sssd-kcm-1.16.5-10.el7_9.8>t  DH`p`{$ƨݽ~!ֻb  RXVs  W`M O**'Jޡ>&P?&@d   H .KQX4 B P l  ;^AA A(w8B9B:B> ? @ G H I!X!$Y!,\!P]!l^!b"Hd# e#f#l#t#0u#Lv#hw% x%<y%X9&<Csssd-kcm1.16.510.el7_9.8An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.`x86-02.bsys.centos.orgCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fiH 큤A큤`m`m``L`L`a`a04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba106503af72e4d38cfbc8b6f5e5cd39127b0d8d6e42e8bcb0cb65b0f078282dd761f20d1a8c02592e8120885d64acdac309e6d094eb31b78e22869e36defca812ff4d24138c9884c25f15b4b1109a8ffbd20054a03989d980aeb2c208fa582d08b491b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.5-10.el7_9.8.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.5-10.el7_9.85.2-14.11.3`@_ _G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.8Alexey Tikhonov 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z] - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. [rhel-7.9.z] - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z) - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z] - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.5-10.el7_9.81.16.5-10.el7_9.8sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=d74061f1abcb8288a274d230963383b9329981fa, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory9R6R2R:RR#RRRR RRRRRR4R%R8RRR R RR9R0R'R"RRR(R5RRRRR&R R+R.R-R,R*R)RRR!R RR$R R/R7R3RR1RRR>? 7zXZ !#,] b2u Q{LQətR(+B>bR $@hn*ǐ< O !(V M7b"ei,&D-.*tR% '*vRj ru%.ʍ#ׇ)$($$-zcbvo?ifxzج]6[3s4vWKIq6?:znڈ@ρaz;&z5@`Mu'M(i5)U_'XDiR-BؙÓ v"{d5+@nDTVd^T$m1XXOӀt-Hq䓚d?x9\} ]F:fY>ޠ:g%i׎@`'::ݮpcjsWrbU 㯒+3nD-LZ,.flZ1֦Ah-<AvFBnk)o:(<˥qh? l yZo>W3%_@IɅdϡ8U}/R zqou`[)1J31(8LWh3>yjA;}Txo J-xEvR)v]B= 8Y'"/zn8Hg0ˑz3syqd-v߭ޱy5)w]IY'pF۱@Zsgs|\fhۏsk- ocfr6zb~ `.RF>F;QrӘMc.2LҞ.5>3 Ҟ;b}˂$)YRاM:v\yb6n-mZl2=S_Ul<("&GҢu*lުQZ/6?vpk6ψn@Ԭ% vj0Qn~NqcHxЫc1Ud"{#~dt;L~I99 I?ڑ!)^=Ud)R9ѣAA7\2}؅ 8Ҿ'*ee+NFHr$gNJBPw=[f #A4b N#TykJ3OXS?mS2tNˍ/szK7ݎ*: f8@ %ߚ3a:e㙧X|FP~nZ~ogb;wT:D/2JZB7FQ$>/tIi:tLU7ܢ/< A\4sw,ЙCMW_WSe u_crXsZmHݹwЌO0\ڭj9 o$Le憰cSUahp( 'ohڞLvM맯(P+s9, ,AW? FBfu}"-m~.a;m_ӡs^4((SB GO+CR+o"พ .12̬Ȼ4<\)\Fz@8!0B35wpg]1agu['4jPvtp|̯ǚ]×A"<~Ǚ&|Mq`p>$ӞZ4e) J?'6 ¥ݚnF 1 ܒkaNHd#6 Cc`OZ^R,,J Tئbo.<&u߶qsaJ*ਭ#̠C -2V笴v`$[K{\5k}zXOW&^kxb'/!@%~+,ic)y.LI'W\+i/xf@~QP\[0k"uUӯvH`gVy[, =6rI]{v>KrTnq0gr e UU$>ajX-`cԌAX~MOU[vv#b;˦U7/K(gR[ Dřs|xzgOiNTm ;O>;/±47,R':>,{d +3~oݚ1UˁՒҡ"7kZWgENh]_^t0T+;}u.@z(UjOAуw4gWVk;#%xsTW4M㓽hiU \.f͞oz Zb:&p}|5DuI&&C: #ysC|`\@{L~(d4+}Vls>`SYjĒ{v[sxZͷāi'5}|&³ט.SuLIfFRܖEe˟!#2d/"*yrRWo;}\(2%R+]A,,U0t˟i@2Tf7.f$dI $yup6SwGʓf)^=7EF`Amz78 `iন<& J5 j =ra)KMwZm*LW~~QS\6%9]pf@f +5 6R8Et|+ RPFʷUbmb[bx镟ḱ3(V]Ά& pGh_IyDTGղeS*G^Gd&xNOŠ!=0VS<VMoJ (`ILYkd"~@F1vsny{2+$&2 zAVW > *R\ұ_QB&HAw@Oye8؈s+0"8]t/҈b#Gd,{;Nqf < JƳy|e~Ι7̻`s'Bi*Xv_c4>V!];d\N>TۺL젨BVkg>=)Bw1Ȋ# &z*<9KxV/>Qi >{l8ŽODzqg Ӹ`sx%&wqJ d,<̙n߀]W?̲L^56ؑrCR5 fqgAq4#nwmeuHx}Ź&yVH8ZGaNEz7t<`\^@Jʗj2 >zm4`bfIW@< lӔ?<&i}O"o ,PO05B`gS2vLXRcY [GF?`smjuɩ9 {cIuF;"WH[%Px"p]MF&?wseuo]hD`%#|v%6zq c__*"~ƭcGm3F^~CtAh;]ֿYa3@* @5VZy]l -.M7AU){AQq͞";\$֢@?C 18\=.aqԲ&wiHIGcڶHaT[UTʈ$ditɗ*5 nҀ2T&NY=4 3;En'S5~+௚b/.zAYѮ`[3O<#lάHAsY-AJ/<3#=l7{_cZ[{G-:iRD|u1"(Oь㋧ WxOhOvajHߝ$zns1n~{*$rHU-`H} Ʀ_wm)p;u|Y|4E:8="G#';<Χ病S1w*- 2KWo.+"NmKOf{ul"5)i'$,/RY5dviT#c zR *z ?'z7R=d!TѪLr6}- &S9A<% ŧ+G ASݼɽ`0Dux)6)sHqV;%ܮVS"K"nK?Nj%FЏ㜖j@rwb9yECf 2)? Eq70n];' rt6qlcR>ܺPV2?öY-j1a](,Wv1/7q[-B#On$0[p-ϗr?*e d6E X.]R.j e_;ېȘKkc&`ōkH>EʃE^Kĩ$mkv;hl&0./ JnaOۼR%6VaM2'FMp|Ϫ_o6`3uZ3BfAgwƈ̓@my 47ߴo.αŊ#RbqsoQp*wtCl8}}`b(OH_ۉ3| Ltc]5C5a"%0p.өt97\U.IO+$UOa)KeWhp4c*&&A=,ǿ"5fz>Ke_ۊyL0 fT +Ș"ȘXT i3m_nY.y5#am,/T.ՆAњMUZp~ɹ`רݪuU55pˑwN:&c3n+V8: {Y/) TIan$Cx8~}$QhH$rI Nj\]~[?cM .78.S4띭⋢b^ z/?̿g+:.Y6m,aUOvRtK7OA2fCrJyh@B 4=G^u#bv+{"@@`Td{C4(OQ[ODH2fFIJL. tb4裑0mf#I2LUidǸ\uSfMͼ뢘|{qivYFT. czɌcMCeSI]ۘ0 `?3Ԍ_,k0#Lk<#OFGb$y9j!eS7hDX9A&FP yFâjwZW{ZTR1qqQ6~^9h0/';5%6`?zofk1ڸx ZF(B?CU Ђ*fHuV2y}M0MMʈW.2Pܘ?' gZ݈9sC+Q2D gNKVgf)+`x9|%""lLQ"hs'8DhRZW |B6ېҸTNj iF]'pҿfua@4ֹn1˷E&:>gM+hRs<6P_&dan{6P$.M*!q{J+y^"K`՚[`rjckq|ڈ=]IiʧRx#DRuPxo"()q~BBol_wƛ]`-;}GFheX=̈"X @G29qJ|~ 0媃J^HuaO򓒂x"@NSݕUђ#_K!M8UD4U*M{h񂌝wZ6œ@E/7-: kB0rΎ ;#otZBAk! 4[[jxyŭZHZ3X jl{\ǖ/ !.B-ܚ6r?8vn+g d-uJTN~GIIZW%?+yrx*.rWz;aӻ':o;%HY왂3f .H`cm6~eWD&>*UWRvpJE>Ao uH(HA "߶wT,܃) ]?mNUitԟM;*0|/!InU{ǝ6hn æ@oq37郺Wh6َ6f(&ul?HqA~LS1/m |qūέ hC8y?9\`ܒW} xQX?JJy?c%d#@!K, wytGuç nzd8oJEjQV1b:IzkӖS)';]gY{M լe)~4,9m:`x"Z#x 9MGp݀3׊ JBaU76Iv_9 X*Nă7[vz{L3hϠ7]T=Pf=J]^ClPY {[;t1S{Bjy\RF~pe1+5t`/surh/yTz{ W0ɼ]eEUȔXKoSxK=isf$3 7 I-iLˡN=bsrsqڴ^]6vRrԌȔ.@ ';FZ~Q9cJOgN57Nq1 (bb)+][!ڞlk)=@XyX yxF'TF4/ɧ5lzOZ]W x6t^Iv^rlcʬ"Wv}\i;\; ~|-VvYPK$05~ǾsA Ҁt,en2t MfPfYMF,{5@s3W/ rԬ `ɫrif-QAW?p4fnSw^1n-Vi1]Rؕent~lJ k\vo[b&Ĉpb١G0U/]Z+=!$kAk'6 >֎s"6dMHߓ35a^ȡOi\ ZD J!:i d aY_ W|ԌLeC5#$!n8TiҾ1tCqЃ[6%;R*ݭ4(p~Z`ثؓ w:)XB &$S.Dy'a[y @t^}JS7ݳHT PgaWٞGΈQ`O$IJg6"ʽHLv2C™kod?< 1h{-@Lм~25o-\c( c+/<Յz{ya8{V׎7lJbn;C;ڀ`Z{&;NPL:yUl=Ao2I40`ojsq4YDt$t1wqX(Qs4t\q֋6!(G->+&?d/_+i#YO^?)wS./^۾93|CE{RS* |}QoʴNM ;/x`|*. oӼqeoc&p|Iԏw܍s?yʷs D9wJzlADd,yoWAXd&].,(ڝDJ5L8PXT17&;Cb؍Jǭ^2k uu2 yU.v^Zc'vd[ Y'`T?.ȹ(6^Vk̜[%9/)fʜ<1@M&<#ʿUX?½|Ttw=@@E寫я` 5ٽYXJTiGDq5:]QH<8+J v2#fQ7d23:3+}*;ԧֽgʥ6gn FI݁ɽ}'򂸿/S$ ϗ6rJC(џJAwI 4"{?