 y^@<)ng/ ̓{{XHC3f؞u`$4QTKĔ0 ^N/$׉\R?iuh.hJƩ*FT$m6ޞ(!ɗU -LfX9'шtq"9=}Zu-s eFb^#0|<G?:=}7ޱjgV3ڃ86 oϡ"(Ħt{:ϬpQi#}5>Agj260+`NDŮ؈VMg@d4V[oLB=OZj Qsxn0ɯSE#6i#LS̄(ny;'2+6_J9$ Y٠9B 0Jlo(iblTTKrybif*Pqu!:r}KN/~E{gZy |1W]IrwU\a>VW+Ty{+%7{݌s|=h~ RRQDN/I;5 ^ p4 CΓd"ɰyfP(G[rOr˕GU͓_?8Kɘ~hc̝Qab``VE׫Wn4 ,H74G4u'}a颲~@׼xh.$Dנo=D;{Cux^u-} 0q{Wʏ.U5p</%kE\j% X=hʴlK-B8u:ƛZ/ڴa,-f[j¬YP݊M]lsq  (fQd&1v{x .aUC-9,vg %G 56#@s:0mSolem, ԏ oc 7&>͸'lgbJw4%JOҹtUʽ~]< ~8 t9 B_:I:y7%Mu|慯KР D3GLZ#VK:.*]އF-N$ 1os 8e^ZRt9&*Wiic G8NsOt霸31VǫΓ v@5RI?a TҋStbMeNl,Y +nv@a[HUak3~]S( &YJUj^Y|y`hUv* rOKzn5OzW(\`)yg'FxaץHj|JDNMQȈ\םvEZpLatA8RewŜIn8;5vYDp:7ɇ`Fi3l&L+! $R -4>iw)3|yJJND(;W;ܬ 1 (xCn%֐i';*ϴecHՕ#/A4_XuHEꃛm,AݾFs-*n` G!]<@(F1G|H , rQgL}~Gz(p3d'%=kTx.x^L}`q$3@rH5zE^墿i{Ӓ5@ikX&@ ك\ Z:8޹ xft4ɬRI_s{R270ӇO=ۋ׽ Iẓ$5|g/]4pרp8TOmJKZ퍢7cy\k g4bЃ0? ^0邙J9*\iG;ʛT#(6UdsaKqȡpsEú@9tt wnkWSm\e|Wr'w9A ƆfOBQ vRhr҈5b;!3D48B|.ǘ|j롋" ֆoуhEJpc{6aE{,gϙN-蔵3eo|C-G4jq&6fx,y:77r6VK{S\Tpo6P):;@Nr^sZ_!lMl501u{KvHņyzz⁍[!j@XY@Θ<6Ckρ,BX =[v bɴL" Fܵa.OgwZڑ`'W5r4 ;8&2X&  q8kYMl_3v$Ouŧoeɫr00 za) n1 jV ƙz@;<0OkT+aw)^NNm$mIՁtK ]݃i\xL6!Ljloi,Qz]CRttYŷ53RQ/(: yDǫy*ƟCϕZRD sDMciT]4&{)&xw*YX|3|gL? w٠PhT+NW\\eWtri7$FL|{;U-:zQʥl/sR9`E@X1Rfzj봘cx Z_'&o#P33}ZYp CZSvJ^ φTbwGtV+"+KWT hIom%ՋC_rUbKϲ9hz[<]K_L0C1ūLu3!{E^42}jxgeeV;;B7  ٗqJ`lt'CT+( `vǹo5?~F?׏lùFu|-1ס1 Q8Tb _gy4̊&*eDC5.hO9˨7qsϦZ/d|:E^إ x{-Ra2 Nړ{[ɠj '0O몲8ufBV7g9]\J -.?e@1/-*o fVBk2(XI:$S U%X:GfyDN=Ӧq7rR+ݨXO^8mhiPlп5g֙{ϝֻj*2|uƂJ ·l(P v n1[Dyq́ 4lߦ""5ճf-ծ&VEXH6'?kADV YMHcB20v @*$⾜RKhP-%7Uw{{xūCn &v2Qu&yw@뾫~ZHBKSƪ{O̦x@Dw2Hئ0HyI(|H TR1^hČFaKUG.vyreH)ƚo(9D%&(B5#;2#/vkEFJ; 'Uہ#[DP( ƛ2wN@9σ$JC+AQ'|_Bu4 1ѥ58MϓOcA"}*#z&q! 92]溳u;h=C_V4mŘN ɶ:~*djKU4h{Bȃ#B.=;Q䰌nȝVU}i# UJ*I1=CB8::R Z_pxnoljU75N[| TN"ڬt tS{Ĉ7'7VYCL{ӦL-aI士Dn#/Ed WU{hMiR5ݰU|4Q:qRPP%"xf%Z*$qwЉ O?5+HC}@ꄝ部ިjGK6kVSb؃ąs5FC?_s<qT[ӐlˤhM o`@c|#)<lO0eVp*q2fƂ&E:Zq@XqZ;&Nlخ_4ʔZbf2.Rx}AUT ɫTlP. 3(W3dZ=f7ennC*0^hƠC2Ngrr^`e~*37.55 )q_vf_{A[T5*].t3j|nh'dHe!oQQj&6 O=#ͷB3 "dY`(.G N^˾L- ޼ϊQOY﮲)u_6ۡ¡P PiEvi?I nWT\)h$:'VмW˹pvƝe-0C[D5q g1"n Op 59Z~:AJ!Q 4icٔc\4׍~P|ER}"1-cnWm6Xa'Ez's1=+tqG'pйp i(`7:-7ReD|XFqRlo"r&w7מk8g¶E`$D 4LwҫZ=keJOx;I<("l25Rz20]j> fS=jÅ%ClEFluy[,0ʀ g-cFuc_OD53Vڥ_coE!d}P58g>@(qJUV8-ʚYG S}賔.lq3@4P7uhp' !aù"fIkWssy 磦XFIVT_v4vdxRjaz2r //06W6]!H#T)O>zeJ| JfJ4>v;U=%ʸ Ȳ"faxƧ/+;Âk{K'_U{ńƭt1d;x[$o;%޾Lcݛ6].JfU)F49HJp6PěLT{| 6C&:OzU!,5,g3`¢lmzMF?