sssd-krb5-common-1.14.0-43.el7_3.18$> t$α1Er>=}?}d & a .B`fm  ( <  5Np!4!{!(89:`=y!Gy,Hy@IyTXy\Yyd\y]y^ybzFd{ e{f{l{t{0u{Dv{Xw|x|y}-}Csssd-krb5-common1.14.043.el7_3.18SSSD helpers needed for Kerberos and GSSAPI authenticationProvides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.YTEpc1bm.rdu2.centos.orgCCentOSGPLv3+CentOS BuildSystem Applications/Systemhttp://fedorahosted.org/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd0KA큤AYTE_YTE_YTEoW~YTEO20294f1fee07524927f2794cdfca513b228d3c32abc61c3691418d5df3f47886dc3db3a54145e126fbf6ca842434d5d51f2c61d68617ad3b92a44d7c28226f6c8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903rootrootrootrootsssdsssdsssdrootrootsssdsssd-1.14.0-43.el7_3.18.src.rpmsssd-krb5-commonsssd-krb5-common(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shcyrus-sasl-gssapi(x86-64)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcom_err.so.2()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libpcre.so.1()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.12)(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libsss_debug.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.14.0-43.el7_3.185.2-1sssd1.10.0-8.beta24.11.3Y(YYtYXBXpXv@XOX8'X6@X5X5X.@X.@X)@X#X!@X lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.14.0-43.18Jakub Hrozek - 1.14.0-43.17Jakub Hrozek - 1.14.0-43.16Jakub Hrozek - 1.14.0-43.15Jakub Hrozek - 1.14.0-43.14Jakub Hrozek - 1.14.0-43.13Jakub Hrozek - 1.14.0-43.12Jakub Hrozek - 1.14.0-43.11Jakub Hrozek - 1.14.0-43.10Jakub Hrozek - 1.14.0-43.9Jakub Hrozek - 1.14.0-43.8Jakub Hrozek - 1.14.0-43.7Jakub Hrozek - 1.14.0-43.6Jakub Hrozek - 1.14.0-43.5Jakub Hrozek - 1.14.0-43.4Jakub Hrozek - 1.14.0-43.3Jakub Hrozek - 1.14.0-43.2Jakub Hrozek - 1.14.0-43.1Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1456013 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1450125 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1446085 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1445821 - sssd does not evaluate AD UPN suffixes which results in failed user logins- Resolves: rhbz#1422183 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user.