Package: sssd-krb5-common-1.14.0-43.el7_3.14
Name: sssd-krb5-common
Version: 1.14.0
Release: 43.el7_3.14
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
Description: Provides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.
Build host: c1bm.rdu2.centos.org
Vendor: CentOS
License: GPLv3+
Packager: CentOS BuildSystem
Group: Applications/System
URL: http://fedorahosted.org/sssd/
OS: linux
Architecture: x86_64
Source RPM: sssd-1.14.0-43.el7_3.14.src.rpm

Install scriptlet (/bin/sh):
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd

Provides: sssd-krb5-common, sssd-krb5-common(x86-64)

Requires: /bin/sh, cyrus-sasl-gssapi(x86-64), libc.so.6()(64bit), libc.so.6(GLIBC_2.14)(64bit), libc.so.6(GLIBC_2.2.5)(64bit), libc.so.6(GLIBC_2.3)(64bit), libc.so.6(GLIBC_2.3.4)(64bit), libc.so.6(GLIBC_2.4)(64bit), libcom_err.so.2()(64bit), libdhash.so.1()(64bit), libdhash.so.1(DHASH_0.4.3)(64bit), libdl.so.2()(64bit), libk5crypto.so.3()(64bit), libkrb5.so.3()(64bit), libkrb5.so.3(krb5_3_MIT)(64bit), libpcre.so.1()(64bit), libpopt.so.0()(64bit), libpopt.so.0(LIBPOPT_0)(64bit), libpthread.so.0()(64bit), libpthread.so.0(GLIBC_2.12)(64bit), libpthread.so.0(GLIBC_2.2.5)(64bit), libsss_debug.so()(64bit), libsystemd.so.0()(64bit), libsystemd.so.0(LIBSYSTEMD_209)(64bit), libtalloc.so.2()(64bit), libtalloc.so.2(TALLOC_2.0.2)(64bit), rpmlib(CompressedFileNames), rpmlib(FileDigests), rpmlib(PayloadFilesHavePrefix), rtld(GNU_HASH), shadow-utils, sssd-common, rpmlib(PayloadIsXz)

Versions recorded for the versioned dependencies: 3.0.4-1, 4.6.0-1, 4.0-1, 1.14.0-43.el7_3.14, 5.2-1
Additional package reference: sssd 1.10.0-8.beta2
RPM version: 4.11.3
- 1.14.0-43.14Jakub Hrozek - 1.14.0-43.13Jakub Hrozek - 1.14.0-43.12Jakub Hrozek - 1.14.0-43.11Jakub Hrozek - 1.14.0-43.10Jakub Hrozek - 1.14.0-43.9Jakub Hrozek - 1.14.0-43.8Jakub Hrozek - 1.14.0-43.7Jakub Hrozek - 1.14.0-43.6Jakub Hrozek - 1.14.0-43.5Jakub Hrozek - 1.14.0-43.4Jakub Hrozek - 1.14.0-43.3Jakub Hrozek - 1.14.0-43.2Jakub Hrozek - 1.14.0-43.1Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 
1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub 
Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub 
Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 
1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 
1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1422183 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user.- Resolves: rhbz#1418943 - If a long-running task (e.g. 
enumeration) blocks the sssd_be process, sssd_be can deadlock - Also Require a new-enough version of selinux-policy so that setpgid() by sssd is allowed- Resolves: rhbz#1405584 - SSH: default_domain_suffix is not being used for users' authorized keys- Resolves: rhbz#1404340 - Use-after free in resolver in case the fd is writeable and readable at the same time- Resolves: rhbz#1398673 - autofs map resolution doesn't work offline- Resolves: rhbz#1398169 - sssd fails to start after upgrading to RHEL 7.3- Resolves: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1393730 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Related: rhbz#1396486 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0- Related: rhbz#1396485 - sssd_be keeps crashing- Revert the fix for ignoring sudoUser case as it breaks processing of rules that completely lack a sudoUser attribute - Related: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1392893 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1392896 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. 
Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains 
provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. 
- fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators 
from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. 
- Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user 
even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page 
or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on 
individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with 
--login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? 
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error
- Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD
- Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set
- Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires
- Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option
- Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab

- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID

- Filter out domain-local groups during AD initgroups operation
- Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups

- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups

- Initialize variable in the views code in one success and one failure path
- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605

- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605

- Handle case where there is no default and no rules
- Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u

- Set a pointer in ldap_child to NULL to avoid warnings
- Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error

- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u

- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error

- Run the restart in sssd-common posttrans
- Explicitly require libwbclient
- Resolves: rhbz#1187113 - sssd daemon was not running after RHEL 7.1 upgrade

- Resolves: rhbz#1187113 - sssd daemon was not running after RHEL 7.1 upgrade

- Fix endianness bug in fill_id()
- Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares

- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view

- Resolves: rhbz#1184982 - Need to set different umask in selinux_child

- Bump the release number
- Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute

- Add a patch dependency
- Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute

- Process ghost members only once
- Fix processing of universal groups with members from different domains
- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute

- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved

- Handle GID override in MPG domains
- Handle views with mixed-case domains
- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Open socket to the PAC responder in krb5_child before dropping root
- Related: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute

- Resolves: rhbz#1184140 - Users saved through extop don't have the originalMemberOf attribute

- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD

- Resolves: rhbz#889206 - On clock skew sssd returns system error

- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf
- Related: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used
- Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo
- in addition to the patch libwbclient.so is filtered out of the Provides list of the package

- Resolves: rhbz#1171215 - Crash in function get_object_from_cache
- Resolves: rhbz#1171383 - getent fails for posix group with AD users after login
- Resolves: rhbz#1171382 - getent of AD universal group fails after group users login
- Resolves: rhbz#1170300 - Access is not rejected for disabled domain
- Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode
- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view

- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Rebuild to add several forgotten Patch entries
- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users
- Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=

- Remove Coverity warnings in krb5_child code
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users
- Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=

- Don't error out on chpass with OTPs
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.

- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users
- Enable running unit tests without cmocka
- Related: rhbz#1113783 - sssd should run under unprivileged user

- krb5_child and ldap_child do not call Kerberos calls as root
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware

- Fix typo in libwbclient-devel alternatives invocation
- Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares

- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.

- Handle migrating clients between views
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution

- Use alternatives for libwbclient
- Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares

- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression

- Add an option that describes where to put generated krb5 files to
- Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12

- Handle IPA group names returned from the extop plugin
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution

- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header

- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.

- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete

- Support views for IPA users
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution

- Update man page to clarify TGs should be disabled with a custom search base
- Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases

- Use upstreamed patches for the rootless sssd
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving

- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases

- Resolves: rhbz#1162480 - dereferencing failure against openldap server

- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Resolves: rhbz#1113783 - sssd should run under unprivileged user

- Fix two regressions in the new selinux_child process
- Related: rhbz#1113783 - sssd should run under unprivileged user
- Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used

- Include the ldap_child and selinux_child patches for rootless sssd
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Support overriding SSH public keys with views
- Support extended attributes via the extop plugin
- Related: rhbz#1109756 - Rebase SSSD to 1.12
- Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled

- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving
- Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times

- Include the responder and packaging patches for rootless sssd
- Related: rhbz#1113783 - sssd should run under unprivileged user

- Amend the sssd-ldap man page with info about lockout setup
- Related: rhbz#1109756 - Rebase SSSD to 1.12
- Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD
- Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)

- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Add the low-level server changes for running as unprivileged user
- Package the libsss_semange library needed for SELinux label changes
- Related: rhbz#1113783 - sssd should run under unprivileged user
- Resolves: rhbz#1113784 - sssd should audit selinux user map changes

- Use libsemanage for SELinux label changes
- Resolves: rhbz#1113784 - sssd should audit selinux user map changes

- Rebase SSSD to 1.12.2
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Sync with upstream
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Rebuild against ding-libs with fixed SONAME
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Rebase SSSD to 1.12.1
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Require ldb 2.1.17
- Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer

- Fix fully qualified IFP lookups
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Rebase SSSD to 1.12.0
- Related: rhbz#1109756 - Rebase SSSD to 1.12

- Squash in upstream review comments about the PAC patch
- Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder

- Backport a patch to allow krb5-utils-test to run as root
- Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder

- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder

- Fix a DEBUG message, backport two related fixes
- Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain

- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain

- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching

- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest

- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup

- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success

- Resolves: rhbz#1078840 - Error during password change

- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux

- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration

- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in

- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes

- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40

- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used

- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly

- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path

- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider

- Fix idmap documentation
- Bump idmap version info
- Related: rhbz#1067361 - Check IPA idranges before saving them to the cache