-i>4I/2ުk"!y!B*K QQțbsl0D_[ (3d154Eb|&©~|מЄ):zmֻ@ /Q #}'o-q+30M`/'#)k/X#a<.v w1|;cS|TU`< $ʺ##.Kаiʶm\&۱WT4ƸU5CnU΍{]~\NsGYt}/%+lVXB8h#F,bmwUf,tBT=?d[32o&D㗽U|N*GqL_`҃(l`bD"̸HTZГ rYZw +=|3.gbn#W @6 R~ڍ-J:p6 KBl͵u׀ ؀t|ZTn c#VZ-73nq ( EɸXWM T0ض[OڜtJ]3cȘ#9el uG]&Q+}8=$Z}B@գKu£o'wŎF &Pz7d4QCajmǵ B\;u7{J_yBP溳B^RoNx96WF%j ǹe6u Lq]fyaݕf \[*HR幷] HBLr=ZT)VC,d~sNy+9Oc8(0\*W['\, NtgikB`v ]KC5%0'S8WA4DFSUXVCddv0)pMd`$\{ZKr,AwmXANP.s)ZMuM.Z(ԭi .;YOz]g!*/&MuK"_$q'?Ch Z3]/wǴn\謩]N $:;u"Iqa9Y^qDT6,CDUIJ s;g)XJXυԆ@1MjI6L&Cҵ)^B33Gf\,nLQO8RK(z?حM8?*28Vd@N\`cEÍ9}`ySJ~norU@?⵬Uԯ{#6$g|-IaҦt](ӺAf]LA2gT|{M|pV= ڛH9^\R_‰D(}y׌[U23b8lG`ܙxHjvŀ=TYȐ]wt{\`m`J|XK1,yW^nehʢ y&2f2oBFQTa%^L4 2pƦ##L}2}TRKヒ2ONB|o{7cPIdR֧քԺ?8t᎝F0`C7+>4d ŧp(Y"o U2ŽZgEOn$jj&"1٘eP\;ϗ~7 Pk;g:ɋ'"P9&NhN6ɭ}ݖ0UY~@Cp]f0| ڋxaPQ%Ejv])Ȅ)y [XCX)RmwGa&{=p_MG):ͅT ک_7$MF4qdVb"׺0ո")hG>A fe=Z+ my|6KZrsZj a^nűtT:s2^k0B*OaYϢVMl^=,LdxjPl)ܹ<~ARޜgxytݵ@Jl` -㤦B$AoK^Sμ?zW_T'AwϫÄ抝ׄ(ѪEj5􆮛qOʒo5m^mWftG{q3]M6kX3+xmwpt7E((aM_5}/3pNi?( :e4INU8vbpeՉ>fbH=D_&%`ICZ+2Z )%CR@^|M8X*\y͠rX*Qy$b\Lx%*[nn+"|miB[F=1ޢx6yeyJ9@f ئ3vh\H[(nsoscN2C;,/bۭk_M&T+5"5e{6E:Ńy89j_}K1FD7l<OLtQO # Ba"ƶm4e)@&qKZ~Κrxr۹3݋\Rz%|{xS] T湚f RcCB^iRÑ)S}J{; cFcehC VKH2?bd^W"kOb| u:tcՓ9.!gn?ǂ(ݑ"8`Oa2zMtj;vEn;C xd4ΪsέvДs@m46ETB\ a%yedZd(LvJpgŤFW+pw=vuE ?'ZZ9Y*f\O OsJk9$M\A'0o0ؚ;'N%Sg&=&U;Kk|+X!}V@*/(R$s^4)64\ա2|JDyEN8ؚZ] lM+\=yL¦ ;sXEjSxhW|Q3TaӦ:t @`˓/&u^n#ݵb< kp1^lp睘 8 SVC5{Մ~]]a+y4,ޞn.'E\s )TKJK~4FXQp$S<$@A@*:B2X03{U-ɖdt?7wñ# /%aՅZͿ[5.B5|#*FXo?H3xW=Wqi]Nx27!Z {/82jv=uRzFS癇"{:Js=MƏH-Ttժ' IYtjA%%8M.kx0/܃<,[ـN $;ֳE<}B |pc TLINLGK5\k 0ѐUX".-د0}P|ꛦg6Bz^@S.g2>~kjBKV&3G_\jPu"ͬf`uG,ɘa[K2,f(vqiqIףT^ƲKSkLXYG"4y!uivqCXLS;Uwrꨝ]i<]݆67UH8iRqA b}?(2ՌG#;VX|BMͭ(((ݕə[OqXBۚ@whHgۊ>IS(ԂNTF>!-tHo2Zeio_7\.pc0b h(k_\憶tM~'{ $Jբm00x3kO(xY7UȅWPن+':fgżƬO$l AF^+TF*Z0zCO}ѲL=6; Eh%FćYV2z;l&#F /U̇wr@yru|= 娛Z4$䁃ľ޾,gmdj3t$y:}k|G&/XUxOj)ZCƈZ]oBHT]QOuPr@>j-jJ`Q88cm?>pl~󋹽)&>6OзNb[j{m3~[ŒӍXbacr&Wh NzxK=4 ?=wkRY }]JČ`,|KڔvK<'w&h运QIf =}Q7ĦA=)3Rl_n$W!4}c=ya`W_ӆdL[-+%z 3*s(%;Ƙ5Fm*蟬omU+FEK("ުV5Dr ѺܴS.(F *t>Y [`]-D"7TG"U2 dy}D-=}x$;U#K?Vqd=u%\"ɓZd4IG6}a'2MWa6ESr]|ƃANd ݇xa08誜qi˺xcLsv)_w ,Mɽ8c[Q(?1hT `i{O;X鵄}$4'1q+V4;D> $~NWx*AX 𥟹2h`}jnAEԝ@RֳJ7^ь}tD`ayY*}!hz]k&;x.N8mb2 ;r;D\eY,-i⤏9U] 0ǭɘo(. #N[PM^I˩lrZ:9yC1ַ; B;7ChKXEwVqc'pk-4j$7r$)B5`p6Wײ\?+Y,ukѶxwN9g.sTRFGC_2u&#ms;pT' klWVCYa! £;!3jxdtkd`T%{z w?e:O*aX s lsҳStOP8钩r7|{i6e )œS>YcbQ_sPgD^eVĀ6ZŤšA 6t5?ҼSWj۷ڊo}$v:"IxDu͖쫹ÉvKwc)ޮa)DR"HE; q$a(|,.mie$3ao K;ϊvγS l(8)uI0ۅѤ6(kdCS'PWd?ihD  6!!i %LAHE}OʣrrQOʈsp\S/g{[B@lћT4}Va F %.nר1/U|>P4\$a\Lw(XZʁ;M#W*Uy&mƬc*OXuQ5HmTEeY 37R||0Vf0ufb;eiM ǥF&B]8a6~wT6f¶ͮa#kslbf0Y Qڟ)#TN1NiH{&K O|"JT|6m.)!k#"̷OKsdp{R5cZ7.c'JcNÊI9)HI 4 k$bnqgMgqJ3!hΛ6iO3\FZdQ f~ ۢ {uŨdXQP*zwKmn+z/M}bn`|ENLkβG #Tνб$Q@6Yqe;3+AN/T=j'$`R/lkˌ Rܥ q>eO [JX~nCSv,6tcdP=KYH9v. h sft}eMR5S4֙,= KOՒ=Z̈́,nk{Z\Phu QZrcJ{vP Y'ӌ?bտw1/lM P>Ô"Nv>b-Ir'uY;::兿8 -raDAkThj 4|40 Gm=Mf˅Lk^]'i!}1Lc ĉX+' "+d3W"5YÊ'3$NFUQը@!~Nϱ9Qo W6S&S^K`2òFbjd `:!Т 4 =xLimn%a}@$J`lTXF`p\ⵋ7( _"4" 9N̟yMhsԄVKצ_h/%ǔL*3_k}D&LuJ;/zܶ[|y zi=0 !XưUQ#s5m'tC0ε]kԣ)gu0=Eev`iC=NI!)XTL\5VYl _\I!H& &2M +I8. J'{x M-nus e8E\2pi?]u.!ecD?v 7h8É= Mgˌ.AUMRYAPLj8cgiR-W%֟RP8UWik7~əxn"na9G?4g%D>BD$aB"4ljc>1᜴6)tm?0'Vl9M?2?Fi8h<'bi(lᔫ.6S"$<]E+2dL5qtd;)I\TacNv\(ǿ qaŏsy;ާkծ2q%ng~y% s(4[Q[yqŇP\puUǤiA<, 5"%4ɻX ?ڂT2åx >g| e1wgXH`e'6c62_A[~[!{8H0!t^8dOE:c'~&|3npE$ SC,6`j18ȹ58:XG{W>7Xc;Q3x_JK_`MhaO0y yؾ* یySg")nV91!SY. cǒ>wZUR7_c(g=w$qkuoRNY ӣ2E[^\1hg)ƻynGupC)rxKz) BQ3iVy| x3+ 45 T?|/|阏T[gt!a)Q}} W%}︲ wX?R#\ē})TBR8 Ŀa~4޿EN<C ţfK#zQYmV=<!_9( H:Edfߤ@Κw@Ū?Qy7qxK4K/6U%뀦~UA^WoehFTbLo6Y/qQ@PayT\!ã2p"Y{bOoe+fr>6]lϟ%jMىf~} 욲e.$pVQPbS.2Uûqfx`!S*h4W~̆&Σvu/h>F9:_!< qirh/AʒVe֨w7GASP+Pڰ SƱ$K#srYD6Y']XMGx977%ߠ" Ϸo|u hȳ-'[njX%m> |.G~/gvw)iN1_W"eh:-C/xDvd 54*3-jgt%v!9יՑFw#[ncvL@ O?`,@rsF'Rb8B&_ .$# k 4G(s^>!?)k@ a D(^T\d=ي؁&/϶ː|{;T+Aɮ ߇!d}pc)fiR+ƍ\$@ kW%^۪82ߜs( i\$[*;(j&Lr9:854m*nkvj&ts}c1H04^VwxR֨9s>.XBV,Sm1Zv`M=* j*tNIXcM ZH%JfUOW&:0iO+$M3IKP>_TA_:  <jU]ٗܺvx/;\7e., P?Wgv*K=Xl^4b$E%M92}NDޫ2tnaN/S2jRe/p)iߊ{X8 .@s/979*a$*˨&ufBxW` r*;x~Mmj 3^:m`rTC&$N b }|aQ81q ]D1?kP(w=$5;P 2OuQӣEPq]EN$Ag`geelFlo6hǏ96sYI/qmڧߴhng=:8U ?#yeSn:5|衒R0:rw#Lw`x1Tqdq.&OQpaXA3'\RYڔ*x\O&# g(B` g_Mǔ7֭K-Ds2HuIrmWx%+ݽ(\Nƪ>yߙ4U@?J Er_cf\T†g}58CD@VX,QaU+bxk7 7'fɃxsjh#7ǎ;-2k剓Rkx"0Z-êdޓaq`ٻT4",sI6C~TO&ht` *ߒB W>5FjK 0#^9Y;9?;s3d0$Q ܵ~)zuRS=/ۥ p(EeeOSt,3x(Wupjf5aU{XXV.^h(C|ZkIϦ?ʔ{gv}nkOh>Ia~6yXm i󶽮Iyv.J>Epⶈ{Y"2B?mHUnkSRVv~4cڈm>A..(Ϗ+nAOdK`\iԘ3#Rw՝qh\XᮀExsWM('*1TМI仹"?xZn̜)SR>Ae/T2> HǏ v=c3eժo8kX8IdDCQI|PH53'tu 6t4D8-2՞7m9yfJ?@`(@V?t ~x:EN/5@}-v^]ժ1`59V[@q0 իda'TɏpCij۟ [/~٦l5\j=կ C`]Vwu< T *TӞ CҮ[֍jzS$ϮF'ϽRlI(|D*1 ۬K5:nE9Ct!mp}VI'A[X|=^Byga!'CIFAUY nAr!eOUGm:_@8eP j9r?IӹҊm8d&Y+m!5ʝT&!uE p/ HlֆIŠ@/K c؛O29nz7Sir͡҈[3:V (~ZQxzΦ{Ά䙳vF ɒԐW{ Rq]a_&cWQ:v@~wwk"3°^3^xAdQ7/qAABw"R?x  JU bՔ`yri INgH-BR|II-zBdMp:)a6#AO ڼBobE ~A rp:a'4_f@->+N8Sl4!Ho28p|<Y#I->s!pj{UX( J⟗먥Ԉ ^$`R*@;fT3yKJ XLHMyUQ#~m_dv` "@DH:ק="W%b$߼oCϠ#J{PSͺi]SҁB[ӹB۳=sn~g&).E1hRZTK_:_ػXS]!_^v<t0V)?.zWhTgCYk҉i 7gUM&(t1B3NLyNߢ cY?Tm Y }uv FYƠē Ƽ lpؼ򳃥&J`u2r^]5`'b'd1A*5š) @ϱYd_%CBdh4atnǟ|vy 0|N&Z&\̐RU`Av゙fʤ=]@# ޠ4\O Wөp_v\`4-ciy]CQBw{7<5!}֗^iP'{eqD*%+muYD=xPuƉҤd X_N|^f\EL=luv4\>Jϵo}mڒWy]i&um~ڂRoY&ĺD ਃskm`¹ss`X$8BD1>[pN,*E1,U胫bd۲`>|nmqߌ(ݱL"xWQ#h "{Y9/u|Lm +?