- Resolves: rhbz#1418943 - If a long-running task (e.g. enumeration) blocks the sssd_be process, sssd_be can deadlock - Also Require a new-enough version of selinux-policy so that setpgid() by sssd is allowed- Resolves: rhbz#1405584 - SSH: default_domain_suffix is not being used for users' authorized keys- Resolves: rhbz#1404340 - Use-after free in resolver in case the fd is writeable and readable at the same time- Resolves: rhbz#1398673 - autofs map resolution doesn't work offline- Resolves: rhbz#1398169 - sssd fails to start after upgrading to RHEL 7.3- Resolves: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1393730 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Related: rhbz#1396486 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0- Related: rhbz#1396485 - sssd_be keeps crashing- Revert the fix for ignoring sudoUser case as it breaks processing of rules that completely lack a sudoUser attribute - Related: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1392946 - sudo: ignore case on case insensitive domains- Resolves: rhbz#1392893 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1392896 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use lib64 in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh1.14.0-43.el7_3.181.14.0-43.el7_3.18krb5_childldap_childsssd-krb5-common-1.14.0COPYINGkrb5.include.d/usr/libexec/sssd//usr/share/doc//usr/share/doc/sssd-krb5-common-1.14.0//var/lib/sss/pubconf/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=8b35bc6fb91f4fa7b930fc1d0194fe2f485a63b4, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=e88d0f86d6574aded54d80394f751d74fde0f2fb, strippeddirectoryASCII textRRR RRRRRRRRRRRRR R R RRRRR RRRR RRRRRRRRRRRR R R RR RR?07zXZ !PH6~]"k%>eN8\7e|FOj-Io^૦EԶ%r1j~N1iZehrnp"sxN ot2pH)[mi |KAz!P#j v3Eo80֗C{b%Ę]LL$&pyf;YD~e8,wcbO`uV%daL"cBAQlhk!=C3Ի6GǡnUrų-3_7 >h[A a%\o:snr^T(})dj9/ lq*+WjHz%09uI[x* b³vm4%6]&. 7ܗ.[&=7=Չ=$ļ'wQcauw  g)UÊ6L諒B,veaY]^G#f Kf2zFޟAHx)eQ5'> thIvHe2"sF>*1pʻ,jCD G(HN6.BEEZ7lMo=bKJ6@t n0ZDP/!Lnw_{`DBN߽0WݫGW=ll|F1#Xm2(ue-M>b̈́Xah{nX*ctjS{9Q֒_ْ*!G̬<붞{Ky1W}_"0ΪcV_BElgMx"Jl/nA|n"2_mFÌr8PoweyrKfaP0rT }\TgED*{{-D VOGVC0ػG\ |zW9KA6Ec3yvS17kwP$ǭ0*zq3?'}&Fd ~z-+ sPz4rC)̿iHgx3!QQ&sV& S˕L=wdezVƠFCyN&k2>X:Hӵ*7LJtyALҋ`Ni9&DtxcD5-/R!ކ42:iBuYޖ`#TmfWE"l^ ҥ:(4$oE,s tOlxP~a2Ikw$]ā{JxYxݣ{+3QidCv˷50&CgvFgTXzMPg'=6`Əʳi-=}4Qd4 H$uZ1 J1L F񺫹9n6&QHԁl-ⰎlI/rg Ą=k$5'M҉\fRooy~rN6OҨ`dD;pUxӺ'\s_8A{0_ӣjN T`yrH8|Sl.JVVG_\d3TRz>.FޏZڛ8ޑ;ѡ@]ie ߎZ5*y514VF1T$y"KOZ械#w3 afaa؊?*/.u|ya.TtjE6#0|f8{l+˪Q%ʆ%,ާu8n'45L*V^hr.}0 <~ ) e^ThVv$]l| HRB׉Vեi*pe@\8\4a@DM0CmjjwPq=G&J<"Pc϶"'C z ! +zjihZޓHe2g蕼HT ~Ev 6qR3g\>9/^2T1 &4K܃&kw\G<"h {Z͗#Of#B4JbfYOv߇?"nE[9>S% OŽ4lxͩjARf utTɑĄAKKHՖWGvLJ??яG[?p$m)TȇR..akwogmv܂ҙ%M=q+8$%~*;0;a=7yYXj5:5 7EHIBx(m֊~]1IN!Jnȿ ꐹ]"d2-q#Bw(3.W$r3Tg$+됱6ܪzke|p˅|[ 9 E)sڟd&=jzQ҃&;W REoy. >RD^n8"\ ce0Z⶧E`?s.v㘡|l' 4 *vp{ƽEvh6D[1^3WEN1 U.