sssd-krb5-common-1.14.0-43.el7_3.18$> @={)T>=}?}d & a .B`fm  ( <  5Np!4!{!(89:`=y!Gy,Hy@IyTXy\Yyd\y]y^ybzFd{ e{f{l{t{0u{Dv{Xw|x|y}-}Csssd-krb5-common1.14.043.el7_3.18SSSD helpers needed for Kerberos and GSSAPI authenticationProvides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.YTEpc1bm.rdu2.centos.orgCCentOSGPLv3+CentOS BuildSystem Applications/Systemhttp://fedorahosted.org/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd0KA큤AYTE_YTE_YTEoW~YTEO20294f1fee07524927f2794cdfca513b228d3c32abc61c3691418d5df3f47886dc3db3a54145e126fbf6ca842434d5d51f2c61d68617ad3b92a44d7c28226f6c8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903rootrootrootrootsssdsssdsssdrootrootsssdsssd-1.14.0-43.el7_3.18.src.rpmsssd-krb5-commonsssd-krb5-common(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shcyrus-sasl-gssapi(x86-64)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcom_err.so.2()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libpcre.so.1()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.12)(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libsss_debug.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.14.0-43.el7_3.185.2-1sssd1.10.0-8.beta24.11.3Y(YYtYXBXpXv@XOX8'X6@X5X5X.@X.@X)@X#X!@X lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.14.0-43.18Jakub Hrozek - 1.14.0-43.17Jakub Hrozek - 1.14.0-43.16Jakub Hrozek - 1.14.0-43.15Jakub Hrozek - 1.14.0-43.14Jakub Hrozek - 1.14.0-43.13Jakub Hrozek - 1.14.0-43.12Jakub Hrozek - 1.14.0-43.11Jakub Hrozek - 1.14.0-43.10Jakub Hrozek - 1.14.0-43.9Jakub Hrozek - 1.14.0-43.8Jakub Hrozek - 1.14.0-43.7Jakub Hrozek - 1.14.0-43.6Jakub Hrozek - 1.14.0-43.5Jakub Hrozek - 1.14.0-43.4Jakub Hrozek - 1.14.0-43.3Jakub Hrozek - 1.14.0-43.2Jakub Hrozek - 1.14.0-43.1Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1456013 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1450125 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1446085 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1445821 - sssd does not evaluate AD UPN suffixes which results in failed user logins- Resolves: rhbz#1422183 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user.- Resolves: rhbz#1418943 - If a long-running task (e.g. enumeration) blocks the sssd_be process, sssd_be can deadlock - Also Require a new-enough version of selinux-policy so that setpgid() by sssd is allowed- Resolves: rhbz#1405584 - SSH: default_domain_suffix is not being used for users' authorized keys- Resolves: rhbz#1404340 - Use-after free in resolver in case the fd is writeable and readable at the same time- Resolves: rhbz#1398673 - autofs map resolution doesn't work offline- Resolves: rhbz#1398169 - sssd fails to start after upgrading to RHEL 7.3- Resolves: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1393730 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Related: rhbz#1396486 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0- Related: rhbz#1396485 - sssd_be keeps crashing- Revert the fix for ignoring sudoUser case as it breaks processing of rules that completely lack a sudoUser attribute - Related: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1392893 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1392896 