sssd-kcm-1.16.5-10.el7_9.7>t  DH`p`$ƨxT'6=EU)VʾaXqGVUY5yL2`mӱ \v$5 I* E}w.0'=1ޒu/\D@EL(ztg2QrFI=`|猞 q[rKmbBӃڴEw!(3k YWȓ!,6dV~`уvH zSןƎJc#9.u#A%$i5% '˜3i8JQKɎW.ơI{eSSF[k} fՃNF?oD3.}[Bb&֤[xaxLOG?9^3^+69:b6,]f O, ?t="8!7s-B |LcϭS ̷> z=YEe! ˃rU}gy<2qwnq[¥ڹɹRGZ_G|o _ {N-_m<ڶm, sfa1OgoUѵTC쓽 ?t13I\I &ZQuHd{ؒ|3ΰB q-#l.Bna1,utfӧWΥK?EMlGG^Gդ?|?1,ӫP.ǭksˮu %rHOXE%nI,]{Jo={jk|=vX&n$\ȼʁ#tBkFAI~qWlF|>>#?#d   H .KQX4 B P l  ;^AA A(w8A9A:A> ?(@0G8HTIpX|Y\]^&bd ee jf ml ot u v w"xx"y"9#Csssd-kcm1.16.510.el7_9.7An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.`~x86-01.bsys.centos.orgCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fiH 큤A큤`~`~`~`~`~`~`~04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba10cb8880d34e4cd1d9b0a2dabf92e39f7c92bca805a77d13e974cd67301c473812e2877a03b098be5777d4c7986673711fe3b1843d6312164607c685b35424b3ff9967458cbe9fe57973215bf1104568f564977925fd87f9d4721eda0a65443b1691b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.5-10.el7_9.7.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.5-10.el7_9.75.2-14.11.3_ _G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.5-10.el7_9.71.16.5-10.el7_9.7sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0637a254ad23b7b6c8f93862c822c4bd600e5555, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory9R6R2R:RR#RRRR RRRRRR4R%R8RRR R RR9R0R'R"RRR(R5RRRRR&R R+R.R-R,R*R)RRR!R RR$R R/R7R3RR1RRR>? 7zXZ !#,] b2u Q{L߲s!#ٴ2; 㛊$T&-0Rr(97HuPM{ƀV))>0 WnQH<%,Qx8e+DR'ki ?mSluSL՜ Ê%uB̉udIZqz!\;؞'&XO{\"jYrߨ'wFbslc8uNJOHScyj7-OIs{0X?FUgEIЩu(K="tȦ_XL $"G?a,}XaĘUesB(PiCl)W'Hn]Fcq~d68(ڰ 4R ׂb| h&pNw<վ*BY88c^NKG_2,s\ 3zk;|oV?\tJ-,*OzC~9QO[56,ɽƳp<;~3-xM5edzKIΎ[>> !qny~YFk(=wMsZd[; ͍XԤ\z؇Q3NR)F؎7d{jfUD52`[L4ou]@v3q] ivZ_9 Ș1 etx;3QGӎԬՖ|4YRSKZ¿F`-ەI9OG ~G+Bp SaUJ 6\C+=dɻX. ^H$Ds%XL +t +>F\0ex[9ߨh\=y/b6K/C.[?fL:AOG]F$JKiVzs\OzESC̻z2\QqR½]2vC|bhb y?/XDQ,)S.D$r yqwS-h~8=MGߌ/tj&dh&kyȇmk4N^H) D(F]] ǎKyvBR'ѫ/ 'L UQ|"Qnubuc\=uAm7j*yJS?|ALws/^DBЏFu8{# y9 d=t GN;m5A5]_t.{_KNQF6%EUC?q;1KAl!r#^[8]|e ŷʟ//GN%spb e ajl7e> a:<ڡ?ECETMP|Є`No1KQﵹYYwDkfQ/xO1z;֒d O\2Fn=Êh"Va-& Z,3`5ϗW58"L}! :NH5dǥh#g pLu!G1,t^-ʘ_&߰DYȁ' tńl4\vpt1[*U=YC[صSÕ,/9J*in(tꂤZUIhgYOh5zKy*ʇsA=b-ppU% BD#1P1p_O,2Tk9 x>E&Lt Ї?ΐ g~=3!Y5ɡg55ni6.jI (\brՏlys|P<7;,P7RMQ UMDE#: ]ip<øفxȶPHsR븵snd9}!؎05]n%Mmc|mQF\Cv `fЙGU< F!z0!,4;MMȫ.CǡH:sAýg!yjD*]P"bw='G8`c\^ x'/?LBj#Ǘ"tmg4}וbCޯ<Y׈  g?qtVnPC136cr!e{EYH睎 u^W`P?cMDR߽78sp%)rGXvW=l2iGI:h\_,-p-7Y=*h~S߮]cO]ʿ)?&wkpP|*ğWWk(y䟜RxE?R#jiV;)T|AABB 8!/nH[v.~!_!*"ۊa>/Ǎ E~ITvf(K_ cX(ʨ>_5>~\rY(\Zrƫ#hDŽ灰{ LE֓Z oΓ Zϙ|߰,Ԏ"$سq\C>2$Y.<1^=Tv=Z=kς!Jxu7U1(r0 >~JRz*?o|r)ֵ<5ʉlMtq؝َ픂 UHli`|nn+!:U0Y+OU.=>3(E(/cO\] Nz>AV`tvC x|D[yT s_`h9.(OO7AMwREY!p(<`A*toM02tK .JӿzVrmR3z$Qj7 U O1pba8+컑-["H`ׁVoSN=U"jޜq&KV}@({eX:Tp=2wsFCΓKE|v3KziM9o߆EdR@3bQkFP޻AJ=ހ$֭xԨ|N[72᝿.OTa'UTv0z+O" Ti//m!}[,%){U@rS%LjfbȩܰDw^( aB_9}aAj{lLq-8Yۇ d D=t&#/~,Phc\!@<3ڻ#~3$1 ~I깊Vǘ"*tOdiqj]@ >Ieբ+fLCVT|f$.򪪪Y~0L3tv4M` /1WgcAV/x*9rs. "PES# FFM J2s0_! ťg}IIu\Jfj9B ~o8ˎ`ۍMy*nҹQ5fqf^$ͫL.Xl- TK$nALj#]FjmaxxtŔ*} 9Bz(?ܵ ~ Mu=sag)Ox2b a oxHwP&oaXȱ<ډZ?t4IφezzSڛSu)!{Q=ܫ816h}Y[<w&.Q p"mrN>ؠ>WX$]>bڇN*wĹ!{B|؝Lf8|p lhԈ TJm x ϲ4q YR|n,0i g *Ѵ }!;osTezYaƿ~6 J WGE?&z'x^;L⩾=$}b\ g8Qea_L$ajjBj_ 05_jn#@^Y m/l 9+< 4a΃/xeڲ&a aιU=PĖオNăY~dʨʯOj ى3ȵNF_:713zrE%1;ʶ<9N`qI_kD QH1$I= BwDTܽR#omovjhR} w"SNn][w qyجA/ݖsy*AC~ ~ݏQn`݌&O9_O[np4 ]l64WNSnFYi64[2 aC柴Pa-.8S!1GPe5Z->Wΰos[|a]M aaਜaDS7Ui\r6o'{S&v1S]WPFn !ɡOM0Ja'SF ~AkxGbν4{1sN!t)ex10+Du10y50qj4nTBК#@P- Ig}m뽉#2bz@]s<Ų^٩~niswfD$<yy/lK+!Rc4hXDea,V}BWa`igxIݻ/[Y) $fِMf3t>ꎫ'(vڎ{t>zzj[ -z/N9Gq킥ذӁ`PVC+V WAL㊙t'U= b3z;pSA4((k=ƻfՐǀ|KWs¨ջ.4jծ|;19Vy rdV Գsɏ[f`QN*FU#Pdž(=Obbpyt)rd_'.ǟxcqVޒ(&O*rpEB"ȣwGNjxwIF.|iF=&zƴ> WʼnpXMeSE 'o)YVIͫ9g$…Z:rղ]io]Da-{7|oŁN'{zD 1v̻EmeM-׈Ѫ T _=lkZ&x7$GT&olӔj{ݔX U5nT0d9] nk; ~#i۟,lKAZ4CLhv(οMt~CLrj) x:HqQDt KKKjH@anh=7}׎oٸ2ro|mHu8;^uc8[HD87Gv L#z~gY5 T$9"?!'g'*8|c΃V LB«`6nʢ > Ih~HEAA[ڿ\f@WX* :s8>{$7M1];d1@r}8t}ݖ;㖭3@=u7꽾rA%ADBإYS˱BC3$,گK?Fna+6TK)_(/Gfa_-z3e)t=Yq2/i(  7rOIߣ1 6ɺ9`>[m"0U?b[^mT~vg>ٝH5pHʮhiWČ"*|ru$s cduT;Fʧ&(vԌ c\\&y."m #J l_kXbJ' %8522szG@tΙa O{Gwm{t62֮ArKw(W~> rxcUO^2ܵΙ{U^pyq*1fK*a_DL{6YMs*#oZ&f}λk1i]7IRΒ q{j)r OݬGWU@VKC!t7wa!mRPR!A}o j~ h[?yj' Zcp.,pLe>RJ?F"J[u̜?Ui"qCo?6}c"X}'iL^^|Iq67r ۽_ktA))U9V/%~(y`6T)b{/. -%,7Lp l$<1g>͂qq*naD$.˻bDAE0uGJ)3oy+Z[ziv4{$.>K3m%RgYI3Vq߲5jcS;Vd6HǞ-M{p}B[c{ZA Ȫq&D`ݹ+u"OhB[ʨ,2H9[{0rWKU"w 1 U, D![>;ZQpGS:gWqK*n'STA4uU9c@׆R^k[~:|2oV~R8Y- v$%c)ZLGN˘N)- Z;wA#Hi[%[Lי=,M̆Il-cqؾ8i1FBƶ둦7.xvNRc]*Ԍj;qmH"`vͪչP62{x-X gnY5.D diJfDB#XsQ@?-t,{ɧ #?!@ٛ;]d|M /H}y o[LzM^6~@uY\_5i򲥈G;O@mmqa˩q^UR:BWy8h+hhG+"xta#CD2JZ4'RPk$y^GF0r<~)_7B~ U3"By0/>6+ jY>Pm& f|Mw=VY[s&ۨrQӬ_DlnJ@F*@Vo,/_*Ƒ}'FgaTFZn~\BO3S2\.%Es>w%>IA {%08c@.Hq|Lz)訕(D r;cS2|-8v՟Ѭg(c@-bwC e_7xeZB+O@a0 9DZ AV" W bS6eg-[mڭl}uhamd6x/X/cҞcﳅ NHK"`,:v:"n`#Vv(4|QŸ@oվɞ]BT}:{TIhs.U䐭w">-~?,hqZ-|7D8׋kJ&Aw>2E5I7Ϋ<-Q*wƈD)|1eX46ZN*eC-v%(<0γPOd4kQH4GE*(q4lF YG>!3#x)9I1[4]'ܸ+c3t8M69>(p.۝o9wN<"mH_G1&{/Q{`5&!~\'etoǡ:ъDdOL}~-ce[ʋ_"?&.PoOF]P4f/oy7k$}X Dy675.D`[#Lv C\R#9 wmTv8K3$t-A"UmD }9J9<$Sy^ۡ0L^ic9 㙬 O'V0Xֲ-]AVx>.I^RB4+3w)>}IgEIj)c+M֚YY.v3ұ觚(GL,`Π'/wauЫzgb^@B84;K&M9M?]Q&_4! tZ `c9)OeVPodG#Ds˳gyԂ0=;d y, \73['=)3RTX90y1 s}<5 ObfBU:YN^۫:e&(H"0bZ1BCOO$DO׳$^5&%9j9박~;v ̢^X)u$.vjV$#qgvRCrKB~ED*fzk+^S陵a`c ۼ(bk]IѠ:Y0Cd} W=+G\VWf|Ә'M[O~)0pIy jQ%'e&JC~fHeX;>FQ+RE/0<&zۅUpL ?,-Xd&cm~rzG2etҥNcu΄FҼe2_2oE\NHܸ|[#0t)-]TW'qtS7!