&e*-߿0*VG%݂E7jG<lѷ6(.JN@ߕ}(Vth%5{ " HS,~4b %AZg0Z/:*y s피=O8[6;wm^dQdh?GE7Flmr`flihԦh7nPۑ6[_ Ӎ[! O))n$,YjGwο#?]z"*]Ǽ`3N`Ex#Z"^gR=i,`g $OM4sI!~v;ivo ٷΔn@~gk NBNtO3FiSUO86!;f$ H *%OdgQ\HVKJN% dkB|]9vhiǡJqFXs|sJ,S[vkc9U3i R%{nJcp Z S|}i)1_#Rz]CgZI|}a ~Kh1<37ataΙx,ߑ* +prP̨Zܤ:쪦sX4}%0ֆBw@e>O {Iˋk{xy1/e8"^g֛{ ogs^h<#Z|v?/z^웙 1rf!5 uWM @M>3U q0+E+[ QFL u~"96msP`6M}NuﶵAY1q 0bh9FQM썙Mwwg򐠳M}Vc`tE_nܣ]".ae䲹~"e{?_"lDն+#4$԰p0|NJ(e"D5Y'j 79T~˺t;Y)! mj_C9o_&7/E3vVv|6Y f)# I_Rbl(] -஼u0v ~ˬ2犕W8ܑ*] ER yEM|"6Y1_Bk^X9wCqfd$FTQK`&1l<q`-1דս~Ö?0[U,\̩>_ݰt#F¶`6~G3uzqs#AʰoeŚyeM⟅|eUa̓?F_)_XĐp y߃ fi!ݥ}teK6mKLlCPxc] eWXNFf9U@+A,H=CWPDH.zԀNTڱQU!cΓDJ}Fe:'.EIȦ{q^ {'$O(DgLjT_JYcX.B},:$͢lҘHAoGIIIa !#iA'(e_֙A{$gFtéǴheMtzx^nq`kJ:!~N@ 0|46̖1}byk-3S_OiK)ۅTi{p}zdb==gpź-9dҖ ᚎ/ :IO(S? vʥ(OIV =YӦ?&{xpdlcbqrOx1VS)pNYgaQ|%x&“ J=SE.gC5US&o1l.U%'5EVESQ=t4F)ZbJ-qs 0jaACpQYpc-@|O7| TFp嶣ɂ2K[f$&[ץg"۔Ɨ%͈ʀaAKv(}1)!j ByMl8qZ7/B^O4Cn*)҉9/4Zm=#pڃ;݅cԄ & |9̞EH]Ӎ2u0-hWZO< ?XhK^C^p5%5ھW@(/Dzvk -'})rʆҍմi^Ҟ-gW*O=Lݑ>aKGt/h{g=pPBσR])=?>4GaɎ*Mr/DyQҠ[yZ?s5NQ\F,ˊ#b8\ 6zl|gА* ӄM͍Vdnt3__;/Y#m׭AD{2LOlh}HP!8p;*pN 9ǟҫL@]族9x߻&g]zP( ch4CeS(I!K3dIT.ψ"  (I aS*꿳WL=.I=2:8ZVCcttYuaV!g3ѹsKgBJPY7:cG)gO@R׈#m@}:wJyQl15c!etJV[>BҒV 0w |j{Y%z|d5XZ/zcoW"С"fUG|郊V9ro@i+%wp'6#Xl[KZìs+Ɔ~z`rko O:k,F;maKBTm~ZLa(h3 cJe8>UxdftѹϏ Fm}5;0dDw7+l )sIПg`@Ɵ"ܥYTL +vc+FiR\Oj˜1@툐'< мkߊOBRAcC̲Lfp?# %poO]y yvZQ1\I W6>/*pA'4;P 're3u>hPF Ì̲'SP|~w{ ^16 ૈ^N7uZ:2db+ުjz^T|,[_h/nAY qK 3W~I-h˕p:Q0uϫaoŠ(^Zj錫7.e >"༩$ԯO12~nhB_^{J⻗兂Q4ݷ |`Hx9SQ5鸙 adzvO|zzJ˄ݘx6k:G1Pw+o3wtCr [KvìI>&J팡Yv{m1\^}>Afd-- P1o?߻1nXUN$qtg6̂V e-:J7F,6!N?WM/*T9 2arGߺS2̞Ttr!x2ِh?iAxcq#h ׺d{ݯ^suZJ^D{J~*KC9.֧׮#|k GJM1ؖv;GȐ[ེ nAc9{:HNjYռfIz o xZ(|Ao'1m^./hXB h/u_3!{KPnue]a|j+h>S M&*a}ht͚/!3UY8>kܣ oXӔ^mJxT o&jwJW 0cH)h !ua4_tݖj(`4Mq C-cP-_愖J Q5o &҂QHbuqR`vfxY;rb N*\T7.Ϝ;ɝ?Gvz>b eH|=?%7s*"\]r"8T; NS0#^ +|T4]YU4YQ.$<EsBBn _%gƨ"H`P?Iӣ?Лj7`9s_zt+FJ\.WEl8'^|{H֚E7MI{5cڂX7w (-˃ueM,NγU?bGX7r^lmw 88kKB>*MŢq4i8/&xf1[[{WN(~k IϜ&8f[zϓ:`(?7J*2殬ެÕÛ<)p>?H8= p!g̜5џ$t!>wt*]_4|O3*|Y+UdB<:@LF1bd*tg xIDkUUt5ai.vAip:%ȲXUmĝt&'A-=9JYYm:KEN2*eYL<ۊd?:v\4Q1T&#Q԰QG1ofUar{*p _U$37k}PՀ[f\$e &i;=k3?;މ5 FZ>`R`{~jW8Id{؋ +WPn’/kYu3Z J tdF8Q@]Q YqέQ=EI0@@}hDgA展r?Y龖X'0"QD __d/yc_ ?$ DFH;e;`;^c'EJ+-G&xYpI&;f,p_ /bU@i® R$\k+eM[), 0ep"By,ef^|4B v\`HYYQAtٔ/ZБtװ,FnlHIYΈ|ZR+75gT(*!'drxxN>?QLAMPYh O3MkVaЂ t~t)4 raLeYX.!' V:MM"i%(:_9*"/Pw7 ؎`P}LUp驥0Bz'*w:S8 aGZ<iGC%O^?$Ȑ2Y2^M2`53DYyՅZX"^H? 9&m) pI#!a|itcOE[k))k+ _SnhLJ M%ݦX&txRy윣GZe# !'J{Hv*\rqFcT3\,_4<\&:;H]Q>Be\SKC+'I4O. /Fpy9`6^ڍQ[#&4/Ѭ^t!