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use lib64 in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh1.14.0-43.el7_3.181.14.0-43.el7_3.18krb5_childldap_childsssd-krb5-common-1.14.0COPYINGkrb5.include.d/usr/libexec/sssd//usr/share/doc//usr/share/doc/sssd-krb5-common-1.14.0//var/lib/sss/pubconf/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=8b35bc6fb91f4fa7b930fc1d0194fe2f485a63b4, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=e88d0f86d6574aded54d80394f751d74fde0f2fb, strippeddirectoryASCII textRRR RRRRRRRRRRRRR R R RRRRR RRRR RRRRRRRRRRRR R R RR RR?07zXZ !PH6⭦]"k%>eN8\7e|FOj-I JݲAqqR78f"hmoQ^֨5ӹ)(1_9oWIR 5 "gc%*Vt4=&e}p74aTwkm{"vSET;K 'Yb'UϦ!џEIf"Դz4YC}}$eu,bc ate_DLck&wOޞ sf+%zB蹑D%b9r(۾Ox3faOKBnW>"3(kמ枙|\Q2iJ%>2bA;bz9Ѩ%o$׼ّf PŔo BAbF )c_̢ ew֫^9W(_K,. !_<7#䇃/&ŝ.74T *h"tݰvP] Qo"<#T648}+2Ԕ^+< }8֙j(Lcbܷ`J~eWtk|o 8NM-uο:ħocK*1 vPtMd~⼋nvG[_ڲWj`p7X+VBAAF {\`t|kkhafOHoGeu&oX$lHvmS*.r"UJLv *Fc "2g0L9M(QXc|-I hl9&E.N_'<87@SSUdLroYAܪuuI]ы8- 5hZ+9ʟأܓ""gMWtY7 -,w5y!En%/8(i@a& <~|)ԈL%_ߴ? Λ:;$4 PCuEz*7\} }gd&9mϟ,K(4NO7y-C+}fS,!rrVJ%Y7. Ie3E7c 0Wy}ԩlO0UMK;b[{dRH˿.E9dJ۲dE$x~*<g AIDGD#B&Ňc&YwELv#nj#v\][8v7+Ƨ¯;â%=O~ߴ>sIj:5 Jg S1ywsv|;v[t80(z)!|{ 2ZU64[ 6;X}_S!@zSeMVl!{ОܮJ1c6iI?q?UҒQ!SpC l|^O!.O6=ގzG].Jw }Ke*d1%SƗ2&>R-huؠ+؂r:)\Hb oaJh1^\ǧ{!xM}.2Ck\b&䦬%FNKKE;xZW2%ׯ}U˭>y _oέ<}T+CwdXРt (uK:I7&#lTgy]x{τn6#ZMoY)"TDFݽgnƘ;V=+{;LNPHt4Rd]eU6͋yAT42 D5%Cwܔ"-uit@.A(tOڊ@-۹XN\#0k%UQLC76cUS'rK.E71z{fL bh2Q^dɖL{׀ML0R_<&O؆h=A$o^=-# =AP Umx+NQ#_Qinlc#"w! _nC2ty2C.yQ3rW~7as f!۲Ćh%:mY/Q>o`n\Rn N FRN 5]baW]fk(ϣ!9z؆'9YewZ}E̩LTFlǰ2tVoDžz'^>HgX,4Zu'S\ɌhEk%t1+<_Ѥ8l``:X^a |$;6gblO̝ Ԗi]UА4ddJ!:*zge{C֢%٫hMsΕ0=FՠDbߝкH]4n3U1 u%|qNP.8wK]: uOyx>"+F&efJvs р= iѿ*ǀm!f5@)фzH#Vw-ۛeVPtAИ[Si꘯D m|XJ:~:SBfxЌʦZ@߃U%3}/CA#t&וwbh' ԿkU5hvb.B"eLQVb5c";Dl_wXVڲ+7A9<,< tzrss F&j"J?R}6%Pɛ힡QD\۩_0yzb"[ʼngMuD )1dU q{3. >p*hH (ca8Hؙ̟ITmQ/#d9WBjGh9.% #M* HG0 N~6~2L!a%>VԮ`qE"~䎽W֫ɍ`uUGZ.d9A2o 5MwrzRF~rUN5ؤ}56r!Sc{sH8z Z\ogo[&cBSI>i_JPLٛk+J 5k=:  Sqʛz?* Cw=/S棴3U1?ߢmh 5}>a͡5e|:䒏}76a56U{6yGqjWXC01sM'dRvENX%r[X=PK"3fqa ][k'O*u%`*^f tm!?>mdg`#fB4mY̢ GMewVdƕE=@/t7`QBtBWi|~T慣RoDjhj2%5yΝ7E ح)FH`* ! V,/ \`gˑ:*Insc] ˃P9wjE KR+ 6Lǭ6Lۅ_䃯 ׸f>A ȍ VG]8x29zD>k4]CeԌCMA/QNo$tu!,lZfa>Իmh1kK(ȐxW?df%/)1p@4u% nq"r|/A4XLѤ(Y&Ğ.H Y$Iݶ7y<=X_IN9m 7jp*kQOLr>fW0|Tʖ PnR%X8ɛ=hW~I<;6ǟaT>rl=G ٤!2~)# |dUoR\G zywBhSO{i;t5xuZds ~ͨj ;B7+qVmU\nGu(k..t `i^nyՐ6Ʋwl{.yJ8>Y2C+4p:tCq}kC!y1P n <2rD1bҀiA(&q/A<L^! .u0 QۦRUakNT[fDnJnb/<<_J%pvreVKY1y~8 P -ҹ/ȝ,__) #L#͟-p~DQH$IN)f Q9%9yARӹfDKVNH`re"bZAo$ S-0j:N=ê+߁&vد57 ڍ5YUq\uj(}UyPҴ;RI擇 /̩լI(Z<BeʃW`cbBe4w ,k;L1hw7Fd'oko3Cn =kM,b-8Լ $m\ao:qڅ஼M%|{4̳|.k)/_]q 3&] eZ:ܢyJ 0 5GKXx+rr:fВX8 NǦfuXlAnmޅQ%>+1yyWUbmVAY VSNk?_X+q]עX_Ae0'bҰޭ`֥1~b[6>'UqGy)ee YtUBcL`+ *zP5)уHl+U7mH 8K\pKDŽ2<[׎MHYF{Dwo)rHWK4fB&Bm*xl _dKF$tiV-8 |*Hia_">w6lΓՏL?0RO,^8D({x'¾KH<6ƙ\]U BPUI^#7ߑsGp9ch^ -pv eD=PD0Vse$nlDMy'P+ j v!+'v4a馭`΋k}GNoc^HϽ $<ڰd)4bJ'juH6m>vB>㧿{vԽTH IP\.ˆ8>Up*R>w.׻mi8f(X{w,D726.zn e2x!}'Χ{gcq;\ ?(ZѢCOF>B|djBol'2S4p_UOqSro7mB 7@HIj&`JTpk/WaazbpH"gFz2é'f/[dsA&Cpۿt8x [7FT0JGcxR5a[ޛ{#'91;;[9 OGn^=_Y;<$"{ +#LB9e= J8aKaV-79B5kSۃ`*?vݫjs$¢" h};cB%%o$~5]ŒkUG(&D_O2' y5-פ0D-z>>.iuZ>6WŽZ$|gT!?RB> )ʹG?JofT.$]%Iry&V^08{hj4}:Ky WFQ ˅\{ &ȣqlO[1v_}3ؙ&ḅ)FVXxܘ%wBK) i4W换dv7ç+`F+i$s!y(R_Y{f8&t;YHIJ7Bn)Ջikh8ݛVGՔz4ϺxǓmGMX&8)NpvQqo0X,KK2Ī!s\ͭvTh0C["> VL.