в7`L%%^q.(h&,-wP{ c "[SrղfLܜwOl/5 U{Ta!wqvw㾌 R'̺Uy=M&L647,$N2ag?z #hN 9Gj ZJONP/6 d (z^{! WD۩ tp<hizsy?3n>3XpkxMxCf |R^%#=J \t{i)%Zh&PV[2fYSvP=z6qNfhE)k mӑW{</$F(OF;s~77r0.*e"m<%:')-~~eED]əƫz2snUcl, 5o~ 8@ 'د>ZK u1Gn*qZ#O@(P[0'.e@Ѝ[H0Z] MilSYNek&3kn3t`ã\iŻ G@0s:vy̹A,)}Z5롗@?&d{Jф+\'@E h9٥m2E|}/抣}I%IGU2[ƾ-Aۣ!c(< `;x}w寀 V0,u"EnG,Nz1X=pk.dc`WTlydĞ+zj bȼrlkx-c_n*?Qc6IJ}8՚b3Dt4qpa}YtPATٳ.ioIn-|JSlc%zu@:h!tj(V ȕz+Ɍɸa?]g98p0ypܡ 9Z=O"BAHtj+{>4"hԫ ^\Y9.ӤVT20K֕3(m &{Jb)ds:AK-jH+9G4 i@Y@&P{`h<3n \ 5:' ޱ:-ṟ劯r 7%V`+4?C<U( hy$D #)l 1cf唖΂sTļτr"QQزPmn}T& a>3jqx e' +܅L:,F99Qi3WͬӋ ?RMʋ \-@%Uo:r C_*!A5&*io.EV‚Мj2`2r Elས1ݬ Rs}"`X iA$4Nut億N 2)2"KnW?(+ v/H42LHpVL eS+dX' M~ u6{H Ynrs[GSNI.mi }=Qڂl˺_SC66K_)1["o(zN%y<4?Ok̺nwmd}л:XN'w}0f^õuCj=& Kfdr8T ޵szRɑ}IḀ*yH?]9/{-ýQ"T 7##2]<,̐ "N7ʳ{V* t핹Qp#%_,VR%@8%r3Jy&kYo=Xfvl@m=H(QqEQ:`8{V(B}7Ƞ50kUo _kn4C1r`~W)1%/q5y9Q05ʛHi*V$D$Us86uLXj/}q(m%BN9sͩ 0YcJv_֥ȦOgiGL@F9zt27TzpFF~$/'1dy# 3Z"eKKeJSBI"'zAXw*X4S05dwڥ1[#g'<l93P>.g>]r^%FO!a4ba'n"⼥5ͧD`\O :,~ƉhwCS #_?j\SGm,k7e׼qE MknPUGҗGeS[/k~s/V@,)lY!pȉ[l>nƌ桅kAG5O^[7\)~|^FteV2*m$9ʕB>2#F88^o:MO1M+u(%2Ag-Z|AP<ۼa6&ߧ㿾1pMYLH}L*}bȟi*.r8_@jƈv }X4!z.Bj,UL,%+7td.(dX#{<:jusqSPAuaV-uMRw &?•`1zzĀ]U>f!b!|ra ,do Ns"ٚC ZXz;)OgMof 5 y$|WDbzq*LrwNUlKfkJE. brfЮ*u}%@lGFH )5g*5=<^A#r?\ 2tV^ô +Mω9@o pMF$67ٳ9$qЇb)> lUBfgtmO1oXr)[XCAN/鷺M]g,@hPدSi>ƕ>(0G87=P4ˎρˆ6f; ̰qdR:ZREox`LTϸ0\ H,t<R_Bm@Wn:x xxp_㤆 Ʉ/#z%SyҴqv:@L-S}zp"?j>"dkdt-KM$r$PZ~29g-S*^fպ#{t `z#7/qy˲V{{s1Tid b9G8 +Ae8^X6nO-c *j{ :Оl(uHT~aLdd2"gj* ^TF*ZuHOGstp k崁Rxi%=MV+4/ WmOCV5? ,MZi)6틧o~hI+W&\<4& rkE]λ*Ew_1jl1o{܃7񵧞EƋӻ vzXH/湑*L+Y'˷iuyn@7s% ?/zIo;M՜}l~rshHX}yW8Mvtx-b16O,Dϓ. Xa qMi'xn$ޓ ]8 W>ڻ R32/f(Y닌\‚7ՋlX~3 Wl6+TA컥kT2VkG {+ Lv/94Vnz ٽI^v";\E+*_Ojq!;=ҙݍ|u\$ڗǖM6@`䀎`oaV0 Mty֟Ϲ߿8\ϤJ+ɓ! +ފ4R5/m R<b_Oy{FUů%"XϹG?:yW{8CVblkjE|X+ 8Mļ^d6[DqF[ٕ_,qBףAbff຦`7R(~G4rsU-[=5mKmg?B͂X)Zzp͜t;D$01xTsΊjeO+.ƾ]tXxl*>ؤBW[!i\i;xc;,ݡH7c 4-5KQ#yf09\0Dڕrݱ`r?#In,NdD!ʹT xcxZV:ݾeCq43CV7NڥsE&=4i ] | d<`ZQ]n2_O\ NrE9'6AR/{"ʃ|Ԟ ^' q) r~ry"u/obWkx*k!4lB=##v"JRk>@᩷65c}v0yQMCXu;+Lp: Tł=7t>Ίo*T]A>MPPQO=2%|j` C# 02Jdᅜ z| zTb V>|*<NI>3x!9 oE0յ[ T%+V.d8q<r-ۙ3 z8Ct}Ǥ^2SdWy}p}{%h WjhNyTÄ6BJ϶K,8ڱY = ֌VFhҦKPQ| +? 7$.5WJt<&3@ im6+pS&#ʠX \!us 8gۆ651_V7r+3 ШK? 6эb6YOq/8\K( dSwmPΘCŐLJl%|Np {!B-Ff2㊶b~?'@$.&++5ƌaj?