^7ZD#PNh-zm5c\N~Q;I>:rM+8|Zҋ[n66Ȫh< :$u(̚Z.\Jh_Ɯ& F$Qєzx Q6]eh0Aj  Nx:4M.RTi)^l@t4A(Je2gXX#O/^w'iǓ6&’߿ZAx}Qqm.!e@D,)Džf)XTVK;tzpq@0I=xc%K]!D B%|%} Q)( ) 6 ϗIdT_jn5oYMԪsSaQJ1_);hF")[)p1Ԇ84v CC.|&o&\ Ό.\`ա^'gaVhr)vBɹD|=(Vqe' ;rQhFm`q|b^/4Ȕ4 QZQ x)ѣ[V^ry^[@Z$yvȵ-mJ[.cVAwH'IՖ8׷W/D[$!86  k:oڒaбkpTu+(Io0P2,ƴ}+Ή@g+L_OUYΕ6r[$P}U_]0զz_pU^"״1wϣ,U>#2gErc7>]#=E~2M]qO+^⻴d]$п8I] L]f@g\Qll~#cAzD@xIG T8[~x*u7?[cߖ7&uw cڄyI@dEr1v{8WvIIHqA E'"}ϨR O%Iqκb&1#-sR&`>*Q݉0)\jQ3{r~ hiNS4`4cz6a54ͽq9r$8ϜW#mzB53J8Ɍڐz,u2Iv5A9, pP` g+)u9 klE\xܽg? s Ũ4Fm&V-[괧`y4Nw;b ks p\ēδ ̔njέG /0O5oKiȨ68x% ȼ%!^|$iic"U3(HV[}]fILtC-f5&˹V4g :f';-7~Y 1fYcYTF?oz}L:kE]2Pv!wr[X?O#ـ; gOש.ܧ;RJ i# A w>D B${aC5 >, Ńzcu)Z<o *H/[Z+B[~7Ϋ}-ΙonHN$SgKՅs}-ÿi:mh ϫ!13SZ a Û埿K},7ҠT_N{]|AT713*`یKPyϐܫg?l_*;e#}mƞkEV'Yl3]Jn=r%ejՉݵZrX{ :3Vن|B3(#-})[ZR5-`$pڙt/K[& I(KRԡrA<]cf>8?GhL~'kR C:uM 2&fs7" 冿d .a nJ\IU== O@Slu7ڨi8 Z鉏 8}=*PqUTˍa;:#@]ggSU{nXu`zV+G"C02Glmg }<"Dй9Q1jU[Q0o9à p5b˶m]S&EP4 ]D+[bl%(uzN %;RjgBK#֫:GF K8y'@岑s*:a :poim5\s_+b*H2`?gz?JifNl6S5b ޱ?" ɼݰ"-Ղ0dl?KV.)Uϲ ,Wg7 lC@V=xaL2UZb,myt47Yk#O''itzPTY: 7+% ;K\J.hqfx,Ji(t|AmAlf?|:IcWEBluM9&c\JrUZwRܫљc˖EUGy P)A,Fsj (q;M~H1kcKfVQ .DG@]UIխ,'OƫDOd +m|.KeУf٘dh̼U0}a`UN@+Wee4iϬ2hwM@p =w>XpsRr;cZ5Bslw)a}ݤTC rPA+ukz"*o ޷oR9g *PلPXkF+;&]9P!ר2AJorCNԅeDC4tϢ &x脀X*^wxuὒ{QXM4*];HN(kd6[0*Rd\~@am']gi4]I4G^PtJ뭱ϨP]|ޥ@[(A|kh &le= $)FdHn° Fe><G陼NOrrеM-l${>@F %io[5N-q,]SD)sP/7ʕ9V;,˅4uV! `6`#7 e̖I>RjQW2ݰ#jNx\Rޛ.ٽnyyMmSS,7"ZAOk}i5sӹފ/h`L\Q&^|ٸ.R!otwñuG,'( t^\Vlք-5P[S=T#I65s^Pɔ$LD_:o3Ƒ Õō8{D`~ġTDm+S.1uV֊;. 8k=QO[V+nE ܘ%~E q&{ ʠc99&xM.J2ځn}%V _Z 95.͌(8h74<0k[}YDS`0E5?|d $.y &P#ӴzZ< ||BcSnvdL/=L)HU}dkÉb/aɛ44:^TK&_'Oq ;l1vaM[V#A  4rm[_y6[_ߎz,U4w8i{&yjq[0Ve)@uXt}K9@7׋dɦZzk#zyٽH[Hdži[܋S,_JaŔ_&֊g{O7̽<˩EVRV[҇w_)ᒸ +h}OaqZU`0ѯnq3fQXb9nY.n%:m6f~iG&o*{C ypzj0Pur4/h5Z[\3 o!IIRh7eC1D^w[jDz2&vCRYW,}M\%.y Usn"p|'ύ&L> tK=_gB9ښZ$A""E HsnDqoAm( u'0ӻLXj]Y׆-)u%)e|_'ض(#lhƹכ൪FEijlzk./Y\/bOe$4 FDDJN ODuk"Vr @R̿̉$iY[ nheo*uբVm]l'-c}n:*v WN!0(n!{V.tEu ʻ==k[3n<6Ke9Ὤ("Z5hm 4J`M1l`ANh9[M?'c`MJG\T^:,L(4]9[5X 5Ơ̂wJ4d4ǖQm};pȍB(v\˂Z V2 J ̗f2 Kh1*Cx&Bc 7/5(Gbr%i:(*ߞ}GG+`Aꤔ7A?y}uɯ,J8[De]Mr0zO>\-5}G&FJڏ)0ƎH!RJ_͐+}hOnQwAn<8യ8ڣ]צT޸=Ӧbrv֨9ԟu.Ƿ7k)`}COhHB[ g71CInt?Q5.[M:Tk5oƧ*g3mu jˆ.}=+t4bIyEmuҌ7dD pgN!"f|oqҰzEgT~B@u}0iȍ/{t8<ę9)x=N HxrMzkLߒ?ķ-⵿^H\3j+{' &Li,*3/bF7Mfk2 =bȂڟ®dXnF6C}4ͱMMWjZ1 SUFȯkp#X|Y,k'?NOAYjCl?ZS>T ǞC7 V=unUTO,1}XH1Sێ;Ҙ z.I7{! u =T'j0 jbQģ.k&;ZSe#UaVT"&.ꗚLq>y1?x upcQ%3kMbt{ݍ$zl.$E;i8=lC 86qŪ!۲b@T+R1%Dň\jb#캔ru{a*(hMz!oy`ن_hnj7MK C,wrXiJq1\͸Ε@ipmRey;Cn7q !C[x7gG:Mo|`85RNnD95 jlUO&-Syإ^g᥷\،䌯qښȀg qɣε:d|&cF~A4+ീJ{; k'h߷eY)>/@jLL+735j^< ŗLEڜ- (J5QQI@'!