@rL3q^9FUa;8io4U@ $؞Ϳ#jB1lQk'@h;v~(CU#vAhC+P"ȡnb*#O>% T!By`W:9B^oAfXݴ׹nԄoVR8H7V=rU?bI~T-ˉ\97ȧ7quWT%࣠z5G':&.4"J~Oh^{\+Je_iϛ{Y)eJUxe{ ->Y{]|`qUu麲U3U%^)RǪcS0O6O2ݽD&XT"!)8unYsYyHs:G mS,0Z&?X"n@PWyȶ%A1%h.'NZ*z8>߶;"9`욻J#4BDowFթbc'451?Þ{W`\W"Dexm b2'0l܆nҗXhX19e=$'@ijgk.dfB8|͉B$ %+/0fv:s4;>/2J$FpZ/`S步L0wS|; ,ĢmrOȮ&ؗA!_?ї| v%Wǝ=ەꛕӭDBݪNKֺ|aY,22C!O¿MFr UO]-+"3"_X]X/3kØwzBUܾ0&<{a.uCZF;俘qrI`)=~?]|<=6˵! sM:C ``LKwV=T&8WsǓ``crBC`thF0'޼XIj]6,iWr`{R{})E,6gveu`$"m;YfNViKh T(v&,(揙|3ξɩ,֩u\gi!G(Ʉ~Z} 1$9`(d ݰ[cҨ"a,"ްHxF~3J̟(Qz$ 9+juHti:xk^M?d_ٿ壒2Y~.:[2nJu魹9vHa|m'[&0o?MP;VdLyjtl8I;FhOod=kCڎьt+՜RL OF1rk%O6$=zT8 q\V63Uaa&qC ZZmon] @6n_nUX896ث*7{ /LK<S 7iF~P Mc0=3BFόo!N]wO(+Hȇϕ>-I}=_rUpL\ IzPO;/ZɸbB MBZM?⺲ id'ww:&\MW|FB&̅n|+q,rU M/0&.Z@Oڻ!gm@Pi-~sAO h(wPsl6yoz(_EL\Ȩ;P}w'GXu3ݴ{~C I4?ӧ-} LBDvZno::Z8-l2jw뻲69 ǖ}S/rE;J.z* D>gي͜3*.#ǐEN]6hԍ(!u՞_)3[b5 IewHvӲ}wި9x,\pT~H:z cg>py}'.x4`?# o"}=Zp&:](BNz|4hq2E@5%Pwd%|phs]do@QP)AK` #qX7&:՝"uIISS' :$9FB`Cɠ:=f)!CBvIl;o( TFGK!usB^dOUl3S4 PP&8vJ oϒ$ǜnhQ&H.}={C)8Ε蔦W mbPv C,9].qsrVs"L*lǗ`;Z"lFhFd0KҮ\eg8pEO蜧)LV# - ) @Ky@ T^ܥʛT=37#_Ca$ϺB̹t!uInμXSVp$5Ӕ!h4b9ù;+yWqSp ;?} D} R䟥yr93z':_  ]_L{ݾp a%X-iyXGrf9ٚwT΂l4Ξ 5 ?Uea-;(憰29T9W=B[8];GYKƔ6&I͐juu[G"隅DOlx״ ][*,͡D4m`gLBw&kr4E(!gtր_[aJ#jU)3(o_ G> aq>a-`W\蓻M%qDߛx\ ^0 <94F=)ұ׊`%=aɢָiÒ$k-4 䊭 #YjY8R vZD :M%`#Jc\w%o>V7C[eʓTDXUv*m;7{gz 6o 乍IV1 LDpˍK&]ڛeKxcW~|]h|zs  <@n< Q9s7Ize(>ծGu!ƀBm{y9Bf:JC3"G_y)R_1tXǞj{Jc/c5,F>,p:Rl6T4Ψ&Hσou˕\qޗfD6A0U;TѦlWb lU;tA? cSN_b7rn`4 *sk$y3ѢtjzRT3{pL!+ҽfzE6v{tNtoi7W-eXᦍd8Aw5bh h(>AZ;z>32xŽU&g4v73 2GSr5{ 2^om\ zI n%p)[Ң+MjZ2єuªqrFroBFpI. !$*Xkٕ<*Hq\oiuj\vt2s7s(.Th)WQQg39SpH/$B:<͵'F*e&뛧EL=q? US=$M)0\NF^3m”wWsZ{ 7;~O!1HCh Pu3T^K&wʘ2Y4q+"ߡm+ 4QW ƍ AU"M\Mk}Ϧ@r!}oLe5 x+؀q4BFz9:nU*h5tJ?[63Y!dOZ X$72\$ UapL=Rn]V8Y )`a~0GG6qIreef$.?/Xw{ւ~i&[86!KlU@pq?U[՛IyL @ILڝvoC ^$' ]<8ZU{v]e\Glo2I|!]edR7~`]Qh)u* \ZC:BW0d?qcB.~,.4{Rqw 4;z;!#_m?AJe7@JJ%q_m`yfᧁntr_fdx[Q=>61+JiTxX-o%/Dse4v/]w^fیB+%~%D/S|QM?;UWxXh&TpRT á&o=ͭFͺ/6LJ{{ǦXxr((nO'o?לuA e8]B B3M|$?YЃNƮ'if>NƅL1]:&+k2@"o&1 SRW@~ pT,O !E3%4Gp/J|M7ЀCSUlFR 6|8r.ل[VFDĪxֹnIEuVt7g9GeĆ+RNd ebL[ B޳~6ӂ;'t\9F LO֖P@Q7ſ:Kw#ӓM zyvߙ#'IND~֍buJ=AaBjlXu]0\E(Q'>3# lx(EˠHRjUNKB%;{;L39;-+gwŷ'|J"RBn 1(Hr||}*+卂p85eA_1`Uc83)Qigau*!Yu.G`DyXNVT3Sy|V?&CLۈ νPyo-Cfjk#7 AtyiODjA? |ٺ_)WxJS[Յ+>)nmfTƧHf ´ h.|76v]wr.ϝ2 Ɯ_EE缵jl\SUAjI~y(-82E>9ѳ <\ քl܍!ΔZp (LR R{T?J=V|F *84Yǻ*OzUwfWiDn&xx{eLݑ8%"V EQw)Cyc:]Ֆ̠ȭ2#>tNunjuCykNp FA,6;h6%<9B3F}iv_6 r"rMYU:C/ڒS^ SS*3K,n;`jeZ)u" HՎW3+x#!.KsINj6q%0<["x"kWP{cC$ĵ]go 6'G7 Ύ_B ה+Vw2sĸsz+>#v}U F%H:чOaI׳{BԄ5 C%ͥ%3#zn1DcBiZYv[%gm, U.={TQӦ*`N8ʍ=Y&T c\VE=aԩ|$J\Ql #Q:q?!z,|k&å+.]=8wQ]Y|R\Íkʊ(ofu٩[trjgrtŦR8T-(AtAHdmHv*<9iAko?5+1n>Pf[rGRT?|@e-tә~(n_cWEۀNٜYVe1JPJv)Ӧagw/j82*'1i 12ύo 5h?e0J~QA(w+1^<GEƾFǂYm?")v}tً`"ZuW7"Pr̜->!0#Q\]׈:RSnSηިUt{6cA ]fnǿfGm26߮xmsYStW}W{CMJU?'L8IMU7bzTDp/dv="mfQ094DY5< nXɌGtw¯;ptB% LM$uY=D9`1w4e7]hPHp%:BGy{i mIkLjѩhya eGou5 [b>5.~A) ?џ&=uCUA1+"Z枍ax9Z>bȓܙ9hvᇚ ļp7%;};^uv-X(PtS =qs5f1~pq\c9SDm_1o"X.Y$발Fk$9\E9Q[{-j r%ʻA,f-Ց%¯2<nagru?5{]_c7!ں%)3Ҳ;E9HTvnt//AV,^T~Z݋AmBqv׍kp[y|R0`T, W{j8y/uQ SˋE?L2g>p]12F*vrNˆuCpX$yE#w0sVNU?[,D, sc]).!6aC8+dʋ@QiGn/QvDicHF=CHlPg]Q V 3X2VQl죎9%f<~U;RJЯUl9џTjk0VF-@jk"%\C}@7 0 Dc66eJ3u a׼si+ 2)!TVcS6_ 6^$}jb2@6:㖥e5Z@Sv({"xW< M!