~މ紌}k'?7v4!ǜ]\RcK䞕P\ ŠϟH7"@Q3ؠs7  qL~Nb#K\UAݬDNcjv AoWZo ɗ UBZ/c49l-M^Y/s?;$xQs<}Ȏ*7""uxĠ,tGH|7kt@{ƒ.4/pK9@t X9#[Z$d.ZL5H[%|Y09(MICB^﹇f#]=# nu0BEE)th?Hbp?^&:F)Rkưݵ4?g_Xn6wxɺ+Ёp3erRL=ZRc-q",C7\aCeאHIBl%b[]w֢^YL~~Q&hP/&Ig7le0!\ԓ)܆s%P7D@9UGBgWUO.3ZP>/;~B-N'PuyÇS 5F^؇gf,8JDu22yq / zX' ’W ƨtLblQp{~ĀsSc3t {,%bEY8~rF)ylq# \. N r"e.9k4fk0uĵ)N/{K:?'-kMs,jO3A I*yEV k[ ]Kk?F#$PeS\ͨu~1gJ IYs*Nir\P*460$hm@6:WCV*PM<{H\!''.ݝEo'ڀĊQW͒P9ڴ8y>qYPrSӄn!&Š(bd ?R0IL@Ȳ$K \ړN-< [ų\6ߛn/]@'> x^^rR3XѴ)׌jh; 6|kIV9Mq+ `:2ii@72\V<( qEv~Qs zy""ؠ ߻C9rTK$ LYk ?P=7"5QM\/ϵ&?<^Dx>!u*ڋ`:J`Fa/ft R+ZH@Uuh~$dUMsqް*~&kf z=,(<&} l6M,r@ k~VQ6H)'ordfaM0mh^G,= :j$m@@շ>~ʸvYvnVH3^*K[$I6mX'!&v(;Ķ=A?F9ӳ4ӱz;~8ɗZTf@ΥӺ濛BUSs(kN3R센2ꖆ7+e.d%PXͷ"g ^\ &s^sL.Ĺ 1\ v1O%'hem0hr(C$ ZPn[H_@cj{AK9s]iZKcRޥ̯ fDNrytf'Uo?nTT˺oOui A74̴[FRK@cqЩa/\}DZL@>BɃt5  Pc_LJw=9gvvG{YE-vgS(ii4#.m h,3.LagVRri.67O7>tqi{B(*o7h[~ƜVMl~zlfNL@/It2 <⍻@H!̾Vx:ldC3r<U%yEq B'5 흩%C*=!؝l)?82xqՒ3j^8sy̡zЀø / O>Y0FkޗNB4GDlAsݫ~r,Wh~p'S`D 19E6:̘ܤ1hcُgMWGTbX/.bjG>ceU(Ͱ# hmG}>69DXVqK{#螃Se}sI?2wwL"?ӆGxaS=EV&G Ἷ4:1 O|*kLJ?iþ^|>vխ*z%DtUPktd+ S#gŸxy%G ;/dXiOdAHxy.*KWW4 Nu=Sq؜db$gp /~<эZTP-/VB@DN(btut>&՗#f fV)(IX3pE 7Ȳ_UzYm\6 0 %P{6Z m=\9ވ'!}uB:tEE{K  }ofS:L(,¾T |9-zK|es^%G A^TӱbW>IGpOZSw%>[ʪJ`F 8KeC:@?j0s%rԭ]";t~8i߿M Bn{e8 %(볮PxRˇm냏 ?Xs>b,C>}뭒@L;lTXLv*w;]\;ґJ=IX=| .6F؇}=oCC_3ͽtnJ&2Qp#cY~>t+c!S-b@f_üGOB)¶~ܣGSg^g6@JԳ.uKK;6o.A9"j h]= vG8%rB(hz~/x'?)<][n/ 3xRr} *WXFGןciQ~ъ- R8S4ХrY r;@պ &u 4ښ,o=QM!nkJ܅$kS.;?jݍx}]9 l[iN}I[˦DGc@N 7H7(rSH t]j˿,|깜xg Tx"SL**'n x̽XHXƕ< xH2:F%3I1!Tf3O*m6zc[/Tu>?s:)E4[M;wtUhӖQ/gcNUFP/V0h)7a=0!_A&T [РiPzU|k4*Lh>kwL8-f&#+sniEڹ馤㮘,'-I?<3jD7^n]FW5Xki9 X칛ոcjwo㟂qACǘ1H ||I ATy&G%zXXaR<.sC8ID&qXFsF)stKM#g<9LMc ەq"Jq .-'^$ok>eh)->6Jb<bwU㥄#{kYƁ_G ;؏sJ*#R() M_gv؃.S*l&&oZeQً>-@P\MVd-"\Ǐ1DwR1VʃVEE+݂ szU$\hn",A v)'pPdA.DGPv=?=f0ORK47v0lω,dUA᡻c-JdN?bM]S6)O74NǸ0#g?+tt=Ne? w)grŜVn,+Dd#BFo)z|$9J#=]E|͎q"BR a:Y; Eai@`:i;EE3LݐY+ǡ@(c'O6Lg AR|Z[,MKB&]" bꆣF͐y֜'5q) f'K7UhdV>S&i3O+4lT^K)equ u_;$5I?>/Q<ÇF_Y;ʹkgBZdM}:x*3e| F7m3qOU> EtӾ"J!kɑBVGu=> oN~ bD<5Cs9p Y({c1dp|Lr Kޚ:0l/Juq$ư|CD\`%EHɆ. <(%mR-%1-2Z -5ZP"SOQ. j ါҴ4V4iou&[gY;vOdC@.CuqrlĪB:=Yz£"I/9B|(q%OZ W_S_Y;65ޗ~5Prg*\[_O~&(l2I]ж(A9SWLxbs*~f rY/Y1=U?ꕂh,g:8ōd@$J-}"sjoI[U~fZ6q-*\Ll4ka{}ͥF[`gc7'oƶ[TPȋrcja3Pfxa!j+\K~Ͷ,^.?0 {,TI?y+:dZɓ@ Dhaꈗ=n{5Gw :F/=Tr'F }[#g]ՂE3V&ècI%2BIuD7,sptsraY< S_ohv>V<c\R6GE\u, sfQPI4ZGPJhBՖFEDpGFhS@f7lsyl'5X9 =퍿;?!.Dj2ea1Lbdƒ v;x$?giy%,JƹdGƪ܂`|Ohmb_ \/&qBFԊ7']GR6-lCՐ D"ut8Uὀm"UJ%.ʾ1fGfO1&"U{cH{niԩS ίs!.pzѻzFjy#[{ )XM^|$,$#QuV.i: !7& 3ȂбKic!o}ᦉ d;#]rDhg3ãqEiY^SF{V -j# [d6X`au|Y4.4opgw f^VOF~9=Tj 0H(;7*vs=QG~d—> j{"T0'eyXȱ#=qJ9 "Dya>iE5'D-/.ATak.COxlE^o6+WyZt/^3E+ZbAne[oEu~T'k!֬ǼE2Y}TxJ2u*"i"#u^j"%0JR hS57˪+?˳/,5x e|ʮ2kQnT{܀o|⹍gKwqQxIA*O)oIFBZfܰ {#1z&N/a; q5xi5+J$3$u=Mot$20pȅAi0_ΛNfP3v# 9f 4TGt61 F~~CM]"z@,7ӪrOc]́pwb3zIb}>Ml`;^EڍSSN3*r?͇y\F2]?m FmH1(Ri M'JaRi+h]é}A(@ʇ\[/ yX toWr?weHN  Q <(cx-A=%Ldظ#MGk.gr//^6 BO"ȴ#u}1*U#Ď@ |E}&$ 1h/?C 4uq-RP`(A 6 3s:lHX⦻M^3L}8Z.{*:!r0mZ6l_ Nz`/<;Т-OH741ϫV|pP3+l~dBT'2%6 uȾ~~Kҽft\2PV͘NwB B$}';]=2KYƀ+CC- @=Kv6P_8`pIKCl}`η_ dkQՉte7սӖ?߯JbKG 1]zweC'' c=_M3> &d2/6ƀq;ue 'EJ3=i]:ʬ5,r-I~kEWBMW _[tǝt.! Mpf-1a /{\ ]zC ſ\<Ԁ0x| axM fZ7柸Npc*Xm6ܦn6t!tFVW C<ܾucVwE=BK$N9p#DSN|ñmQQ$V=H^3{@LԈȯT73 m8R*(z7NjD.$fZ@8:Y]YzoRb;E 0 2U*ٵ3c=(y}K_i]W; !Lyey'] jsLe(D0DQZZ_ Emi"YdC+qM)M9|̺Pͯ3%Yg"lJ FldlZaXM6S,k0>2LPpp|ڀNKxT4],/1.竳*]PV G]o鷸v?HG$bx3oj;d f:tTWElvs̡P+ra^^U +EČ<5="I ) 0OC,;JcÐq#hS51.,?[n7*C-Phi옾j 510mj}ږUiMS6F3IQiBzbtKws1l`u!t4GFŜfL_g2躤pe h]y /FXGMnd`qtBv>]nD֣vl47ƪX?k#LJ M:~=mX؇E9vu/F[Frlx㼝D)[@Κ|L߸Tŏ<~xS!5u~WS&"#Ǣ׌#flaho2B*$RQ$ $6@DZv,gԕ"K^ܼ2C7ё_ls=^swh\K5.c%k\(W;ݫ-8ѪV*c,yv:ѱ0n1|ҕՌYz+5=i1>;|RMmDwkb/~r6T`ޙ/Vg_Ԏa&7}35X!LJmʤ[LeL@Au&%QTL/Ӄ wH8YdSA{i5/Lqñt5('/Pp)O9:љ8(֐NMrO)k)$7\W4Sj޼B QU@L%)h 9oxzUhV>g0%MUg}é.@.VS\pCrwL1#}vH0kS̢}Jz%/bܲXFM$Ɔ]T &Kq 7g _.+Oj.Hs$~!W[ԞE@exF 3 K *Yw>^$Nx#aL췶$'{KD 5E`4'޸E\l^'^S 'O " A(֐VnA@9@D)t*ڏDiSp0JM7>@q{3tSٸ]22M@i> YzDS7%Bӏ'&n-@BȮgpIubٺŵ**aˤڔ<|4^Tġt9֋`d5Gh ;-J5 O P.W?Pؤdt|;6&_wvNwr]"<(Dȹ]dqcTIN'SslNX'Ҍ~B:gQڦqʼ2Tpo$_$5|,ۆ7ا3is@J/Xa_< 3ۇa LӔ!j9>[5g%9i{TeKߐ.@GIꃺJ3:ٹs(޺ %9YơJnAX):'1̱!ѐ APDFB(;Aוwgl.OM d؜"F" ° 驩B71wv$S8Mƀ}* /OO `DrO,'r0" T;Jk@SgY;y 1jq 5FB#B{FV1>\5@ %;-dqN {zU]D C{ 2gϱ|SBEuljXa(xAJ3Qi*l $V4Y!L;: O@߫T4es 6L糱RH<@t+dGaJ(%LE&Q"D>Fs++[t0: jgN-KQr^k8 b5b;[[_>Om^v < qrc(ζT<.`f(p pVD#H:!Aj.ѻgKqRS0ͤDs-w8d q~rIـt'1 y9_Ÿ"ه?;36[FB$ҾGn!e?iVU&K1,::u( ź(9uE=Z)GrOr͛|^ %.v}0ٯI)C d' Vd`tٚ0>Y-Xwxf!_K|W<^g[]3~%kCrwň03>5s!z3rC]F@`}Kp? p~{VsZ??h8A_4+X.FM'R286tJRB))#*SLVDKktW4ʾ0L a0yGO? .Bwp:9>.)Lȳm0eϚ}|Xcb߆ lԱSp#.f7WbhTI]~@f\$$uwط\JyߐҡEeApƲ;-6h-a bvv1Z(2/Ny:WcU,tj)*#&ߴdD|d!;ܩ.>LBc1+sBu{mh|&|s;C!k~n;|t6gt{@"t|"D0U+ld[pzj4AtMf>Wo D5OqJ{EQês0@6.! _M>BvZm~gaP^CH,fOJ)lEMsfK썿XZk=eFZF~840UdOFwdWDSfrݵ:/G櫍i#ݳh |-LyDOsQD6/&'syé:YԖ땜'L]pc XڦxxNSQRٜoH"ٞmWJ`]85ԣPD_wQF> `ѥ1YMMĿX#pKȄx&u"uG^OZ OٰLgbixu6PLoR~xHa$ o,'$$Kij,T`pjHSL]8wUV"7r-[ZcIݺ|yK "4ķ3)v¯l 7OTD6bx4K!OI+Puxёg+CpZxpk}M@;7  hTTz)55c$hF|N r~{>[&5QK teBP 9%Vv ZݚS?UXwq6ڃNmlg ÅĜA2fn6IƑy(fWr$G V~pP k״i[=ў0_VZi̶'dկD >=HU0v[00KWd_a/~Fx-+].9א1z"W&=bd͚~Kl>&ߣP vz[wL3: /ꉧ #"9.\|L=sѻݟPAb툩lkeXyK' {ak#7|4ԋ03ݡ(^>'BGX,~qߌOgg 1 >s ?A;-{^TP4u 8}5m ?)