=kA?FB2N w}щ+#:zNf:;y|'<<V([+M#RA>#RشTkEa>Ay% NztoӼlL.Ѳsz~!).Uyn…m QlLju^C[Z[ /s&Ł8< JFcg?eP'#h˷ $Q&p)ms@Mlن al0=Cyf{#C ^xHbOI%,b۾>dY 5u5ţ56 &WkG+)"r'I8_[ۄ@Ɗ]{xkҍ@ԷN6$\rS(p}gMx^&[4jdB-1+:kjBkd7~nYtj|SZ"{{l 7o\q0BC&l2uaDYͼqtעb5fn>Kc c>?J \0]RO8(:L̷%@~ʜ<זfX?x X؅ h#ЁDr,vDT7/d+8o^&`p)Q[~s^yA- &&뙴J}O:T}2Wg:Ʒhq'߬yv䬗7hXQw. Eps1e5s&n;j`ʁҼwA kdz0N-MD=i&x N w\e9ȱD*&F kᨅu*z2.d(l-rg%fփZ+l{.#D|SMQ[E A`;0bX'MsA?{yF 9ѪGrORIA5La0՗S4L~w-jx̻@uQ nLBې^ic.[~x*+3+-$sxY 1iDy`Կ%ՍGn=p"'q6v; ^iJ)J/|0+\I(չH|_ H3K8 U $5_Bfl\{D^e5U62vELl-fsJ:$=?U.#\7b6HlJ7C3$D,2O*w@%)!AGoCvj|fT9t`y *Pdn-,8H3$MM]t2)H/6Ua@qUBsv-BKϼ|ݫRTFu\TDe85xCJ-k\HbyuzOPnM:u)ƘG˟(_ynp<[>Pޖ9ΈYX [aP' 8r__o]rǽbs1ttwH!$.|s [`Rxa"QЫ.ĵGLŠ(4z=Umn:QٶZěG)]\Vj ٞ'IK;~x;7̯HHIϣ,j>gYʥ@ %jgfM rK26U ; XDrA_PᘥH^Cׇ(2lsk%z?1҉N; 3f;-H1KLX0,maMu/);\2f"蚼ӃΊ#FU`+ `)RD={|"+&fJu%)!Qֱ 1?yl@}4 fr;U64 {yƈ'AxQ9a|Zn.E4 cjWo+.S[%kON3wc7 %= AX}v/esMj ,ו..8̩AM: Jr[[]d'`{}O6x_YWrX<|+E|ѧť#S53<_9$R(s3 ߔ$//@RȳݰRɾ;*;,VRRMQNwRӘ\I\ˁȢpbFنkq4pu N tsxS"ȶAPMRgz"}jӂ&:5<Ž3֩c%%ޥxݜP+OLx  Skv:e8 5s!w!0ے ]-aU3i "ɫ՗:) 7 cӡ=ءΠO)'P1G=l?()!)s0#6Y|w٩˔ًZ_wRw"c՞ :hC\tz?ߖ);m{*0x(2I'zq;Uks89dbߡgN)&^D5T״S\G#^fO8IiF{(FϞQ3y u.?4oxL%Bl ; >-^4;I< F9 ڞѝC G&l l!<+[ȉb7r\<ʠU\Lh\%PXPN L @tCe"k\^6 uh/{hk+Jl9)=l MsmlEHV{ֆƬʇmnA8;L2L?3rk噅FL_1]8EU7z|kԣfUNPO4EQ<'/&`) -'lųfC~E{3^7Qxi B}d0 ( ;7w&O/%8 %Kt (pB[#C3F{.GFۮrZrJyK2A/a2] Sc E3 dvxA ,OS;Dt|=Y1rfսi›| ~D}{hNȌJjl  ^+r d޶OXBdяLMyeD\gdr]}eHJY:X#5hT0daz>tz @3YK>v,{hm9Aqs08i+_E* {|Z)aG )j$xVV_0 $YN(?db0K y#)D AwX O`(W݇@\*u+k:~f!߽ۓs~1#U0!k7ER!2ٍΜ[6H٬Bҝp8A?+Fbcw 6T `=vVL3{qJքW!XV7@bhӊrŊfP 3{w$yB K7,te ~ZoUj A#vAA4^G "hϘ= Qnl[ 0Mg|U3YG:PkVL*)7c/AS%9O![kaBuɡq78]bvZQ'IMET:[Yeq>Gc_IQ_cq=SEݺuxIy;Mܟj v&EؿVt{s.WNMKs\AsSA*0Ey@u5|pNK7H)+'Gqf!+6J㗺):@hhY=`%:~2#s/3 fHѬBψn w{LcZ[KbY.ba%cQF2B]hЀ[>ا͸->"MC=( +)?245Â$;TeZwݮcV𶦳QQw(1&n׏ҋϫs mC"'10*C9TvkEF͹"%q\.6NLGy(JnqMf6eZoinei=ţCH sYWQueߵ4[M nhƾdvr t7jXRh8-3W^1cyr JCPȢBV<Y&9>̠Lzm4Cm60,eO\ [s~4'( +EUps?fٳ"[GBSAUQ8pҶV3<'d=sFlz3GG +"{|e$@qJQlrDK#x)7i4A;P|8kdZ2ޫLw)?T, oO bq[/Z 愽6K[k(4Ӛ^ ?AIH.h0`HeP1kc@_mmd$ ?&ͪFz~*geW@%sYONfxOlLnYb`~iuIA?AU_޲|Q 3-e[ JY;J}cI4 WYJjffXM b𣵪 <+g M?5!$=BY1xGʩ{}v ۖW̋0toq;ך \ M*ܶCfR& oޒt+odBp5R/LKS6F5B÷%AzIU|b57ye8)0mϳ gPoE]P|NCy59 +! r,{ʂreon'#K@-ҟn9AEpCqzv/|bשO~OF,wB!OVugDxJ<`b-0KˈЙBB{yxyhiHz. G3R6ole2.mbmõx;VdFsyZ400v"=M%U0EM#_j.ǒ|68CNt)H˼3UL`/ *$H> sed%/(,cX%zC~&1N4MHsᒶ{+\;A h2RZ+rU[kκAnOx=SA?(ND(l2[u *B'&-;l܍KMaTdٵYȱSZzxrT3vL-\* i/_RJg ;_KȡїqHѫWVDÆ:vhbPs=3f(kj%q?