^04'wV;ÄԨy)# -#: X-k( ? &dV<2:P* b+6;v7QWNHl)k gtTD5cR3L(Vdw:H l(Hx>R]g7` ,L'9P5j YRpo)]RL2::=Ϲx/`k!gѴT;p-DjJJgnVNR2bS!7[2T/̃f'I>Es;l01]ws43i֘C [Tw-jq G!cG8;R?&ds5Ed[˰5_ 0rŅT +L e؞әotw~r8d1Ǿِ1횯kWxjuCBeVӷ=j7>(`k㥧iK\ªM|HIV*TpR i*k(ݲUpt5YJNR.+M%U/¾,*,R9ZŇDtd"\N=!\cjBQ9'{)h!KB)BP#-[0jy.]Wr.|؞Ν;K9MqLpOCO) W<i*mR?@I_TR`V@ D#.9B Uv}z3qYWヿap3S2$RRƊAl^ث مYΦe< őn6pGoBMv4grl^]fxeE7 2>wv+ 0.xB­!3D1{@đB255gAhaiBՐÉAFf FV3dY7є-b)P]e\j9؅Ĭ L \&>oM67=nx9J9U6F 8Z|{at|ƚ|jv `. ?RJKu@̔Cm$*uMmwu]G r& I9v]dz\~ 9Qtoqacg .gְm/Â_tmV.lAk0Q?ԕTk('awt :PW}q'.53/*}Bh sE{RfG+D["NUR;>0G_~QU]L̅lt ^Wzk5C6\? KV}!^>gp1Jl[M@6T1;W395jU u[Y"~5[iRjr5IRg>2V ]) ^*S *5,du0 #%4G8QgJ||9^ "U6QT4 ?* :モthwM]I&n/άn3*2~=x%;Gen)%d"sUi[}"n1*r|􅑀đwF[IOᄙ[ކc'f~><.Y*TY *2 v&%?eEA7ջ&87YhN:x"$dWϮ;<܆M9.Hwƒ_zn;ЀK7;OWl R1*uW/TGh1 T|7ORa}n*ҷpHۼtmfO$nr+C_{GoTFIN`d6Jj30ճo(H%[mr(h\$%t޵0*/ C@0jrs9i/c5qa^L}h9cmA<_"o&|Xb' UbpI"%\t:m:N.)o8h͊Y A[W'TH^K_oDa$Η"ށ1Cw>7Vp2Lp < gz#nYspzqIɩAaq>k]S'Ujhs[^ E=yr|9$\ M~Qj{|rPx7hTDdKJ0Uj%&RhiWn4jlT۷kI@>ED y,~{5L,vWd^-=F<6kp4Z31/@pCS];5~FRltKȧ#Tfpz 2?Zf 韰.ѣTa$ FJjbJ[4W\ʹȳ:F$4`b9җWSGwg 9@ۈRE?$61isWvy~;+1?83RCek ScHV0]ۦu/U7#ZʇuȯN/ZDfs#lMN0SF)3R8رZfh/z6? )6=kϠ 2v&[t %7F[entۭ:Huj hK…q"؆|'l*&4_+շ8»˥s 1uD;ϖ{aAgW T m~C.IZmg yA~#/fR&3AO8x}{7~ ?QC‡t8_tP;䭰&hzXGbE.nNKoȣ< ]s(rR"1+C,6ۃ2c KV3k䛩1\&hpgJt ow~>.>ȲUm^an~Ol/uzJ..ݺOu- Ϥ;A8¿G,RemRXFSvpǽ|ejNGő`ͣ7($xڡ2DNN^*U%؝- L*UŊl0_@AyͤP& hQXGg?u0vx4QP-E׫!rM4j+̜ Ɉup^b IV|vʸ`^$bD8b.T_Gs[@ZVBIr8<%B1k.[(yηGEM*WWIb9W9çʠ `!(!Zi ]haF\"2 #?@(d_@v`m^>9\vMOdI} tBfXJ+tBR?#`u>kΫlPs֭1IW !7WHƛg ~H`a7~m@fSo uALc7ߟG*glQfsT;c];5gO|wf \}g/.1 y؟j*_թclE:URF6 JY((Pe39FMr*7 nmZ!PjIg7 OnpoGJ)4j8SIiAuM?,M|Nx+ !UzKsoסZD^F㴩&k>icz*#o@cS>pe'IkZTkt"X@kmjk0(=5Z]<"i4g.텃Z%#`Y#2Bܡu=PhK;/Y^Ӱy+ETxޫvCb#x݅K0QtL_0?[4%3u I5+bű1l,uo9{lx|ow}hF^ H}v6*j$n᥊\NO׏82Ske&p5ٛ*.(լ #π>n>W"]oRTP۰_u> DWW"V1Ҍw \p&[?L?k .? FTS*pXQ%:1̯"YkՑ W_T%c?H! 2 Kju wBZt(95+] [OHdlZ3BlC8j,mGv@qνvM3.4:XH $G$n%DZHU`Z8t>p=S;ڔC?ZBizDHblw%0>i,gX D\s%qCc>b<5o)FeYmN>{+zr)ۉ 8 ;eѨ|Ӵ-ćpv;if;@1wvd0ʜ)2Bi!()u6k'ꇹ+:P˙})^%|Tǐ/)]"u 'FK+~{|.\ԑ?O 56Kl]۫ FAM+C5#E8JM*x9Ro`˿KG`? DxBEs@m=y"R. %E9*.nĬ% û6t40Ivl˒cϿl̑kYsx=v4v+*ɠܔ6رȣGl0-a'ơ2oJ t ~ys`#B3j X?KjhvP4 qz%{dAlM1GAM~Kf" wϏ?qc2twbTԵ3 iRF-K{% g6>iAVϾ%cI.[(PhD.O -0z:Ey͟Bm$e{NN0?֦Erqɒ`p\1^qCtSTgΡNAR },AQ3$Z8Z}8o.Kp!&mXF!L~asP%3ڃK7 y"%w"ߑFPE-O,#+IVv:$c@9X\+d'Q*5s}¦gv"Jw(cABp!uNlJ+|c=xg[{a ?|Z\NgB8VaH7Jb8 E6xri8w$(WVm,w$ cD»W [pLtQc=1ʨ_`9{*b] &hz4cP2TDAiC~>gj/w.ܳÝؒ?VI M<FH 5 BضYߊ8Y)l_W\w2Ɣ[tn{IS9w">t8.:0#D%M#ySGĵ RKd>MJ|x_ L&PsAEOQvц-;ѝ5X =7y*̢ČP]Ҝz) >lhީU`UAm)dDQ;"lIMt7&'=)0+:_la*^Sa8 #4}Ua}#x ~A"6 !Wc8 <~k^gT)V2Ld ?($W{C>@ISeV:d&tVÿ3{ytH]GtEHX{f@(gK{j8 !["DH_1fxaoFuiI 8W/CB¬y{BS|fp̜^9Tj CE{yzsJpOe[k:)KT~/ k;QMLU$M|fzh$鉑/ I}dK)v'xhV{6@8+oM94?BfCѻGc5iB V )Ѫ2h⮣}Ug@|{KJ ל|Q V+י)" U'ՙu5%~UvetS;"q[dُpz߄,# .5dħjWRP׉O2d79H9Mh1:<.04l0:ViH88BCM'6{n-=](E6gCb9ƫ҃OrRL:+_!m02;Er`  ؽO %li_Ǟ!7Wcq^L8k XO:$BӦ>3:-mv* t1M}l &fUFjZj3@TR7^>HJx]Ak]Z8"uxa_d?GΒV\z/I;.[NZX%L7;"#S^Safz鿣.-}BoR2:ps= 'm#KmJ]oɖ79_UV3ٽT:z/ Wt^?W!1Nr7Ǹ41.osV_R .Xg{wIN/c Pq͸K U&y wD4i.Z_joCƱ2,T)_Ӂtv韤vOi|/tg/Q,}l-ð5koEDٲ~PWU*M$ޣM[K35#y~xd%Zw0NEa;غ?#\ݻ,| rD溏kE$cI-_%6}$C_u4n"Wx^Mh=[j6[&N H+5 Uf_uh1M;o>eNh$gKo,WLK+W 2I/f^ʐbFDW8JcEUa(q;EFF[>Rcy)*ѓeFEa,42,ʉ6)Rï̳[ Nx"ܔ}:vV(|ⷎaGO?; S9=4"J&Mlj?