#2-2XgE40C;[,|郃͐JPvphJMgDI=9E<]`Ֆ'PnkAULlBcxJWmgSVqvۨ'^:=vo蟎Kp"X*p(G6NVMChYR6mVyӧ+OHvB-NE{4#9-אz@ 0YkpR+q| W+[D\oxypzjxc,ܹ>4-dfԸW+5[ƭsAaP1mpPn|q(Ps_3~Tl` z#4)b{JNK+{Tc8itLl.IfY݄vf-pazQѬv/[<.:3(+ t4jjlLʮ\\Ns icuh5iSUBNhAHNgChfWVM\2Gj Sr~jﱼ[]RMR/n#*CTz^v /Z j_x.!( :&qÉs#Ryq! u1t89QaI5$kL F\G|^ڏb XEG!oG3νZЬ x,)em73d6ط3#O8|TN#mvPNSo(UͅVY&5mpi7X4jx{'C 8/(%ϏzŴ6($uWPߑM$;.HKRw"J#TIogR:j`MXP+Χskc(V*՞-/6 `0yh'6tS %}}\4uL\Ap5 3šq2XL?ƝtuNLlvȎ5VOM#j ؐlA*p^J?ә| d*8Esck> LKyjpU?%6MsB Y\ێsk6mKڡ}W눢K!L;_d[ΧMm_7dO7Gƈ. kH i(ÐR/Co\e|f%fTj#(&zeҢ&bף_&uSY}S&C/"?FQf#,}=_-Sgt[`7Pe@1 {eDGV-_oXĔYRZ3ϤW(:ϯL+ PQm{NuzX\1ȈĻ2}N0H0<*s>_ H 4ޘXtU~~:gzVj0]?O 'j^PVP>1īpKfm:ڽp =lGh}vlzaR/`R>AGNUsA*WE!DсeRFuPDzOsbb){:pc$,c_d"'m n 9D:ېeoy`>ksKQr#2Ѯls4݄2(D5#c\M ӻ t-WF[˩Oնft}nXoxzˬl3sd[sKÒ5$ g+ѩg:}IB- hTta3"kqaKj(W+ZyB6!f}&8ĂL 3խӽej`̙@w"҉x^AW$YeE65F JRbB8Zxg152bD #\R.^ٞ>S 4M`E&7has&6fm [V(N8FnE{n7Chz܏Rt8mHT)ΪʯN<Vk=ݎZ/-?x`)K~<Ot^`c|'N>|~>Ǔ%a3ڪ` ]@8a&-MN-zHJs!-[1hVxVq Z>$k-o{DD<Z+_di S 2Rڡ/ %RHޗ^ZoOWj4Ua6:WӨM2R+R CK(7:Te"NF2rMn(˔Z7U_rnY[~D8[.lNlPQ_nҔ)gs-zkW; W 4Ag>O&1YH0H(  Иu~*szCW;9$=\Pngۡ\]dIɏ^^ʳث- ~2˃̴Ö#Ge7c+oo6u(O;96MKg];}@VOBȌHf\%.iT_,C5s7]&:q2"53CBùXi,>>)M}NXD5`Raн!BbÜx-]nԂZQKM}A"RSd@AxY|c9w2v"t;1ޗm_":[D_'AH&{cGl eyO~$H181 j#LΪp:݂j)f{p%{[kPp~ȋҧPt+0;@xkRl1oiqH)y_4I D y9ϷI- ֢=b<:hחҏ|e$aȆ)ҽ3 qR:łXa G`LC`ag2ZNș*,<7I XOGTiܳǝWN.ф %٘N--hp~(TbzH?Xhi2ЭE,!G)Bb "W;]?$wpwZ?h7o]^رP]Л*ʳ+%LK;VgI(QQ 5O$@mu(PK݁4Ed"b~r<-.+|&ݲM,b^9ׂ np̯iNJݱ1&a U@i tY`0+$'?8顦.UgbpլXJs: 5 f>j=!bzeulgp(⏨ںP_G56ML) E'37$MhKÅ<@}9B:ު\f63;P0(Tz:h(w"+LN&{.6Sy)2 ԁ14!7\"U;L.s~Q=\iiVSC\?퉱OL I0pH;ף4> (l ZwԵ &.6O|FϥP6FOjiwV~05PJTG|#viΛD?0[<x{ *פ CKRU.87o3P]ބue">2-_\3Rj~[_U;05#͘N )lUG@&$cVnu_7?!^"Չڣ9,N'@(~w9FMCw T̴IA&1BU1b90Yz<Š <[jP..r@(wwE@NS!8R:lSb)I C BĜ bY#%wL|x]E.m1:C c)$.t]Mx3$;Q/2篔b{Y Tބ]HmI01жފ7> 2,5"0 ls⠭!:wOFE2 GF|Ǫlر֚Bp YEĜ\ka+=DMDEÒH OBd,o~= MLat%i)iC |'=bwT}clซ\[5Cr Ne fD%ҁw3 O>+(4e@::B[)( + k CFK4x0chϪ<9vf_٠=ig_YFD.đQ@ćY Qpzt& ⇁d ŔC-k_Zy㫲CqUgԳQ| $¾`ױEOκ^NꞢc35}czJ Gݮn_\v5vJyjQ_TUbB-oP5iX_zmU&i-Y uv dy)J{T` ppQW9xs,†k R :qSY 2-8qbX!ĔqHAonOS$ Y3HH(vTˆT=Ph$~d,$7M{7eS{ ''{];Jb*Q"JzRY GE$-[ 7Ag:#A|>̭%K9qi}J??]{|Vѯv,JgCX/5'd\R$,~:oLV$=NśdzfiA%Di-Y=)5?If^k/`K xYf[ZءME,ư`z!H5.wQD@ዱ늘sb)"U?);G,忂ՈÌvOqTp\N}݃z gWf*'/T-ŒI\m҄,үM!fD{R/jv4p\Ra|ɢZ i<,5$%¾qh6!x!^H\Hkn<])Zݿy~ׅޱ GiHTsȝڍfVѠbۤd{LEqi N&㙅O2]G89 ?a*®=U99,LXre ҅Ož@ɜ"Q$/mlO(¯r-cq;xmy!DfȗdW&.pƝԥߐ6?[e(/F#7% sQo*B),HoǗ5↛1YW47bYU 278/#o DC h0t3i.C4ZakkZ>l }lh0{?Bsb=!w#mEY|6hZ u )(Cspx_>K`f/<8hРBN_R8;HTc}G_T?2UO.[!mWpBnx/'qHۋsŮj5w܉R?6_=)ny{kq5T??ũ΅i_2 ܄RZHU >QY 8Ϩ|jL >b;]WJOs6-g5`q2{@y5U{}jΊ*r&ߧ$6%ŝq΋²ۗB3UXsԼ[rة"flY. Tcɭ=LV1h29,jՆEo =qou,و!Sz.&܎n[k#&R./LQhy .jb!)-g=G"Z]ZФlK W]K Ml^EWtvu o ~.X  :lӥTfURDnй*m p`_v#3{:ZLޏXP-@,6L#>^F?\] dHG6X 2#WNܢ%XhuU*`<}nx\7z";KYcyH$ѧķq5c xNznS|-m'Dy+~tפŤhx)Di=GOfǾ ՅR\Z 5ܷ^9}ARZ=_|8).d9 Xarx&d&QO/tj>\8|,ɼR ߈sYa2iaGa&(tSMs37B/0ѱ0˪OwaBמ̻7#p,O^T)+OyţP|K:9 21v &^DD3\WsԍYW\"A`-ʘbG񤾐i o; "%ȹR!Bǣ%%^+^V#dCN^yڟ1iۗGCxxJIF&&+[ n[iHG7]DYG3^w&}Xo]Z€u zoRbղyf/ ^*0Πݐ$.-5rlݦspc׊4j{s o@vu]%LͱwW4j,-y D eП?7+/m2@ :J>Mr@NR̛T}3Cr9C^Ym6d[z&ve|׈5`1"*u,XJpXœsHvNs8hEܛZD7|p.6g8bڰ}x 0嵪P,Q5KTBC7.]m>7}+m:р}aFf̠j4 YMQw[Q+5ʔH@%YM/@J5p]]分He@xvݿ^;2k5U6hj?_;*Ƌ~NDA:fic‚~>ćR2k58_B_NA&ү:!MdTd5G5=]s? *Ę(eDz'T"Hc {ubIwA;1$1Q :[E:r&("{-IFf2/ctKW΄U ,m,$9|sEM8©pRKXjiK_.nD˲3cYR3.MjUsO m o9po+`MqE*汚tc%"fW`< :/ o?Ue\!X 3sġHFs\wa`՘q8UwMj}LwK]dAf>21DͯJBΖ7: vgFˏd=@Qlez BN׮C] PR:5nNgۀvcU }B4C5+/ک@ogR@:7u#n9%^ΝogI '[@LY**>e;ZA[ DEd,l'63<Ðxu&G2W&1F<-Y>OS L5 < LdMҶh1%hQ3_vU<8ݤ 1(SˆPH1U}AijxLF6d!`Ț #dlªޡjwKQz"\+6@wc_Ǚd _9%50ֽyvd?l=7i_7bǸ֣#FGa * ;nC}ϗxOW<;uڮC=-d:tPqK(p߭PUw| ,zT_0!E07|$qEZuUk9/'KP[o(4vrs5 l9pU{ɋ5j: +_EbꚖ1sb5laRtl3 @t"tg G {+n "EMe}a6r*=%%BF, *JD ?cWv=IiHst|aW0W4,' M:T/>Gm},&"0mm\y6 u}ҙBgIbd 6q%{m;8劇.VJy`x!2Jxݟ "P.Z$K7E em$kX(̈́' 8b)bV]40a_ld*4,UG={v"~B=- лd knM/D(2C9QG3T*g}+6Äu]ֻ^; [U И0 +["-+~=HQMDz@>Wnඝb{Ge)[!hpǫٍw*xm\ORv@q3"{Ltr.EɄIQtwd&X<GYMj cʅ`)Ȳr} Ģ( oi>4 \oo0~|@f%夏/ z<] 2ÞB\䷈qhH"'locNf4iuaӧbvPuLCKRpΰg3puR?%3`Im OJ D0X-[ L7fjn.[A_/JGS3?r5Hgi*|72mKBY,MS 0L&"{^1 hàOL844wmTsXA6{OCi{u,K[Zק~1AC=EiVQ=]蹍X軤ثm1|7}sWH=h{-U]i #XC]0F:8mKG4(V(2$*d%Zf5^.9 \)k`ϿW`mWK@٫qIprRԶII 6+aL,])q:똜%8մ0NaRTxIa*&T^SCn{i~[b;`. $R|vwHkj8w޻wx'Tue L'_#4oC;u1ۖI#ZxKl ΅ ZhQ'` m i}F^9<1_BR#Zd4z4e?K24)|񹐛:A?*̆"8RB!<4}p${΂dpFTJ,|ÿ*]'~}[luwJzGVa5L-C)TȐ#hq :?hV|ԏlPԈ2"Ҭ%5b~˿o =BEA.#*r~9srLe4e-pB~jL2v+tg0@j, UBFOv"oT+blO+T&mP| jTu4Lc=1t= Ld.""$=iu)r} I^Gq?Qe07˙GG ?)w5LiDtL_:1kQw9]uq,]b?di̪ѾJ솥Vy?ahJ#ҚlI`]frοMk_ΣS(<tk]Y`K(Qih(m\ܝ_EFfO Hj66/JF]Vo?Gƺ]fKct3o ahAGj".DXWHбϜ z'{v.vbWe$z|Ɛx}S" {]pAo-RȠ;lGVT Lf?_ `pV +uN$>%e`׆RTd4$ Dy jdw5 mSnp3QY/`ӤlUoOFiHyxutGɸpA[pao$i87`WOĴLa C;!Rb 핢,Y=,5QP/1X]4 g;:\!D\U‘U0 j1dE.AGYQ1J"i=''&wl_E)˼5P60fVƚaV.f0 ,!!Q.ټEtbk@3^Q>by'3+ [omtKP%d'+$rq>FxDg,EE"r_*+*;Y!$bep9@ }rLmaiQD2FFsQÊ̿yV6MyĻ5s %/%WFYo*֋'-k2Y|fCOֲ}gAQ3#ci!&N_;d@kbߘdר95 J,]o3(f!lяͦFQ rDʌ#@}&~Tڏlz_^ȩ-VZgWaEVVa |f#d,bŒqQeOiG~dBM@"oe.7&_H벹>d? ԩz'[sMFk [aMe('g&9q:5~f9 Bs'_X/-qp,jLcyj&v"gӂƤ 2g057-Ck݊Ʃڏ/`j/(e/U^|NaD  9|~홶 #SNj,]&;Է:oc0<.r TFvfl~R\{ӱ Dˠ|H'A 1%O&q^OCʮ論"qD j%&?.dټ׹`_c9ؓ R :xUC_[| SBD#P0%{ƀ7+r4 mM1hZi&f|N=nFԯ7U9`P骼CEH'+0>/g vI^A!\J\p"'H4vN}K*Sz<$ )2aPP<&P~a&gw #}<LV:JbXwPͷO[+{}[[dI$Pm Y;Zl T6)C&)!DVLt8r~k}@YEi^1YUfnn̎*x*gÉٞ=< =Dj|z^ &&ٝ)CXkq+$Kd]Xc 7aS>m~Yw]6:ܤL::aZBe?ߎw2ZZ5 p!0B<n[R%n;B6nB[ufǾC.uub{u=>㒿(Ẃ&uQ,#ۇ@^?gjJ~\>sGv7l DLi] wHNPY6E2!fuWmt[}}О ĔΏy!H@ JyAkB^Q+'mXPwazcH"Ly3ў3ɱP-?^ zٚv|J(i!