$D2Nݍk^oq^Iz?JJ5sYDC<\Df#J1曝Z>'k8{L {!7!ES}vE;_iE9\S^e`ӒHe˓ WX[D ,޿ڤI]Tܶ=ɏz? jv"m > L('Q{rc^vluQ}VT]/+.{{1^k5s]DgrY"TЁ-$.E')_T eA_t~'sbY?8H IN} pe W)2[JV%2`FCiIE c@߬qe4gU i`%[LNɣ%'B-XNmV;<1 g 0[y :On cZ?E\v˨5iy뇀a" ?F唩+MֵG/LP)qے[eBec+eo/慩Zo ?Zl#JR+݁LCH;P䲜CҨٖ@ ~:lh2g(;†|{=c'Xe!!D2/`{ Z& 1RV5Pj-6'+bԪ CP~~jg%9t9q!GuXyH~?sg[G*EY?ըT9WsG :OXrH}0A3] t~4Qgl*|1<} |4ne*ut"c' 4J /$6cV;xP?tđK Pd'> ^9EזʟhY A)aĺ] DTKຶ+p؉EBKsu WՂ.3ٵU̞i?_'p QESJS{^rVXb|뷲iӈA"ɛkEGQ$:/xՁ4="}exXxk2,# {UCҿabp#- > NleZc!T!!h%DX'q:] 2Rk#^ G&#cvV(/-PX<0yjs@ R5EF;=%{-tP~^?B-ca0Kҳ szL Wn#9k׻g٦\PaD_g'&w]{U߫^uJ~U^Xޤ}n+CUNeGW4hU2]a&c1eZrvۣcڸч1no JI|'"DuѨJ)/PVfطB8q5k헐XKە+ wKwR ˶nϬ9,Sڈ%gS &F*iIÝWn 0>sJ^R;NJT U-B8]qn)7эp\d [ |ʿɢWF2f"D_5/"iJ*N@t8_8МL{-#p粰YI+~xYȗlz)٦?sT0Q.BZ*RDžUzxkx%Yv`.%+38D) 0:xo$ߦM:Hav`_y@?1]K6ۥ@'=jmwŘVV6GV(T|IunW-13Qpʼnx8C=j>~x[nA錬; ֘wvy¶o1  9?iб@ >Ue ]rc!oQQaZFw֌l㜤WA-fm}s>]<8hΩ2'[[ }V|/RG!ffFY6{b<\Q6Hl{(Ezx. 3lZcy#:WsD( ._@6x|Be4Km~uCyӼȅ]0Um_nf m8u?8Ԯ^74t]O{&@OOmԞwݹ?OᤋvO?81WW\Y.ras Szgh*[;(UsfrX瘘O xECt |}e$'IO試>*8 4UW K;9={ܒ#  >_ʎv<s:C~ͫ!w RC}#PX"l ,Ӵyxwkk=@[ETd66sUiB;C&PBr`k'@DƖv>[g"]@~PCPqKSҦHx@7[Ju?]s+"b?`̵vZ/`l\,R?a54G\k'Kv{bb @1KvvO2[>*,IGgurМH028ޯyyuܘjA@g+Oésڳ -ظH\t!Ś eUr.ƪN^fO "#؍Nf.SeG/}Eo<4*A0O+ӃrDj#7Z}zx͍EX]!*UJFoZ.4+S)71{sݡQw|'YQ;< #c0}1: ~ᓋȻ4bV&`Iu7ܩzzGuHph0 h@=Srݹ:LlHK׺`t|yɸN x_-Grq0HKy$k/ǾgEWCad£b3pUBF[}r CYU`m]"HkMհTOʛR(;Y3z i6o?@;Vr{iQ;4BC雀`B)w`{bscQ yr(ܢH"*&`wҙOۥZE-^em?2yL +} Q;$' ]jިo(̓aLģUfGUC"a p4.Sxem9 [; /$FD60sU:E v@|_Ol"_H‹/(,Ûʢ 5UW u"-.!v΃ 3oxi}M]Ӄ:%6q4~D1[[')0cci𻝧JEsã|$VLCҰ$O @(T(T ! `gBfO6%ye&07M%S?<#\* H~UV3*!SGx)g~X>XI]εox$. S9dJA;FJb;;wiʳc}dp#U0Zz=[tq w*Sv}+'䧖8Q1{R2wBW(2 brBeBudIio0nTU?{%RW@f7 .$@ RRKP}kuDXR.ω/£6`zlMjd;1&LE MsEwcite!QQ|E=mF5=]e5c9ipb'n\ kn&$FDЯEΐ&?i%K/ Ԕʿ:<,m~҇_nlf1ùIrtDDCq[C5>ĸa@n+TҬY7"BٳYip$q:GZnM[2*0SBAtu2 SJX$;: AoDEg*(=Yd8{L bI=oAhu'6$S[k-6`Ow`Z͟/H PryF q6 0 yg4d,\Kn'D{c>M~D"Kw WGRDN;MfwY-Of'RV+V9#Z7cmqOJ<# ݑ5RM_2uG?`j!|I#: V֛d,}8Af>o')k< Z~33Gx~f勭~0yi´MM\ DX Sa"R\l?ǸVlsY-]591FaۄuZ\3= gs =V}c/ݧm?=0| `yuu(w*`<ȾA'ڞ҈?1f+ Lc41TY@a^=?j<XI;l91 Ks8MުI"uیVD }^-4!ͧc[l@nK֦uL~hRhcd4"8/ w!qq`Aº^O]QvU(DαR%s^n߀)Q_eղ,¸׻M% [)*==ڏ2\ٟ˛a4gj7uK?JrhSQذp J>qyn}9Б֞c0%=-_}5m!ƿ7XljT7/>C(Y*uzzb*6D!&TpS\TN#PBM+z:3KNրh2, 7PkIi=&i)Bf~?N nK S{.!^E)eE=E37ͳQgl'~)y/pO7R0֖ &{J)soVΩ ˨KY^^.5W8Nvjt`̴4B|to]ݰq \="5N=x.k /@oyZrƛգ+&P47nRrEأ|՞~issХHLސK#;,6EQp\+_aQW w5$  Zȼɞ?6HlLlt% @w8dl KoQ9ٳ{rrOw?t\*"qh=b)E \u-û jyl{xVrYjTlt RafomR_uÙZ!