/ǂ9!qyd~̬>K hZMȸpo 7E݇ݡ8&c>Y`lq2y&<7䝟u*e+^o1K9ε^'V3ޘxƍGzg;Ue&б=d+{`ۦox7v̸*yM(dFa3\||:9(8F8ѱ9aիI÷$ Mqb}7.Tq;|ޘr~pWDHeS *}Ӫ +}ǏoI{r4p4 ;ŝFoWnиW?WML+Uh*OQ ^d@T`6_~Z1U _rH @#0 q`S9F0K=~ 晅Gmdm3G)Wg6v΀Trâۇ'b֞XqH-SBN6P*V,<a.u<(͕Ցr\,0C˜[Gfp rNP?\;H_Wyń^,2Hͨ(勷v'cO5|z2 {Ѡ#DVh;)\ŞbܧF8–?L"n:s p2[o1&vU?֋ORLӐ6x `#ü#Xw7ߍZi2 $;,X[ΛkمTVh C- I|ςpX(3Z,$ 9n>&Uofƛ+`iZoAJQ6'}pmͨN7:adepc=o>jYG6{!Jil÷ފKh_:oVf$"tTG=$1=E~;^_|Qzr(izO28{9{hH0{HB Mct6)Zʛ }wOEhfIt SAe?# 0RԿmFdyҨ͘( A/P8`Y}Wh+nb[Z61V,+ Gqݔ"n0> }t!K< P<댜/e]ClaCݡ @I^ूP`q}B50̥t(.oNqk:h-WhT$|?:Z/5}u*3 N \)Л/ecȹ _?*MhN>;&, M|;Z.r>5N,, Fo6g~*L58Y}PKկIL dYQPr(AoZc3(2ċUnP .g 7ﯱ{*K>ʧ3J_v_zfF 3o+-_Ҽf7< yhB;uE8 7R}hRy5 Z7>ZZC-;ھY"!?E\mtܿA& ׿7qB 򋴄\~qc ȱ/lI7rqOQ tۛr?|DtݷeVvn~/}Uu]gC]UG(enҗW,ek_$ڶ*BY1eUJ FZƫ^:ș#Fϯ8n @fJL ԍ3nߡibV ʳ7 LM Q1 HN1hn^ЁTF(FF6\O9jR5T+<9;s ʸ:PЪ1'ٶ?TF*["Š X聼jˠLN\κg9ӟNa>Ňr &B]߳n6PسIC$Ɲ/xJ1޵@P*uoKfK;Mcz r0> [z^Z7_J!eǟƔM~V 2%D't"q)jkԘuT!§sλRAyǃ ۅ:TĄAd-\?k@uvo~ *hbME\_gP ,w"*7#ʨ>"*Gs ̽c]}H* 7;qIJjaf+$ SԈK΍1ՓicBy C5]eUo{@>M  bbk3>If} !&^|͋ZP4ZvRBgLZ>j|8JK:cybf 6Q(Zx$8(>޲Orr:F%0tvBt;R9#up,Fڰ3IxMj7̵t78#hAn3:;Eqfb7": y "Y76oZ+؀8^v.ѺpBp:?CLrY !L /b)EpʋDxR`uH^' 2 \:g h4< c{J?ύ"#W٫Srh.VS]!u}4Yi^f@fױr6GXX|NbR$x|9C}ꆉ?̧jtQ_jZ|ab2?9!u<ΑELe'ݟ'8[i 8ʽ?!r̻21N +AdP 9ZDXaDyt'Q4m1 "sWm }4 /`2Zi!C ԼD ٌ2=_OH)I Nk pu+Aq:6a l'CynwMuyAl*C\0dV>|X/.N61Y:Ǭ̶2:Hf+M&~3A[:0BsL{U3_ZEU :|l] s0xrh*q D'?K"m7\S*>ӝfݓhuUYWU>r~v KW V7}AB.q۵h#.BI$vN'zM}JBJVɂb-*}XkJd+oNhw$,Cj6~}f3Eڌ]~$|Hmnv@lʈnasKEAlu2{OzS&QdSM,x 7Mͧ@Fp1իO:.k^svGѮ4Rf,~x$<>ġN&FIz4>{ib&꾼$]yʞ$XKˡx=x1KֶFG}l{ԫߨ3,K6f,YTXFZ&m֘>>cfU3JI K@?jͲRTsNr?k5Hm`ڃczכkk2Vʢy\D?OϺXZgqmt+RO,j0"8UwU}a8Au_YyW6 &kxOS5?Ba٭}ʯagsY:)#_ ƆxG,Ʈb@| .?n%/g^s[;y{Df?P`ν%ʃЁ;TشZW8#Ҙ>ؾ&DqLVR-e-iVB;sC9#Ѥ$-^ہy@3ls)EI~!YL >N-UJd@) [[|g!&2v3R^PȹP|V&+?ߢIs]߮(`4 ˜<׭4!ܙ[VG32@ jt%[)al(&{vQe&yԛNXϙ 9+hi ndW֤:6{P:Pm]{WpcƄ=1Yn#{9 + aX0V˥ys|YMD϶#Tykzâ*q]% AдRyvD*EtuZ"F\@}Ek}FZyp&=@}4BY` p>C,͙:!O`ŵ+rGiӞGmeкy _ P oWWV:%ʃ3A}Xo%->mWm)#P%Ͷguk=́;3 ǒ %i $T9y!{}2WέNbuʼĪyׄ=n.'$>HHU3bN$p=񡙏XRanJ PJl]q|*9V@$OpgȨiDDp^Ao'BLi@pmN!BatK B欩ܺR~@*'-'ö`Ǭ_!{ N˗69Pϡ=v7+ۑ {T ~l{t?\}]qB5n $QW݀_SUG.)sE1_HE#%^yL^ S?;)JD)>4-($0]ʈMwGX?f5TX }||5FNrͽ|a'V$)z2EקE~%Z{9;U@ԇ:.(o5VWR48|`Z Mn0P7kۼ`ɲ)uF*ec[q* i8L݊a>Խ"≞wtL]<0^Oʠc77ք:h5m6GyV4ɳIBF̫[CSS>k)LۛjrǚgM쫘F6xy͒|/M9"_ ӢN3=sAd1y_fwJ( We/Q5Avිc&mH14F-QKN#*ˣEdлWiYҟbETܩ1{T|DPIvv64-.A_wд=#ވ )S=kjKZ={ p7a/զ&QVpn`~=0U넴cm2*n:Kvɸ%!Z"E@}3?]f)%'YVC0IF"ė<~{W+{Tc+XEXZ›X=/_ 51ђBw;dpA6ϸ';<ҝ¤.=`W.F7ߕLShq x̂:@0BN>K@ڡ>"?CrҶ[6dtu^96GI>$|q#ԞJVs & a[j>KsTWsoT4ڪ^w +VX̡OWe #/fG }J/kOƱ Ujb9r(eonwEB4LҹW(>*`Fgf0CyM4,] =G ,W.eGhQ<ĩl |!SVx=4"$$;\,CN<i>[@2/=Iu|q1Au3h0;SV}t,@=+q쬈CURG+Br>L}ֲfoQd'.