з}Z6$|3 ct}38T1gh 35n̽#7;d}ԆWc==ۅ?Z@l.2=j \P<',e)m܆I󢌵3;w=ό{" d*XSQ vKMD,W>sG&zSI!-BFȶ#=)%?seTFXڌz'j-kpʬPs7$"I@XJgA*UTP$2ntQ""neUϫU h=`%PxLPzths;j~'J t7V" S_v $bOCx-]~(եUqѰ9H¶v\?껬,oܣqҖl}Lbu4H]]UX냡N)"Jkƽ ;jYyױۆ RBɫDTQdTtGhim<*]MuRjR>ҿ=sP4puq2,3)۱ -|^ p;y`W5ԃߒir"syE13]L;}HUM>B^ 5{BNqCxmr( .[Qٴښƻ0⍫u3b ޫA8r%̳ td4i1Y0dMN0BULx..U.^WlA+ 1BEH `cZ8o%Ѡ` y5e7 fIRtRzG H uUr0YXp=rTYӞ1WO-9XjE&FO9/# ߦ D >ԟ k,?"`NS= KNMYHw vk*˚C>;2'×]/1H~7;9(SҐ{-`Qpڵ y+?Ɨn u<"\ Y}XulځPhY&^o^>hVZ&%'US#t;`_.H)5EaBn@)^b n`Жd@Ow%kU\|c3(7|1>MMK˥tŋTLO~y`[0L Za l3!x`~E7.RmYC]Gқ  :O[wh|e3ݢ9%,`2Wz"6I{+9g ty12&=7멎aMڜ )`ToKy&#7CN[Po7ipC2;66 xS#_3axQEh{)$m9m!NW<;z >Boȅػ-®` !1sQiɫ:I``)2)(͖R©:ąMκRanj~DSQkIrJ4!H{( 1(K_`*W\ݮVx#{T0՜{J\v$c- V<E-nKE20#=xacD@Ì,(;elBOƲdǎ%w{k(BEN]+6X"r>Vem̨ N]0PYzy.Yq&g݈h ?2 <5ilٿszO+7 .uA@weOCs-Tޘ*k( Dt3 rbݡ#rz#6!V;p8\FT8~$,h0k~(=W,>K%,2Og q ߂*JoڰG NS>şXgtKB!W_^0c# CoS;>h M]d%&K+܀2fnUM8b幕yNx;NCCNa Jj P.zrIs`Ur6XGh.97bnCZq{Ͱ 6bGnUw,gƱ6"x%qQE̜gs9 8f0 u‰;.TQ)H8W'P3ңo{oយnC],jcp9n`2'q߼2AZf7'oc.rՋWImb"YBO#y|U)4HC5_=rqn#oPmMph ۣh,ׁ>0(05BfEÅbWpW2"8bQk\pa KW0o0.$ʽgꇞ:ZrZ"K˃X< ݘk}'`puaG)Z*dnbM}Fdy ~7RP,y3"El)r6.fF!#vRCB@iQ_OMDʦTvGԮUϕ; (iX( \gM 4a#&8hCS,vy̶D?"r[)rn9is+ VF@.G̾Lڮc p|(pb+7s_1_5L7ꦕԥ/p2BNXiX:zue\,i` HLVl|3$ԗ.N└ś>+Ԍ^dhsBSnͭɓ D؀Rz)M1ֿql4> ~C?Y]g^n !d󼑚 dCXBhɜs_a'ٕ F6e~; s5a {]Fyc`o{Ii8wh|DaMY?yBq[t su/ԭ';˒w;!r^Q;>&˻,h=+@v.iwiF3I Bj5{UH4}@(9 b;'3æFm+`GP4Ny(fpcA ʟg2G-^}_8ۋᕡXG(jÑ&!*Һm!j2@˕vi&.{E%9>E3X<9<p5j.R^2VLQgmG -wЃhO"1vlX(u5َ9_`N=ij KDNǪch|G4<2We^,z[8e)lDzY#jƯ\@nw %NBVc?,qt?~~" ^5-x%>VTΰjL\1n#mT%]g+r?.񠭙mlln-5Hi6l_!+ |x*, qePQGڋ |GVVA &#} $i| "6dEF"+0M"$1[4XZPw=bzVf4NГ(SKLpxFs^8ڹ&ȕÙi//+SlYQ̀zH=!ě9&ײE+?Gu>xg\sDĖ0mSbGwۨ^6HpF|Hfw내rtsbe2| Nϼ&`#O(0gS4=dgx0ϸN賳Pd)mw4)]T--eܲϰfj[{+<~_Ĥsj!^Bh9P Cs *T>p1;z.00jV= #?&w'FhnA^"S=~9+ǵnP勮j<j~k EqKsBX]4K#oh>UvhTL*k<3ND!KMS5d`r{֎ts>Bɱmukw#(~?Y2;h vnMIN%q/CJ"O˄ ƭ)<{Hs} kyۨ˛ZX}3γe]}ʬP58 d /c,ﳞqm^LM*PZ/Er붸60ڽCrpTc:LUm=Y: k)w^-őǨo%jgTW&[xI2oG:m-Pr˃jG^(U+$C%Bǡ< FpBiPL/)U$ k(h>Ptr0G#Dܘk"_Qף y7 5}> 飤vUMajw%ɭԠX2)5*O˂$yIN]6x!A|nEf~)5Ɔ&EXqOVV С]-4N2U,w;>~]١&bFUVvɕ_ MW9'f7@L Gz^r_ͮ,DYԝ >R 4DeP{~Q 9(@dMxn [Dqpp[7;3&:I!z!}wWC.x%Oμ+/(C +͔b^sf08޹*P4[Y-]**ni#sUi{-s&Ab,'\2E^єr{)~(4K{hy5bG):Lާh\(ZׁZ$go'K7?] 7_z-Н!djcO^q<)?o OC[ %C5t/5;8 #R=pX-`D%G_(u3y{шQ'Q 7GMxn.B`ffվK;FY[_x!gcc@ R&3 YoA{0D.I/_]Gcu(v_-B݃;'+W4sq$ɂqsإU(#t.Wm`lV28PLi+:<k& W{Ps?,a B dvj1cxRZ˷b[d.B3 8Q"f0~k% g:U.Z)g2_B~pꛯeNrmv4=c_3l~o`d#@wio;8>1[6ZQsk) ˨%FzS~E'8CV+&xx^ +,FqLRu -{(}kd;݀U6'YH8B݂&JG6|3;,8f2KvaUPyEx혞-OznK9=ڀW%=,x9,/\hT+> c =fU-_ "JadA-z$ᥘ}7K2(~!B9"6&lb^d(v=ԍGCN1E$o!qo,C fW]M[%&X\l zK; '-94Ou#N phOR&٠#4ˑ}-_[PH8Gx˳HȍE~*fDxCSB^Al7Թpd}MQ2\zH|ճ=ejpEइ$ܭ)c+xJ`T "w)7eќQ)yeEᖱ3E15e>BݶCKlj)ClGWEPL0@|q͢q;0N/B0T H,i擞&*#y>ehX⏱JDDYB-ѲZh ]DV bB") Ёg;wE Mޗgsu>!;H\^nrr͑?Φ@ȡE:)7$)i-.:JOjmjv%I\@o•%?a;s͐4Թ}KMKnXJзgaxo8"jΚ(97eKĦ".^V]!Ljd<++N2nk@&c UAiF@V ej9-:`ЫH %|}OTߺWJEZKփ1xh>jBH\U3! tZ5CNeKmD}S/g\y xl)E 0S佫*73 Z`mw@-&AźQL|0/D"`T]8FK2<5O4l3-$h?a?`dIiwzcNwH~4OWk|/ˏ);:⟱]e̳\.uo΋tV6 d} C;;~;Hߦtcz&~K1o.C}PSu{N]5q0^iWf X #j#-z\rpâ'0U_.04hϬ>p 0eUU?Xp_%_SX*ƩkNdƓ:C*c,8mm+6㙧iPvZ2N5X<̶Y;u8'Vt{M> MS+WN.lJKvhxi3PfCqZwtosts8{:t8ő{ϗ \Y5AN!M+f~1KdIz4Ȁu"іG󸖗XX*D:2{hsirizdAn=Z9%0(vm.,l_ӡe躽~'<쉲"ic}ߙ.X>ސøJzw5+lߗNsŗ"!"N\#|`0V#š?gG.K'% ©;E{0B_ %`VJ//ۈ"\7vqHd*PP3g[89He;իZqQU鏚]X?lI:[н;W^QuW=^`?/$Uy;; n?Hj=\ٜH5k*mLj9me;A{c+|d6&ٵek3zHUWpY^:`",.-lNnIm>v=䯾 7ªpK (pa[6kLB?+cP+mғ wj {Gɳ K1l\BPty| gTkiHzFa]dAcCPrz `2D<$҇#>~ࢁ^2V6ѵy>A.(-[#/ X9H2_8W•aYR`9b|Mo"h4ٟHHmɚk6ߗ3I$gaxL{Q^ʯVcKO\FU To_QX INNԠRS>ʎ@MߟΝM+yzjpkG-5&n3½nM"F )ڛIjɤL]6`Q6tڈ8}4:>_Ҹ~děM\lP!V"i.Uhƅx`K`RaFH&:&,\^d͉zEY[XFZ*ti)Tw ޸zhGv:f%57!j]IN ,BW QңVX҇Qsndn BrVGwJ&qNAti*/' ;2~:w`t--Z*rtO*6H?6i/'U 9sWItT8-NJ/y^*!,R {@F>J] DBCwBb^,kשƵgMVYrM}Zejzc rIQkL+@P{%KE@.qc{;?MEDFQ˟LU4ZQ697 X zd\쪑ƈjD#+:M~)mt:ڑ` B 39}+m &H lq#FÊ[U^~qk&Ϝ^ykTNgQbUQw^;bA 7h")$/,n>,J1Vw ,0 9g9 b}FH:SD$E\bE=ZC&o ~5T=k@p$vӁF3$A6Rkl z,P*c<޴K԰Vk͐J )"xYrԖ8zRm@F^s]"0>_m&`a[U]D^߄GiyKY 2 _QHդ0_If=lut~S1ޅ];1}Q%1P^TR¶%Z4WM흁DSKeEc"3' ­}=LZ wS~:Ű7eG=L,uu;Q7ȑx'^Վt4%sT"s#1M֘5î ?۷(ȶb!7'O RMFXt\kG!r^aq>CO\~yaaUCԋ;JC+J~¦+%K,t rGLr[1_1XMԷ}pdZ7sAm"ٓ51%vczۆ:]Yiɪēx"pVT|mLH~*9]W4"DepD:Fg/A)j\$ecZ3:hD夿Dj@T,.XX,˴120`DLW?!V毿pxqI|fΈ]m%'KD;k(`*9'z8 +Ut P {Dl@5+n1*aK8DH59qs.ZƱC,oG6@wd ecoi71>qDbxp.?'f"krFg9 (\F0UaLu%kT1yܸ6iz)CoIVfiHI$ȥ xEm=ϊT!sNI1oW(s:`y_83 DCI8E`r"TD WϵGBS `LJܦ;Ew2Qid06O` '=r6lP26A&XT\Vr3=d$:kCGKUbc12LhA[+xF6&e&4 #OѸ>(i߳e֏0 DZ{%k|͓^AN/Z;~+ htGP|+r k,D>\`#phN"r\q:Et-5i4;X-`^KhވaXY[|@g+|qYے)WCi|j e T{7PYK|Ѵ֮W*ʾٚz=Aze\+܋/+lkshggP޴1 U˘:9(`P-p)@GqI&IKd;6 F$Zo}&4N7\mb3FH`-X~%BWdzN$ն~*FYmEf4maHJBHU |Vv>U}hK8q#r* #2f2s*ҞB },LhS7I6ّIIY/]YK$)vioCײKV ;K_;, cuv'5e'ZaZR$b ?db4NPV9|~3N 4Ih0`'O嬪SN5[]sA~`5=]gCE:UHsٚ4qa>mFZR Q 'v{*RhXDܒ20m:1ٛ3ry3̍aUW6al4 %)Œ CG2a19sl#^Ac&.lfF+HjOАH\XnWa (+9V&N:IHU)=SƳ1,%؋jZ;%v7۷5Ѷ8wSZ*7v5ԣ ͙i{v*plbL2_ةqcan կa,5\2Z1^ynuse˲>QfpUHaLRlFmwńm a FUh$m'% l 2Q! #"@P ٫Cw=jBÂou -wl~ɱ($w" RIκK{~M#~*Ee0 S f`kA\ =֠XIн4ۅ3|ZķK-MDn/½Q,=1v=iQO`kۛ)?̆M Z=h8hBv?\=oZIa-x؉ sDai#dz,h_:Y+_$d(qd1vw6<ˌ+>cMYFqLK(E!9>4ٺ֙"X=6RL/>w4.mŐ/&Lnk(d:- Afg\tiC{r{/cN.J2,@PX8 ̣f` 54]GXqJ߽McB>hzJ5Nԟ F,!'JSѕ# ,OD.V0{.|HC6WCVՋ3'JgA%SfWf7gIQ FnTY#skZ%DBb P tޚt\q'ɓXy8?^RXʅ,ER[+o@P]_VbUC]-cuk/y)֛"R<@bs^ET] !