%9ҳ)| y4U;L#\z0%3 ww%8ǟCwIa}*Xc_YuE j0]φ}2h)@&筃f3o~L} f t:(fA{Lz_,N{h73 0dm>m]FEL2'p/wzapgnd/="|S ,F'1l 1DŽ,;ʷbfRja6n%2y5s0/H=$Nɂﭬ`pџ|P67 pڰΛAf6d3dEh;Krvdl&Y1E"N[\ ɏ5u{Jq>-BPoNZ Î됝s? V]'lma9Hd886wkCfyVpYdě> s쯌vJr0߰єfp2L^0}tOr ҏ+l廃 cY^ķ=b_}8,-+0X5$ eP2[! k-kyHܘk^ >*YŋA9(_ޛǡ+׽\#Kg[bM J!ؙ|7G0C8?Ᏼ ;Ja\.CJ3!D9Ý*:dsMVb;WF0>,-{qbʹh3{W-6xGU5jkQXPuuޞoIJ}.1ZZ3乫F5v1 3!#RE%{YF٪`hVb5cמ.i ߨ*@m[[U'׍ uDdb=/ਾQ17/wQxQSAM!dh>I{?A$ш0(lh?Kro^ =[Iͽ׷5}[Hx00v90Lyi4c2&J Mq-#BE3.v՚'DAZ (PT]3?1ӌP)O%]qGd]6OuH/~_19oCW!4~RԆC'kb3h4,\*6E7R'6*ZBn1x@ Iۼ^X ʣth3c@ h5c N6M9 W0e Jށrqʞ"HO q= ޣ( >a$X'Ӿe~"|XVU`iKrSLn^(7>,)5Vműu ~RrXEif_U;Bf o׏ e+=eG^>1u(.ʽaH#EF0œE0kWMóg0&?DXRr=7QV{ϡY' 禵9F 7mLgW,Y(y&c=ɥ̇ V/Qn?\LPqt2;l*(DWYۈpϵqEc| ,a:M-ԗ[% jd2gCP-n?Ռẘm u2b}\{0Hz3G$$ŽSgJmlf6Չja(FMzG ĠIY]xY~sMt şXHxA-4a18V LhxI-IYcEKRw5M_p-ULƑ$T4+Y 19"Pjϑi|6/ C J>/Syn63YSثHAݡuٖ,0yŘi_Z.O*%w90ֺL.q$ʑ[ipۢ:^zX@oØ Ie|!0^M Y?n{!`IwGp"0tRa0N!5wlD_A##;pdilhsԮRDfW+*OWyP,b:eP)G dTVK&<%I%f>:YŖ3 ]2 FE`D@k@ a#?E[Tus|`UG _kpa" qe-<xR}ssmS(U9_ Sk+b]zP9_clhOe5U.Yd>9Pc&DmBp +nxHx hdFGIaTlo(Ι$S K5:DffZs2l--p&8 w'zd7w,yyaz[\U"C$r蒢*3AM3ȗ`o _\CR-NÀv4K4W"9)Dݱin8ISB.L{{$]Cv^+Z߫ބ)AK-TT76kn\T8"wϙGPAҔ0)F MozD7.MDqxSZwoD(jf K{O^p,""ՙjBLЧO{aTn C7!I3:P)@3:j*ʗ㥩'gcaHeȻT ^Ϟ1s݋(F%%[+cpMR.˔m\$N &|Oqhڔe3Kc$x?RqNI%',?pa}F_-dog^iHP͋t,Q^3c$9б::srL[ppjΣ2.^cAQU̼DڄݚlD}vNAtD$2.~;%nA <Qsz[~0̈́3UħeF^Lm*6ɉ\C~$2@7_$nM SnI<)Jy°dNveJn_#^ұ "dvA'κ TN/81<Tn cNjy9i}'XHgc˓)T,ZdmYڢ.?\0j[Ra1QqO_Vyj,,l]߆& m(mU=6{$|/8HWk[ng䫍rkPi0+m;IK1eW(]Y#8c#CH.u¹ Pٜqj (;KocS pְB_zn8;pJP<!|J|!(?h\iX9#L$Hu!hlú5?.diTh2܃gY;⇣(87yrӭG⾞PAkB̨TpeE(0)V~UXj<-I=>]QfVc K}K_|vA'L?<(\nWqn?Үh㡬7J7y T+j"Mqt{o@ӊ,TVc2aNDz^ 5`)ʨk f,@?oOǴ>f-J~u馕w4]< nd!MK3GȄ#خC>BWzFpT=Mޏ$,ٔB^ɿkhE_sNfQ;,5_jx=YR~|a!p&`h#( ^k:(Pki+qz@enu!z; ߢsPP"pPhR2iZ$BS0˿:Vq _| $tD+cM:OXBS4CihKzޕ.5`D'71ÿ%[G,:lUG"H" +#hC(-NS*ePr~ 0*s4;;?[J /iF{))MƜ*uΗ@R)DJN{Ưd?e[ӣ0[b!7ӎ[d7t3}1QyNZ2zt߹[I9P*aa ʓI{w:Ij /&1bfPZIư'51>pVsZU Fj][~Rx[ԕ,im瞳 3#Fuq]o]ȇ Q0jw4v#K1ؽ=*Bdhhy54g5%*s.,}ce[6VN3^uZG8%>@1GpY6Sy D4H^g -ry rd9n:`B[k3wVm.'bY0{ >-3k2?y86ܾzB W I (d>Y{v;G#98ZmF)YK8ymT])(85(wg=e}'Y*M))o Xd|Y9=L 9tvhd^e F ㍹ɗ<{hj0U51X. bgѹ,Xaۙ}+ ܳ)Sld~׹%2cm0qhE>$&+NA9}OC!,fPA 8WYh1a`jXUNC[) $W/]2ohbdQލUC00GJTgd@׹Ƹ'4.x,Zgqݲ3}Kp35bz^?nXe].i,=ȲNV(!8RQ^ , %ty"IR, Uy;YH!axaӹ5 !(U6ayBk0N;a]6e<漟*91bz>~mb8mߩ(RYExu;tz^5E&13Q^U Q126 oF Do-Qb$RvS%s\H79YZ99p O}B%>R-}`OUh}B퐲.I[VN=;jV?VX4r6?OE`t_ߧ*jp upP;6' nDYU~u\C^ G֝'lݝAi\)hqg '$&AMMxϸJZfy tw3Պ Ft A2!E4HvxB fx:r ` aIDIe qH_܉ *8tەlԌ:nt,H2 qFsvG_ e194Q=ſK}!4\$ &)#A#̃yN'z ,Gɸ)6aIrr6)7"IrV,oڣ Sha]:-cڌ># `LIef;8KN@P`ŶSB;/N? ]l`.)B?ZI 7 {}oWh*#&~ZiC~ӌ++mpC'8C!#ȿ$}wK#VN2Z:q =D)>z_亁߳Cm;+wtQɑ=1#Qm_ˉ鏤Z:na?x̾y 6,GjG)d]=E=յB AS-1lo8Be.HNoOZ`9W,#DZk+) %\sjGTZ\gcW-ZcmH쀬va<8kg]r@ŏY1@<5{ӬUY?;8=o,VWZ}PuD`_Τ9l>< yo20SڊuLz=NL`D\ O*{,Xv蔽i̪{΀L$4vG l<)\5o")9b~yQf;6HcTV ~ R֣:m he^9QD9%;ZqM^*gۮD0m pIJ I֍Cn[%l| ݍ/AW~)4aIqĚ$(قO",y (袮3 ^n7X8s,O;rѬD_QX\E+klֹL?p:<ˠ RGC7/*BR<Y - < 6/EיyJ²/.*cxIu eetI*/AE'"[YL O4S 0AG2yә rWb]Hݔ_QӁGF*CpAC8ʡ{K9ރڔ@t@ sg-3څeR>یIg# vƸ=.ߙўyz^uE?rcqiU&5`+[.EŸBrL|& c'f+3knѾZOVr%WpwEJSA'nZť ^% ảx=gET DQMץHzI$ D1pa|ѳϧD]y_ah"> $Y!h;;/z2~7(ٱ[[2IΆ(sm1u qm?e&]M?2ۙl}V3J@&+֗YDA3W*lmjJ\S+cZqmO@Fq Kgj`,݆N Xp.nA U}™A3}{DP;_ӿ*w% nk`fÌR*&N% oIe Lj+RL8E &Ey^-tRDŬvh`RC gP۔v"Cms'e bAW2pN)*a#g2NW|Y:띪U}zf./щzpsS4#!͓ӆx(bEk#OvEsܸ rt̖4QWv:D{9iVLrbmOĨ: zBԖ$;Fb;񷡡H…}=¾`a?Àc27ܿ-Aj1W}N[C&F$?/0HTZs33P,JA缾Ex~~5eA'_&T\ϿA2hQ4Җa>]6 LCA)o$vG:w7+W'ɴ-%X];^^mjĎtUծfOw8> ݹb](%^#eתwF^pCca|r-:&s_3psT& $7Rɍsr5 ӷgNa HFFnAtNυSh1®Mmܼc 8YN>8jW)Œb@JA3e12[-+Winb`hțU^U=3vC/K;jmC2"6D钖;g3~I&ensI@~!D>)ݝRS#Ű=4_]Ƀd'PT# h`wc4 ѻR92s!3B\vҟPfWnVf|uVN8,xjZ|v*-? 3A$ac~7rƝjZ[Z-ج-jӧ2>QsF%h7ቾ`}ջ|U92H^΋v#@N r/,YbVd(&ldZ Jй)'I96LG !,\z!}ޜ@EwgC3az.S7 M"Gf27<%NMg씉UeN;KB6J*)Rp-$ -J%05uFR5}9e[*xnW<o5S._7\MeF=qX/nZv5ZΒ~E[Q<͛$ }D\IwrRCyouuM80>VIWgwr' p+jDƉFHvEvf]kdj5f3|9?>dӞoé:?Uͼ:9k_ rfhǗQؼ~QqF DԢ QjCqL^Z?~˧>9I/qfbY/OnVܘL%}I',hse[\e+"Gw_h-.v[=`$s)dv (U A9 _p{荼ÿ ID>>jz.LGFX_H^NNF;fdLC)/HOlF^1ժ2&*ti;6'.%=鑭KXE_A˂TT:u+꼐ţ$` Ë r T0fjkh}1p@a3E+u`/Ppr,@% ~}mxB#Q?ABzdjo,,v:=}J<%%./5}L!ҹkXE`3T]XG]K툣:qƉ? `a/=ֶS?5:nPp]U ȝRD!j9N΀QdPRO9ifk3;,ѐ,:Qhh>ڛ6=Z\҈j@`z[ntJ?K53K3N־[7gaP!M"qJB+x=-5t.o"TyVx' s uu9#".(1B&Dm|YJ3|| y@eO^5S=AsI!Zz|%>0Ǥ+7<̖.r0v$i鿔37%ys\E_"+4. {BH|ު껁tHٍjW)OLܽuL3IuB#+ًLQjK9;J2v.{j`( {^eAK]C܃И(2Lg9m7ӯr 3}ah"?+JA_Wo0`/U椳OJG*nB%:$u}9#quczVผ !=>YUgϠ Ϭl 0-cMQnq(rkE,#i E 3^rW|NVHx@TCdjgN K=/@LZ]߿kۆIzHuj!?(hmrQΆ,~jiۨ/Yb/ď.m |Ɣ@;~3&t$ϪH*[!]aQ=wՀnvt/[&_LaV>鸶jN]<#ŵ>u5^+~$g'$(u>i8ξ MkАt~i΀}eo?`LTi^x`_שׂ_Q>F33ı|"5:H"dwѷ~xLӑaV7dKclYh6_A%9&veDn1I4|:nMA&t =uydHtDˉM #go)P> x5\f6|%5.(u (9`~@HPVF,+=*j Oϝz򄺅w~Ƒ83MJ-3{Ӥ͚[%nD,$MCgk-&' +dz sh, J˺c&;4u-bXpLiX:Rÿ]<JqV%ͽ {B~% ~tyٿݯE  4r/p/DBG'U <(ai3(dUcbR[&UtvnΨ㥆(Zr GeM*̃ S*Ѯ6mMB}<׭hSmfPNa !?~mvOQ82*p)4&O~KȤkN2bI}(~̢__h%o6?%# Eȇ@䗺P(LA<^r2,S1NK2mR+uNL݀]>V-˔z܄]/'H lQ# L'GKfMw-^9Zz$_cMiްムBj9lH51\fJdD?_kK0F+G2[4؊E"*zLܬ X ~If.(ELN6- >eO<}kLM$b)aeHߒV0$0[ͲI:"hd݌ɓhī6?, :gnyOmMنp$#$ڥI/& WAo\w4=dP1M=F9t,X).Dž#5a4b^sze<}g/[SRM.D_vw%IK3jiM,?:&^hlP8-#|c^i*4\ӃuRnHT_$l.KuJ93sp$:SudʑBL lt`R9pl@Wt(VR ^]}Z'>1JЃAS@14$Hlpv_;sX&G?ŧ_[a!2ڗ\nY^C{BzjXYMil)> Lrc,(>~X=<뜢5$$b˕(bwuAO$G،Q"2k9ת˜ך{iXjی UEQ)c޵Km.R&ܡ,:Ӫ~kиdE :m]$v4a %cOҗJKV=ulMلp@%#'I]c>Y0uvHP8G; qց-Va)p[ݔXNR[&Tc.㴎 +Yh)mrּ3(rZSӮ1mWl NY5Jc㌜̓hJ;.0[AxnE,| !0me}G&^TN/o Hܔ{>ެEx);SӃ7( (6S`gݥ*Bphqk",4vlZ23}3;V\d䮜t=ֽ Cqk^7D[ I]̍;b*f`M[I) pG@[U_U]4t(L.g-^ҿ#>u߫ @G1==.O&|!"R 7!AQBE*=˻)v ڡ"/L+:̴%+EJk2uPqA6m.