=o? N茍D;&\A~[߇ֳrg#QysB.y?uĒ5(jr&Bt>5-|ģ~.0KrDYKfҎ(|F_grYlr*$vcqA((#wچ_F!\%6^{]|.>w]+m[7N]بr@%ǁ?=bl?+=OnyImΛӄ$ڻRB$kL?8_ ~«%0\o&B?f TNl'\L0Tol9!" e[`х3͕ {cW Ƈ]M}e\<1,Wm3;}JS9!`F 3IP \椗$pow\[ީlCrՄNGW^O8\|gXp,M ؃7ZND~ ?rZq^ˏL&e혬"h*IY x8[.'v onĵE(LzexpP noӁxĤNuڙk 3@j}RXDgjݻy.vI{KSh(c7Ӣ4/->=iIJ뷮f@ZE\q&f>yw^\sa.'hѿ唝 uh9TQw{1e3J4@,rKۜژiÅ̫8V JI nDB0޽7BìtN vqFF1=[NiD ⦙YpGc55hGM|tyb쉐1\ \C",guah_շQ-+3S eXҷs^.r1 gA|-L[~Y0 7C+w՝+%lw?1]6>B|+Vhdnl{h&oŊЧ$&?:GV (ZIOS[M~ Qv6bLvl_A,װUgYa1OؠVLt#|= aeJdqM̰Gg7諺&GZxdKguatIbxYOKJP8aU{.w)'twL+ /&EjZ6+HҘ߁.f׃6hHĢog`)iRemn[<g_P^3wEA(C^j0e>{KK7kZ:Z@"{1?`Fvd{T3?;|c[^. *ãDwVvI1 LWe:јÍtف@A?̟ќzYfDRf 3%ph 1UVOEՋ 09^ObrP>3$xD.HJ۾=:c̨m +Au%ʬՒLLS%pPVS>9ܤ}7rLWM)@aj+VFZ(n異Tcˋמ6.ta8w̮/5$m>ę7kCNp@iSd ?=:OVA3њgblf2O??^w'nT[XLA[lx4U,j!+`[{Yj!7=2%t%c> |mOR() Co4=G0z~ھvGK\ oEt^dRxPsx0 ,7wmx!)'i9 =6(t^Ql*Եir\ZI di*ƒ*i#F|H&BBіu~E>%jU\"cVNqP+^?SF#wG N!w='-yJ |@xS `+\ĵL0']iy9ZǀTţ(y A;f88z P(%5"׊y ^¼ /nDt#ؤl-1.ҙv5^HzP3ܭs[ޏi9bcaSSw4To&iV7Q5LJÎptudmx}+躤T͒2ZѫrP f?efǟ;5299*[6܌]]bZJ˯DlC@|A$]*_Iרl/A4ضPۓHb^[e2`oyEi>qpW<os7 Y W䔂{j LMn/ 9[x#If?J!Qm~^C`DRjJD_fQyQL`w݇&j'箔s`:?kt.< 4`R|xpX؍ -MD.쫤gd|X?eE!1))b"y8odmy%-!ȬѿXCeq/xP.{:P,R53q+[8w_7RmPkH`nqi ɚ. C@Jp T Ǭ.GiNؚCwE(QLIڞV$ԗyJC4Bْ)B B"G#3>1}L43A]ߜf+wX$7,cH0$M1X>fScHs UQ&Ѐ<2Wޟ DFHGy(n5[йZoaMr3IgHC4Ml'\C(L0ۏ+ I+Z1Eɝx[ HN:_u;ۑWԡOoK#n.̤שa+2d(OCy2+j4$Wz~RbRH?dhFO2V iׅw)".Qt,?"yw?䡵)JO-w}("tOaE'hd[IPiҖt9u޻?I$bYILK !b_@,ڽu  U_{@ȐGf`I( P;szՒg!JWCֆR)I)PLNe,!: [͵(@xP89.?o+"n $D(kMdw^h'P0A>t_X*X>5n,K N"m h/[HaB8Y;XvZ4ݙ#E Qb>2%u͆ڱ~FF"f pySBqa|fPֱ#g2!c7 c*1+KvDֱ'!X7ԝ9rlLX*N/ ŮKb3 3}!z&]1P*;Y"םk1aKf Do Av<@9:԰Q^vhRbjq{+H\:"N[QiH^]9Y1NA圚C_Y,K;n;͢FV1ȆY%WlGֺ%[Y;@6Q{3 rǪ;@yjWBW?H+9nO94b>*~~PM:'ʆHCxh멛M9+Uya=9، 0(f![r 7djU]U ]@Ri.Qϡ -*}!z)Wjހ m„2yg$%,>[QG}Kx u!VN}OhJ87 倜7S?OQͨ U,MVY,-kn`kv\ҁB)~HÀ4s98QmsE}`21uU@5F0M[5J"ڶ U4ֈCͶo@ԯwy14rba/&ڰ촜O+SݰIĝU4BLvb\%(e=Klj# ]b(A-YZ ݫľpG0H &hhvz>0gAtLê6GTamۄ$C0g)Q<:mξf hOnb((XF]q2"gW+0٬N-?SՕGZcih0j";TmNRd6Z7~+Vgh} p9b5|S27R]S*gĿJolQooc? b1e.~=Y˂Vh&a!q Bm1SK@f',vi幀}7" ]\M rȯ4*=R,kb J(k.K#zTY4Q yk/*zs?w僨x5i;L=D AltVAZecUjVp3 qo:W,l%𡄐fM'HuLel&Wv;oIttW|4y;PmAV9o8A^u,m E1% !&Cqrm}as[sz]IsYCLp`p X|m2:4h]r/r^ g MOfW ΐGNz~|oVZEWR34nˠ8纒ʷ'䑚?K V% 3G)wГ5+$u1=vYl jTai !