>ǂ-¶ Y,SdP'UNx;mm~!DTJkpab`^omHqH3 [$Vt~WߵB>OM w=_8q, @uN +\'AxҞzW8Mqa^ -Z HF˧Pk6TQ8B8fp=qR12|0b+n` _} FRF,=XZDҮMQ2EJx 1DËqb+ӟZ a*,{BUNW >LZE|[jAj*ǡ]@Wp:F$"v:Tg.ƛ*i;ET&a['[70iKh^k"'k_G}+i0W>Uh|~w|K6'u9I(tۧ=1j)Ѹ HiZڌW`!,.XA};R4pԽjbDPN{$̶`K_GJ%"S_$-K6C(Nᵗ70_p+؃evxE_V$>xbs9 S:7g./My'%}o~V߄REfrXK4^JWTMj3B|;&{pVQYrUuN]YԨrXc/ %,~YLIhTynFH#=Qr ̞lp4\CEYmRH Kqc\쵂WQFMx_rd-~t+_TvY|-\ HY,H$6Vuc%Er}P&5'krѲ7L(M Jnae2nh|]y }Bl/h.Ȇ+Y3=>4Qb/(ISe#+ \jn Hҙ`-;S v 2I%Lփ>3īڽ>Cm^ ()+R6Q0(R YHӌoYƗs[‡糳Wum7")u(A߇NJ!X nTjR?s0QCӕ$ 3]fQd"Q#A<ҫY6->JB!$%*A8OfE y| `)9Bl Op8k SB /ѻ?Ẻ2X]V 1,,!4uD!A5WdqDvhmofڻN/LxOÒ|JUl#aI>-2!Ңo d H z3D8..Akqr=,Vk"*mhZ5w45gGd&戏 T$uHjѶ+,2j0b0 ]ݖAR[N"cv%X# `?}"B `? ̿/kֲٌ.K1Вg AB]5$YS;J 7> 5 oMZcR^_6fS{uIȂk]r3 52gYՄE+?؎ܧc]m9Ù͘S_sjw&'?N_|CJ&ܘYvyhH@5x#5 /VS޺NV g~iK4P(HN(wͶRt ]VJq˜b$;o8Ru{>EYw |%=yX/4wݥ-B37ILV( .heZj5C]n9F_u?64BM};Ovjo gۈG+i%Yș! 3 A.~7Y_hv^R pM؊m佡Pw=<`*z.ĸY?Y@w SRUzygᲚO]L2'~S15#ԇpB +2W~[u8@`Lg<:;Z΃Gn(=٦~øەg~%o`%eO1`5j(%Fę%("m ". YD_y{<s v}6qd #'`cJz3rPtJLVڬC'FrBȯfVT$~| hw ːs0Yۿs!326X 9r!{TAGJGMnD! gH{.<+[B@X9Ǩ_}IBdts *w=ߣLԗ@N朆-M!)_*;Cu$.}ϻ}i[њ$ܞIv3MZlymK1͚ITbC(-ԛL>7c+_^(.'6ɗdc8ΜTy8R* ~K 5ݣhg;@*U N/ PǀS`0vq-x?e{/}<*Kͫ]M,qhF ]GM}"E͛@*87^JؙLFĊJr򛓪iߚuuٳ$2NjE/l-YLšB/¿Ŀ xj2=X01X\G=S0Ee,;5NCbR!kYn[\ w \}j`$C ~Jxv9,p`;;,U"A}r y´gL#+)nȂ%#a] $^ GΜT [(i|[r67m/l -*+)zwK=;0=$EKI#O𨷧:QX L7F5Xgo6zNݲbT_/C7jee\A}׾QGcmHa礩p|1 Rds6<}Mϥ dR8dLI*x`F 6h5TAWCD ZJ>Jw(Z?g_}_*Ԕ7Hd%'e4]@E}+}zו?³V [a?7)WRpBI87̜aC*6&=  /HE5v$*\t}d[v0Au$:#POltJ~ef r8@/g[Kg.Nށr `RVS:@xm9D2]{B*%H_"LYnRTBwW/ЩTʍa \lL,a4ܿ1 􅪰p]I 65ک80ܾO">~vA'V6+l3D@U. |tj-y;\m- 2EuKvU a,>)NgʻȻC7ڼ$:6}8D>tKA!zY7Jx{%6=E|64wnLR ;DUJO\[pYСK JUd aS v|*k jauȍnq-T>\G%Sh- [zйv<Nס3$ g7D8Y~̀s3޲O4ll3sPicn- `dm%3_#0:5yVJ8AO( [oX\9־E2}I ;eV :ᖽȶQ& *CC4g)^76,oporojt3V}9l8n|t_Jp nf 'x %Z`_z#gZ4m(E0\A ܵj' ǃx*щd;t.YӹL0O2dme5iZ(Ћ0u|/x3t}ɶ;kl?{hj{1Ygic)2oHRzPf6Q-3vpg+eCEҎ<)o7R&jPgq}ƠuU6F)⊍")wQʽ,ήI^u.[Z6]5LxѺQ[]e Arh{# -ăD*kcR;=Ù ]U5~,Gaz"_Bj\}3'X;|!vmKY P#[+`{`l%Q#8%cH=w̸qI ɬC w2J]\~jFnɇ.>U6umovF<k7 5z&ҵ.-[$)p x[L&5pVc~I,WtIcT&y Tڳ@+HpCxzwʒcJytAr1i"F~-װquP[ #lp)A^3u$'J\pHi%!iNz:W'p݃N-?fE%܋ sÜ%xm*r3GǑ]ZZ?'Iig|8C2Ivޒz ]ܚh߳Eߌ|_ Z,thY={wS3 A3%4,$Ee s,*6̴~!F8v:zyFrNQ[=H3r7yТ<-I[uR# a[;qQڠ/.el2/c7Sn:N[t̯(* [C pA*wL*^nm)wxb5{k6K;9M`|wqp{s4RĺbfpS2./D~el.sX$ϰ;(fFJqއ8Wfn.VFPEIKl i;1#0ن--Żk#q9hվWGn(ؗaiS'"Ev2 ]@ى0tZTQ, eQn,LAt_yb#jy[sǶtUh]?Rݺi-d$k;hbSAe=l jw!īIu^:FQN{ߨ o *[t=2$BbUNL {sN%8*jB:ANo&]9'X"nG4Tb(Q;"를'$ ـ/>O#HW?Q(1hA/RFvŽQ"C(b0"zdPZuʒ㒥[JK?*9@2+Y~nș45Xx--HU#}mtM#I3i]UQ3*%e1zs BS5 wE<R ,r=Ӹ$r)ɞY6)`_M*-HQy/w*xY&|K.I}էKvր%KbEBWpd'{E7ѹvy6`I_JBJDV|>bjw?sKѢɡQWMKB~Q ?E‘@vH/ ?/!ˊ'FOX-e֔gាY@$mQ׺Nr|RJ\u9QU/^9S%!3Z^~ vPud4C^7OB~F|o_krTAHz U!k,?`mTNv1^V?p|Aw'ۜAcí:(B2"u(K|őTwX1ZkOt3Z7QOs7?~Lv»}z o}D1~ƚ^ϸxZ qOk I*%NH55U] 2s-r k!Rqc+/,yR͉o xSph'y#6 ;:熈 UP ›WxOh\Y3 icRe/eӺtȦ<ɴ26Zފ& !C.+N34{}KlsL \\?5j3'(E6nxSRmm#`\Ҍ7$|OJl0 JE'|@|U-FpasZr՗=e0!.4\O[QOUh?Zz+rl <ב.hI녭*ę‘@sB 5n mEIOW͈S$S ^ -4#y*/ԗ~ Ą )ޒXX,UB-YEP7W)%Z5 o$"wYb=b<Eܬ>3yC+yA3|FAz|y;_>g(9qd"!5G]iOlmBzD7Ed"IctAF%`OH"Qc@[#IǚOt6y6|5 .G"}X+ % cLs>C 5$Jڶ6(20TG6ϙ؈|rq.ʃa(AC1 VeFCߢc2Xw!J3ҕ <63pԦ݀_|ќcˊǽ&0R{^Sċm:UM R(DO?_Mdh2 _AOl6Il񧝶)*_h[K}w|OoM:N+YnꕝG+14ZP%Y~9cl4FG߅=voaL44O J6j|wtFٍM?q(3q6RY 2p@:~ĄP V!0wߊumDdѶEsm{x[(!]U/=x 3p3$Q`?-o(A@`(Q k(tiAe "7,{;!򉐲7~ )P /*|T[]u"ߥ-b7;Wg7UDܱ; AԹOڂ G?vw!XAXBʥ/w,>RwpeG7: }΃+% wh8ptw^|<ϲacuҟ) 3y]z݌=#8DY*r6 VlD+j(F}ǰ]PT=\[dsa R Y%b1_U1xYͻg9M (ĒUQ]r AJ9hlFN0=nmoYgHG'uQLο'll#+b*|;@G yXp}jT6% `Xh>Ĭ}8:rlQMK(HGߠ˟p2OѴb_DIstv~𛡲#RN>%<7+TqgLa Z6m}[v{Vp[PR6LW{ xK;HQk, K{`fY,-($ Ou14•YR* yVzQ0|G%T ^6.1]L Q|8K ayƒg$,vyܶL򉟕 #!Dh;:n^Ct>w\4/{G[٪P?>ȸвF[/@ӭ#Dxfۿ"٭ KO]z4G15Q-h(3z"Mx(vlMeIQ2zѪ6 .yъ8ͱXD\x5mR7޹i^ 9>2Aw.!U}BәHe'SM ff0'UQZiI֞*>ψPPVz)/KT˚`>=dK߮fX 4h0!yz񴀰h[")kEȍl![-^P/U[[o[%6QHA^EcBZ ^WQv30.¸#ME~y Yl: > ef` OEʦ]OX4},r =>L],6ڭi+.OZcΪ`HB3 o;bn-wlwEKdnd\ (sQ*ﳣp`:8DhA. 97(b= -$=:1{ ~=O/ܨWjY4T`ZZx/ga؃e7\.6f{2ȏLr,e%3$BCEoNU)-Y.ҦRK,|WїH?It`Z(TVZ8b6!` Eznɔ)#(ykO*y>Q"Zcbw¶[`14{HP?:i= #m~ o:U}ɗ7NK&E{c`*%k\OF!W><s?LrNfh54ʼZob PJWZDB+pݒ!ymw[KtϻR]hEq}H2C(xrj|APL:(8~o8cի5o(0mZS&y xV <l4{P?nSл+[mrO!Q'3 "Q:s8sX2x`#}] ve#u;Р(.ه2kK~ uɔQ{n$%@;'R'ӛEG  tZ{;%#e6^^r6y_ېl2br+f(_'YX)1xD٨(߉;F5uvLW:s'bv8U`kolAع$)v*/6sv =D˽dg\Q ."xH|8Ы| +wx^6F:@<_3T]tn&olH܍Ƙ"R[lUWV(Lq~`8O۶(]Z~V`ʰE}#MBh|.̩~D&a!ظL-StL[6!P$,USrvmʈl 1E$J@4*Q~ pqQ5N*8bWZGna/ 2zw7 2lPF(RfTΐU4!b縹r1tki, Z8N>a/q=~U(\ ÍP'ո=ZjE;T"C;姹\ P.B#4#0˃ɏ3e3l`c(?`"Cxa@Imxٷ ]A%6VzrII`a{&3G? 3 eth0{oۋ%?r(߾7Œ"kA5P퀙>+C7 ZYLhvW1Ql(.;\{Ds VBy>N9]H/hڵF{LL"~mT6eA7!?_J3ct=HRu;lPsFLw=RZ,_}廙*-t\ĢK2J}aAt2s 4!x$VFkWxKE9_s/-JZmez|~_ I_9N0L,7޸,7$ݮLZ LM&,!ku/hUӇDkM4iǢmxFlq;*T`[ jZa_(較WB @D ( kF/k8D t|R#iFWuTĸ!­tߣF:ճ!^l"{՛ Piu^ra?r?#4p ammB`fٿqh;jP@KrJ{#m? ̦zsU[s=u->NF4~,S A7lS^;x⨓w,] be؍$"y3 &pom59ߔ|ӥ[FXh|yG (`͐aC#˖`)Nd U [lڛs"፰Sߺ mU&ƫ4gVT6Ċx鉼]|Kw8=f)3wS&LB..ȕ›/]0@;Џz×K)ȱ(g'WL>M?Yn ]b!"iڨێQM$}2 Q} V%áf)R0V$*pϴMTG&ޜX;Y$0*c>n# ĖdvN?'PQq\WzCg߆CMSB@YD\cbOE}XXYz\i*[lȬo\ b ԓNe}O$_zP& ,Syݘ: e3-e8-!(ݷӅW{nUt3êIC%xQpb?KQo Ÿ?<Ү}w&qKAGK6!2%X?QA xeGLVxMFy6%JYmZ߯dPԁ_"Lh,'flp4ag@{8"ͼ~UZ=r8X\&p26( D8ۓ~ݠ3/1}~?'Q>'(7~0*cYsi6Tc,S¿J#;eXb<8m)HVaJ?15dTZE׷(< n{]_w><4وx~KQ} QnsZ_/⻐ `EFK^B-D_ nJ{!(a&z9'SLji[ {>ܡ%#?/"ڷڗXk Rr Cs&Ґ,I4@/>w $/poX&_!;FxQX̭@͓4ߋoZY6^X*NO|GȪ} Ip4p7HඵN̺- 7@: gI~ֵvMfvHXPJ.Mҡa/uFgq4 fFyQ ^:P3Η} #JRBľ~yn)C-I2vZ+Lj}7] G_MxuWW6qJM/sz Jǰ]t4!YS LL@JdIف/rp>;6@\+DCh(T9O7/7JA[70oj\]zIg_k]aT\L !