ڬp8c`ob-1Nߣ+uDV|;l}EWa-3G{ m:IW?bK:-Zr5+0\^sΦ5f (* csB听dYq Ai%`cIU5Ӯٴ J^O,[叝 0÷rEd\ T&dfRa ZR߿۝f)rn.σx3ʫ>LvX3P~Wa6>Pc @I&zy.L|JBtɗ9] 2m xOLa[}f8D7 "By[%@TRf}q}*vjB``g0y@ēmy+h/_b rDbs$ i1V=ͼp 9NLIu6xʊ"~\Q&AsGt234!hd*pڷ^O_Jw)VrEťngpp9 讪&a Z.I튛}=#.(pŹj%],E^'›|2͚:>a9F:[+FT`E8mMQ9T`0fݩMK~k.ڑ squqrL &vQX!(ǔPc~E8Dpkް!9NMǖƃTSh_Xj3ppE&.n&fȴ$ޮ[y;I^1>U2MIl".;Wi!,iphEڮ 󭴂 !⊆Ωܕ/tNS*zǔ\Uf{0vQ2@ "=#7/WFH0ک`ŽjM^M g?Qu1pkõ[g|VzHN'Z\!zY_M(îc {rYOMߠ}Q93{aMx̽h7p?Q ^|1Wzrw48B;$9.3鼣xyfI. 'mUɢӏO<v\6=h ] W= DхX-qu $!甝Wl' |:vLL܁5-w[l 3 ҭ?>WmZ=1tsۜ!FޤXaaH{s9/xϑ(zM͂q^_\"d |#_|۲2GܻC7i.ͽhL甝vĸZ/9m5x˝,TGikd&%-9N a%:{,Eg,583%{AvvىzwwsTin[IL;}]󡉎z3Fl.+|YB[2, Ob\t@2$nM#KL`qPUC5f(-Qʭ("VW,od)kA*nW@)YɍP?̲_& e\9m!0`L;1fcͣxek) HR@ R,ʾGPcJB<@~jD?E6{"(y'ӡJj^ZrC2T'M8H50#L3F-B:Lp A7nA UF%~"YsG9alnvOtF=pc8 8T.,ƓQ1`L`o^*iXIZsݳoWL|K%Ws_X@FN?ҧ+ JKUUB79x ?&(GfH-aoU7̯TήM+'\S)̨R?Ŗ4|Pj]\QK!P@xǦ39?/li.Q尬ҮbMg̸9xCX?3tH&*,*t9 "Dح3+6WJw9_1's\<J;{oIֈPI~Eg$}R5^&uZY^PK^\$^(>i #mveVpܤv<^dbnRwiN\?:xC !B[ֻ|'ż;Rb }+D/|l `{g/e Anߥhf5f”_DDcc8MO'93$ 4G3j: ,`fm`Evs.KP -[=L_D^MXGE GIj_H؅aUI{x{;^bWFh03xwRɮ!]?ķSdmwB5U5HK1_>=Z 0j4:TSΩ7lɇȼ3D6u]Ѐ@ޢӟur HDH4yvC9BbRBVYn2a|'ޘ\c f?}LR6ORgQ,ه!'7< FQ_}AГ/Šy)D#ȸ1KXl[eRѓZ]Xtrj}b)j29?XJ=t1 ?XT(hI?%m4Yx,D+GӣfPPD7oX+9w5-y6ʋyc)j]mEe^)w-ei |bQT<}Qα$ t[]d.M^ z K]U41@p ɡj\-K fKq.+ ~ATVFЄES' rH4^(05PubGC|KM{~# γ_Pe6a˄Ad67Gy#wjLo;j^[ d}gRI3(5gR'eV-Un῭?zLh\:H{5&?,40s7E`|#][ -ԲVKTTIuxGwVC P"z7]Å7c\ؤA Xy4t}0*_ѵJ@M /}d#DCy9\5*b2]` , LY,Ϳ2Y0tV s^"g(g 퀥ߖ |cJ^XJcm'WH W8UH 3E|Tb5dZ%Hdʎ?R)n՞ o+,wq"mNt9^Jmjcqq96H/SpSu71+oHXZ} ZlU7I2oCDq/> ஔgeONb<{<y;t?;NsS@l>s{8FC.ǀ$y=}bڅXH}rE.0 {͞2h }Fݦ,-/V}E9F6(=Y {-? S<{ Gxhګ@xzxVW)Qò̻TB>p=ՙET=Q8 ~[?it3I_yQHs0 ( cs@p)@khㄾbq.orLj!"1I ;{rUbY"=.:$>{i"NjnqLj'Q+t.:K(ܑc}X:O8TQ?lzP?N gRag]k']~hwE>OiIpҨހDya?jܷ7Cn/lrPM\Ӗ-D/I9Д.x %V:oJWzP6}t"(Nt}v@q9meHykΫ[mp,&R8|,րmic.GזvRy 3ZϰD|GKo0)(.~ PwW 70/*[?1OK*S) QqF0S,>(NnhtًX)^_,㿪Žz  EA :SFjR& ȋT_F+Z6I 1a\.muܑėtx+H8=w>nΚpDF)yxPGL w4 ] QpD\Bk Y>RߩE\6|E^N:9]xؓ(EO$ L4r1I`+Y=F JAZy/X(X.k5To;ˮ4##-km.XL-;tބLR?2ދL4cZzݤS"ENҚلWŁ{>vWlDNyؠOɯPm?5 yJnPۥ$vJXn):{jvҍhJ҃yWtY_jjZuZ YLbɒym>QGdI0[\jxl|3]Y'i^|:t ;RVUV~ ˸ [[e=U)Z^:px+3U0PQZhV_[U . Sz'0&]>f|"^;0$L_s;HٱFx+3Kk&E zǟ }S|X0rZr$9Q]o.SוpXng, 6@Oh=4Sy9DXeEo^ʈ^5@g*$:9`- @Qg!챡,z=fdM1&A9;.\eZ&0Lo_}$ ./z--׬0NgJThc[b"XiEcT7TgHj{c# {2W'%#0ZC1Gmރ҅yB;צӽvY#E$ǣE͢A&8}q<O}1\6ӕN.>fd)M!7<\2 ]P*7W+О27ƚ'U?_A6emEu1hg6esnj2Q6x֎-99}b+ GPc-l0!Em) ]14 Cۯ{_h7pI؟w)X" `uH_c^nI_<%[2S.oGp;Mb'~\LճRwclKx/]xr@'(`wxffQ U! vA" y)H/E@m%[/GTQ!_ 5]KJ%o.ByBvD8{b#q_XkL^O8qz6/D{:n_A~ p &k? #3ʳje J7c~6ϋ(CESbv?;AvտcZEVi&Bmn04!vEJILuEVt{0l8ӸMasLD`ڧU~{Ŧ,J'cC}]18S(fr"ziG զtTfjՏVPBm΅t1LV l2f9r{;Y}!j/R_h%x,cm(>uy 돯짮R ^n`~ѷWodg)&S,lI ˲&~ؕNNP˭M՟ PQ=BxSϝOޘvj^;ք$\N!H$9{=M:pi=zV!C&_E<=M_+)0= W`c.wZKjl<@uvrCWA8;󷷮u]O0B>.Ujֽna# 4}K?v3};{N/Xl.'WH1 g΅UgH\YD& 婥j=sUT ]bDQmySitMٽ(ߝ8`Y1ۧ>{K^emEL@ӂQM|;֌`ԟqʹ8LƵ$TJytɤ4{}YdX7WVOt>Pa`' c'@9Bm)mQc6 Q'7d wH"Y]sĂFNbeh[ F¢V_`gHQo6p߀MAO{E$rDis )"c!<{2iz9r3O rHuCO єZ-Uf&1-Ġu`']1Ryd#O> Y9|-|IYx->"Kםf6!5KIGVi$vj/m)FxzOi7z;5fՔP='¨udVjFK(4X0RQLuSfn^Ni0d# w\rXېDڥV,ߋ~ݦ QR#S_\8oePLD΃%ija:܃P913rY. LEHP.XVzz-rbYXj_J)Hvwg?'۲<\t'hK뜒LZa)o}NཡnZl`uePB&RQÈ# W㴾 re%+̀.T6M=y>dlsp-NI8}B3hdqI3'|a޴*%,.צ'!f!R60Qf9iFJ70!=:s "wn!{rg].fg4Ȃ T;\vz󂙳 N=ekO$ Rr֡1Z^ul&a/q{3.۴3VCTLx.sOsh4LsLgkpyjM[~Lҋ͵e*kU)/ǕXCV8s&A!`}Ff(5MWհ 7G~vM6nT [M-a,.e%:ȍbd3-N{D'LrY3p_/,/azLQb{9HHsZR?.깁tM ~0)-6uK3kz%NX;RڵAd8i9pñmڷ^4\J*HW }˷$@6msmo/܈F3B^i RN- ~ pI*4ĩ3ّHn 91\)PF)T>k$?_bgX_ ElBTQO5>D5òbR] Zܳ3wGL ZKpk@J' (1w.ѝl5 O\v }JG1\(Iޅ,ˣ6mHuFOGk0v1tHRf <{t۱/߳-'(Aġ1BM3ٰAiAu%.*P< |!S0Kra?c җ ފ4͚whW=at\p/'EUl5f|Z熾q3 xqlڢh>;KĪ՘r,[30(ni9A=Dq2HZj:ľQH4T1010K}tm6za 9`CUEhxHLP4:>G6st q4Ierf .0} (| ?P/vڃ7 (#WxX#/^ȥhcT3SE$H^ULYr<3!X#;m. t$"rXb;u5u ,sx۹ F[ks8*IƢp' fDq[輍/e:mv/L1p[igʲv&-M#Cٷг{f0TM: wb29NܶO=I{:Jnk"jޕ%O ,;ZLDEUȩ~>֨ l,T>VM,Z:e@}ơH 'єx_07cd #eBKMo>ͻʀ޿/ßymgg[h!CY)iktOr@zm">Lado)Sh^~wtdޣMO5b{m%>a29㊆mhP!#]ʩ0xe/+ vZ="~ JNx'wl'UՂ.";8;:X Ro2VO:arѯ{V N`fՑ ͱ5Oܪl^痔_IaKx默Q AZC{L"nY@_M1#~HK:e 1+ K^ӈ^!o׍Grhט1H]e Vhqxҭ -uE;w jЭa&chϛp/0^E#:9-̺O#w{x*Sє7ɇ!kkwa D#LHNZE]=)54 kVA^r}zz?04;Tux uczUKI1BQt)o :)Ea]L8q ?2byBٱT-ViB 0)sž Dj\k8V &˄I'd} o&2kD%Bl~P_zG</.xQz˘qY$Aqh48T스؄Crm-~,XYt8r0>c CqD7Q+ <_2-$V~ᇸ3' ¹ԼC~(@'۔48#0BkEòis'eLt;ZOSkX邉i>@4ÔbGۖQ#ڵב԰ZZUG//rVE$Z,K %c ۵xȽr" M/H(9c ræAd  __Rꝷ}j@f,5;8[ /qBn}߽h,P[&:_c6/v)Uѩ컣/v%+-Ň,T_ K*%wyt !qnc^nTI\Uޑ/V M |*٤_Xb?s3!r\ :&Ϝb`XB#GPvpޣs*cQḞC^7˜XMG5.$kkjZpT;Ҁeڻ[[Ix'tY6{Q4k2/Xh%fsp ﳴKvQmɋ/Q ˡ~q5GZ=̶#3E4fū/oiB] ݬT C-Qđ-Чm3_A~"XcY\}ٖ-ف),wV+xa%ZE`ubA6=ӤjL8@&(2`i>rgQ׈r8[ kg":"fb~w u@BOeG!yXjszEgWBs=$"/ӒAwf<)hȖg}uAJqdfSiM5׽Bg< \ăK]x\~ŚR]75Ɣ o=)g>cɣ@-Ƿ/%3[kbeM :_~ (S+===پgC%D6!k' 0乀kCo)H tY 3zw q.?]>J~VtĩV7lWS0& &#Dڞl,qo%׾n QPkJ$e/|0yt|B#FYrqC.SɂRnKefؤW= &B {Ķd!F1W7dS SM PmsB,M \h;@ eêDŽrS4p_?N ~5! GZI/=ɥ^t+ ;g'@eqQ?uQIW[JlfxiMR"8NSM {҃4tn_g|S>܀hGqS{~pB,P+)%pYPJ Ó5,8h>(OC"i4Ք{ Cf9m&`‡Hno:4敬GI>mdNken}=C6"8:kxcjNVKB856"RH#֐qrM^7/(ԕ :*CP3GLozrƓWW"H;n:9SO&K$SWԋtƴ۔^2;iI /4$oqјb;U jv7o|j">Nf_(Z9`ݬ!