\vu@G"ͺW@jQŬ5 Ztоt3מ\nd 8VĹia񃽞rOizU7zsU-9}(HpwD۷3<@h>׸M`^.knn3_&׆5܍*D7r@u &ȞIyʱ 6甅0E%.rhNIgCLv%Z|Bd]!y^GN_fYB7?GWn_tXߔ?RjWImaBv4;g555*CCdT0Y4`E.`N^U ŷHX\#3In"Xa}za{XDTTd? *BXIO* )l rb/+ލx5/x?Ѥڹ~#XԎGo <o`+0A׺,͏FX~m^[.$HbAFveYLٶuf^k6 C]F|7ܳ6v*"vRsҙ :\>yj+iߑDܪx޷(᭕?AkMmH(D,tf|X.Cѝv*mֆ'޴CL \iMP+`,EZmBy!THi!V^PMW6G ZU] U; DU 5&PyoEX!ÁΘPU e@&FӤ>ލfxWCp1KV e,VP YB?p¨Rn^pF6]Ur5&ў0W܉ 0^?ZA'ķCw  :i%H5l0 R7SGD 'ZyfoBl5h }$0)/Y&-0+/eG"IoIŬM9דoowfbtXO~f>*$b#1܇N$cH Z6'w?-4owDKs2SoNSV*$xÃK`RsSR*TM9%ۋHeLfSKfn0l]sO's" ET́ #gO>l_`9"c<)9"0kyMn:Ό8g)ZsNjj.jG.˗y yXHpY{#Ϊȝ-BAW )}Pvit+taWb*yia v~kfNOdi| wHw1A_g%eM2:py]VoFbc5m$lY&/g$_v2req7њ5YԤF[ѳ+>E@vx3}yAs0 ټZV)tp]qib.tuHN *0;7PX\ĿP ɨ_h+қ+i ڶ(1=^6+6>L =xv| /CX ow6'H76#K/)3:tG҈-n1,,[K9O(P*x n nz ԃS-| KJ9$r$Z,LH"st.)7!Nkhx*/o%o&3ڄ!0ȃ{&KD`vฤgz̆)zV9JHî.X@ܬ#S!rvb LnBX;Nr(qj_ƞq"R՟8Sψo3Ga +z'2qե#Ndx`wjHQu `R;qL|SKk5 W}/E Eu%OPe뽈[\ @Y%{␳17px+{ULV,g6rz;gȓilM|BdS>)FgD͕=g+lGHt#~7; Pcʐ٘'(t|%Lh6rl cz~wuj" K c8&ݫO+rRAL;.T4`[1V0!!"*,*-Ӵ4A嬒g#m=LO^AKи!!p>AM&w3*u-bYlx٦e'-[4]PG6Drnpzg0r ZlF9a@̜! B6n8qb%}rl= }h 57ڟ`Qd@ G4e$phH>O%]"0,UwK3V4B$Ok* UHOʩѡ.Kրvo)Z"M%/HQWkQ/c|5ZZ.^*8[; )"sJ N1u|tTT2OR_bq  #\|!ր/ԞyVBtMT`@їӸx MR9^gpq3j<Fb&V=Zt,ϗwOkGpmKzSFR~fLTPn%(@VOLPe3 y"IU%AM pMѨ\[\wƇ77|{dPܠ&١d9I&5c?z-Ee#͔PV妛/kvѠz :J,06L|4*z9 h25$V$}$ 7T o|XV'$ݤ,PAQ&u͗ >÷m@ Z@|]eIsAs);򾆂g /tVXw7,.jwwfnT ʤ*d’weͬ'fcP'aɚ p5!R-u\`T-jd7Cf Mx, UWnuCE%ڏVB:0>pB+CLoPi SpI8c6D/7느84GfAlWO=g1NNMhWd{)JNE yt;ķd,u1pX$ ^ۺpM㢅[p׸sS- ]E:(UŧY-ei mSHD,t:"]Р1*2,p`רώ^1cD %F04'|lI -KnYHJݞ' 6RXi0n5k~Rvde/cg's-8BITk2 #GXǹ@6xV*(4hQh7Fn؅ !U(RUxsLOZܶ;ARNl>L v7ʹhYyҍc=)]u(/SSG@׫ Xuʥ:ܛ&KXᄳn-\٥.SDZ!I|Ӝ{`J;W%b:;7'}qu]wDj8sFp_ ub7Rh ̱8\v8At}vڤiG͜}F4('2d~ 8 Ƒd ldͪ@Zo~o鉈 :]RhST=O4~@kiC  5L1ї_v{D-8iBkA0?E-j2+ H_l,UIZp :`=iBy3*ʱ?9J…1V1I\|9!yF;TFC>$ hARu=I4n$SOl6L)H>.T@ۺ'r]H" ,nǼQ0--H,/HJӛݎ"C\WlN2Ua ddם4_Mה0gsv**)f;p7:&Ri!p}e?Q Уdm܅ij{3I-sX)8wZpl q'?HG5 oAx 9"@#vo'd.ɗ!VCl ,߮"ܬmR03Jq}+8[jjZ▬q.+*.j)$Fi fQ[M}#Q4C"6zDjQU%?F$_^qAgG;u1هo {}*!Ҏ 2Щ9e)L vwreS@!em"kMQ@Vݸy`$h7ӨP,Fhwڄ3q Kܑ /ܣU9`PrT'~QtAf'oPЎ# ?mU]*s{T.Jgg"s1kZyb#4v3xiIFx~xMB/8D\Z2þu} Hƕ^ <c7呈Z]t,4I_ͦ@28H * O_/> D[:XOWOhsg: ST$y_.]. 5ЇɆ)Vͬx0D"O8F4)t8ɷc?vlLn Q1.3tONGnv?