^)*ORUpE DK<.2&< {p[ S8c1^y)AbmDj*mtr_nͱFꃎB]-Mr'J+B47$9^%)lgFqwF evz3ȟ<WzD+(NrrLWpkQz\-֢$)1CA 3έGDvQ>~F.VTVu8M6l}b.qxȸ{O3%Efِ煮=Np:M+=_ A誝)ym~A^j+R_ed끦Jzz395/6fŵtZefML7a*LGAGߖ_o]bsq s ]25մV!FH#wksvA$펌 {'DjqE9TQ~LK$/sM&8mX~q7BѶ0UGDZ Id&Wx^ǟX.-ݠ"<$h+#PKj59q My@[h~[&+g!;kWFق,:XmVzza?O8_xtQ˃aRZyu#QG+`1uCZ&7dr1|6*~6on,btR@[kLc2S%|TOkK3<[^Y"vc"8rpXψ)`4XOD  4ե4L2k"M)M dl ]8>L}(slQ1?+lw6A/M:S@X_`JRTQ+T)SfZA !uX!:TತxWR.nX$5YK6ӼwczAV\^u9H 8( }T~dwZErv[én-*C7e\es7XaZ R8Gtێц+$[o~6J+o1U:wfhR銡UoPQo@2 ŧAbEh}- RyoNCF]ͦt.z?/}vqaxb?[4Ba&ȣ!ZLNF̶M,ZyQ˨ryI |Q܈K,'&sAE}x}yJ (!W)He|XF¢eL[I~W),JZ^QmSe#{bNcHT`J)7s-N//YSu\FZ>S!1TUiɞóuy ޯ`ȽiXuaAz~~a-Z)5d`gKo-QCqWœ5gwd.POuPwJUI1ɋh}/ %*;%L?/ilV6%y;hrn! ( ?W /r~%̧|4Q~8^)}~`PxAO=*!?կvF)-(wÏXKo\̩}"(BɊRF&zkOP_G[/?$E0pjxEțɳx6xn=.Ǝ 1څhA$ Cwsyq ;2er~P!̧aG-Jۄ8"st~/-E#KR$)Q!\ߛ{kU%hҁCU$y{ƇIǙljZf~NkTCϫNe\Um?(-v~ ]X;w{zVjv |~w4x/\Bh|[)Ylb/DJ Z&;ɡYEIJ`9vfͥ/_Ոu~ =P5HG`Dkm?}hx[aE:;GҼK襳_II]b&Օ-XXY =+c 0aHm F~6'PMglp^vt $E* 3)`c|Y̎'xzxW8'C kdD}n?GBtE^o960vOvϊQ37ln%wi׆jiBrWܲ^ߧuMmNyK|A3q;L{!(`#= apYBBrח\3j W"eߔAoRQ{,vwu--a/tW~0x-(|c7^ucvKs BX }8D`@^EhvϨ';sP{=CBۼnEiޛw(yvK'6e ֍n|kmʱҵֵI#{B!'4Q X[y={sZS7IPB\酩h,&?)ƙWJ.AD|)4SwQ}8/h-i<іwn4r}#Eg%H;f+9!,DVvm+ZA 83JOD kwUe^P X$3+dݦHO RQq9 QN)wEpU7UE^)pDo3TSW'R_c!{ފ`"Et78baRLZl0HݟՇSKR # QAP̹ %[P(dpu1Uw^pUA(gL2I`H r}#PS  $dT}d|*P|<zbGm]u>n~fk( )@݌2v҃l,V8TDD/ah.Ӄh mءR+eJjfQ1k71oB@l˴fSgiťېRlj ׳) re}2OkS^a0kW* h"LW&#m/f |q⼛صHmz4-;8*,#NPSj߷@v(撴+Yk>Tb N[ d?7"2Ú:}ܓ:NlX}Spx΄H`[_R%س\KJZ0*SZԗ%͸֕; xwDSɹ i.;ͺL7[U_7XACMA⍯;fQڨ-BR_iL2)/-H. K|RGbOj|Eî"+`&BR+@ۨ;]ϻ%̽"e{tՅK bJ9C1\՟LMa|,te߂r^f#N`{8nѴ/!|hrFW2#b-23WCVEq=,h!" ߲'E8"-wf FcZȰ ֦v7J%ST/#qh@Çn z!w̼Ney!pBW9"V*XR' ҋ4XeH}PHLi ߅\E| j{|;7ξ}@|zLK+]q̧  ~N.G?܉9],@v"Sе>MFe>֘ШF=#Nh(,a`V_TkR'َ4I,p\m'h`Xo Aywe0ɇ\z ,0Rw S+ouD+!]2mA~X/ZD֩|Y28Qd}ke-gIB0>afm@9>PtMzKrVEá6"(t?ͰiukI6;KM*7 S,@85+-叾Č q= cȃ$:"YWs삌ћiF; %p.y}ѯx'h7cX.k%ܦvtQ¤{{)H}K[4ßzd@LҷPv4)L:T9c,X{m{fV Krs_|S \ L.a!ӫ%MjҺ8n Rd 'gH_ll<c3ç(ş;rA[e1A9Co8,-BRD^)|fMv@\`(J4OYazO۟'KH3 ص~@a$Lp?ڕn2^uMcu "$f|KZ}`&}{tXl{R K1o~g949j.PY'sg^A(iZ#簃HC#[z$A ..±sOL!+qm?qZuF_CtG2Hm/%"0^q ~ѣm7CdɭKT "1 b .:$|N$7w*ioڼ_FO| _Fbgk_;"jp4,4~OVRa:bzxk{]43"{l&t#/Ĉ~ X\d9T'|kػF/w--ɰoi w)b({ϒ6kM;3j 5ҝceaEi$vq4~rƭ3l˱T=L.|w)0 -ɗ}!_Y 4qee@8K>V9 <d \/"%ȌYIU)qiu S[źe/1GWq\V)>m6Y T #4 >o (J WS8 շ>Koࡋ 䕘^aJEWZpM= h8jj񒱟#aI +93H393š;D> gUNm.Ƚs(},,6.pu:o1{ nˑ$jeNT5Y}ŃV?/jX7]$%3Xf9?U$kBn/*p8뭕_H`1,1KvHD])2Ōst5C_zS?% ٴ8Ո4ʃ|7y Kޅ"y9EI!gpgI N+eGWoUIJMI*)gcAw?;c))A}D!jC ĞIbws49O=t Yf{) ߏsJ+ $4[rw#J\Yb}4OW#!ce1XcP6)i͚d+v=g;zg%|QEe= F{lū;d>+3Tx?c#:$^:HAæֺ鋠*WVq`[\`#]mne8T v:V{۠Gq?|f+%tV8U[R_$X%pyve.GA+/鍇 'M3ZH<8GغQl({~ZiEEriKQʮ; w?2t,,y<ǼfX& !XTԖ8wtɺkכ/!p< *j v* ^."Nkiuma[3!c){鰢J䏆D|nņQ5}9\NMwXYUc4Qk|fުo aLn+ ;*:! ߂3iLRYT[Njk75)؉ʄw ށ>:^EDh=6<&3j:Z(ɲqN2 /)c8K$lͯkKj_Z׉DQXVS4 kb@P;k1=,r|Y_xՆ7 U)GWަtUFMZ0$Wʖ  $5L57Xn*[}A?d\;څ7q(B F60V՗p& O`;'7E\V ~[bK1,czc[@3du;MeR?G+ƯZ(Ϭ]cM;03CN/b Y ؆: 8>ؙfLwH`ʹpm+X 2 6$-5OC4xGf1cYjxC#vu. \U~* >_Z#XczKIq=KnϚx)Plc}/ɦN84BɅܱ8ot=G-m\hPwq4Uc5DbP/n>*^,6%+'~d!S@ m nl;c yċNઙ[2P0cx?}" qXPz;MJ>k^ipTiuZ& 7mr*nΜ!S^]rQ;`1*MWr"VRZ\'o߿(O<шQǡ~rZhe}( X L c]\gPqtwM:i.ӜPsD¶ׇ7r~M}iVM@No w! ?P'ï)DS a $TYнCh.]Jpq-Y"i$j맱Y06AOK?Oڤ+NAq^qRB%<99関$t$6#`eDvXԑ^GwLJ ʞTEXA2Sc9Do5䏤R$,[r*TIj0 N9r❋gxǴ hr>)j*xޜ"&]7tr. m@-%X 9>ׁ6y#M+.87z$=Dq7cb~8ݝJ+Uk2ItClIӗ$oF&I/ /^ BHp L?_C(歱Jf4;ÙWYp%ֱ[< '# xKjGrʳ z9I3*Y֨Ck_ĵޡp÷ CfL빐_P\>6si`` 3+"M KڔmӘ2M|ЎYq|?