\"&fG.qJoW2kU- 2##_"堲ශ43i~60cuN6@IgD,Wɗq $+Đ*{Є d B5v`HcNBҾ;ҹ5po KJ8w7V=%pͼi0#5o7lI}0ׄ=tHS ذI 30ްaǰ&-sr&F蟪 fEDX뺒|S+jPUH qK HBM$Z>d:O"{ k 1hwm]Hjnѽd\=rOHvy,'*v(dˁTawvK )$RO Un Kf+s\^*V.U2(< -n’SFUʅX'V$(\톾T{~Y4pI_扑+PDZw)yWF1ס ̇l)ڴ6@,A+|'̼u|s(.R 3ۏXd,4JD%cX4wcŶU:=|%X 1x¥pκY7~ykBQ9/v j7#Hx81f77FLt#yGM=9DaDJv!W%y@pSI}d)Ј3<IFapƩ_qD֦mw2P^6]iu;MP+UFǾz%~lH>U.p^fR,]Z>wi{S@ï؍lce׻&M#3 c+M FH9( cl? KL)ĖÎ^wf#\@7Lt6.r2z NJnl`˗hdpdzz~1~3,grhD1IkS~]^8o˸=俷=\0?Kgڗ,p!y0n~PlCzq280/B!ga['嗱]>`КՅº*tBC%ڗhPJVEdˎCᦈj(G|f\{ ¾./VM i`\VȺB@WT6cΑvF_7~MǽFȈ C ]7X%g@\.s!]TvޭS7/ЛM |V0h(,<ʒwԝh-M:0c=4CL+c[|=jlCTOQ\Zk 3:h䣼'T]]l(4i%̞#[ U?9Yfx|%K<QXr*~%'{ouo'gͲ֏5-FӝE?7r=7noxQ@d}pI:4Er6]ymj#E.r4 j 3;ַD,*&[Y' !G1 Q#hgsB6Zq&)H&ܓu?PRJqu.QK&Laۀ4$Ep B?RVaz@1t7?LF #JEްfq,iKj(C;H3vbxԉ}7{T,I7ڍWЅGQ>Q]/^UH0ximň'D#`&uԡ*YY}ivx8|]GAd=a]yw1C!BO|_TiĆFT0F 52y%q{u{C틡I0'LI8ùi񛹀æJ-1/<&`o)o4K..yˈD a}t^]W~÷:-tøW}~D($V-L8ϽOp"5\@* 8) qP0LQC2Wl>jfH3jx);gslzU5>kA:#P`̫l ڰ]4\2R:S]Ы<:$¿,uݢ{7=Ko|ChG0ϝk <; l!IJƥ,S4|+?.F["_;ZWyr/ǍSQOT-$<=R%\1Z-M8- ʭ36j'gN;W9FL RHk!] ;iM);g)˛?Ր|)2$[O:6 PFhox[e01(=u뭷Â<<,[8R]z֩z> ՚cbX[ozNJwʎt>]BLxn ŻYU2\oJ](ms{lE\,yGS4^< 8j\f?Ts9{-0d 睓o!:>C]}S2WӀpUMdVO2J4چ~6hw?QI%viM|Fn|*b=<Vd9j])[(J7;Z_b<`[A^|%CO]#;_d8:*¤0C!_ҟJL5Gw_5ɏ0?Y عn=}Ei壀is{wޛ`t]لyF9X/H0& #b^c{q)=l~jv}_ m_i6"A\K8 AѲv>7ʱy+U;D} .ʋ$b0Hm=:9EF$9P8?ԔW,YȽ ?,ݪ ([p7PsxߦPkF,5Ko״fO[+d8މQ\ -Z,J>}ʖ$Y z?Q p{GcNb4٩8LzӣGjʦ'peϚ+-OwA_չ^~S*n;9Y=ZӨ; tj;X6}DJz {Z<HVlZz7l3r?؄s,G+B+ ól| h-1Ԡ,~"c[' - KycUf㏨sr&ļ}[M٢EhhIK~) _Wc(Q?Cbd kAT~?09'Z\cjc?hhEҮfj C c_NX3=mYi=VL)2?A=NzsZnmӇ?q4tvivU ו# B(WQ@Vy5_q35SfRl m؞h $NutuC K.gHuv(6"d*" ʞ5FG UsX %{tgmꢇs[doK"R8HpW~I3s敵j¿Yt,Z3n9I_{׫ ko1-ga>?w/i#`JX\Yw/Е^. 3s"Hkd{u8&C{iү9M i d{itF+4Hc6|M^WIaaDeoɰPJvT։ٚk<_ՒH:v\ #b2 ($7/q3DD1ϩYC?!B!u^š'[]kN0 "yT*90G(xAzfǐkXOF"r~ً4gO\ćhX^Z"GTVrj-`b}x?:$'F &6,fxa1#+`FGu_ "[ ;sc%v : *Hܜ>䠨V1`it%/Lr]t%H9븫S@5IʉxN$T*ϛ?;>p[ÎPHՁG?@D%0Y瀅vkPh2MҕGm6{QOBk E RrX`v e h@q/}8aKԃM=Fn&Iߧ\Ecrual1;G%k\wmph1'7nnαDHy:Lmo592=%LÞmZX_}%x¨EʮQ̣`&-"žb\@C]B/fjfM'>=3Q?Ab3%{@$ASS[-{Zغ%FI#+&62?SQi!²bކV~rz1 KZ t2O{̔͡ ZU'ѱzF纯iwNҴH,-‡tɄ#::،V~=H3I%YYo!]`)Gm5U{86:!'VĄ0kB{u| *͝kj a 1gsTUvTߠ:Ap}K.$^:/ ؟ =C7r5hpdDij)R<`RFt!>D:r1ii @ұ,RX ).&:r PWs,[(eH5zSs6P9}n//{~)K:$ \% ߯QVzY I5Lr!Eڟ8MYXn=OytYRHA*9)X57ば(UН Zo[w 1$ c@c hm#*+pH9dV~z\*[+). [WI`2ѯ]m)[T3Y@4:KJ҃|mY5oș׻%Pf=Mj(Q: 29e<+gF |3+S;R1dؔ BW~̓go^e?,Հo;(A IpbVUͭ栤7W>J#v,1ƫ~ԌMjjOd)x;+}^Կ- {Ƥ9%H&-bжџ7q`ɋG9zHnMӳ' 6*6S&t=76qrEnKMS&vЇt(u!Z(*+ +.#ýB;h{Gl0f\vP%dH: ledbߑ剫{rrpZy~LЕr2We3A G@̘ ֑u6ybV?s!@9)MR>PU0wB,^:,r{ZbmPi^4U O+rLZr̡dLZbHvPy4tsʿ2\0Un'eY,UL7CU <5,ej+hBaHB jE'XkْíazfD>WƦv6"tN^BG_ճOך!GJrJ(>!=`R';XdsWلTHO IL6~YC称-Q;}Bфvb w6'q+雮g * $[xG:2Gb}Z~3:BO4VV@֝ѵc . U&KlL渇v$;er*n>.8VwOmIo%!ttJn-XNlNK,K-4/_qNXҩeD@5N¢UcwfdX^OvPY"qrBl0?{qd|B#܂m`r/ nB{V R{)SGmE#MwBY#/t3&uַ;ar]}OߒTVAMUp>AZ|B?%V#ʙsj$_n 9aQUd)g:wg}p|ڼ}{iƣ!LɵYN|!lWz3Ӧٵ_6H(u%\ecSRydMiCAd Y -C-|/C#y@eQݏ6Zυ DFЋj-Ns-Y{r1~ފE CTtUZQ'79# eQXW1J2j!wG:2fڮnVo~w8xoOP(I͙j|\gUP#M}z?e >hVFg[/(P4$wŊkŮ*O:){\B%ִyJ M2.+ B㙼,shNs$ `4;%kBv'q`i` T`n_9*vejbHy V1pfrND@߃:4##[1cBd,2σjHLJw!b$bWheˁusJ$;8efhق KZ8 =KSѰǩeRqm0x\G >;!^ C5i,ys1?G28x+=\6Ś{q^Z   &y:YQīy&&^ﶼk?UK! Uj*Mܙ$P܍4s0J)QPʤӈȖ\ &ss DQ=? f1$ࢥs # !;ʷ˭], (Ϡ]@G񕮃bs"Zܱᡙc?3`wtĸ̾]ݱ>P Վ ߣo9]{O p漌)% Bcb?$xpy+ UlJېVrq4::߶)ǍoԞ`!3VQ{X !•X~%B#Z$t܄tjCq!ùǃahɞ;OG&,i 9eDjӝXSމYƥbrbMΉXi'4kOFIMΗ"6g&/3_*]#+aV)r;ViquRd~{Y{Y.ݺѴgL'W=iqqgIy{>G%I_S巘 i*? |ӶyˑQ gY1@)0o$>VdLU奬O>ݶC@ 0ς(94^?ʾ(O)yD$RuY`b:󴦅 H$>o"dL),82*c#[dlP\YqGƑ{Vg9dT6TY}#VJdrBxk䞂C!:K L\Ѕu - "DDBd0y&1&I(7Uk}TҁnVXW<߬r5쵹aD&ni]JU_"r4W(\Rg&셸eq\ewnJ#aAD=&91U;]ULhgV1ъmj7ݦh@7-P|Y/.b!b9cmJMc&wbjf[:;TI";7zW}E)|As4dX9)nqn$_XnC9TbH=]O_-{ }}8-uW\ⷥ5"A W9J ĉ&LL!gAHo&^US_@ٜ^* #F.il…ITA7"ٵ;~%9 @UU)G&,F  g[Xv;:i"izuQ_#Mo~ UN )D'`4#gx9aМ@)銀Q۫2CD,%/LC(0}ҵ 1&QTxCʅ/St{*bc",ayI3آqd;{K~LHֹ|o yf{xt+[k!ASբNnﯪ V_pj;^0%DiP[ ~mgfFE&ݯfe' L,?(y}i"rJBx\rN>i FW`7RN,P_xy~ xЈz3Acn}‹uSƏ=w2]r4R@c\v\Rn2f{ݕÄrdy!l} &|@*,D-h텆?Bh1UvHk{dK{;9 2,k}=t& !>IS%=ȝ -l:X} }!YKZD^skc# ̲ <~DB3+2U(=a?9Jr1"Uk{^gQ ʳ蟤 %_jIl!'rOA>;k+I j3hPYk< |$X\?kԼS.(Fo/967ԗb=J"6+S96$2VEb]9`r52t!ٖe/qx́l\ .jb6 ] aẪ78ΉbwYsNϟFw!j=@b5u`V}F8̴&ԟO Q{2aS6x@ w$ŞEq}!mo!GH^V-[KƘ,,[|ØhoĴbhn)xA~DB2P'|bFCR" A'O9\J+zsF :V=ZqK]$n,9Af6%uA!'*0.Ts^;ӄ 0/xb&ϓ?͙!Ӣ[_5۽Vw#b5j_ʌ# |h "hۣvE!zx-LlYu۠:Opc0X k|D/&bte7iFR*|ɍ(&wf GauĠCS)re9eD ^@X >%\J8!f<`|QWf~Band&ό7EO tRVBwϨHLemx0hg-U6dnOP+~'o8\+ M;vu쉗A{/d5L? F4νk'e1 hFJmg<-3MɛPk sWÿ'`:&99b E?[։ypЉ̲WZŽF`XRWXF70ז΃DZeA۽,fT3@Nu`ۧ.i]z5; ݆t&0׏j\(-]ercku6k;+AOHW3Bj'!O},d=RXo}{N'6bI͌>4a[F_@] v RvM67 2N&ZҞnʆ8ΥJO?|H ]Kz8h2dgm <=hN_6-LvP<y GOֳccW_r>4i.)~oTmKp:boYM 'CF,ZD9V o zgI{ʖ_AC}GG)Siʰ/OxCs`׸OTs~cTPe݃þ^I yS2MDr6 xLG?VE?qI?B@pA5!'euKz=+B |5 XPjM^)& {&Nze2g3)R4/s)B v)'n2 5AؖVTe.e U/U0cB5ֈ K ]x2+Й4Y}|%Xs2fdP]e9aV[l$f-qjkdJH6HJʲAMC963s2ȩ8wM HiX}*j' y|A#"qrD}yUCSVcO.mù(}V诱-@ U^vU fth)Qy}T˃u 1o<eyON?f҆G|k(MU3E}ۦ踻l|5^J~NPm/*.T!yd-)ۆLnF,~ɦd =ru]}~wK+Kْϖpd\aY1GIw"Ti&zWˎZ@urZ, G"Hx h8( QE:tCUTyGHr!s ,@g8I2kީ \0 ֞`ia>#)Vu4M[M#WNc_T>CSRdnz}aTBLX<o27u6^ecoL~ N-6 A${.,TifZ §颗)"Pp۔k;X1լ\F] 4{b "Š @jJ!Q:,ri ds|l SKO&789{YKknRq+OKNCdF4RTUNwtт4sjP~+'ёb$'m!A͇܇2iۄ?>lkniK$CT &a]ȇ  |+OQ+&8m6aEM)V*Q[';ڣ_7eܨ=i&aCzF|1Aف;@9G߹5|Q\{iXqۭEVkg硛ߙq} N_69*DovѨ@\`Q5ҿ ĒMe,n}KV)1a6 ʕ[{%zdzmr cBKRzg /:&{aXhf|O2 vKFspecj!Q` 1h, ~ =^/g K}+hݳ GYQ tA6ҪrPI#`:x6tJqV.o兘-QPO؏g@! ᘻHnT{vÁx_[OaZ1K\"UiG_pJE?a;*BW7P/RgrC@=TAfoSs WͲw:5z% oes2h8OJ\b*:WE@T0J9Nm uK 2{Hr[.pȡ$78o{Ub^n QaO 40g/2$: x* iA|88b;kጪPZmԯa;(Yvjm"m!{8  ߏ2A@(70mھo^pn!%4 \Rj=PNoXȺyNe[Z$-1 a# b +FYIN"f8rT[i9t^+LҢ$q2 \rnY!;8.QCS{>FWo(=_0Y,@ z170j!_ ] LD$#Յ zjHxHc@ί7ﶣu͂芗q/6F(") "U\ŶEzv'|4;#p?5"QnvB:ɍ[rAhxXv1(O!:{k:;H}hQ뒀*%,$g u'#9ڲy8w҅[03\P3)`j ˅P7b@)mi;{G B*Ox!qD$A2ߧHFpI϶ݿFrR7z|3I_>=.! w;dE3[/crlmUp͐:B*Y,~цeZ m; !s}(=8 Ęo S Аr6v:Gmןi. ʵE3/c8 Vz?phP5pr!ztI Tj=g[FQ*=eOih3~.z:""0tGA pCb%sb+[Cv6(UWo{{c{fMm=8wUƫ7OvXڳO hF<|W=I6&(sA8l& ,/k5l\Nd 9a$3/ d^J2Ey$21S Vd0Lo7!1{"mIn&3Y!nqN8J `sT-f .OF}aeFDk޼[9Cp4lKJϷYp콘pwm \ަX2@+˖Qk-dJuO M-p TBhAkN"'՘Yv$p@b)P5)}4NsFb#ߝ/_!qA%-w\t1)@0~$E#W5q\Qa6 }I.Y;6RS#ր|RrzQ Do'J$^"](Ix~Hd8[geCF1\츔z.C͋qxmnfJϛT w`t! |#yzЋWiS]F9-14BP:;SmEPk%/ O$V#HB _'Ι~x.tqG˼ߖf :*3q vx;}䊷lI8dFV&"1%UͮI3%vuKQiEfiVO (6S }UR4n_ 1{obWQY&Ыh]ox\mt%CrRr>At 2ƪ=r!wU2]#J9Q=aԡt;?