>iYX렻{"ұ!pɰ%ELeFT$NJġb \a@ynY`ytҔ$4;Dyu 8`ހ+ty)6P=C`+u[nZo$NɅuOvj5}+P"MX=-E'PR:fU\1VZ4 əV$69 ]{s VTa^"8N(ת-` rC~jTNGș 4OS:Y]KBKe{/IJ(`}lGf/`b,džk0#`f6JabtGLDίNPe)I5>c-U/&^ 0HOmfK^Q5j-J( 0<#;W0Mo1?RCA/#1f5QQ,3vz&Na!k+x7@4۷3 +&C(iR=ۖ5g(qLQDʜr*v{fȔM_׉i ۷N6t#-lW e:XTS<| Ţ9*Q\җ*Ҵ*VzFJ*zb/A9}כ9%El>6*6ѶڽJ y `x=46CVoǻlYyY I@vZ9UR2'up:n)b7{i& `_dP`M n//wq; ߴE\Bp%_[c"W{*\!XD O+:g 3D B+ӁFU7t$[Wg0p{gdj)UAԟ,=Z?h}zP2O!^"_#Bv= K 1W:J_s9ep!OJNK ${Ft62unl14:dβ!f. ˒-m=?E*oNiztifc^'5JqTx׻K=tR@:zOs]J;Hp;2 nJٝx,4dt-IkPdaz|Lg!7u*fN;\ p7S=(8{9䎏Xآ)9ɢ}꨸z_Ǻ k.)h0iB9S3(r&-Mf~KOJ2"uZL %/]H"j%К`}dkn`ALX#u)U,㪸@ߏ'ѥrMGdd0}"4攕;Cܟkn·^{6J1u\q5T8g 9<'ٝs;Vi~h(D[wβu`;6tF[ˑP.;L .αL9hӝ]@GP&i+>vA,(uvf>T{׾IZsTim`8kKy0ݱY磌W-;TP5GNz }DLρ#8z#(afӍ+s֐}>BϱU|E%`?[[_&.DR)|2)~5›FеLQ6O>PnvDJ"f>k=YOX׈66Aad ]ۦHq( |£tگ`Zu8Y-Wm":78;^ijVv4\KG3"ti\tV^lD+4T=[H)BA&YV>D1. ܒ+^R]'P,XQAX9 JMvsu \[Djk)o,q{?0H3r >ڊ"d8ݲ܍̟WH9v8-*߱ݷC8ȉ S.ڨ胰9핅c8 QH :؎NTL'!=D,{f3j:(0?oeqJs[1W2-S"2SǛO&iMKܫN'lfOr,~"#<NK|}9ka^˥:+u+ *Ҡ"^)xmwP;=;m4q`Kmli$գ7 dd}\li0VD:=\c^>Lڰy!>J-)^C2.wN{Θ`c@@?HhiN3XBK ʪ&SCWDEs2 a3Οe@68tV~EtE ٩:b+3QJGB[CEy&,(뮫qanӽjRmJ^|992(5 @AHr I{TN1'sC|գLr^ ܤABr[]m8>aW nPI/k~l}YB4Na!$xXN15 \T2V57ЫC@ԞY FPK='toP-Q`fr65ցmYL-33[v 'rQa*az_7'kLIlbRjl*l.Op[%Ou]hVy,24ֶ`[)H}QD=ΉgF 8pIcX(S֗xg)dI :w_N'J#G,s%! 6>4J>Z]iW![BPG @~tz9~k--d[F>eg1u^UN4fy H~޺/ϻuJe@Iz{6`fIrp\JgFc`F\s蟖a=Dp78֧1g;dlxD:9S1qWvE37Sx'(ZBߞiCo'Em \b_4DI" A8?1HO7xqx\Tٌrm@oy3 Jwӽ7ٵt%[c(HV)^h* $SW 6,PUV=*>l||o?0B_ЩTSzJ@jfXc0̮J4H,(踸QG05KgRr2vҡW.!-Rmo/E}gXE ,'&@m a،,AJ5/^}w=ׂZۙZg޼3LO ]ޡKmG]&q'}jz p[̂/'^<wR$$to˻SYlZHqb=_|:&ICUj0nwERfG^LDy坞cEVzR[Oo5K09zsثTGzMYkQF>4@2*%a p"`$EHɀƚ@䇎Hk xm‹-t0b5䓥 iOr9ִCՃrͱ[/dAާGKQEtrZJɣySIB, ޲ jq xjvnJk'¼+ہJtO4({84f)| /;fЀe<@$Qf5rC l2OKattx^4|߫`S\&ٕh䞆|EwީL^Bw4qt6KA5TCҶ+/$Y'1M[tj7N! Qh3EsTWhPtp(\{nH;]p15-L{UDh( w0s{ՄAaz"SSp? Dž,!hN#iv 7Xh[}MHp5U] m#J.w‡BB`v8RYZlgPUFw6;KeڰK56Bf}A>ۛ xB$mA4c GsYF5^+4ÇgWQwFpq`ޟ XoE!5,⺰Sݩ]x]L-n@]_IT:o N tɶR+eZ3m)zLqBpn^ǖ6 +-釩)822ΝrVwyUfu>^؉|ip`^b{ro^IJ;GwOd^W.~ $PѽZ>2 fGt+d%KfJk,{YŮCn K4h2r|鱶>d0 s07H]Ism$J3R]9UK=]*MD!}+,^iI}WHs;L!Yl6,GGTkx(fg68]Sj75m]Uvֿ#hn%`toնm6B^ K3& VCQu!_K/yU!uͤTHeQQ &vS8]9v63lcO;73d$ёtMELHy6{t)%h*7۬.r@f2/*\Xfs]& 0@&uf ==2nQ tVMAs9T^F仵rZ1H3׾sQ]tvP%%61-_t:JRr]|T8ANYpԫ_NA*#fW}L;ȰY.)3j_3r֥H54.{PؒK 8XЋ"h6* t25'ZYnđdaLjulj.Tƭs# ۝*t,XA]1wƈGЭ,Xq?x@BYJvmi?/1@{0BDk=7}F? RПs4j+_rElaD]v )uq` ċW) UY:0mtv~5U&(o#'mY%T}SF2b? xvyC*T];7WK8QKm$.Êz?BY>(c*Vl pP1LR S3_44-)o!/CYI_?y7[mq-Ƅ} ~$%`ZkqMPI'ފXMl&klRv˭r;[TV M2E2<ovk0hiT긍 J8U|z m0{R6Q].