^yjWV ng z@f t ;O;t8gHjYm?^׷BᐑʋH^@8aD9'{?m'յM@=EE =Wr(R!gRS!m 2kvI6% ]UWko =D[\w̿ӞFƞy`w]žÌ`"dCk{MvA k<7J oq]")q h _QK8fwd}u0'X*w~ŋWe- :E貖96Hcm.YXJ,9Qk#H1 SXsI!DJ I'|p%˯ߚ)dr,'7-xd*e6ĜUO*Υ[+ytqHFaP C{w!څ'ְ>( ї햧%ZqaYɽhȇ,͌X4ΰ7Y¼L" Zꓚ\@(v򤈹F,iazQl7*\<8i]s!c( S'W9E%d\2Ϸque]ITKf'UEt2ťMD)PfrȪ +|nߩ_Gү0~TC3:w5%/W(~nݾ@hp5CRB*}j:-9r_3zKNnQ/{% +oj11^zrgF?FJ7LPۏp/@7WEX>*(qq6 [`6&n2Lކi.{W躕ṉH81Lr.VA¦#]Gp@Cwz΀_?e-a 8Kٍ7KJAL<ID'$8G e୛$}" F(&^* C35#Pp-'Iڏ$K@\/c׳S-QGE9 >U#%(BмuUnsvAEt\!en##v֨G5ApQ¡*r86Gz.Hx \W"*y/Ÿ%yAKv?Y=gyK" ͵֪4a^1>X9h S:,%:&0"}>?,˷d~ qөINb *ԃ\w|h_F2-VqAJ"Oq'|6 N+3%9HxP%e/ 8| x@kaYH@\DlGflCi{tgݐ g@(Tc2:Q{B#Q2EdžDbo@bc?Y+?'Qvc?W<Lp6s5}fOsOML@\ƣtz&W O 4b >!7UAZcZISt(]ѫ:(\m:75\Vylwm=^7mcSIE`Nii ajsȻ0ewfTu2చY!KWRB:yyqԹ jDd0PiM01E =el[W7`pU0EuHn DFگt"EZɧ+;zLmyFZUU$Wo}&L.;(?pp!Hu^GY֚l(06g&%Sxs^P[w-tsn/*ECu_juMT2IS dYnוHF IbƔ\s~Օ7rΨB"'*6Xu~1g<ɂa@)Kg,k=S(vw?VH 76J2g@_DJ{g#/-_0|HЪJڮ{66bquY!$>T+?Z }Hеҧm\si` jz</Pwf\>`F8 Ħĵ(fMf?'Xɷ;Ħh"Uy=ƕhJe 6Rc?UWݒFl2N}R$B 2j6%0sU* ' mw!(TvjPYjD0_a#CZ8^Ҫ@eBP2,*W"jK8ČBtj{4ZD4"M^כ-,(M٧N}oE& 雀nN&jhf01[\S_ˇyA*V:P[c+ Բ(AW8A~G=y 6JgzhqL[d[@f9'5!B%G#5;?nλFF =}G7_LeՂp! .i@L ގqTAwԮBvFBOX)E) Áޅ8 jV" ]OC7OlҨ`Z_:uo۞PEJuNtR !\Jӌ:nz}R\5{W#+ŭ#8n 5#uJ݌,󿗉#5pujKc25m48?5IntּNy~?F̞υ/N׃>t;@BGƭ5!f ^\u<<9)UőHEKwnklSD~!yonA^=Ksm]4ߠlЃ5SR0oVTo9^I;.T>f@#p,Lh4d!_y6Vr =n Bp sɇwrJwF)7+ ֘V5}AfjQj vmȉ1=1v6TԺ>_|lqŒ42,ːlTkw,ːl?ꊷ&E{ v r;*FCmQ$!ǯ6eba}M%QQo3m^3>y| ;FCe*T\LS-/iд)H3 Sy!snA6F=?lrf]@㆔Eu'S#w&WbY gŨFƊ*Ǥr<9k[ 4_*8[1oO|K)( /6ݭI]JlyS0P'VGs؄wl򫢫YU ӹi/'W߸DvҁGF$J%W#x®$eOcˁ=:N#I^<-c}Un;4\v~[˚I d(*:of+>St~Dw򪩊sB тNX dQs= .Zѵ{5&EdD<0<@oJĤױ &SrzO`$SYiQz0?wr ?{<Ju9괁b'N=L{ !c)eLHr[Rt6obC͒\O(N SQBieh1(2(,b4XƎ]U Rjwzw{e._ < ve{7^դfO>,԰kF,;bABuǂ)9Ļ6,~!IW㙦Νp[㄂ȩ(ɧ/ 'K^%^Օ +ˋ좨aSmJ׏[{ *{k,F>MPLj\JϏP=+eR)Fj ކl,Xˌ\)e$kK_ -+@>f4B eIt75| M o>Rk|ĬL`{\<6 Q38#ř=>04Ed=ۺUQ? ̯ °y,}_1 Wf=ܟmr~1ylOA ]z`@Y)֑ѱM@FAkyt?n`Ndm8y \"+/~sNn:0(k$dxMz 2m.돻H lJ'XOʾ-G&IW+3\>l1[b_)DNE̤=VP K=C9|2ְB[ZJP#,jY9SQZe _"v'Oaנ]n\/?x-Gq(Wx5 @6M2]=t[P=s W1 P}@ ,9 q.HdIGΕnh#l.&$*z!6'ɪ}`T5e\ DAhшuF mR]pσ# ֒ 8rhҷ:Ms8XV?ޯT^EK}Qܚ07aX܇¦/e^`3F\T02 ]XX 83 75rU߷(.sYS H  P`& K!?u+UMg¶5"$CzJv9_LfYNaӓ)1ֆAADVC IlͮԈm5'$>^оez*81ޛ$?%7&0)bH/3zecx[c).͋?=ªY7̨-C^ /*=hmGb:IF&tNO,{K,^)zkumĿA:,DPk~.UZ/wa0'|Bq-# 1sU(Vo7q3H~Y?kg;3H{}c>m݁LΑ7yoB*v@&C `t NB;HGw,-O[U^H.{7/{D1VJ32e;0tUVuf (ڜhOQ qD" *$MPQF"lQ+Wj%Y43NYEȟ8~bF] w`ŞݘY$7$Ōւe-dˌlܦӨp<NO. ׂpdLr̵;ͧTmAsr+[:=QvjΩ!:a&KCBkR(bh @6v'N<*DR ׋\esʥ`MM 0wNmF[ )́c2(]/jLAA]J6Dp%Lw ]2n ?[sIC@U +M5ʠĘ*Ű/3Yζ[JJʑ I4`*$=0}͕6 9oD̾<ĸknvWƒpSr 87jStklI*jgW'|ͰH? E7W?&_J]m+N8}^&[g8o2؉pTTE hRLS.ǐZH,HZԌ [m]ev0wJ[ '[P uq1Ϧ@s$hC6AVHֵkgW ] n}0RXj0l6? d/w K>@=XDg̮#TqF6E$1zH52rs(B 7C3Ꮥ95^ZҮ/&{MsejRG0qc!ӝDɢ;$jt1"MG#2aO_,kE0&("oΔ hHop,_soT͐Ug>i2Drvx,N ]uv GIje_^$W]&`H$ Jz(Ի)&=M̓ )T3|ˉ|=W{~$]dY+% kLS8ñX)m Qp#>\6%tIMAYDժt)&Y#43!1SXrHH8)9֜ :HnїƋ){Ӆ#dZŒq]pq$dB?bj*?! #kcE Xk;3ܢ΃ ^9.KX]z~Kc%NFji`gZ 7k.- J$ĺ5tprAi}{[iAԇ \Z|"Lk{Cgi 0Khb.eaf>O3#Dx-C{,8=YסאlLF8 +~H2#NTGW Ob._+Z4 ]9t֪~}veȑ.'fLf`l[=` ̓xp^#V(fFv9Ky0[K&jkbP_)m 3H[.k*`>,[$".~N2qJ -2hE#α'U 77Sf[g'0{d/{H]'lO6W)8j[T%:o٠Z0*I_ dAҖz'U<6V&Ug\4 )4+h;o *h*Iqm2؎\ KH;,n?Am D7Ni:9%) ` ZPZgZ  4>dedSd0EC=v2\Wd*1!Z:X3AGpה}+nRB/{n=9kdA9=%#Nh$g~MJ bUeZ=TݺbH$Eˮ{!q()g Qca0>nO~zTĻ.y\E - Ox>'fQ0Wu%Mm|r5 ?(Q>#X>Jܱn^ٱ>c&xMã\h JN:H-΃&?j'U`K-,aC߃~ˢ@Rd|E~S_:l$JA'Y(Idةٌ] 4@ҐП7qķ1NΗzt\ޒZZh?(6`m9wcnH[6*hfߏ-ʵ/BMGQ +iq_ 1⹺=Q5.^xw /),YrjgI&Um`Zc>aUNn -mo-h4+7=b;`@ @3$+o&>#wC!v17N!ټ';$mgDzKFm&d(@D\B $U q(!j@|mv6.e\U893gD7qD&z8gLѭIkHh@ j% g2I:E 7l: 8uLXCz1,bFXR-?,7J9V@'\k}97QPedmNN:Vy 1̱6Kg)Hyj)Fzqes;ui%R>4×]RIQK#".BpW!mחIԦO[\asthk7~,$ "V&d_bNy&{?/QFӁ "1WԎp;$%2oS=cpD vTuX޺ A< Qy4?}ۤ:ˢ4LqA JʗT9D|j q}݊zhg1 Cv\Pdy4o;n]:;^)!"o⭰X\vvUHW c~i}3oя,Fh9g=AYctƇn|U`X0M$czM2fH!|t|ߦZzi^C[ rpZTܰYd? xF!I%~h~""XٿR$CʂN;f^>DX$ w6=W[/5atHké/zQ>vJ; jOڜ%yGٿMef) (nnq,MR.+/J@5ȫ7#}Tl_5uL^'aVJ##tQvg Y]X 6QDg裩 k_wh%|z4jg| WoΈL bds-j9Lj.PF1}D. ꍷ\@bs!5o0{eTGL10To t(,m=`76km"ex{m;GM8_oN{y&Zc˱:[Qݨ$i>3ɓtL#3ں+q*_Ǡtj+}bӂrG S+;9!bĸ+"ZVƷܖp!g~߸bA|EHA| uj戇?PR2*XY961Am7CVƬr;T'Z(oR-SMIKJB:邈\/纵ް3_Z{ YUt%HmBYF)ˍ@Ϯ ,ԭi\T`ؗs\Q[ChG ύ@z; gd1%:SƠ BBOU>񡑃1FKǾ?JmGS$< #;SCZ3y@TO˧~M-q5rYG4*fb@"I]!d70RԸ|q @%CzI QүQs#yJa!i{^02{Ew> ,׸=6{-#|)hZ_ǚ;8I|ЮVLޜt|g?X2 TQ8Q!]ſ^c`??U,E`;%>>3MDj{$=!!L!H >&ςS۟ot]K"dUI `tCQH#k|p9NKZTԜ_W= W os|0Aρ6ӄ#؎0OǤ]81ڰ޶NM6Lu#n1\oA{LIE@*mpI\ _%;ʔ5g8ݖCT\I r$1QUUZ 57p9p)4)FmZHw@OhMau C#W׼C666S:ȔE5?Ne>{&D7đd?:dWϣ>i 22YT+6OIQQ{o_IeEHf.f`9TqpompN{F8&06Vs!pIJ.raM2rx'*&L${~{k:\Y X>p Gm Sc>CC<(εOPQ κAkT|݂Y'醯WrȄA_> l™n5Quq8 2aߓkHbHn˱6zLk;vLYBLuo'-cE'Il׬B"ҝ2sdm;l[hAq "rgUA=H{%nB0}B\S4f`n \sVIW&)Y" C]bA#a+ygPHҎډ ph5R{w^k.U>nF|o%֟/&!Wab QLs \>y[#`Bѭ:" G{=v!Є3RřGҧhɓ\%?ȢTaHǧIb>HmHeN72fXPVC-ů 4D5amFoER]v.nk$tS/'OuG-y*0>$ZY3ķflހ2[2)< 4sr}0TH={1M}%()}.޾O!cwru#:2jw^Hg9)<ӰYWVCe;8)V A2nMϓޕimTHqH!Z0-<oCL^` C`?^{SPxpFZu[呚Y`Pbglk]'Rp XO8U^`nmD=.xХ BNizYt`z1 h`@vcGIބe$ͪLf:߷+奄-mqg`'U/+=Vvu9)Q&ț $&Eh!jrSMNvRw t Fx!(_q0aYO.\{& j ОhTW %hw,"JAS:E[/e)sw'N|0y7*B| &jq @W$/j2>تYـ$l pE`Z}^Q;Tjȣ2'RóP&(^b'm$=p"* 늼&hY5#ͤѼ8&Aυ+{ki8Ed#0;Хu6- V>-ƔpncK(iVMmq H_U4dz"f3kJ8ϓI曮Q ҏ.L<~AҚw%*~tbQZ̷ N4ᠼDӌL)+^eflƺa tUi呂ϩVG=Sqr4-a(yЈ| -FS>b}b*y|VdEksSY-_d˝NU"k$˒vJ7x_-"6NrYdMI4fW~Œy[両!