ْrKbj]H nXt{$I? ES fua7ܵJhtrȉ7XQ)W>D8HT Bxze}J r|SJ7=o xP3vok<0s&@.qJw' jI M ;㶴6V;}M  K'unQ mso+F Ӷ.~i 4RsϽr)lPtfM}|+jV]pW=~tJy~k9G*X8ɼ2 ̍B]].j-̤ MbU:J RY|]r_ՑۘD* {y؟>M? 25Ț,,뙂n^ȥ< &Nj'0m4|N\f[&j>8=ZlץNtr4 :ned 0ӏ4%:$7k*wMpnL@Ft|Cfs3}zr`qan#'^ c7!P,Ǯ85}^ET"hD~.FQxLV,lHo#$IAx-ZlJ$؃gn/_PČ`ܨZkZ>|j}tM^L) uAɕ0ԅxy>*.zǛ}˶!O^c䵄JB"C*i7r:w$!E>^+?Q 0 +C-ĭw~ OÑgj! ZC@'Ɠx WF ZY|T`Pks`aUKaԴ1pˆ']@ZVŸ9WE#Af,wVffEQv1dO 9)`j{jrp=f&b,[)q3 ג$$8;3Jh4WT*MjD`ױS=Լ{9)7k0b!SeHAҟ'kĄDoq߫ TYd\^2܉b׭U|totV:ˍiEEGSl1nĨ;k6_R_ǻ(ڗs*9H6=8 2\"FnDQт20ft=OU?,DPֽysA}TϴUH 1Pij=G}J_E["aЏ&SR yYk `P:-Ջma Rvτp~wXsK[jycX^^P٪]9-Fni:ڝv8"^-Y%#;3$Z.eCvOЃ gb;p7%R^!ۥV4k[@R@SeO.B!)Z{-6q7/K1/G,]"9"e.<1k 5b;AKfF"7t-vVXOͧX .Kɲ떞G|ϣ3KJ*m` Aңqxid5#_oi|& +03[;nqo&Ar&q[ ߢ??a*x^>E\;:ys :f^9@6Ei!&x.YEan/5{*?kƱ|jNZ^xnO W EYGLnQzqtV5>mu{롆@8^`sfNv7߿ˊIqcOcf e-F0jJΟIw$QHwk.PC^V`40A6UofQ H"d!bܔ(|ӍU?ؖivɹZI#3rӦZ,ʽ~+%yڳeGhBKSpj|vŜ@&g6_teCߜt~ix.NJ꜐1:547%H4O,'CH,l"p 7A|ZW btN$7nvӄa۫p(_pq ɑ=5¯gLR0y^Ü&%`ꅘ&˫0B$0}UW4+WV~32@lf&H6´'fm}<[!J 1A#jOd"ᒑ2EKsRv=VI~ ?/0F [D9pM'l{l,Xw'5ƌ^(v-|{A\WΕ;O+5gOץ}-##F2),d)'dgojh4bp;|js@{lLjϿ7R.am8l;X7.4 6$ Qq[ǚP[sYթlVĨKgS[&3;y%b\;"b1*;t{}SgҬrs";l߂[hfI&"G#I00ܒX[$ąErk; d}s ou_n245 ባn{ZM|q]j9 E0]z]Kl(X{0>I[+!O~|uޡB\O3~:77Q1sczc sA|I*f^*Ke`<OMKiyL([/y{!HN{R[n6@T LQO{rCBKODpbzgMֶ!$~U&J|NȨ Bv9JWFYRd{;,7е$mz\nƢϹXa9k&֤0L Ry@h1KaY8iscpyu.zDbQ3 >0IgI!Խ 8\s)ZвAiپB-p>=A'8cw TA66Pfiv{X]^@*g( TM_n & Ȱ'Cg~n`_۬r>-rWϜYff?T/ā9ir];Z(X~>*C;cE'j^&<ʹ`2)?_" %z 8ZA˓sKYͦo9^@+ZɃ9XYYFD @b4N.o4xs:Y9:: 2+c? W K'XfO"mycstwum4=䤈.!g@ Ͼ3j hG,xaBq%|u) 6>iL-3Tsh[`MT]FtY3͊6X%C)hZFc9ܐtw]R =73 Rɠ-_ѓ+a`E==NZ'Τk.JSZ\>oC?Sș0]۠P3O><}Ϳ ꂝ΂h]~ѣLAJH#̅ǻ; ! @$NakSwg\Ԣd׽܌n$=;[4wYi>`yM3?Ͱ3Hb 4p9X"t%5A:3k [x%?dC) y##BKK谞 Jݣ*f~tsuli؛)scUj/ġS&L0H[Ipm1O6He}$־LY"*v3ZOG ()9[x$k<lXDޟ\񒏘JK7t-Z pPødxfiɬ=s[b &q'Pn* PV;0 j1Lb EA t T<GG?k:nP(m *ڞ(?Mfj[ JT5 k)˼l 2Pmi o ҏ&|s$h Nif]Zv +mx d&4OXbzcW@sh"P t>1X*GFb9"慺 {ֽr‘+&FNbw*[ * I%d2l#-5K_#ׂ*BNn*»>R& Gcc|I~7ׂX fY(GX'UB]~)yK59N< 5Xy` 88;ag+#nfUzlgH,_FM*?|էM%{0艒,MӭuR~s*HrޟhzDʢWQD!FG/EMUQvj|.wQGxd"G?h&wW)hCD0(!g:N 31T.97h<d>@fĻ]6-Gwy?*bpf~X/x?h:nMjPW!4 Ԭv&u5#+Wl`*oE`olV (E/JiA}?;KٰeCl;5u&$-^jX8K`ֲ/Hi$^L!lvyүE*%"{|$JOi|u @tQ$9%؞BY#E*b@?*E1(ݮw)U ŢBڑC&6\%Nw$T 8)XᤴugQȔ@]y|55:_At8a: RxhmI+PYyUڠ979lD($TC^֕V ;*>鳭ؠגbm&6avO'-fPWoѬ:2o"oNfY-T0_$VY^ϵ0W(W÷x5!Y;5[UH33ӯ 2t B. <>4o#6>17 aN^VzN2հ椳iyG.')BsO=y`fBy2zjXEJmWh!c^ZR p"OÔmvrmXH:g $V&aIܝCuU$zy-9O0 U`7?cylaoBb0Tք\ds;G5NcRO6H I&"I2 وS kT~Io}ő/l}UV~5ˌ7-4@R΋vRڐQ'p099$ vixE[!iJl>^ +OcT40E|hBj㷦d*d,{-iGmҞ!T16?GX$IyiT۵>~LƹջIl-B:}wY33\ Jrs{n:Cb3EGa;Q-ʢ%I/u'rƱ&kafņHB l;иO֙ P86TL:Dzw՞m6_E;T]~H,͸SVYv*ʏ3]v@J>񄫁(?5*J0K5֝b>4vǮd[AhH".aѥ5Cy 66~JQbRrGpw7<$ ao3:;(ː[0Mn"O M>Hʤ%YO 5Ўm(Hdc&Kv RgˑPl%L݆@Ӈ>96ZC鮜RsDj', 1Vz_:oh}B$3}k-!i1([²tw bE`bJi`sdg r 8K}~K)AVU|aLLqbnrZkw] 'l(Ly:HsJ{GTGUW!a_$=utޡ/ri>8\t ɏ&fmn8.DkGK>%vXH,)1ÑUV:vk}eGɥXJ!}^\U moa^x{^{*H&x+ ,iI)XxOxpMEԇ_vǼbG41)zDrNRGꛃ@! b}bSEv92 v=Q q~K&6j&#cK B_'ݮQroԗZFS6Q5>YaMV ` #ѢUu[xml1NK~YiH`j3++K4+K&]aH"5-Fw6 8~ ՀO 7c1VB6A`ѷ 7Ѯzo+'M#a~sb'=kG3b𳉸C .>g5 RԼ?M|c&fS?]6sʞבV}wIc3̦YN͜d/x+HEF6zkMHrH eIcC)}T!t:|bu;̡_)? A@VC;s,}4AEdb 3ƽᯡq $juRSv&7]E*#&JIa 56ޯ_X4Q{aEcư޵=F-a߻rP#0s(V;2g+Mic1(͔ tf6ScR8j:xn(!$:Q}bJ btaYQs}uH RzQ`3IDSNXWBb9ZBhΕ/rz .I֬vQP[_BODRk|&iO\$)U8WBE~#wg6,Z>@qJ'#*}?8k:++e^|°ʋAms@06´)6%'Mz [=YU .LM\S?ylz=q*rZ$wG[%U+Uarߍ((ʭoZ?OBBLx*+/b9WrۘREVxo˕* g܂F7ަS6PW v ?35{;<|ճG|O)9"*rP!C#k 駸6FUR ;UZrrrh[ ~TD9\Tgt:=avR hP&`%5A?6b5Ӎjº8FSۗ{P!sh+M=lFUT\qQk4IS{MO0Ӗ/4ycK"f\fh 7TK 2Ve t+R8dN,Vm ĀReI3kQ8ة2 %漐POzQі"\ZjI'ڙq~3RwNbErʓ&Ix7ă=ZFFn= ץrJA< SND9 #)ACm$VK0uLП"՚1{lE֗WfQ17x9|2OH #n`?kb]  .xsɆ& \xV.aiWEM"˅C* rq]O oF҇ɍI+.'w3 O3%.WOj] TM:ؔ c%\J)c{d:Ar#@XmI(6+7HB q™-Fh=: PT|e!*tZL| ΍'dHyL-a*'`2%/wTeaN֒Ba\vQ{'r|XHJ?;2EMiέY%N)o|6< 7s]GDQ~Fqɥ1D,Gf:NsIξ|*NyV~w3ϒ8?kPnѦ\!AMLG%\٢'ImMԈ>-fJ 3i$RK3.k4+ǯwƔ?Rq|e$IP5E'dL@H2 :=Y3 e ӝH2ðkq6g(w".Юr]r`2kJ bQ ůzP\7K)+z|{ie{s_oX!UB2Fjd&SmP<)T;gmwz3J+']"^y&֓_9m?Hk?_y-|,DϢwK*If%Ux~z@[`39_$5̺&In_0V5~ To-,ǎc ӒOQPZ3C' ;n.j'hyW[ \LJ>߷՟ a9~Fa8Y2/>?^|!YNVը)>3m)j"!^D@ MLkT~IR2(OUyچћxqtbD2qu$V*Qcc-d.sV1^1yo 慘ȹS鰸?t*y->ļ,Kr[˞^z2ʫ˭6Z#Uբ.;7 e~"cdcWKƗ+WkN;ǀњdTJw0"J7A>#).j?Ԭ29ҥ0;N>_^xU>?n;%!*1t_E2 OGbXX]t䅺z#ɸa+2@2;qD.f׫ZkIwwۥWa.IQ/T*ܒX5$\Ȟd wi˺LH'i= 5wedP8NJ\?H;Ikl_+_50w1,Lټ4&D ȠfEoS2߂DI`/?! f|DbO}Kvkf9\e\VL:лߧ6,ǒVA#`%< kQ5wLKK*:P'i!h+ƒ1~,$\QQ0 |Bj]Ft[>̔cLQ{2AIY޷`+`J\ɳd!M7 с-'%VYb#9S.h3e*;A\6'z"ű Ekt݇pxp6tde8&tDOs4؇QٔY4]0[ ZLk޴X 6ņrEOJ?DRjvBQui:IdU <ȿ?A9Ut3:4`!H1DKlu-pa2,<𢤾qFڴH E0gP]Px1 0hC9b z ~)&E:>U@ <!ӪE +٦C`@f.xl)G4D3Q[Ъ}K`doCqLPhGKM\hW)LkH+gc $T!?E25Z"՝ԏ_|leuRy0N:LKGa)'|bXB\C(ӡٮerR fxMPV&բAUmcqzy@8w\e{͎wZpa3WmA %Wy>Uv &-ޜokT^w)NAsRPQʜp"Q=4 Ra;F«|N|hY3gO:jMSQyh%8 ihHިO|ֆZ3lKgjMr^}mv( @el#U# J9 j8s/ y#1q K0܋L;l髷L`G4ڛI1rC i*waxHʼnq |1--ׯGq4uRǽ6V51;ϩs;p^1!c9[q}0u*>A(Wf fGGΏŁ,1";l}0ADA4;5h⭙I}NRkkۀ\iFS1C\٫g)[\]S88.WCŗ+IyT(uUW&{mΘDU<@)u +[½oīJCj#Þőַd8h òj ,/D?j#/1Hxr?:"pVbLH( qL9K3OA64K ͪhc ѦmVo=B怋iҏBEeY?'&"|s9s a!C^I~Cr{2Tϸ1Qt0%,ѻp Q#Y~Lu8&b ~TD]>f_(cdAI~O)"mm3V3n;giE$El;o~^M-~(6_ ?;&{ J1WOֵ*~G>KQ_Om#z3)# 87Ρm= ȕv C%B#woz/s Lɰl[%<$Q87XGb;W/0b?B>Nd'6JfA [<[ձxtV1<Ƒ!Ni+dJh歑0({B; ~\&, Sg7=cI$ z5@46yL u=E8~qgN#Fl1 ˿ưsAbq%_Mx`$J:{X(/ΌhA@Q~tX]5,dm5?