پFٌX^<˄o)ٷX)y}: dԡ&\|J>:^Do󬪘qQ'<39[ 2ZAdL\xe08) i_@5"┘C ՉDf'Gc^J~<8hi]2ˏKL3҈LTV P0i4QOeGEuШ(mzOIm`T{.| k'^GG.o!)LDP( lƓNiTE߳6wMJ90HUz;M\t:TQ^pxVDx囒-GR2('EH, uMI]BىDuA1(jwCoJtg3—İHrQSa𣖧 ?A㷭d qi[ #'!e˃#]A{E fRւߍ%M#~*]GVd5Q;^ZN(Q;;rOb h/\mY2ős̨oGǟ-/߱qMБLCo^M'аp-`2} )u1?n-w{dLt@qw7VmUX{I1[1{XfmMKJ%̀@dhۋ0AD5xdˌ>qw[lXV%й ^$KIs@ԕ9!0W>ק*M[?$R)ˢND|C6-ƌ~QD9IqNԐXo8'ɝ5-t{Y!c =`{h SF/q4\~ƳpU(ho/vKfsy:t11aL G-A^+m3x&nM9%|!2wyY}wY*JfYMpzzem'ߛ#cn 22yW# |(3HEm7 CI1^.rQHNKv0Vc:pT/wmVƕ2΢qB:r!ofYXI6J |6&9q ]{TAw7wvat&<_i?_>}*bi&؀PA#ɹ"‰S4~`B-,tAW,'|fJ̩jFC3l 8!@ Pdq$eS nr6Ȁa&Le"aIaG)3J ߧMܟsx_|.ӻb)aJW}-H9+5*B{A/z=zzDЍWG; H!Ћ -9u) XE"D;wQ-qo:4(KŴ;Be b{sZRVG9!{߲ix_;\zxw>](q2q]F1ͥ@+d!@¯ IݦMe!c"I@X4KٍFo܈X .(.]@\< ;"TI\1M"':ݓde :fD&ňgLwh0-uS!蟐EHj $0Ԩg}V!J.h#*ku]Y$X\SČ|`{lY&4 ns_8 mTY-.!vA?5a{k셂fSGU§ O0[pWW튮הoH +*>@ƶ#@$|Z@#aqu IzL _1ts .qgT5RJѸk 0=,zg0%q$FN/x{ ކI>ԡOWWUvyd3=6^y$:J\yqܓ㴅oHZji$+tq PgCPsE@;d=~A$BD}Wf3wݒ9 +027K/ú9Scf{|n ঵K)g7 X $EQK"ܿn }`9Bқ X(/U(bdVI/5G׵+@=Iߢ&BZd7L!`PfF6tk8O?Q$lwMk :pfIy_>f{R6URC8&yXpW@: "Ej΁|$̀pzxm"dA~l(t;h9ٰEah.c\͵n |$kƗ{U,<$\-3fEʵ5jMu.[]N޶7@kZcְۛGfI:?D13gP F폷CBI eDd[byc%-͈)#JȒ*F)Ţ9h#Hq$" d. ˆ[ ?+qfu[|nƻpf՟GxZ1MGE`]=Gg/`F]gm^2F%-nw.t䎑@7^$% wovs<|X>.r1A^0)bg ny~G"?I+A k*B *O@{uP!0<{`ߐg+pin3iL W-n[w38Qy uM+a_;J#$ݸ{z25wW/,m/#U_F5`@vƳcoQ`8=vY7kp#Yl!&p-A ]hn{I jw쩾a 8!`&4A#|U~KRK@Oy6՗s6C |7\Ն~>M-?z߅4գ.qyMuK_`WTeuܯ*B~jH볶^^ P T=uᝫO Qb(ha5zsrVD8&@K`O4,+nF5yjsGuE;%W EW|9qFv]4K*`n6p`/>8{z Nxx#J.Yy:'2ĢlKFLnXzXb|t*lmR!4 (H\C&nY<اu> p2Zt49ڢK([c]>g-5__BT8*Bo%bC ,,|VxUp|ѳÿtACF-NwmXE9IeSTI!sO=+5o٢wCw;׼ I"?͠ Z>,XF5P =5k (T(9 ,F`^WE `&Um„htUn^g^1KoJP o]zIW+Ae'}DNC"|+(9-n:ҡ+`C&|6سrK+F֌?YDV@H'WQQx% ?x*RXmԩ!̈́r6e6%h>h <>=B *7R77ojrb2DW*}9eô l×̏#%0_+;(8EC8NJnዜᅨ K~ќLd\mq G [9J62k8rpQ6hIE (χ;E 'c#[+ %3|SП0C} ~<ߔ֩1Z v7[T0|yqlNLů3kn6`v~hͳOax\$"e*Tb (?\0ݎyiye-P4 vlXDG:cն v^fah;hrA ^}ۼ [Խi18kO߆LH| qH+-DNs[V_ I3I(8\_+KSHB.yw[ Wa4,V:hw:q?EfТUne 85P}׺v[΂  2ADEc3#Q/YoahTUY|"5"ɒ!ݲ!0*8!u|=#*GF#wfWH1yg>Jjj$S=Fc9z􃏡$ݮTC?&J=#9XZP)=vTai]Zѡc,EVEw F\umh2x 75l/^zO0 nI UZ9?B4[Jѹ+*$lC<qؓ :c,uxDdn9'efs8 fw)7|V;Mm읹W !i@!J_{: W9u?]a6lf\s {.doB5A<"TR/۳(j% c;ދ~2^G f\BAyP^}HRvg.r ^WO Y)_|ug%bd6 z_B!+9Ɇ/] R>$$D-.,&3 %(eCI1PܙD^Z?ޥE!e<-U URC,˳%/߱?oqE@W;@I0ӿ@w}q._8Մ6t oGo[(+fH?Q;;Džwv۠8r o%,y30hݢ'\c?^̣o-IKyp,pӋ']D[OB]qs9 2bYjB0J3]SkbDbr+Sy0sq Z`݃^Ħ~E>=kt87Y߿dP_k= BX&qOH97b3.;GOs:,GPxX,!I4^EYcjuS(ձJ2c2kAPTq ;wZKЁk^3EhG e6GG_-ͳÐsbw17uǜ i^SVOha-tE!n(6 \9ps*I@h Lx 'T~!