+3{C zb'32>q12 &d]}R+qsd/ S rB}p6fqx+`(B9â~ere(DdXfYE/VN2űv^ r;R"^9FC/H8$C=E!ܒn A& )ۜ03.WOO8lcYEƓ*O'-:hȊCs.ӎ,5 ^G gbQɳZOtE>'Z#=VDvold(?*H[ܶAwYuOh*70~Ic-4M7p͞ Ui}6$0odIO@m2-WKЏyè/0q|Q-;?-,XuӛEm4ud 1qPe۽]'lu~S3}E U:_blcLcL"kH1sx{D W;~:FΦ' ,2"84m9 ƝX誏74 SKV~|la '{T` ĩOdb^NzNqe$e"Vd,G>?-|[ ^uEY䳑2R,poxDǖ:Rm+- 22~Or Z0P%SHE S_\uA/f<),j#8):..z W>y=Ilg"Ui Vp$uDF$SZtz*89̨d.e)o*V㡍ցw~bJTkhi Um՟ ke;ݏo#{ )$e`ist(=$>&p,۩h= I$=իkj5k]!)eCBk: t[6?D|hx㭪Eb4svQB)Tuh&c-l@ 滧CK]'ǒ1TDϓ.j%z fەt:ge{%јǹ_Lؽɖw._ a]Lx </-5Ir*@s#6M}`Yr,(ei>L:jc2KL hqjZ75*{Ka߸MˑV#.WtcIힲacMR<\2= #`؃[c¼Tƙ2[6.ԤV vB)aQ 4dՓ 1/PV1/9`PvcG+Vabq1V R9`ãb-?wڸvz@@XpEq/Px#S5RjJFՂ)*7SX6nXRkHTj8R48ISE֚ժ$uky2`&H;EHrsw@?3֐9ŠIu!G{%E#]#x0E<tFsPcT6]2%iF;S(2zDW{ ԺMCG5N}] 0w䊓yfatKa,I#[kD2ybƻS)*ݴeo҇{(|U^f_<3'苲<F5(*@[Io,hI7!;h%3k f)ؠe}Wl`|&2זev=OBBG?`x3&&Bu*wϱ*N;nq Q^.!E;[Sgwڍ Wx) 20P٦Ώ@g.o޴P.!;VnEaZ;E7& 1q?#g^aXRh7Q;M0d@j"!͡?'X`CӱT4ÈzSɊZW>4ۂC,@|0W6632DC[!r5M/,h%n铽B`jt? PO|%\3 !='v]%0i~bI DA4OdX"$l6G$3JQ3'3q;=v9. Ps;$7-SAGDȮu\PY_eC ?\ݚ.,c@ZW奻0PM[2?\UJ 8 f0 "Ӗ%?0teܮSI=uŏgVQ*Xw01lr*e6 _3٨] S(yQu PG.xA!#a;XED22ty2_g&&M!uAfΘ8h[nVu;|grh`ٙ g׹:[] --_7R?دN 㩚')=Rhv#mX%㼾q51UMdCja:x:l0 GRىCw%rvD6kTӬۙVT"BzˁQ[ڕMB44i!eQ: ڔƇ74 '*1/`KQܡ&s %6P; JWH|SiC PIlu}2tL;Bx{>ɝ>\La^);(П 5xs4yb'=Sv%'qD7.mqݗbv qO!흚tB}U!L%=8  Cjc ^/̤`=ώP*qeWOH[l6Fz:LfھN,C+’ҢɃBđ/}Xw˲mBK%)<C, @AElcLaP4ݐoA|BDL.L"koV;'=$V2Vq'pSkfd>R͙j܌K}bxEuhZ݅\kMbGS 뜪bfCƷQ*Jetn>C%zS aVj@k?ƍ~Mj!†zxItqԑuX_u2lց{Ȕ5pMIX@.0Gk ?q~+44J0kzv)jUe\-,NvoF.Yp+;a'ɞZy?3#q}k԰Je, W\u cf'6S E%Va0Uڢlf o)~E܎ 3bqW:\5@ V<߬鏮HgsZ"r8Q\FU-hf͵M;L'9>1NsU!@zGUhֆHbw T 2fmw60YNe0 !䞓( :01@Eʧkp& OOaWmG .;2[F#GjaVh[aR>/xłe~&1hw'g(̸YOM y \pEŤ?oIUyα@iJeY@i}Y*oD'j76J£|ƴa# ZkӁi)H> FN;NﮰdySi.ѳ-{%5*ZUTxwkumDJ!AjePUgK6\/6(H<@7 cgtmXS\)l_ qĎ?dXb=b[ -Q0.D.db- =,*~]}ZA5޴j4 2 Z҃LG RqI%.\2er#zڏlIssvgnm/nϢ1 < #嚨2ߏ% 5h~3؄x5X#d/Z#g^xæ%CJu2v #boK뷧Rղwgd~P:r*lO5! M., IUڭeb J}Z;cYwmSŹ%laj1.VbBY_N~LV:|EJ3;wB PρbbQO΍9, h(6e8 ~*$8/ԙ[n* ^cs@y`Xm SHet7TA{ULdw /ARpY`P=壉kmHtU.45fە`+P,x„vA.w*AEEF44wNӹ /B&haKu}VARJYcGH0˧Y:.p'h}q|!33ae(̓8jVa߱;;hh</)i4|it>jm{SpS*]%e{ ph&+q~nz4ĐՕD-5hhNz#X4U`_lÁ"̅.6Pv,T<N~-b<vJK֛*^ ,k[پy!a 'M 9ˏ5c@GhKܢQlg^$!߲h[#FoL¦A 5(V=S>hI! { LHG`}^ϝÀ" ll՞?k LZB:V3[vx4Oq!' H[3Ġ:Hq~nVhG7|os;7xΧ\(%$NK)`reÔ=}6E)?H55"k]tPJoFF&US̶Q6uY }DqjD!}.P+ze }dy@hR"3"7\tֆ^m+c% Ҙ.ȱH7RQ20j2uS$qExtR瀎oS[PsljTH UlvPRVBtD8 #bxX1rL,aS[Wo_ ^gE,ȵ=ޱ!^B~%J)s73eUZaT+1| ~3@&I0=?tc(6?-MRls0Ucw[*T<9cƑGއ,qf1*(gW9ٚBHX}1yJr\T;6MLqqrjr+5-[>B<)Ys-nyF?m !۞cZOX򏘡Ǝ5Qfu< oI|!̂_Q- `3 ˓YmW > Kn= n Ⱥ`&nuN X A);Qɡ#po`~1f! Lg.%*1\XFlXw7{ j3ӆ8F@{% r(l7cK\500vJ>?+idɶwH+OA_ 1P^Qu,Q!]s5Z`M&6Tv;dLiABj^(Pbng[qcDoLхg!>럯՟/e%uaHJZG2ҋQЩu”j:Ӭ0u Ċml(b(gHlv<'W/2̩e{[);j7Jɳ>(8G2'zOEj% AmkIylJyP7T' RoHi@;H&J&q{cJV\p ӈy$;dZ&QI"=$ޝS+18 ;h˵T_2.ѳ 9&t8<+van!y:xT-jt&bW.8n-WwM.a0|J퉊ؿwoߓxWo~|] m_&2mIw1E"|Oۂ|w<B7+~V+7Oղ1`[8LB`ғaQP/`qiR H .*f4;WGf[T_ATyr%862KAn :&B@0Hqd!K5>PÓvguj$xi_%E@:y3hcީXmpEN#φ3dYns T"zNaoXQa(/qWBǸRI:Eti"`,$>kQ9N_tO;Ll* VjWK؉DZK֓@ |Ӂǝӕ(J* ]/ p=%&S\ Ya8/d.v݊jg|/GJ٧RGt zيכɺ.gjq0cEU; AD)ڠSlaJþf|ԐM < o^ I7iJEݳy,A/U:LVFƳ}*\Rw"AO)<H_AFqH䭠PWl*ȦQ1-;i|J.R˵1|b+ p:?H,%MSc: `S:+Pm˗wpɺ^ADW4Oi9rC\9(b,VLycN)9.-m,Uzm2:mH7f p\փAOܵ1P-y?Hݿtۍ#F ldD1Iz9WU{$gDnV'sC8H1ԥY0[9B;) 1q"in;?uP| WH:?b 9do?EN߾=ټFUD}f)E+xbϦe>bRddZrbr~HilǬX'{ :V6jU.J(g)R$g8u(N"*b2 ¶q2+r} ^RZt 1#)W#pNY(".KPcCR3^ P\='w2hP,@F9bwFygv@9$U^;-u `'!0ѠkX˼Pf\"}G(e:j+z:-Ѯ8ŋ :^"Ɩ2EA61@ ˕V bz-?uò%q`oRn"Um9Ͻu}Se!//&Ο.FY%sgrKjm54U:NcN4= D&EDxlEh-Ϗ8<].ԏ ǀW]3U;IE^\|>i"D\ER&SۀE~OnN 5(Ir}ĪC4O%شi㎊0xN{#?D3<OCOCCߌuwweEG4F8znW=]2zK@]O]^IY.* g[%k87X}v?sqzs2SN ^1EPm%h^VxVJAy>p~4wT @6S<?W5/UxzX1p)qcðDKotAp-OU"aP.v+C! Y ṃMzZ*K^6*F l"d?Rc^G#ÓP2;B+}c@] nnvOzN.0`At%S/SRZ#)͋T}q/íu# m.sYOJrMZ vۏ[Hvk`9QO 䇃〆Ӷ=6ǖJQq4rn7u/7;4._uv9\t֜Y3OMߺ xr̐BfFHnebR^rvdj(?-VҎ$oZgD*<)`#KlԐ=rՓ?s+#yl6f fH/{-bG?+A^Oj,KK")4a/Ee9ɎΡ4eikq9wEdTL>8B>PWߦdbƾ<'!FAvS4HF![a);zbyH /NLs= 㚕*&yC'wTys!4G9#&F(,0zLws&M{ӣFvcZX`pۂ*y1߷(^Zoo'#Kwgm#":7;1.&*u)ر J]%j@=v9fcIT;CPUJX9M?>Z%EEʼn+e13kD&ODu쪎dsgot~ 5/{cdC}#7^BtgW+3'V]gdV;+W1rk'i夺 HETnRʁhQ?%L`dR8jP"BujzY@Y VEWo_\!O] U~ANA m]f䟓> ^cq#Z. 2͐{}tr{~GoBG }?pԌtAt {ʣnh#*gs/w8=|H>?׌ &(-]ڭx>}a>;xI,(3kYb$<tv#Y8.rGC!LcCMn j[K.G0笴"d6K'Hp !F/p _<.N슠B _vQ@j׋GZ߾~KPZ:᝭FxZنLCU_66bu 0M9o,tޞ2a=Kp l7nApܓd7`6԰>a3}?#W2B| 䂪Qf;hvw#͌rEi kbX.ۢU7֧Xd;XgM[-JPL#X"זfjo4چS-1DRKVgp%&Ť35ѫGR ؖz`v>_q1u1ol^!~Ru.icYuI) N N'ƶX:ux.݊H0);% h\x*'+)QgRcOaVH4%x݄ͥ,f)}/A6_`p)B;s)3K-f(0ܭS=?N&|)e_NAS7 mPY-ln~T.JQXm2T<.i")Y> ser`YBJ QBF`{]vV/&d@pf`,B^5ϣN.n]ڎE8٭қOt-6Tઓt.8\r\@G0:29hb'- { 1M߳moꀰ7Z2eFMCEUrȜ̵sjfj9 NѕSq?޴GL!6xV$:uK' mn:'=iShHb(1- lD+S^u-ڢ8,~FJm})Gz.-3=¹K)2gy ~xfTmddȏAt=SŸ7_mX6;z;6]Gu+-x:ϣM8r<̅ !I/ۖLLs2ȍnwk}d)o"ȵ^ h3=c>KEX-xWwȝ)%9 L/q%֤FJw¿:&KN>;`v'rdg+YӜ;4ր"];+Vvט=w ZS#Jܝs/ Dwy^x=PF8A`$Ls8tR)}348#?uݨ+\8\SQE8qYTnd&xjk[̘!o=:YS%wipn5hէ2M@hӪ N[uQ5~iIɷ-zB/HUYHo7 lz`pR#JJR$eJ|Nw4\Ua*`#y˿ !Io 8\t}1IX' r ϲ"QEjH k^}YV'g 5f4铠Yٙ4 DŘؽcl'sPy *c> 0-@y $ϓTˢBHvim59ػ:PBp!YLEb_o!Sn5^1]j5} ®5Zp 4J7<)e?oQ@.\88ͼT3 ]h&$ o.]җڤGxF\'4]  k7˚[H:^-YcyBG14]vgqSGJ] iQZZ,3`Jw_Ro\%e㭐eCQg-IĬ  .Pnv'`9"mx{Xd]{=ﴝd{ӣkB X7Zv̱ɒZIX9osJmFP4_`tN'Ap7ȥBS/C'(؜-O Y\x_Wg Ƣ^it9Ң**h>`紹W"AurgWU?Ow1WĢn]UᇹLi DF+.u!luYſm>H'["e;UAuGC]]l-\j(O#l AJoˌq|SXZsD*B8%maߖ:ٓk]Ժ(u@rt9Kcu~,JPg#ǰJT+iZu,ttAg42 S(ܚnQhBiEɵc(0;y|K)GXW_;\Dl"MQHkWw}D"[9-zv=E+AjM%_qlK2(4(L YD̍#_gdBsWeay塞ӢMyDzFdF_4ĭjӴ~FW3.L}M4սw!