`UG1~Ryj="4]r͔4S'CmJˊj|bْ PZE 4D 6@u,E kzY2VӥWc{ #=u§bxŔ?k%u2\qyyi AW8Lg?hfoĢa1CN x E^F<ܭiPÃ֐C偕k|?-ʐrZ==Q[qYWz%fQFW RXK,kϱM,9DžQoLʇ j;gGRB eK6=*FW߬aZ +ὍV Ηy j2ܾ !*Iv󠓦*I 2!ZW8 -xl4c.5)15cji]=T]y:άBR>,n}$_Z]j[θn f,Q՞_<lM!z ~R0zJ8@GQ)Ӕ$VnOJ#m7X o2ag)6}''=8tdON?*~:m1򲝚F*նB\0B0ߕxޅ8 Oaq4F!,ա C$>PW,+s k]:.1/r՟QdY=m-_[ʅpbΕ̖HŮ\Iяx:~Q&V䝇DI嫞 x&w ڬ3NklY">վ;/=ہ[VG yU@ %W/{ؚƚ~{ _k\gw3B|qMW0Ty(&\uL!CVgO%K(Z6 +xM-M \JTGPӤ}a- :dd,5#2D%B#\l*QH-)`| .YF2*0BMXTI(ʤЏB (l*T4 Frm!rDXӆ)+n]ªWrBLy!;pzn-JnGA~ jЖڮ%.r2*w£uUέx~ m7{glv!cZ;ȸH:ɋꍖI0$ʜf&XJݐF= GxaO,^dσVIs@>qH$ zJo{t)ٚjɒ[#jw-5%K۽X*1]ҟb Xp);PI` ǦYvKxh{Ӧye:捹if%;S &6w*wrfRHk%hy0b]UnGw8NUGx(Ff^T48sˆ.J}^ $]ʬgm^)Y,/} ] O/&%cA(v/Hp6x#59&Wk05K+ZvPtf\%DX⼅гͭ2@װvnŒ3G.w3xZ2!ݚ<E8~,S*k-XԘ }ruTmDֺ~ Z7ЪDŽsqŠGQn^^V K3r=yPN u eS{MT= c [2R„5ٗ+ϾTV OHj&1fJT$[ ׇ4pdOqsLz %(rxx{wv.捚Q0ʗ{j)GMo>Hc{*k~yNR4۞?JX/U کFӎhRbf9y'=x6Ks6TlWZZxZ~ܣAs| m ^sN= 'rg*.@> K{,wL(2aۜK`]qOLNC!(73gX78ɗUKMbhWpkFINGk*7n P=G-p撶@5-]9^`BlOW!O4>.)nWfS", I36OMhRcK) -D3ih\QR4mj0{XU". DDxs=0~yom~VDojQP>qc4sd0lJF+ gdZ^lbG%Ai|W2x5n yGk}B{;Naݳ`[qe~ 7|W w"׍˞soay{dWz%FupsQK8XD*Gn3f*yWAP816@H;ݶ}..,v(]5!Aa "{<9ᦇoΎ19ɌwILQXYiyկ/%;Mlb*T>EvD6T^cJ=s\,\/=*k<_j%2"g>^]Ӎ'Cjo֔l{ʅVF'' Z\1Su ԮZXhnŖr7?ce+\[1B ISax0=V( ԱUUw#DYE>%adKZQ~f"= 鉚 =d9@rx(B:61ɿsݢ+2[VR#e*ªA{B?̮-Gy_[@LUIټ*oXK@_\ KW\j~G㣮dm/R9:- ՍYR_rV>/3M2H3THs.'m&kކ+ n\6g&1u{/> D c 5pGS{Y,7$BhKޟ fhiL:%((Ȭw.;z. +'!&̀@2b8(!/`h8Z9"}Rօ/B#B؈{8S]wX\Ox&LJ.O  \!' ^vDM4+5 `Ռi8| 6 ވO"oM?h2_ƴE:[$ʄo%ha)8..&BzGspOsmH?pܓ>x7bi.줥T VidzZYB:5 qIK#S䥚 3胚SDs Y41n%>gG!ZD=JHvbz!Ec>"2V rI!*b/6q8*Bݿ^ ON& טڻ!o[DMiD$%Kɖ#IWάV&~&?4 |'5c֓?]v׵%qZ)5ZֹeTC)Cʡ쁝Qr821L=խ1[!h_kOUfhܞDdۼh: ^< &<@TdZe d?b+Ml`pyGsRB#?'v>[aEU9ӹSbU,j] 5NpxW67,+ᮆm:%7eG[]D^2T”P' P-|RĽK7̠\z &@e pJvjJQ5+KdmaGK_nL+ ;C;#N Q%9l_&Cm !vW~SWhjΜpțqGJoUWSv/C5 fr0xai6ē?ڢpt%[f  +&廫\XPBJ4a˃JH]ĸd)nq^"Cs4#i:{Wx$',40g^'ok+$c?Fr t3PO[;=5Kګ?E0-!%ٰqT5oic7*_i/pM"S'*O]"ԉd04cswƋİ3_JSYj6pEpq_ US`D(< [b 9Dx61W29 BQ9žߕML"Tze]X8+&+̧nUgPmY^J{*@W1"?پ^_efu\B|Ha42ف 2dFw\E>ʭ.QMF@ r*%J NcMf͸ ^[mY͗m=LAñMM er_j$ cˋuw"*-,-s⻨m.L$IedRc[Ksl6VLя֜aX?cзC@׋3oł6NJ,<1y? "vt!{E,vo;(vGs[3N/.M;絀[qewrqct1j7&Z8T'̝~vI#ziMkK\~d*|xM|>0mEiQ3eJ~n5ඦRk(=QB )\hSvҡ609#/q`OjTYp dE2gb[;9zX(,/kLqVIHZ5VɕmV{H}~ngﹿoWu X641c`Y8m;vzPMw] mfl @_SbaEjӔưX_ PۏS?3FӁ -Gn?"@6!!~d+PܟR*R#!P +d-8W`YxɖhZȂʊ\OV$[]zX*ŞyMRȉ?5ti_?Px* t?bnIITD] ̼!sאPL 7 Q0%٥b]sQdJ.^ 59q<(O E>3V+CJ0J(0]+ִƸ0sV6 P]1%h<ٜrfV= V?:[~eI=uE\ eLdϷK_8Sn T`~t54 S;Lk`7;WB*`R~c ),ߐE I afI|s!}Zx]LA D˯.z9$%_XR/[ 'kA a4ܑA9#zOPA{ה(N0|(-?&y*JO %{C{;>BHC5ߺ,[~E.5zb~K eU&FϢ']#EJ.\." >M:)sƬ2L棪{ԭ78Vr|t[k@|B0p\kFD}Iy$L 'W" zI7uk0qvF+! wP:ө;D_BG#8)žK/N8&C0!j}%qMMfǎ(}݄ \j56I?KAȁ̡ B"w֌N41OLS1nli&OVKn[1 H,r-#w\ mvZkO/uQ8s;;7BERqam"".MiA?B=lbU s)3W[Y_+&VZE*^9 7 ֙2:Fl`anj5GΏ BPl4UX\0s|2!8QNLT,Ŕ.˽0* I9K/p5$FD/JZ?`1c8c-R`̄;eN B%2lb4,2B$d$ta<;rg:BqufFWP:Vn댦Xi67 sc4 J$Dchlح@&w2p {-&/ )Jd(.G|QmZJ]OA%x%_j/vP1Z|SW lkB-pd7ZJ~(P^Ԍ&lzi`a/jMlRxK o*ߴle1)<@yd ăHE]SŽj^"fȨH֙4]äb޶Jef;II Uޗb#$wF,>.{@J 6F% Y: p\5<>Y#v/+fu1X**~%Q}979n6D$t_}fv,n"Dr#?:$WCE6۵G~nN2$%!J7D9 oZin5jNt69*UD@7H9Ht)@^ҔO*&UF ba7,aq^PҔ=hC΀2*b<oj7 \0ϠF̬@ժ簠eR[ZlA`9BQ V  OU,I,r$Cxv.լ2=4, [#Y3q0JO+!C,< TG68uWO=}3.oW\G-;VZ7oȎQ% #o0bD?|TOÇ% /1Sf."AQjz~7+|iM~2%%MZ R Cwb-2#>|{ r7mIe.Wք!w89RMӵM;o%Lq|O!AJ4_#94Z}|^ufm΁d:j(8ftM|_ٟ`ŌL~BƤnp@=Q6o@gyhᢤX`8Qr(0"YVa5SuK^-HQX8 4TWe%ӱvFsQ#a}!E1j{vv JJ.J_J+Wa墨e@ơFgI]!OC 8b ffkzgt`BĿdU$pC"O)ӯ=怆K%Ba>p _l={tCua?