ү?je:uހOSy.n<"?~x7Nw"mZqGNLeiAR&#/ rAU=y2YQ<6jYƞq0F39A$uNP6luBOѥoƀ$]h̐~Q-,;~9jEk<*̝mR]Zȗ9-N}pi5c!%X7С zAxx< ƾD<8XIqJ`LL·MړaagN A)2g-*m)ir蹣~ԁĈ_$…O;2"6ZR9v\^1 [ 65N*@M0W+peL "DPdL5l,~Եyr 'w6ʢ Hfp@=-eXG=Z5?N˘^ڃ2ݖtU*&_]_.pp~ja)6NI/}EFq a7ѷU0T!R) 7/ U,_mWM# mm|tb64 :hevhI c iqÆe|8q ]dfPl~GAXLy Vp)qOb?o>LzĆ׿C`XGM(=ؙZ"tybս:924u#q]PhƵ[TCƟE{kMI)-VQӮi . I+jfAl5!CH2zk(&IDK;9 ?TFW_Ն JR}_Xt3K;'qfel1($)GYXyHLE~ڧqxOS=PM'E"RtN!u6(2\ @aޞC 4?DQ`0Pp'A-Yڠ  zMm"ו JVxWcӏ uy R 3ɆLYTDM4"#--V%\_'"M3j{w(`a|D?-#<-P@g-8n3HtVYN@r"j[W/9AO;:Bnت;=6wL ͢~=dRe(,6=Ӏ5BS Kt:C f9wKLTcD ) a v9GŦn}9IHM5nftѬCIAv̔R iL"Q r l}M^KR?) J;6ș2%( Eb07=eBݶ݈e_ZWٕw'Lj#731~_O@ƍ6xMg 2%݀8J$j"..b[%0~DI&S:BoLt9FjES/;J>JqT ,1b"CFtghz*-G :&wuNeNii,\$nم-]7Zsva_@D{e~H`tw|u3Oo{O~YVQbbI=e+(98S~Z;8a3nĕY Je:̴>U|Gl}7g4%`te@Qn~I{Y}=I0 V.x^?P-Mm$vC2mrkb.~QA-ܥV\q ? U[9dHzjd Nz;/~HV=+ V6Gjk,Ry^?b?:ZED}P9+>s,@W6jvX,viVdDZ?"2FP-*u@Lc Cu^ݘq)L7gnCEaa8d1m2?U<;s{ݣ$^2apr6?)4v/ ~Y"5G8Ot? :WS94J|0.( q61ƴ|PS\_B$PEۗ7 ĘBzTUAݾ`),wHODwOjB#v ;0ǣb -Oc1[qM4 Z昙:s-Yst;SnȴOb%OrLLIoBCmjUuÿTqK нE2 _XWjaxIk|놈=EA~"|FA^;rXes%Ր{yߏ/'ݙJ?敺ǃ{qv%AC WCS6@h ^DHUZ:< 1KLs G|LY33G ,$&աtP%ZO'ai<'8۱wn7\I)YeN3T%c'ESH⽻&^ 2`m%i^#Bvoݺcyɯ+W//;DGXQ<-KK.㰉I}_krؽ,E eƈK擻Ry(2& EډVU;D!^./{oWRRB_t@$2>ϵK!՟{ܮ̔$)5&7U1sOk>s cqwRo?Dxhu;;`BeUiG'ŃE9}&4͞*A8g$\}_ٰ-&[[lӨՏMAԝHiw{x jfFNZoNt,zXPݽm= `(s~Xs[b0dm9A~w+|%*8+t`WҰunV4梈X8|]HeE]a~|}gfq+Q#S%Q[MCf_`IvV4 ocQԧő\4ekGz5J@*߆@nWScw Ftee\}C}FItew}dA4}E Ca߁FͷlL~+SO*@WMj߹l#L1Nl[zf嶸z]m)RS܄aJK B3kA}ɇո1hFghލ0Y)<)*0)UќSSݾ]q[Aύw6t{ ДFTkT̻V/u{y}gj#mfl2W2gPaĴx2@ -SOϲ˕Pj*AIkuG=Td8ͦO%v>A fx5nFWqv A? [j-U;/B,-t"F}"U<| -cU픞T&EO+|7mW{7[T5m4'y@XPUUߵjK3S\%Q`˥+^r8x!Lyy.효0LjFڠHD?1z IyP;(8Uǻ;7w"Z{!S&3궱m6Z?ɼhFđ:%&2qO]-{_"M& Xr=Cш' 0度+j{pǧ/@RN\Z(+!oQE2$HO0zFn$sK_:CUghxeGm=M a*;n$]OtI):ӑNIIwj Vc(TCao'DBb8Gߥ@j2Cx]D;bɔ emR_ڋ5!a@,6 \#7PE F -}$28`>l;J*fA'#o/u oQۄe3a#C/^f5B5fS'^LHPJu#Q#4!rqO$Ỻ棩o Oi u{I"DȒ@T:Q qgx 0ON=U )vKt2 ux/]x0ɱ˄t6դCoOPja dͺo!}X DXx<$pVil:lO"t.Xe(g21O%ԗ/ECqE.8AP7Vs Y⒌dERݜ#Zl#3uE1۟2*M0ۊSg W|{DO"ԕ /bg#OwtTx皬e"oϨFը>+F[4(;zP@teC$@_FPDa `w{oޯץnSW',IL>) N]5y)gG?[ 0 x);䟪.\T"YvNՑ=`Ubns7i̐5,0?$ô4QO29AMou#!0< Q!owsߝZB-0[ ,Y:挕jiFivY%J!x![:tkF f-2H: ~YHZ:?I'T蠯u>>!*H~v?q]rpdGpuSڬ(kzZKӝ%u~*@!`v1䤽q-_B1G$B%۲~[κ30Z YSѰ=,tn&D1 jEP>+)a0'}g>|2 ׬RTNy(-ِ2gHE14v^̚ɗy}