ڐRE6tXt~]fdmc ʨ| ͘s!;lg+VۗD81?4bnwR:AVshNC%js %ӲsdϬyV8HHhldl =lIfF "gD(X_6[A@Nl;ﮱѶdȣFULSS^eUߎ4wGLi"^9E;g|NJ~=Up^ BW> 7D hlNҹ찎V#]vpiZbK~%άS&@ T]̜1u[BF$*am5oĉ) m]˙eYEM٤4ˏ4thO^-%LMf X{>Qc>x.x6IIbF?;xCƕRp^Cה)<m>q7zL@`S#7zfi؂"կB*r";%]ELa JQVE! zSP:IR ĦxކpSmٻ"DL8lЇ<{ZnCj#Q@"b\Eȣ@jQ<$݈̎.0\p  .]{ap~IZgA,nG|TjkF 2_wU:?Fp`iM`*U]^%yYVJU#/Vtw+b;$l2)t{zGL75P}]e't/BmE0=vʨ+ܥpi0in ѽ>hu\R*y΢@uq'bAcqa$Z|WlXfJSzM/a4cRFC]ͽ΢^xȶ,3'#m j%G]F$B1G*z9m lKb]hRw=*5hIq=0iUY6` NrCFRPM OutͷzQPG4&۸ ~4/$j8<<T&] VoRW"_kJyNٓ%SOї-i.' +yz(P`y y\vR1{d幋`mh֮J5 {HiLZQ쓙qF߱(FXӛ3?w4Pk.RRNjdq^iR;CKQY,< yqQR?3{w%."; g1[fazBuXbwq@} fCM/`emlJFHyZThkиBюW;]XQN$өzڽYSڣasqp ҟ^,9(tT\t&%t0l"ن3 W-3K=VƭL<ZU&tm~ehg=GOlѻwXlzEC;R> К-W~֕:*jA ~kE[Dp  V4[,{ˡڪ}OGA߀p F6A<U?B Ԯ>̌<8<0TRprkP~l#s  cp%|NfC~["ԁEEY'O+A <|scK[C%f>"v2ԋm4ٮ֔FM^@Et!! |'ĕT }X^k8Z XwkgQe}D_!vWAj8z/I 4ռ޶|8,̃lpBIlHuU2KRi][QXWxN, '`(xEek~+~\ VdK7au'۝T5ҫ4t/̆M+"=ic2Ʃ rec1@ X4*Z |G "O'AS PRׅ']p`w]&0[q\ Ք)3{hy$%;]c/=&o),h+8kf{ ;د@w$L"gv Uc=M`;͆j* 2Il]?@qiWGO?Q,b[lO] .~&4D 8:eYjlX1zwRv`ZU+{8W99T5GQLİdeLf?՜i|@GVsOP&yɂ4t+ ٬{7[Vja#/3T㸞'ѧ~Β0#DïOb[Yv̽ͰI wiu!HSB+[_+H(^ B%׭ƕJc1sptzW߅Rbam(7آ(ra4@ 6 >eȣ|V W``ꮿ_,pFVoЬ_3Mb3͜t]7Ngy#q+7>{DINaW'icr*麁2 @*" {$ҳMWK ,'JRBgJoZRLM#rO>*4 JϤQl}sȬ>9 5{\5r[\"+Ui[[:414f2%5]-\X>)B-Xq @[{d ʾu֪աXf@;F8x$ъ5 EM䭖AlDsI?(>CNC9^3[es40HM9dKU>6iKg]SI"U_kE",d խ$=D[iE?Hgܨ^,έ N83X]nÐBM\qn:7\%6ϣ>@va~ nr:*mƯPOV>XS^ +V8j-9Tu'5>;kIGnץhM"[ٞ~CNɏc= ώ8o=޸:&~9,EoC&wzFA/|4Ӯtbw:/lA!w|FEi.ZE UckPȖg %dLLW#[rAϩ#eG>BpЧ#`i]G".s*|tO?Ju61g`n@o Ɍߑ2UQo-/?+a.}|i q?ut$1xI:py@\$,IaO"dd锳Wg)(5P:gys^wi]Ɂπ7K5{\?9%Cn.Ԇf1ĥUjŗ162$CqݜTٳ5U!T {I!b.|B~g b-N".Gxy08),OW֭: gRzKp)&3qȭpˡOYuf*d'`g¹EahxE{p* $f}ҫs GOXߤ6-b5!@%P:jdӜP28`mL P VQ%N:G 瞚m܉[_?[|U}@ A$ fTb]pcNB4z>׫䭞9^5n)lVȱ]^~.Qmz8 [=2 C~zs#\oV->\Y}R)~;Vcq;Cr1jFQY6NGD8o깭$"Euy|SnUfᶷ]!\O> ,g0g+JZ8П"Y廔|p7)^=!7K-u_-:W ;xąt/ !C+)Sh Ȝ%5b2e* r <&:2LZӈE?.*3:hGcq2ZWlbX|Ia^Ҿ\Lg]:y;0zNXAPO NqX Co@7K( %$4j5L;3߬6CM ؇/-ʼ$E'"@z ^AN^v 7|B`^Mv E󹥸Us7 3S+XR߭z̓mW>͟|] t%.dgF(p=4 (|1ctz iJ{ZDh5% /Ӈ ePZvF:N`rҡy Ą|JTyu-G.0Y3:P-,Oq5Bח/m nIaΖL@t(Ǝ9ᚠpfs6lFdrzU\yILHW >a[;wBRkT_t-۬' [6thQ{l+BD6 0Q |4kr`g`9ﬖ5Ors;N_Xk[Pe:l^ k! gjүs`=D3B7lҾA9w *aRssTSێVGfZC%IW~0;*؁B#&|8V -# «_͛ d./*Hؙ'#nf^sY i>zOTY^^4Vr>⊂PA|=\@4V}CIX":9A(27><#:Pa-m|P@=:e 9/9s'5QJzŴU܊5 (IY>t4jccoV򌊾Jת;E#(΃Qt>؃n%z+ĽЕq3̌ef:$yo jԔ?,(c]nZ) Vk-PLTl'>D^>nz1Y- r3Ա6KU92VMv) L,DZM];q$. YpjN>ۣO`A\o9 6h}NzU,{{ 8'3h}=~|=lDu!DkʤJcOe1;%#BQǻ(}|g]K^48 16A2 5TO~H#MT0wY">2.z/&#DVPa86昦rqLŭc5lChy(T*L[W>I+*8-8`r'5 cj942@I*l>v谉bx`(Q2fʈ*k6 ަŶy' DҦb#4l! oX{w[)M⭨Dv7F8h!}FE! Qu]f(|2G ʾ1:e|c'C%/qOFQjxpDaUyd=(~6`>,8A?&0|)uAH6gSή:+t0):̘5UGa0ǂ1P ^b0;tz6|HMKYS! $G @GmK>nOA.zB^`UM{#LlepWoIvn,#PQándխPަ+^m7$z?I]yNhnLP*rXK<{/o'UK&%,$\RwY dK%%9J-4Q?KX-k2* A g&cւM&gIwBa-ou2( t~/dVܢD0BxOh֞5f\^ҩi]lf_)& rfv֕ |Ҕ*K*SөXk䃏\ a Y[ʈp}PTܶ7v0)C5 mάr\t9c+?V(DB,EYʗ6CЃol]Vi˦ q3Y|\oSܞ6;#w*3?DUa"û\NMsM`hbצ]-R<t-lkyL*{`7^PA \kD^c`!y8|U0VnսE*vښ8.z6QңeHa9^8sQɫӒ WIH{%j0mNsBxTOO8h=cAҤ41:w [ocݖK/wdkpm UkDGe$ߒaf 8 `ee}:'RnGbKbGi\F,te{|ZcgN~wFMBAXta(j*gsE(KYZ>Z}7\&YgY~n#HiJml)l(tWҘTlT\LJ"տKv"w'33_IYRGeĠm !5Pc,lݷokFD斥=)O zuȵ"ZdiIX?kL1Be7|mUxM=7ʾŒ#i8( _0/ǍWcXgT^O5q8H( ppC }{@TκA"n 3rf% _@S+ؐ9vHpyRlOCM9]-B[{Ayne &%HaF`o;c.Ё?S4Uc?* ;jj!-ss`K/Ed]_V]1\͊•Ȁ:5.3d䏹pÅ1K+`Ss=C2]m^#8{v0o#)Ü A_pxL,y߉d%apuT=noa]nKdNY(-b,!R|VиL~Zu ˤ7\{lĀ,Iy1 {T8 kЌV>kZ}f~!H]J(OO0f{t(a +7kQv>l,Z{;uK${I5\ji&ϔ=IʶiYW;,aTN܌CC ;s[6|BǬE7zXz Ws,Ăԏ lE@:&{ s[|:&<6q=2d ?f\ڢ(e/j [\x Zxѥ^"Vjn.xex1$2 ֯ԭ$zG'Ew\&fªf\9b8'b)H>ӐTŏ]5[BvVQ0bgZCo`Ѿɯ!ֆ$>ER޵2 R Xy%+kd;Qqm(i)'Շ 3NbrxnY<ThઽC@b3qodP#z{N$h udZD6DbLjP1 Ty^nU,9;˙c,RJ_)*|'w Q˞$ >3AOe Q|5#+?]1J_NhOs㟏xT*8lj38}Uw~bߦ?M*7*H6 ]vP ][-K|h GN fU{FE:HRj}YIM@cĺ!!'ݢݶjw D;ZdV 2kƄ6K㬩MPϙ$^B)ܔΧ}ȗfy-Â!vm{6ʱMqȌ=5J;J -+~_6#>)8˕_$ ׏LsԻ.֤tF*9|N/|L;Ob ׽x'3=#{bC&Z`v@RY ̧t[}yϔ֍c5g)^Tڷ6Kk}ZEYb/F/j7MM  r ^ޒU(Hy7.bܬVdu {mʰ"zc|N:i|"lؖ1>N/ԗV,SEQcЎ+k[E?acQua7Y]^QrS tj\eڱ4N HȈl?{=jԛQ&%|ic4P9|ISd~Ѩ9<+V]At\pV.*CmGn *9'nlF!g].7g m=(O4@r0v"ʲP5e⸴AVEc?sf=D:c _(r 39ōjrG"5t2[[( P_0&}.`WOhJ? Sd)zDU(oI`U.\ȶTT 7^n2T@H P }Sj 5G]g&㿿PɲL0~ZRGR橪;U^Uyo+T9y4Ҫx:5MښiݛvzH}Zs{{Wg(7iM]+0Gan%VmL5W83 (Oy#s$8}xUGX|ˤچr9 :ݨo0KK !O ,/ېqwoj3vvJ[:ёm0HqV{l1Yp(UI_Ah̴I*r_mami6.d^$H;LHRQpdj,b+y/~E3uto9 U}>l ( i qUs|`YXߠva\4w7R@uXJJ1cy> $+ h3ݛr`S-َ DhE4S `a&adHnmougnܑ 9:gY8!L/:yĕ8ɘ[-m_z%R%sZ"4{45 ݖ5[ dk[b w,T훈R|nW/re}6B1O›[.J#02kp*QEmÞ!Rcm Oʫ=ҖzY~W'A#iegᏜJo"v k>2Z4_,4hju%%7p)9jDȨ 8p$ν S(ԧ.Ӓ .]I2fmcêSoBF Aw?1'@{Laߎ:FpHn$(@e#y`\ L}@*YzEM7Tm}xZZMZ){{{{啢5򝒯;a,/d0omU׎x#FPHLk ?Ii;ˍ)"6Z@ )$"Ϻ`Q!66j.%}ۣY'¦FsWT̹M$PUx4vKjytv1~,EO,|p:4׌C5g'Lm;6ēW^zcϨR|}^ivf1Dth;|. KocN}mZpaL8-y-j`_IۯP &F-w6@\>!Sc ,=ra0`PB96Ƥ /tdCa?w{«8 yZC (cw'AAr.]C &=)caB²fK !*&B-@Rox_ob8OUm*&lvZAnFf~)1F 6<sm݇5ᬷORn>Xi; *Ŧ6izgȚuj^Hxk323ͺfKGRJm4(TFfN,2Oe\gZۗ0"CU#$b VXJhrwycrOp N#$1QaDO-?"\p(AvrW#B.KnU8\ڸg5"tub /jpb(@-|m QnPu}:3e!eOQ?rA C.ތvt%'3jSl9i_8G,*[Ďb3^1c6kY(,tك'h/uZdN#/LV]oh>|I= 3b& Lh{+>ӂwG `N+/ĤۖY!~ _ Ktq?R5 2r!(7~j宜Tf._Qǒ ! Ynq\'7_a#2/W\[`}X&F۶sUaX [ѹN2&tY[WYs!(6^i,:0ۈ\>H!"dZtWw!0!F%ƕfGp=0mnL FjGMݭ.WAp48wрT9'ͼ CTBZt-M+"B񑴩}$-󯹃}N| &Yj y6O 6CVj>{zM5LWv:wj}7rw.NBkR}'X"*'ޝ9DrDBTiwoQ8Vwrt{{>CPhwz<7iDߥ>V{ƵMn