ԍgp]M)AW|9 +X]ݓڅa(My4رޘePUuT2 +Rt2W rnw[i| PuaתHz,4a/H *"^I6cY3{ tbI԰Lo~+2&kMx[ohr) 7񞄹uB!N]CSTT$+^JbK)?"[*!܃%7TV&_Lo:=PWA~ ǺV,K2dGBC88n#!㿎f P .޳({tERz`n6?E'8OLxrɼ:}𲹄AqφUة_#c. o%xl- "໫cc˦)${#^;CH.Te]:KrY{cb;]+5jeK;WZjRW"A%Dl) ݔEױSPw35<۬!(V#(@!r~hD -_;"nS0k JҠLm:O):rΕ,qH)\,;`xטW+!Q .Hm: Ke3nӹ1?85|^DS'&u<]F6)RAo?J֨aYy gP<;T#lNQw.ӡȭ/ݬe\=Be OSLL_ج"GNloYөaΘ8a-)fxs㹡ղ%Qc jD-yPEr )Ɗ3DL뻵QqaoD!8*H8G4ڈfrUFT8"D-6lhH˰tE9<έ{8hJ2lX_{l"q}=2lo-בqj *1tAςU\_+`<³k}s Ţ1)^ǬR`d B` gg]bR5 S*es)Rhҭ*!I'?v =L laP8Lx?C؁@F[DK$WOƒXsyC~@GO4>$!-Pz*Xϝxc b,ȯzXoDF5QYUB\=̲T 荝4N]/CH;y@!z;8D"m n]=<DYPt%rT,= RQq64`JklsʢlG+{ |ν_ z02 bWj;{>M';Xjl]jj7Ջ442: mm 0ES (DX˒` m#gK{_7K^wY{]_tS[_pCj[&Pqn O6.NߴDØq'Vx #޴DF^bROKu3:P+:@D1lwPt2(ɤ#6 ?F᥅N}~gtؑ!9AM;p]I$_M%Ztj}-E@D(a<~;,W86DMk(A-wPr$ hŒ$m6٘wWh#>:ÜuK-H-}`ЁЃ'"a.b^ b&Y1»$%8T2 :KsT<_wÀSj,: P,|KhQP_^JauQU7{W?MVSNCƶY58t'.; CYߨy\d &]OG* uIU> wxmӱ#ə,56Ag+^ *16FHyVA-IM  )_%]C*G|c̕eUg:ojbO>7a1Ņ>'!0( DG~> +_C(vH)3YF4M~p$C%.p)2G+X"럵J]ǵ(H fv#ϟ:%{ =Bп-y8~MkJj;+'0_5ܠer"bXaBsoE2 d+l.Eބi?HCx1p:rmGPqD]k יK*X`d߬46fVJ,_6i\*03}Y_K`, ;VoW*Ǐ3B+_j(y`aEFO<1#[7rr:n(^NL7wY-`FݸŸ/TMnV⢲D.R} H&PfiZzĨk}]8;g:`=3xO^zóHyH'ps︋]'m_*7enQS%8q9Vm9{˯}\>T Yn!paVyxIqIO !JߦW1he05YAH 0 $?󅎍/Ezmir-ñ涟l˫\I]%-D,T8qzW)Snԇj01 *J2%?bbM=&fm TP#iR nF0ێe|إSVWզ_؝7eQѼϟf'0(0%BBw0ͥ rIZ鰑'hՂ@EEc2g[]|@t{seXmF$56xA@<3dGnKAeKA>_@mO/SH7/Z~sa|D1wmW2ACwcZrin*ަ3=Fgu~\-,ԪkFB} ࿰t3.T~ht P_d2E5&>2t5<3x4<]`|tMQWP…aP~)rO h4 6xczQ5:JM-YsJeJ3Iu<:u8B}Gx8AO@wO:gۂzaŊ}iF͆(s?m`<"!KOiR.2]!,v%zJ%jBA~7J?}c ġMXkKrd-&)jG9g X wKxyc(3%8WHEؽ6II;o3+^V6c}rKch>{YBuKQ&=ͩ_*?ヸ#Svn٠W qTu, 쳭./L"x@{1:t4 dovBK2t+Hw;4T⾝q'W]ƖhL { Ǔ"[#D"bIMo Bk p*KB=1?'<$2a r) (+Gˆ94 n N߀` B)Чh-uC*\kP˴ReR@7Y5%pઞ+^w =aysn. ɿ+Cש!(^.&""=uė%6'U]v ca9wK"i˫% M}CE(aŵL9 vZ`췺ǰ' GITw4]O hx8.gFsz/:(gR=K+𚴣o:!n 3Eym! F^*I }qFE\˲F;G TfΠћ3q|\cq-wM|贡'( vo4E 㖫&(;bu5lΓ X>w\@ڤ_rz{5c٣<ٍtC1hCמd4 <*l#S na-:b^/Z5T&.Wgt]r.YR72)}(߰Y4{Dυ+n[.?t1bQ:9針} 5VֹGƧ]wiV$5yJSJNts+/VuAò!,zdkܡ_&k )]håˢq]l" 4ж]'}\Q~Hf8ګ`g1nOֺdcI5Oxzn9dQJ ۼ=!O r! 89_ ףP2XȾa+ -h->ߡߛ?sw{(z~$ԺGlA4#%2Zd:{wR,{Hji& tpx͂ ؐLӶ4_6Oza][}RQ2D"(¼ǭ XTʓsSE)t$`Q 3A|,H j؉q3 >8)'$xQ$ p_ IX,KĪfcs:B"ByV,q{^m#00/cWqbfFߓ4;㨉u \W}κo2qsSs`qF#hx~!oѼ_^t{qWi!_7CDAZKX( 냑M4䘠ԏ&_F6VҊvηI 6% h6Jw(hHx+6 m >b4x6K ݻЃ<j7.RӐ}|r "#.*33\TT$hƗ_!%1CI+dRՔ5hAc׵R~YnNYl F.7PVVԐ\bΗۇ[ڞOĘGAnuKMMnH4'}6V,ll$:cbڍp5_Y;YDKm ~ri4̘KD:a~iJ-lG7}MJwΖ;2T=_ɽB}"CҬ߯T4&t٩ade%neo.hrrgyU~ht5cd[`cOun;rq+Z68 ji /S *.U=xQDWkCZˇM-j5% tS?z z0vwv}Hl$|ztC|>Ua˭3#`@yx$kڊj*R%@~]!z尷Od/HD{ jBNWc78,y{R^kgZJ; >jdoRɎZ&.r'tRRFHʐ\O/-{ae r _z6; !#%mP#ъa_{r[j\7tZ+M󝚀\#0s% z.wpC:Hu$D8䋥k7I8@G~6)Wp+I: a3KÛE|@W ht@kt4.{ѻ$PN}YkoFs2%/ 6@C9Ss[5 :nt/y Rn[W\_֦3gyZW;'[Ruj:&D䳐Mj۱ٮd%[=RBJD'S J E;3{U\c?[1S-*c d9d?VNFDDkTw3%x`:D_fſ"J%ԋ0 vl1$1E Tw}ܑC ]N z_Wi&<.{OHyW!!bVC  h1i.%7Qw&֛Ģ2qL<;:D=` Ec08hڱƻ4~Ѳ5)%oзM\&`*(ɳp|Qzi UƿrOVtb/s\MD!M^!Z**08wY!>A5̓yb&;}q*A=7bcRj4B,"e=tQK1h(SAŅ?_POE7ez~-xm$&;|Ti҈5 8uBeSPO1UPf:iVjD^GQLp!#Fl8|U_Ae2!'0g&q+i $҈H[}"] ά̡DWf $VL^_LC!]BmGk׊-0FlrBˤ΀G&ϭ-JP% Hd{dkGw9dc M䇹o|z[nfA6K*/6i e>J#'A~FD hkbWΨqgiturc4ovyUd^ƀSZ7B (A5,^ߋfCQ""U );X9]vLbR"@N-<A:gqwHHZ</Z~[yQ!bhؖ6& ܐ rq<+H7N9MY8,CAZ57$ơoGƿM >Ag{0Nó-Е^{ }ȔZt&n.ڗ} m9_\;1FZqwEa0#՘T'`٦vɭ=C8{ʕ2RvT: }xOK@o]sq%ՕXVD5 %̱\ MɼgXyj%wGm!b` :GQ (Ui7Ae=mVUI`wOhxϜtWCXB1>h] 9!d2{:A@]Qu1' *Km{}iaq>KO<ФD c847/\)Tc 8_>G_1"V<^m*7i8/us+9C8 }V۴WBEw1FHJ[wHXIcqM+cUzʆf&2jqfԹjZeJPzo0E*2WAT&JFQ|ֈ%nH-pm6~-X1r~gzL4;jOo8BbSVHnU QbrR3pe|@^"IG2Dh5 ?GHkI *7TXՋ\p)!ѐVSd:NX NԧlG=PmT@CHS YV NH'}DSb>"8ܗTU&lT2~B~ë+O,/ Q"dZyұF th.W~:-.Z *]<ʹ x/WU0oڛ?o5I . 4jȣ Tr٠71Uן7pq_T#tN?h’*߅Wwoky#ѡ!lDd*tf^2Dpn 1dG0ȗЕ>^"؋qzJ=LD#/ (J킴\|sڛL!DWo.<"JbW>jø0-D-AS 'rs[Za%j4h'2$`4aR>,:#{iLp8G~‹ɝg]Qa.4SPsʁN , |rtphog! HKbnJOHa#͊V:]DS"W[[@{KAh|N&H/gY;S?" -kwfw!NHuV4FzL} tظıakZ=6 nT6u!"~'1ފ.OvZ({&]Ꟑ|T*BǛt׼H䢻 G| [3^Tic $hK 1JtЙJW ϸ=ft\Ѯc 4HX .|0*RĵpI{ÕXQx󟭇N92Fy}6MC.d,N6[+M/=02ߞ( 2Hk'M#PPk,tҦ~Yl띚^2L`#kT;f7.^m3jT_'o =Zy^|Arµ69#D W ٩6`+45hg^%_w͇/?hOJ'Xi~&s 8K<՛0,J n6jR/$P#AZЅ($Y J8W;V!Z^DrYO4|0iYrHnXUDJڑG4"lg}SV#` UWlb` w!gmo5>2m=31#Z'*=0|?-SП.~m4f@ 0Ц HG y3Htڼϖ:=y9\͚%uq~dZnU![O֩fiTʽ)]ap 4ʞXKQi@@h5%G 1jҾ~C+$ٙE"4x[Sm XEI!9EuUd{ByVIg1/HKgAvtKoc^`t9Lq)c׿ю F'|TA/A`Az$DBnyǫW6T(OYlOZǮ.h7Ƕ |^|@=[Ik_a´/]iZFt:$ƍmL8ܡ!Lha(U;_;z(mN螠,eQvd3lXYoadbtSd'x,*aiٷܟ J_p3p'Cs#>7|Rdӓ[Ge~MU7^{U):t87xe1ł@qr_AxƥɨKeCτH'whb? ]9Lmz;EVsy- Ic ;q$ `ȊEs9S 4Y}W$?#rEpW4%|d.pfKմC'fN="Z@GU{@{ҎэxLrganaS݈M6vٲ\ +Mt׵D!Va,$|ߤ;ҎUT!avWVokJ̫ B5$%Ua>FL%xiJi{_3OpZ9qo{M8!53.ù0\>4]:1;I&GR$fRt[%1>yb!W1,WKLHlɧo f>/h9kQu*Gķ=@AY9< K(ѹ$/EFϳƅӠ7?'Njֽ&7d= 9n Usr"G/x+O2a +Xv&~ǽZ72~ lx)Q c ȄjˑR|uE$( )(:1-,ʋUen97vo"A|'(yClO?N^_j팕}4;k7xc 훕iw ?(MKN5a#D!A֌wd 7[$f~4~}׹}ANe#d#Gt"3R(.VVj7VLm 3!HUYFiWe֧EcWݰ3 2dg!#. %yPLu~9I'mj:bY/q*le6,aטI%ٽw g\ŭluqWxGz_],[pY]۵[~qr~ R Ί`98=xh7XαK?tqhrUnCJʅlgmlxVgaj{jD^U~<+>E@:š+ 2H z(cQ J?.+_t?},b7M1r>Yգ){7އQJ?\&[|g~z=6?7j*[mcUy#x"mJ|d{wD9zqll'WN~7k4o|F +`q$UP(, 4S@ _~iuբ满 @(m8W9s#7*HU`'1eHp%;б^ֹO3~%'J">&M׃uN(( Vm+T5-5M|K0S+p ) w޶[w%BqBO=<QQG1!IdNJed}ya`Ӂ_#uFSk$8r23ԯjjNa1\Q*ƃ,M I:q%CjYEWGM,.GKqd6+ȱ Y(P2$̛0irM酽 w(s_Vb~z iG9\ t+؝Ե AuR$YL>`O\Pdj n~xzlVqri͔g0b꛳gEQ9683)6RD5 Q0'釔]b%g5Λ݁j'wj *.QS^kG}{lFT)Ǻo8e7_34c\śl: lz 13Hb+~#d!i/HBUF8Ѝ@7Jmnd|+C} q'o /XDt)b6PBkJrNA@_xD8 l5ɛ%& S Pw"8:,MQO."O#ƅ#BޝDvF-F$~WN-E{c"2dž,UE3bboMq1 V׺֟iE9Ip##x,upjZ&$3)asB燹zوFF8KvmZXO'..UMP?;=4avjI$Q?3?vNb,rbfhk'Qx%ޱu1\;-J64-۪0Ky:?