⦶6s:-[}!,lЍbf6N4RT5O |z/JhD5,wt^(W ef*hK`#ؙ(BeKvrYK i~nv?Zwέ6SG(04$|=S@3l @.h+1!퓰Z!P)ߒ"(fWpԐ޸иK=oRAf&L()e)v`G=iAۭL5*%"2$dUurd*AŤ䳳Fk2Wc@ߕp~D.Nq-.Op^O^n'][.hP@sƎ^)6kZl}PLf$q!d$)5N jgF^[4x8Z ]]{S,Fz^$SЎ?;#xg1/%J0Um&RZkL+61Bdۢۈ4nl?5'Y n4҃?q-~R *t~q1%],3Ej(nF (R$ vR ³F97S*s2*)'789?~F,,xO=%OjVSRr w)n1Eyk' a;90OPOׅƉh<}2Ky+'xE\yƟu}3pul:`<,Ͽ!\Z/mHA1^iT )y} J?'2peO4>`"{̀#E_/+$2TЫ_1Y:29p":t7g( SJu :Z ^BDT5Ø䨲#_ZwyCKiwiGɰdKD/;O9 ;9s݁FkE"cC@:pcN5UV` KMi1=qb)j\`mKu慿(~)fNāj*ES1&v6qܫ{Fj*Y 3[WVaЩĬ<>禍>D'oI-}LVI bI= @>̒Z:48ftbUݸZQq?VQzd7LF H3 T$35"qB ȞStDu-^Pѡ.[)FIǔtzDn d(Q/Gu;ӫuLl Z9*zl #C$3ЛS&]#v[Jj >kxђuKuҮpDtD\QOES @y`Kt_١ΘNLP=_<(n 2_wƁWYvթB;"dT o;j=B/L\oKh/Ԅ{0N&ȯfUBZF3{S,M\[ɡlv'@u/L:6ߐOq2sNl! uJw֤1⊶S W oxqtÜeڥP_6B~t'Y?}gü1SB+:yP%eQ?_: T\gUnĝrUN˖ J/iX-MJ9+R^o Lc$ 햜6I?W=Nj,RňJK{S;/hO!E 쩚;TzH`-:s J<<evNəVJ˸sI}&09ĩ S<:vU❭F0A}}R gIiF NRcvax!X2ʼn[3ow2y`VlV 4OT v7VNFvRD9`hz:dI89yErr`2-7F-Ù,_0`Lr2@XN/߷L$_ܚy*VF ~T1jy/Ԁ+QcAM .(IEr{JA<{NS8bDi 96$K/ ,|ҟ50xVQwh7ZaS`6-ÕrBo#HdQ 4W޲aa496oą `qV`7>SGi?U㎈w^L~);͡.Jl rNMx^=DRM؏$czJ)n#rX#ń4LCeb^gYvy`DUx$Cv( kB6xfli[gw76O? 5U_,0||ߎS`2B^NR8%@Z>}ZApL}ZerPDt8}J"DXp*Wsn6 *;O)HA'L&8MEW=T(}oYdQX[Vc dO6=sd>["qUGYE}5ݢeOlGt` |,yyF|CZ^bsŸQT q^X.#fZ#u(~BKt gZ'tk#`y#P}AA(̲+~FD?$Q@Z)ڃ!K,@?m9X݁eU+2c;‹qi1Wj cn@K8ȸD|+s6ExWYFsdN?-گMm$w*;$rY&&_}l)q_{8=83MaJ$4SC*4-rFPp]|o[-ƛ_Sm݀nRj=lv׾(~bYP^$1ohk$QVov[19Xh_SDzh}'- ым-*mmCKM>kKS"Kjvv|1a //5Th ͍JbR'cjAդypTOuyadS=|p >\,>dȤ\sG=n,_^vH_ܛ' \{'.HoĪ '=-; gWŖ'e8'v's4|91ea4;yϢӾRfիGR$JZFgct6xf"Fǭ'|) =hE࢈%KA_wǐsb.:F2n ;̗ܗ}/[vg/܎R^}~;׹k+ևdeQ-]*w!hlU_޺WfN!Re_ەgln@7kp~mAP/ԂV5U TVB6;WHRWjsK=0p}``+Lcj((%k<2hѯat:Nt֌Iac5Ʊ72 I-ҭ/^ks6鏭+w馮ut]~AWA)j*7@"0'wc<ښAd94Mc^㱒Uz•4XU] GH©/1G =挵fʺhi'I=zf6L){0#f-~2-ke;[wIo luO}jQ+[Yd|dV_cMW. ZHLbZ]TF%_)PsgSbm&q A$qQ6iGyDQxrI܅&']b,_S>Vqln: IM|Z*(+M3 d ;M g1<U g WT@*\ʾtΛ7-Iw&&4lێ,k9c P` }5ÓTbo.3/!`nOAP䭈UpЕ?O"c/Ok.\R&frL[m_d "vm"b:NU HNjN'rk\eRe1ӗ7'sd5i89F#1M(d%؝eAù5kF?OIhzPLt#Zn[Dq L'{X!P"gʸd#͞1= Lw;}a_?9Ȋӱ?HA٬ʡtW(R{#=L`Xb}N!{LS-4j$`CKp Ӡ"% u/GQGI{&bimbY *KC0{]JfZŸw9wA+`;j}B\DM)ˮ"~2D\|֌_|XMp܃% u: `e7WC"M goQ oJ甒]ٲp.Q睥\$)3UE:lvq7ٮh"He;E_Jx'"Tb0/xmfr{zr[ h9*QMi O&+G`Lغ$*)ТfZ'Swyۼiʦ"q׎[5gJ`,#"'^!S5.D ߈f'UXڰvuŠs #e2uڤ]G#z-YZvpF?S¹n3$AW@nwlL%;`J456ta+N3-]R->F+6HQ;AFq\[B1"" {Ap݌4@)[QP[D̩arSPeqORsjz/p+m o=4QQT$F 97 b#Q _r%[u-Zʴ\F!$ĞfebO=l%ڨsc@fK+YGy z](8ȘQXVԞu-eYP(1X]^Cwi[ikyL;! Li;ܲ+EžFjyYB*^B;'@Adr }7cwBB4L&,O7yUm|H' ;QӃH.IPM@Q(BRsԱ 1]ǵ^ /;+ $A@ F'B$ @*e^3}4$SRbKڟdpHQ >`4f` ,Qh9~=G:/FϽ", #G^l"J}YRxvYTB JpFD^/ۑG% _۵_ImبX]+T4 ըY40#VCat#Rz`R4Ї\c- BL VoMn~/,v 3 cZGc]h;tasC%I<^ovX Eϳʳ~yoF0ՙ#-GNIsڛs\#ғ˭jK 7=ǡ%>B!WػGx[T.yN%8TL,˥Ԅ9ۙяjBKm?BؖRӉ~WrjXB38z *L8VӍIÏ :" }`Jʀp4 F|"{⭵|[5d Y^K#t6PCC%0|>lFO7pm69'q 7,iv~k h:rl{y !'c&:ߖ;o?