>sEŀutY.(VX:Ǒ`)~*2q1jP= z*|٩q*LfGUtqۿ.s%Ww&oBQ!lu"R[>'4hb C +NNHm6HϦ9zΞ..ÆK,"bvxcr»1iDrˆ=5jihvۃ|ָ}wVaHms;0P5Ƃc2S[]cXn@0dFLX(\a33n\mw3_Ţ;ir$nd1 z91^"kT3kSpCP֕2P%=V, `z/RDtaNpxVIJJPh0cx),cg#clCzgK7 z?WHZqVpoSxx`AK}#I7DQI+U'EǛuq>jP'@t5εYX\"GzPs 6ngCxnS [DET-g?K硧3ztQ"+\lQ{s*ۯ_Ќ荁AWA^!^9W<(H-T;=J_䔔ߝ׋\Ȗ:NN 4!&g`56#&=poM=:Vݮ^dN{CUhw'~ߦi,mP-݊7|E3|i2B+&M¾xـI[פ8Lq?9HQ\<߂A `eXȴVĐ :tjOE=> ͎֪O ÍFy\a<0Rя`ٶwuHf(4<+>.$yk96f< u 2 7l/zJHšN{-[bϲV]+,Ze(7O*'{>vp~1dcJ%oתs-?lHQ2옗1s;A؊a*yP^ͣGg)I fdB`zA#č$_j;/$蕳 n*o{&6 j ?g-wyx{\̫ ̞(3+M1fPZa&u ӑı +o-T}om-y,kfg$M$ %Io2*4 :? x@:hqQpW"2QH7QaE =!ٷ̒y(Iq906gNU & > g|ffl^Ȱ9y+h*y8+`jVgmPRAs‶ þ/q0A|b,hz 8C_ZܱKt$IRѐ,ퟱzOOHE*/ҿwR`-f!>.ag/7Q  cdn01wGP :;&##i03SgVm$ (cw /uiZD-G>bR҄eZPFF)\P8c^{+F [.viɕ;rXf^@&P̒=؁qoWz-!66SlE-q4D`'= D\+  _FK߷{wy#[#dU^cʷ~?kvee1,?{n%bPg+޹mߕ=ݏ3C-oZiAݎ\\0qoځXՀ2Jۭ̀-Sbx~@xZrj}7w^myi'(H\0jfшbIZܻNZVBYߋΩ 0pFdg6EW?F[L!Ek\cZ3xw:*0WO-[z]]cOX,:=Hj z:\ &LX Dj :MMذO 52o9VHV%i7r*Y@]V$*bHn|thAFvM᳙5j3_wn,Ouw"1TRZAWS؈*Z(|1 *g,TSrGU`cD(ܿ$X;~rD eTKK$$1|ۺZdENԨX v/Y (FL|-A{µq8 }ҹ:)c{":\IE~{ޤܭOㄪ-K*wAL xD-TzG?S *2:F~j>5j%B>jA~_]xnؘb1j0f:$BG GG?#zLP0"S.+h<2'}7(,whǃQ"A6^!k{Z1{E_[FhK_)yqwC?5omN%%;,]wM|**Vcߝ[W xc)&@GN f ⋿Bh rls l(HXF҄x qL#1Je>$ )~mFtg Tm =aXdWWZ#wZD@ٔSr?sōUQP&ߊ/ӧ{#}fe³on%7M'lDa_cv}0EEF!;! ﶙzk_'4j lcgG.l&!Lw’E黨zy':J阬 v,æve BH] 0y]nX(t.wP$E+V][vZPDZcn4m:Pk@b_"S:i3'9ub AwkOP_y;K?U."GTZ|șu) DtVzHSc]m͂zV1oҧ4 _p&vR"rJ$sɈپ&n$EvRpqv|m_M0VƅAܦ<+%:Lrd`Uvll*<{4oaT'B[T=+S ;3r r-^.Qq<x Ƽ?G!sL(}tY`Kٙ_S up"/I|_`C'|5ͅ 7hd\{ itv49PbkH ,|fWF<$rm\_zz-YcY'k|!lKl.3.Ś9[۪59iܒ$IQd=pͱgR}'UE#Sf|VeA`lFN  |<>?L0n7U0.d*%oSFKju?a8UZthuKm{g I,b<)BzlRΒUr'&ھz}MCVAD: 6wbyMxf"Ø-S QE5G=B,ޕbyωirKT_ɏ E:8'r4~FO@ Mf !mB jDnpl[&İl@ ڒ5yO#ɦڈph%hA4E%dep{>((-D;*qMjF07B꿐ʖXUH}_v9j#?5Z*lV PszF#(51q2<8qO2_1`]g`!D<8 K sAސ_5E-t:ثu|q@e*g ,q d34/A3UҬfiΞ uG:x!`p|>)$b-s15њӔd0!U'=uZzl׭c*@MU<@Vw7cYףkj`fWw<*u,%<1 n 4 [dcFM%1T~#X$=2h#}z1D$;Q9OYu^DƂ'!`O)qM-QZ-Z!V_m8/!,E[y@v!޹2g>u>uPֺ/@g&*d)#l_jrl/[+,FC ] H,I@\cn߾LOT4K`- .݅Gy&Ħ{ثlk}0,ߺp|)Cz'^nZe4: 9$NBCy>g K@Ri7D31{XGAKܘ89B*V~77Uq2p.֜B wxi80C2ϭ\aԮ]C>M[v &f4߹ܪ(ʄ-HcDq\._>)}ܧSٙWJp0Q@"ə9j}td^/! cXJRlAtm,il\Gc|eĶ.'(~&O @wwe}JIlya"b&ΕI݋T8 jSeI!{"Yr_zj,ylOiFa!6{tG&j3|ҏwR,$u6%[ޕOeh{}=nSn3lQ0IFS8KevH"4@Z+AQ|G[U~>1,+=7` Q ee#ā쌧 AG flg_MDܳ Kn H?R ,(S(.9_r8iiºM"[H?S һCҠw<˶Lh ?L<&VH>}3x?Ƹ&U-~ ?oW!1y u7*e`EkR|&JoDRGfHic/{,`8*ToO: ]s|ŖQ@BȲ>Ê0,\Dn̴p+45Ћ5dSJ!I/\1՞H.QxwK5/Hjyv.3F$&C,\a)NNJ+wgcDEaL!-# #s4N088Ogg=W,DYJ0UlKb f󰤣=!pIC qKʢ|xWՃ1A𝿨 ~;m|@*?;h@$@4cʗDӃYK8|&`ث| 3(eW|:[c:%y-!y.4u 4ж.pECKD Փ?kOU;XU蚐;؂L},X[9D,pI-<fhNOan-HB .o:yJx ȞIZ[7*iq&/,d jx kՙsz9Cuy, j_KꊵxTgn݅_}ODҊ֯/!o;K1?f@//@` xʦ뵓&{j_뀊`Ok'N,[ˆ>VHəl=XNS] ƫm[1 Dz1fWu?N_G62S Փͱ!Ftcl|sy/ZtO1ڦ>o+2 `T|LX4ƴ/P^2MoRYCqx %t ?<g,n'r8#yKgwЮɎ L2D凰 Ŷݝf5A[Ipg!ޭPpa&W-As+(jz-XbM\xa tqU䪒_w#И] RQGIXfR0*GIJ02~wBdg_! $+kYw)UGy6&q*XmZtY S}BOn-&.ZF43kk ڴQbM1geUP}fJvsjh6aW7U޾-1ۺlTcį'P+98<:7%@%0݄LNHc7BޏAs+^ r[p/X% n!Q(@`4jj4s1U^S@(UN9ϷYY^ bK)nSޡDhN@_#cȹ\<|7^' 7Ck *rU0/hsVOĝ *ʯbȪTC3h1<"x -,C#Ĩ#vV4`eG$oNDW.Ag"s%zAnd) _CCpƤ[iwT%Ar֪a3oLl5Yf>cy5C34mi2s:,iRMUĺݻ 7Xt?): y7+v餽" ~}R]9_96NYuo|b=Z|f)TGY]_ w]oGxx^߁c U6p24K}:d|V1mOhQAb)s.{Rp(f*X$z|豊L/}н|:e?KoN&& Qbp~ob5B`HjY0dJ"#of%_R !0OI@i]*LQ"C}H_:mFS@W*BB}Djs}+g0&QAPPʷȣغ`id\ʥ[VXps$w 3To& 匚r)G:!hP:y/|?vJ6yl x\5.b &j3,Qٻ1k1d>. {g'  @aw7+$l-B'Vme__I2r䡎{}@[~t9¿myX_2wjkPC#ggdVtW],ao 4kyE\S5זX:y3.YV)^ j)=j1Ulka\R (^"j3h%^"N _\}*B|o* ㉼l*P '2_ҡߠ !