׵]P897Wv"ezh%_N { @7-Ǘ$,kSvbE] tjsH!u=a46ǀ{@B`yL9-R[Jmn{aB݉ }cx"PY9kUKBНptRjn7p M3j*)+:yq(vA6*\jw=7%٭ (+(H\lm_4g<1.ĐZn V-DE`aE*Qڑ"' ze5CWC(rKp#cV&VirԢK+\ XƧ2m6.t5: wQC;K4 ʮdtPl鋝j?iė((?>orlqf^0Q>apm3-?S_LڀXK :SvFtšE1o#jCWbԙ cIx|0&zO"q3P-J)Nzd7:$Iܝ D-ti͋H~>)?(r̛$[On8<2[^{<>'!V&G}}J~N >%"C#[zhf8N}u)bzl j?ZhK%y۴g B pc6;8s񂪒6I8Z{*d2)\a -yw-@!0npm0X:2\kM^!hѨ]$C}[ [M0PU`1\SOyKlQ̥P9~(wl>kpH84Qjxg~8_|Bz\ \9"85Jw0w0:gU69o|ʾt[`D(2Go81$ X/M5^Áu[ƤAO^R]T}uȳq' ݷfOhmfoVS9RSE8ó屼yи 6,SNAВb"؟?He3q$ yxCA%n`jzq6 m]e> }ETÍ3 'p!6קj RW 6W џJKռx );@;2 L2D&Rw;@&E@6Chu~J\D0,h5z3y0&WV9vWstטڑxx`qUÉ ssu t2Ny4MK8 A&{{dn/c!J5=Md?n}P8h'021ft  s! 7. 8\ fWqX#E擥f>Lmbz叞eAAC0j )V[DSA ǴΤA*ڲy,5]t涼opy0'WB&Yr׎fIQbl +rH nm{4qdCUSڜl ;H$ T`{tЍPGW'EcP>i&?D[t|T)5Sy 5Wrfߎ-6G\y )ըJ7|@yL 9E 3kejQ%POT8E@sU%m(! *ue:\Z4u=m,iN7}h2_&6T#Z\xXϜ]~%gZ,Co?q-!CZs,Si 3^ #b0/Jl*ɍgQ:A9&WޝD#ʺQf3erHKwD&-uT`{vJ 1`%`{"+݀6 &8mnBBMvW?^ w͝pGXZy3,uidzlp3HP$<]ݳ~>D2oz>˕ZlZ'?E`ʺ2NPQƤy72SY6l7`&vG7w}!si Lc|tN ^џQ_ &d<27n%V6.(sm[.l 2Q3&$J ~49p~nlNJfS.ub<lg!& { 0CeE0fYUNV0ng%J˶1|q!0pD()sꠐ<[;o`Ena@T5?X;X16Qg"-z+ >yӍƼ M;O[Qz?qE?Anok%v1I/Ē*J8+gkul:",aNό|stPT Kq#eyWy$ƲDO(){L_QÆm 9FǧGt)M¼E/A1BTLuUij.Y¦\J^rYZ ck7-} [AdRh1g{YbHꀯ ӷ`3RY5k.?-CTGS;g)G,6n7 y}BHelOzQ?\#" w$s >soDKx=$Q;Oq ԅB*Z.n#O6nʘT`"l]63ϫS9DL-S myd 1&Κ b돡|fۊvԡl)ߤ3R/Gʘ~l)uhkCuT[6{"\|*tdٸNMpFm.x0wXxn '[|$77jI0{ Yq$*Og8aW$xXZ`uXBoHOj3RNd8ϋY?|c`h Tu6Dok*[İg J"6L#[W@DKe|b+-L"ޫ}AnZqA.-r9FTͣP{ξnqvCM<}oEejبP"`u7#f]ȠJ s^0y [eciBܯqGh&DEI`=|^,/ d>KۣMH&lN5꟮uP-6۰A tyWPYYA,vO=/ ¢ϓRQ IޥX5v}%X6-<2N*n/? *k me܁],Bɣp<*$O>1ղvi6kXUG:2ƋiāMy4]OXp[۬AJ:oxh)`鉜 6͡%E)v6Q`ejbsݐ_dtNJq`/JsZ %1%h r 4Q$}b_װ%u".-/' R>-^|;UhEx!nx: "Md(33eP,BZ<ܬT5 Xr}~)l_bLE"cntF74$k7TJ,Zἁy\p"yR97\.B _\*=`eLU3̑0x0n;04/[&@D y3BI̝4TKO(?E.z:zǬgtΫ"<5@Y?V8x:Ld.KA% `k!Mn|JNv)PpuԱw6[O1C)6/~rd%OjF4 =F.yO%mfܒAVi$LԤGwmUܕ^탏7w(8ae&ѩ瀉 FJܑ^ٴ%i̫sh+4>ѫ^MbQPSh(f^΍+2ƆOJF=D|}R:hs#5i2c f3*eL>!UHF*h@Ji$gl) b# x?%̽ynL]cJuup.`ʪs5H^JD"!>Ïo4~<+.W8#,Ioio2NC,\V*^aieNBCQ`[}yK]xw(a >+"M__5/MEMkYggQ e;Gs-s3$&cǠp_CbAlF>}uW-;]0"C{}iw d:%AXM%G:ᢠQg6tl$$I*Ixq3(2Xnތ +F |$,> la_ir," @b/>!D $)gN]NYlCўbkҔZ)! aA{PaT\A@PGPU$8V5+ !$4hD8C*mMU[I+IBFa*IVi2j\ߦ>O?z-=eaD*xkv'ɡ3$m/优{IU|(V-6#a]"PFS$^N9~_-JەFI>ϘC7p\%r~*Bv>b$DR5, < OF"JkQ~p>TG1#\&)=q QzشQMz1&Q#oI_G:#|xó5颺8bd&c<ٰvB֢O7xh_4wkN(TU]Uy.Z˜rzc3ǚ.{܀ d r>-XAе~%t8O N:}o{m=kQ%s4kA$)˟w{/LCQ@5}bvբM1Q>YcIY=hYyö_>Ip\ 4朎ʵz te`EukuB y-:Y"iGA:×t۰@B)cYY8kMjISX޴U7T jGtLH/ >[,mZl0U*%eIɺmz墏@ H٣p(:u!an!0j!yO$L2$0qӪ{ q?acjib z )$/3F7qeA"E,B7@͕VIӪ9nRbr!Izy .*6CjWֱ1ZuAծ)jw!qA|҇Ffs{8pݲ('n,؍;qW5K#O(3sٿ"܈KyfJYBWxJm54wStaa`̾N'Fqqܓ0b_,8" 4+ {tƀUumD7kD0& E>Lebkt6dUQM!ofS9VM=`tc0>SV͂qz5y|3T]60-(yWdXA\cpg{t6+3;>[ 37Vͅn;YnV\'AQŒI|+!UX[ȶɓ J&hgv'}C enXvmslcN  FcjŤ2W.bi܆ݭGz}3qd#ޅCQ=5J}B6s[j P?w'Q+<)[xbd#O f-soKMY]K ̵w "01Ù6 8nOz_n.8i2#Vd[> ҡK{QD$ٳ#j6l?QE2> )+2 L=ԭ(F4;u%3 }=sH$ ~ܩi6CHڥ+)'B[|*DA= M)R[w l:IO$ (P:}cs3MEt6>ݺǐ"* {4'V+1>C7q$P؎t e[_ e}NА4G%܀%n'6=_IotQ{߭^_oRB-fPJVf=,U.HI{~; 1_?nۗn; 'y窟YQȩ%ZpAx@4.ƙKp[.l*`նLCE e#Oa]DCM/J޳aIS<Q֮KkF# }ox YP,79.)'z6UsH`CPOBQauԇ~$ b+D幙_[(HOl#YH\k";;d&JXǘTFNEfR;Ӡ 3 NμMB.C"GN(d2,B F1]jN3U\*h .Hᔢ}v :Cָi#ƈe"91&iGD `(03]]\˒3(#҃@O nPU3۳lfP!pJ 'K(yc9-xjlwI܆\xYdJ2HLgld]brdQݓ>T2Q@ XDI[oP/RĨ "+;ZreuvD׾5%n!Ƶ01!i|,&% LiF]~d<A.FZ!N#/ O\RT zEn^Sd΍z!ir3F U*:-5Q}G_PPH4AhMAsMnP^X59,I|o;gߩ@A,"Y0#ǧ}q8jLL+3tS. >%OWLY9Q$dn@ B&C>_?^O:e T;zIH@#vز[q 6꣙qmO˧ވg0f$-y:{ ~,Im"W4bP;$~4 琺d)5P/DzBs &SyM:qk5#tϲWQ5%%ukLbA>=٨aINN^5"-m]s#J?wS 3ZE0ԤsPPI. b#.1B6RQpLc s;c>tUEg>_ z՛uYj@ !WcF#5P^j2e >G |ģ}AezZ{OoL,~ϘuzJjW@2!O;;iY -g]yJW )P[=v.])QD)^{LeH[!R98Lil g#S{YsT:0QQ-oq;UUGx^I&. .]xO#e~.2ǚ(UU_}q(}T}OΧɤ֤C݂Li&<%R_Cn9#ktﵶl|lDuyr4'([amy4EH=ܼݒ`A,g`6Bkvi2 E@(NwjwGyJM@u|9E_{bb')8řꤛ|%[+;[uNwY訣$c0j!.YHv9B7R-Y L;Eӹ)j7T^5]߀3[sծV$hhv6l"h? D {iRH/X0&KՅQy(pOm6?h]|U).ׄ]eJ'~MTmGK 71.Q3:ݗV/z;I4eRL=C5$2Fl +weЅ ~(Ihd׸șR0W;zB6wh-Y" }|``d,}y/:!\@ Bx'Ybo~s0 ,R̎ptozC Dصg V؇ SݶfeWs\ӼbΐcVo@EIJ\0_NTrjCq-$j (9!\3Ek;OLҫ"}yfY$8*%%9]uPہaʝ#kuCj%_Xr T06϶;Р]`>xd0ZWe#̳s CfVn2s$=ċ 4MYz?y^缫/-TWv70[ޑys6)dx,xeb֍KNdbj=3<*Tz{ܶRk $pdE4XBbۋ}E 97ZKԞtO8윫lX0=ZC n8NUCfP*4h{MHME7E1F[fb)r&̀fqE͆F5Ssa-B?ȯMg$|^a`y*4:vy wwB+V݂p=]HZC9{Wq`smFN0VXbq͏^a҆0>i|1JE Oi>dq@s6!rAb"{.gvvC;Cpt:6mY#gMNS3jTni)It3o^r$s+`rp! iKƩRIu[N'19r26]ڋtM|IYT^oeqKW_m9J]5X䘷nbd3cR|sN,FwNN5{O* 7BE\}}Ǎ Mh@᪲]g97gN1ۉ&c-xRBlTg u,,Wņ^i?ŀ&"'BszjgpsU5a"ll'_[}>I A$ 9q"dNLʼtWCبn&_.Pts!|ժRzajKa,m*j,,fBA#G>5y׺ܻԽGrRѦ>IGj(+XܣЃ("xs։C|̡Lu;)Z÷7ȏorYTw Zcfm^^`XfpM4k *6l5y$L}q[7o ϶V7K2ք<8VPhuBO\rb|S;+qXvJ;t/.uw ԙxX: s:}=`?> Pn3_Ƭԧ˺ sC5qpR9}ǘ!;a%*v,h4Nϥoɂh Ɉ q߹ 8 @V+{g\OiBG2iu{ACd7hAeaJi)ꂗZJSNEM?pK-@b&WqȭXlĎ `㡴DzK@Ƣli3_<;urμ_5_?f{*(O(%K(i ʐ0)D Jk}4j1wtt5K't4<mÑkdMq7z΃TɏV-OI`_%ropS:T`iwYYQHks&x ϥn< (Fߓao"l)J\ ]3 4A"gطCPNc1Gw(*4ÿxVvOJ;_s86vcz&(õ]abXSõzv_-sj_jc\sE݀YӀ4Hn@ȣ;@Rs(xѐܰ\IO֌l3'q ܂I7a=6':I,|sF]D!CQn5S+B>Wz&h|.2#U훸&dR5;7PԴ@%0ŏ(W"uW6S7?-?ңVɂg)QEg%lJʚ|[~{25e7MV&K/{;Sg)/Ooc.8|?{٠dƪP 05 pˉ)YB z.vO#j>e79D7TP1W7Rk =qu"(  pdXiEkm'CK1Rp!rZ͆gn\{ /cf,ZZGpbT=|.~@@ꏑ)řg0 q馨e|g)FynDz䇛dM'#QGK|1˸\Qßka#Uᴱ&Pd?(E@)An'Ew w'Xh\sB87`79Õ>#n@.(= g7+ïZ] *UFiB6qF $ HS36nV4wѠK`6t(:/hp>f  Tp'hF[t1 =}tPy_?`b&g_Qbǯ!QL`z*5r-HH<;gl]!w.>(oqIKGWIN ;$0\hbLhYm1 .bLtJj[ ia 4ҥR=2}yP HXb~J0X^B=}KV@"mu8SSN(W[*-ܒ}|~m%a VI8kXaº0(f^3$tz. *?4I^>IUG2%lg j IMJR3a8]43b6~$2lJUZ.4l pJp`Eq Pñ,\ա4ŪږP9K )g9#WJ:C>Iek 40MgYï܎\;b%nϷ (uhm4m9wj5/^&,saۀǠ*E/g; ~FS;3^eG9T5~Z5`7-u)#˂/ OFƊuɦKĔL`u{ ^ʐPqoȪF@`yևmT7"&SUzi۟'^/<4'g k/T LXJCAfc)n$~fA6246#!Jྍi{^@}vXAcJ?ri g۾x_걞n@VRⱖR5Eb&è#TqvA#!w^Sx)quM V:VԠd6KE#z