- Pull some follow up man page fixes from upstream
- Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
- Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example

- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes

- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example

- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value

- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache

- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces

- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks

- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7

- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default

- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users

- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not

- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default

- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect

- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter

- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does.
- Use the right domain for AD site resolution
- Related: rhbz#743503 - [RFE] sssd should support DNS sites

- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC

- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin

- Mass rebuild 2014-01-24

- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain

- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out

- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter

- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed.
- Fix a typo in the man page
- Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir

- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain
- Fix return value when searching for AD domain flat names
- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user

- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir

- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user

- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings

- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20

- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used

- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword.
- Fix two memory leaks in the PAC responder (Related: rhbz#991065)

- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup

- Resolves: rhbz#1049533 - Group membership lookup issue

- Mass rebuild 2013-12-27

- Resolves: rhbz#894068 - sss_cache doesn't support subdomains

- Re-initialize subdomains after provider startup
- Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read

- The AD provider is able to resolve group memberships for groups with Global and Universal scope
- Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog

- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog
- Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups

- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested

- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"

- Resolves: rhbz#1037936 - sssd_be crashes occasionally

- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read

- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok

- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy

- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb

- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in

- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains

- Resolves: rhbz#1033084 - sssd_be segfaults if empty group is resolved using ad_matching_rule

- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage

- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes

- Skip netgroups that don't provide well-formed triplets
- Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes

- New upstream release 1.11.2
- Remove upstreamed patches
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2
- Resolves: rhbz#991065

- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash
- Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group

- New upstream release 1.11.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1
- Resolves: rhbz#991065 - Rebase SSSD to 1.11.0

- New upstream release 1.11.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0
- Resolves: rhbz#991065

- New upstream release 1.11 beta 2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2
- Related: rhbz#991065

- Resolves: #906427 - Do not use lib64 in specfile for the nss and pam libraries

- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log

- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting

- Apply several important fixes from upstream 1.10 branch
- Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable

- New upstream release 1.10.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1

- Remove libcmocka dependency

- sssd-tools should require sssd-common, not sssd

- Move sssd_pac to the sssd-ipa and sssd-ad subpackages
- Trim out RHEL5-specific macros since we don't build on RHEL 5
- Trim out macros for Fedora older than F18
- Update libldb requirement to 1.1.16
- Trim RPM changelog down to the last year

- Move sssd_pac to the sssd-krb5 subpackage

- Fix Obsoletes: to account for dist tag
- Convert post and pre scripts to run on the sssd-common subpackage
- Remove old conversion from SYSV

- New upstream release 1.10
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0

- the cmocka toolkit exists only on selected arches

- Apply a number of patches from upstream to fix issues found post-beta, in particular:
-- segfault with a high DEBUG level
-- Fix IPA password migration (upstream #1873)
-- Fix fail over when retrying SRV resolution (upstream #1886)

- Only BuildRequire libcmocka on Fedora

- Fix typo in Requires that prevented an upgrade (#973916)
- Use a hardcoded version in Conflicts, not less-than-current

- New upstream release 1.10 beta2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2
- BuildRequire libcmocka-devel in order to run all upstream tests during build
- BuildRequire libnl3 instead of libnl1
- No longer BuildRequire initscripts, we no longer use /sbin/service
- Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any older krb5-libs version

- Enable hardened build for RHEL7

- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later

- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join
- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider
- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in

- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs
- Fix SSH integration with fully-qualified domains
- Add the ability to dynamically discover the NetBIOS name

- New upstream release 1.10 beta1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1

- Add a patch to fix krb5 ccache creation issue with krb5 1.11

- New upstream release 1.10 alpha1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1

- Split internal helper libraries into a shared object
- Significantly reduce disk-space usage

- Fix the Kerberos password expiration warning (#912223)

- Do not write out dots in the domain-realm mapping file (#905650)

- Include upstream patch to build with krb5-1.11

- Rebuild against new libldb

- Fix build with new automake versions

- Recreate Kerberos ccache directory if it's missing
- Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist

- Fix changelog dates to make F19 rpmbuild happy

- New upstream release 1.9.4

- New upstream release 1.9.3

- Resolve groups from AD correctly

- Check the validity of naming context

- Move the sss_cache tool to the main package

- Include the 1.9.2 tarball

- New upstream release 1.9.2

- New upstream release 1.9.1

- require the latest libldb

- Use mcpath instead of mcachepath macro to be consistent with upstream spec file

- New upstream release 1.9.0

- New upstream release 1.9.0 rc1

- New upstream release 1.9.0 beta7
- obsoletes patches #1-#3

- Rebuild against libldb 1.12

- Rebuild against libldb 1.11

- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly
- Resolves: rhbz#851304

- Rebuild against libldb 1.10

- Only create the SELinux login file if there are SELinux mappings on the IPA server

- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)

- New upstream release 1.9.0 beta 6
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6
- A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value.
- Fixes for the support for setting default SELinux user context from FreeIPA.
- Fixed a regression introduced in beta 5 that broke LDAP SASL binds
- The SSSD supports the concept of a Primary Server and a Back Up Server in failover
- A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine
- SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server.
- Packaging changes to fix ldconfig usage in subpackages (#843995)
- Rebuild against libldb 1.1.9

- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

- New upstream release 1.9.0 beta 5
- Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5
- Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation
- Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation
- The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds

- Fix broken ARM build
- Add missing DP_OPTION_TERMINATOR in AD provider options

- Own several directories created during make install (#839782)

- New upstream release 1.9.0 beta 4
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4
- Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers
- SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules
- The IPA authentication provider now supports subdomains
- Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.

- New upstream release 1.9.0 beta 3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3
- Add a new PAC responder for dealing with cross-realm Kerberos trusts
- Terminate idle connections to the NSS and PAM responders

- Switch unicode library from libunistring to Glib
- Drop unnecessary explicit Requires on keyutils
- Guarantee that versioned Requires include the correct architecture

- Fix accidental disabling of the DIR cache support

- New upstream release 1.9.0 beta 2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2
- Add support for the Kerberos DIR cache for storing multiple TGTs automatically
- Major performance enhancement when storing large groups in the cache
- Major performance enhancement when performing initgroups() against Active Directory
- SSSDConfig data file default locations can now be set during configure for easier packaging

- Fix regression in endianness patch

- Rebuild SSSD against ding-libs 0.3.0beta1
- Fix endianness bug in service map protocol

- Fix several regressions since 1.5.x
- Ensure that the RPM creates the /var/lib/sss/mc directory
- Add support for Netscape password warning expiration control
- Rebuild against libldb 1.1.6

- New upstream release 1.9.0 beta 1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1
- Add native support for autofs to the IPA provider
- Support for ID-mapping when connecting to Active Directory
- Support for handling very large (> 1500 users) groups in Active Directory
- Support for sub-domains (will be used for dealing with trust relationships)
- Add a new fast in-memory cache to speed up lookups of cached data on repeated requests

- New upstream release 1.8.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3
- Numerous manpage and translation updates
- LDAP: Handle situations where the RootDSE isn't available anonymously
- LDAP: Fix regression for users using non-standard LDAP attributes for user information

- New upstream release 1.8.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2
- Several fixes to case-insensitive domain functions
- Fix for GSSAPI binds when the keytab contains unrelated principals
- Fixed several segfaults
- Workarounds added for LDAP servers with unreadable RootDSE
- SSH knownhostproxy will no longer enter an infinite loop preventing login
- The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown
- Assorted minor fixes for issues discovered by static analysis tools

- Don't duplicate libsss_autofs.so in two packages
- Set explicit package contents instead of globbing

- Fix uninitialized value bug causing crashes throughout the code
- Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup

- New upstream release 1.8.1
- Resolve issue where we could enter an infinite loop trying to connect to an auth server
- Fix serious issue with complex (3+ levels) nested groups
- Fix netgroup support for case-insensitivity and aliases
- Fix serious issue with lookup bundling resulting in requests never completing
- IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate
- Fix several regressions in the proxy provider
- Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD
- Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work

- New upstream release 1.8.0
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)
- Include the IPA AutoFS provider
- Fixed several memory-corruption bugs
- Fixed a regression in group enumeration since 1.7.0
- Fixed a regression in the proxy provider
- Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD
- Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login
- Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV)
- Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc

- Change default kerberos credential cache location to /run/user/

- New upstream release 1.8.0 beta 3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3
- Fixed a regression in group enumeration since 1.7.0
- Fixed several memory-corruption bugs
- Finalized the ABI for the autofs support
- Fixed a regression in the proxy provider

- Rebuild against PCRE 8.30

- New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2
- Fix two minor manpage bugs
- Include the IPA AutoFS provider

- New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)

- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- fix netgroups and sudo as well

- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.

- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

- New upstream release 1.7.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0
- Support for case-insensitive domains
- Support for multiple search bases in the LDAP provider
- Support for the native FreeIPA netgroup implementation
- Reliability improvements to the process monitor
- New DEBUG facility with more consistent log levels
- New tool to change debug log levels without restarting SSSD
- SSSD will now disconnect from LDAP server when idle
- FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains
- Assorted performance improvements in the LDAP provider

- New upstream release 1.6.4
- Rolls up previous patches applied to the 1.6.3 tarball
- Fixes a rare issue causing crashes in the failover logic
- Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.

- Rebuild against libldb 1.1.4

- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam()
- Resolves: rhbz#758425 - LDAP failover not working if server refuses connections

- Rebuild for libldb 1.1.3

- Resolves: rhbz#752495 - Crash when apply settings

- New upstream release 1.6.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3
- Fixes a major cache performance issue introduced in 1.6.2
- Fixes a potential infinite-loop with certain LDAP layouts

- Rebuilt for glibc bug#747377

- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.

- Add explicit requirement on selinux-policy version to address new SBUS symlinks.

- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.

- Improved handling of users and groups with multi-valued name attributes (aliases)
- Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing
- Improved process-hang detection and restarting
- Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
- Cleaned up the example configuration
- New tool to change debug level on the fly

- New upstream release 1.6.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1
- Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep)
- SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined
- The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided.
- Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory)
- Three HBAC regressions have been fixed.
- Fix for an infinite loop in the deref code

- Build with _hardened_build macro

- New upstream release 1.6.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0
- Add host access control support for LDAP (similar to pam_host_attr)
- Finer-grained control on principals used with Kerberos (such as for FAST or validation)
- Added a new tool sss_cache to allow selective expiring of cached entries
- Added support for LDAP DEREF and ASQ controls
- Added access control features for Novell Directory Server
- FreeIPA dynamic DNS update now checks first to see if an update is needed
- Complete rewrite of the HBAC library
- New libraries: libipa_hbac and libipa_hbac-python

- New upstream release 1.5.11
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
- Fix a serious regression that prevented SSSD from working with ldaps:// URIs
- IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 address being saved to the AAAA record

- New upstream release 1.5.10
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10
- Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP

- New upstream release 1.5.9
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9
- Support for overriding home directory, shell and primary GID locally -
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. 
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. 
- Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. 
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system 
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that 
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)

- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

- Fix a couple of segfaults that may happen on reload

- add missing configure check that broke stopping the daemon
- also fix default config to add a missing required option

- latest upstream release.
- also add a patch that fixes debugging output (potential segfault)

- release out of the official 0.3.2 tarball

- bugfix release 0.3.2
- includes previous release patches
- change permissions of the /etc/sssd/sssd.conf to 0600

- Add last minute bug fixes, found in testing the package

- Version 0.3.1
- includes previous release patches

- Try to fix build adding automake as an explicit BuildRequire
- Add also a couple of last minute patches from upstream

- Version 0.3.0
- Provides file based configuration and lots of improvements

- Version 0.2.1

- Version 0.2.0

- package git snapshot

- fixed items found during review
- added initscript

- added sss_client

- Small cleanup and fixes in the spec file

- Initial release (based on version 0.1.0 upstream code)

/bin/sh
1.14.0-43.el7_3.14
1.14.0-43.el7_3.14
krb5_child
ldap_child
sssd-krb5-common-1.14.0
COPYING
krb5.include.d
/usr/libexec/sssd/
/usr/share/doc/
/usr/share/doc/sssd-krb5-common-1.14.0/
/var/lib/sss/pubconf/
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
drpm
xz
2
x86_64-redhat-linux-gnu
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=8b35bc6fb91f4fa7b930fc1d0194fe2f485a63b4, stripped
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=e88d0f86d6574aded54d80394f751d74fde0f2fb, stripped
directory
ASCII text