݂Kr.]aCs*sX";9[nOiD8s[,iL;PALrLV.o*+pJIˌy% UqsHRզ L?y ɂZn.#P FeƟІ'Շ7*2_ʃ]n*\:/A/ZeO!F.QD*HmԠ3AX*3Jq X"׳У`2)( a>GJ䄖+%Nyf3uUœD)+UftuDci f{GhB⪐t'5'(<&pbj^]P-5?j#M̬%Q6L`)T-#v̋ksӧ(ri?zّkd_mVu (U`Gqk9&zJ3ѷ{z:m=j8چwD)@ۺOW˞Z,(#!JۃhNkl(*575=N(Z p9E 7$*NѪ9tL˺m`]ogzGIѰ2o  26>i\B/~ԟ եU2v (a><\ꞏ d$ae㙯ZN)hx-a6{n(`q}~JWx2 zfN_/|\,Jw>~`㪶O.}%cl0%*BpأEr|Gw&b~8[٧%Qk1C9  >|VycGT1I#/u5 AѪx=[ZO 6cT_WڪE/Ԁ7-2* )SHw(Iɉ/>dv6ydC5dz Sz[,שw[IW闩sq+5W4(ָ, lnJIB}XK x|(9qKJ(á?9mATh$ H2Ta#vud8iJ<$?hx!:k;[vmՔTEd [AjAt@Za0Q|Rߠ㉕)GϜ`ޕ-MFDC~ JRN=J.i5 +7GYWWKXݵݼ C|BJLо@j`ŠʇYߗ gh=Rq*3Ռ05|KY:s;Fx⳻SWZ4 dq`soƮg'[vu?zq z R*v9m|a(lsj'6l/;̲mhea1,G\sHhnFQ)/J)P. UwLIpgKM?ފh,\@^E%ª&-Ew[&0/ c`v~VU['-,9hSt*!)#QE/1Ay A,~JG­~}]/\kG6c 0i- q9.Ϧai ߒY<5]ءC" ĉ95 >@t6պ UgND!, s>5wVqY<]ɝh-&b 50|˜UK=Ain UJ># pş3/] >+6;woslו27.شH-#1Չ(LK6CT׭|uɬ+&ƯMM3AV YImR^5 4Ō,uh75[EKn#4RYQɂl n_ >K)MvCy&Dp0yTb!R]4WfMFg{ÙPUc %"-X,hIW8lYq0|E=s?_UѕP&c\.BCy t"R[MIF5.4J.uEd㴄mi<`$\ֵ.WUšaY$:[F^үo}C8u]n }P+im.,!pC, idf NĉG$r!-F}ϧ5ݚ/H`œh췸ggDK' .Zu5͜ aW{Pjk:FbSJt#T"YYj7 v[:Y-FnVV$ִ>husHy 0O)²BgXYRMv Ѓ2ajWwpf;KF}4[\T0̥=OzRlC>31IK!t|أe,Gu&w?R0sM'Nk1K~VeUJֆهZOuD&;;!#i`1#4GZ΀"e34;R:"Ɔ@+׾[j}' id)阑% :OjI/ztFQx_Ҥׯ&4&!{"Ѐ½[nDq!ypP}ZTnT^;ɹ>Kۑ!a 6sPԖGJYĺ( KS43 Ώ|F:nq(NYl @rq(;F8{Z$4-@iyȳ]XTg!9-PQJ#YOD̵2Hox>8uAI3녮9XAԋ07r,7nMq߯tJoJt㠊-w6]Qx}d[ ?U[O[=fۏ~sI]s5,<}a6 xx+H p19>ca-?<D(Ʒ2yI/$bIm3Ęhftg7p$릋ox} ¼:qyOZU&-5Sw"HnZh!͢~jF#|'N^ " ^H,ӣBJb$>l e, #? wfh>fKySp32zg>QNe&f\ˬ9yZ?UۋOLV{2.BBdiلLHZQsptIv/2 G&L-u6+wP o}c= sR#zUPvCDpҕY`[Ay֒TPqS;^&  []׉TSl?N+5ю5Ri+5 9t>;,>^zB2JKp޺z4/ LciWve# ̓a2\owk~O'^ij{k'@.ʔIɞYZl( X;O!; c"/'F+*}"t-NB&I i83,[dEw)G ;w ~ @ޜ*Tq[ydb`r" Ե}13{;"M G#t%g3q ?K3B B,(N;,} h-GT̂&AfjQRQڐ{4\y~.vWu.G#H߂FgGE:g"rΙAtr E#v]?1݀7iά$캌/ >!꣤ETlŹAqt)D:S'FQ8ajCw0lNJ:ުvVX*-uBȱpZP``\cUHn/զwm}lp^ڟ`iW[h$>I &7B\%c[t$PLL~ !xD8p^=NcՈ"=d~J%b`qiS :\ߥq82wa>Þ7[9KMw{JS ~+.;䯒;鷓8ﵲJ{hE<^-- %̶>q;uAN.tK 4>nnM^y8~/Ӽ7%m%90\Ϋ+[ivASޕeBGI|tŠHnQ߽g{TUs5km{T-~X̫uBMd{A(G"M>TIQ8llaS hCg {>c:3VXݍ+,:hY}HqާЗckxso!2OͺH 01rb;o щI[ZzU5gStbJ:Iءӛ5<+$ %m2~꫊LTŧ!sbLO~3)@uVCvkuDˆ4/1E~.a!*,Y3hgH%>-pBp&7qXRnuSSa@IܲղLDŞ Bx/;zY"ka]_9vzmUG+ѧRdne͔V3Kʈ?>Zwgd5AJK.bi=)jjEѯ!Pf(o>`)n-F2P *{;[s2׊.a?ݑkP^龏I `G/2?b1¼J`4g{YÄ38UrÀbfpoȽN2?j=lgˍy1you*l۲E-eMKlF MhJMXM6Woc{UE&68 B)$cx/prjjgkafvܮ S׀_ra5م3A`_i5.`Dʙd&xF;Jx:aH2鼆WCTVސf ;I94K+HK8ի/$J7}pijtrTk_m+UÜTLO!y Zv0R3˔rE7e#5VCX͆%ZROnsrN?DJ$нY&YRql;V_7YpbF+ۧOktx];c^3 V' AW%S*c6%%4z0/O㾱8{;(v\@ #\+?8~[1g0ޚFFl:0Dt&⶞}0u3K6GlIpf9>5ƌ)\aUW߬c#k"!0mcBRїclCZĈ `5x6cHb~A;XJFEpe@Kk0:ƅ\(խ|BxCVհLM\/TFVUtd~ܹ_ܱH"~h&ݱn[Cq2īQG⃤EhDMu/ {ACJj-v  k AB imLJwSR-\m9[VĆ- b s}pL~i=`zh2/*5^n)'d|^EÅdhD`|4Fl%!v;:8>>6hI ;ՠ䫫\)e ulsƯppu[)Aa060k-XZLnQ͜ծl~9O /xm_aOkg$>eA8ga3aJnEPu;,"80܈{&Uv832@{:*Uz͝yE= =79O2փ"%&6h)a*%q1ibLdɉZr.xU$AiBvD&aRϴ| կ6C֡c6RFTFΫAl5' 3:+wR21gVՀ|L9^#lg6U.\3Z=́ Iqu8eqge%(8`]! "|9 {br+4ey$e w<щ wx'euu[C-fBV֦_֧Hnq\ЀdsU2Qb,F7?w<@D]_e;)H&E '+DOy&b`csb5eff1&fqY44C44d' Ƙ3&!]1A&v Jݧ#I/sK)v"JOzޢ ԩ+> y&gg#~7Ee]Krڋ j[&!hCFtr!`.ԑDKLTr3um^/ /jȱ'h e5zEO3Q6O IK+{{IV0W,tn$7AUYm0l3Ճ}a=GI Sm/,* nePH u6Ęh\/ O&H"vï7\靔,ggCX}i9Kuwș̀JڮU6FS}7pް-$Nc r?PYYQʁs^ 9Γ39|m{cFH=i}b|i:Lr'U0NF\Z۴wl*#fa1#.vA% aIU}trv]';"ے+zHQQGKC{$ѭ,N_p}iDvJG'{ fjgPve¬:x!a=W+˶!$L?(h[9"&`*_.D$}hƏ1^2i:U 0 *5ǚ8/&( f