\+AFuTC{w+_-}i69px/n|rnKg O d@ÑvB,3,Pa(FT $B=rsIL8MW% '@_*QjLK I)nogrwۑγQy'S qRLjP8_1zW#|@.yqO|TJ3 [oS u1 8;Y_YַyWICߐI9&psYϽ+)DzQm\y]K 6LKQBIb1VX$XB'TdS=lw:{*$!0]?٩| d&G!bf7 fTQC}(jE͎!Pc*~<OemY2\pCLaJNLh8Զb&hs/-LZ@A'lžщ0yxCs%zJiix_X=.aAxHh 4pVvtg$]bLhOE3MNB%xDfm ? ۹CB 0e K%VF&pİe$B QH[Jyol QOjwSԣSx,/z >.O-7ױ¦Iη#+@E1M"'+Wh^xY-@,#yr+}SodZCGoQ{2؛Aټ JGVM#jX&~2"쾜nSf8L9z N[֨2T5z*dt>oqDEչ>,: V=Pr75rC6[mÝ!BL|Fc`pIAݲ*p7i]hc*HMc@:[SЯG:|=%p2' 6V+)kYr"A91u-Ѹݐ 9⟲ YLzBzz63; XC'ƥ7o#| ,F)xwPo}_t8Sw{GN5Ij953`gcӎz{eyms,]6~io|XL[RdۿꊬAMAsi#;`eX  şeD9&GOv"MMS/4ǝIE2 <=1u6Y棽4-(mwvQB#?F]d@JE`^x UJXt3)Dv)ΎL˹t^ $w}xzy4Oȶ]z(r5bCI,|ܟ ĦM_- ڥԒ\{EN<.wfK1o<,D 掺=^bεZ t0K#"@|Yv6' oߏA٧ N{ oʓXxuԢ&pz,6&ˁ3`%)E6+Ik>,72l{U(HM~hyPngD[IYVnTufQEOZ&8(*TADy:J%8$\iǘ-ݭ%jt:)wFѠ:*: [ω^ rϒ@b4(h}/4;oȂ Ł|KګlyDT&4a2!gF[#4Fj5'vO(jTfOW@N (Zkw{Wv5IsT{ܚk̓f0<4x7ȯ<#(3O5" P 'aAGu M_?ML( V'9." Lп<vW8E U Ŭ/ Ľ<$OWRV ȯ(n!xl,9Lش-!+{޳+UTj9=w iR~a]xt ǐܗ]|G5BAԺ~g+ e򓽼[ZXen[kbK=v!ט!B Q#u1co t:35c0wucoaiGX^!p"(8\LUC!A6C&>j+b$\XraRLoduJojU5℅óhV0ߦ $ [9N=OQ1ny9ƈU3#F8p\ĥ~lG ·mNgKݨ@듩.fKs=Zε^6!a U!{s ]Ems4k KZBB(7Yiŭ w;^[n a#߰改zݭ݀r(O)z싌Ż!]5XHXݐ5#-cCpt?բ $ Uz~$Ԙ@My3٪^dnDIyD?5M'MEuR3M^,nQK(}q\T%̜ۥaXThQDu*in8@[~emS9a/[2n%䬪)`ƅUk 㪩WHPzt]v/"JK}6!T%o3Rf~֋YB (`/V4eٔ - M6]@ӳ< B(|,Bь+tm3OO@c8_]6!I#ofڹkJ"!T|֦ *ˌ`I1BghT._ k2jQ8K=5t8|B^f RfmcNsG[CbU}|aE d^w~/wK>{TBKT`k6ƺp~?M_0ﻢ3)\HBh Q\riZ_ $ ]%/M-2%+GɁe;decS:Wt*Ȋ *p UM8D.O')>@y=s3Qِ+MȁD‡,-9#`JbAV;ݟt\$†RAaUALTޟ;V3EtBYơWk.炁0A)/K7q]naF2FV]gK)o}5w}6U6Z%,)P 7{x!oT/o -1ɬ[+SR`r9:d4aTƬ%-7ZYtyf2`Y}99 gc=bB )˕^UH</i]}&/BEs;"|Q wi#UjR/;h"[CXO9UŻI4R15yˡZ#9+ IF`noD^XMU$3]9 MܒGiKLr%nu%`xi'$L*ZL9,r&unh yA=EjTއIwNDOj`]4lቭoȫYH;ƅYoc@ib6di]ju_K->љNz( .?G&%{@JK2>e"cM/H$7%ͼzmTd핟a3 -aB<w7\(&χndTsAyMܔw+ }r+czI0ΊF5%aH<Α(&IAC-Y!&LòBM &ݸ%آĒ$@{e{j[DNX+iX>; kW2s~yBAi7$X!nUYŀ1 O6è=%z!qsbk|:By ߟqL^YGoHT9/gSƇƯO{4~%A`@/ k4K yy`/Vc(-i[+dCenr$qȢkvcBB(ƒki!o_PI$eD]o(u>BG^Eϼ@9؋Thcgmd4\v҇t :U qS+Jol5+c/J)]}/x? Mr=[Y:+goc- 16I"I~؂YWe*C@ƿzQt={xrKsC [K`_R^ٺ!HD &\ķ%6 OSY3qM.=>dk֨$ G-Pp1кSbVfGgU-p3k,:#V9Y=i7}/ڋT]ջD^վnle]Dr%%@LrI% ?f҆d 09ZPAZy]/VF+j1< no2kYcG= Z;o 3.iU1Tۅj 0_D׺Qvvyo+R p*A&DV8s\'ȯ6 %*JNdfLS.#“Ξ.+k +d4.X){v)ܰ'?A+7Բbbxw+XzL(P]_ljwQ&fo,_m5`/:‰\+À7?f9P}/XoU+qB/W#{[cco lӻ&֗zm`;z&h)P/(8\T>=rrY6c B)X(; {AM$9m/!Yg!tMa0z3O}c >]P<9zI/+*evKmL>A!X7"%t*}v!2~Uf@$4phAH$T^7ϗ~*p "J-&SgANlA^&J-{I`D8!6o)z*lLt0$ 7M/iGtA0DO2C)O}3ǛW r98zشGjzbnB7 ( nRA"`zچdD l^ҒrDvuCT&=ͬ ih΍vs=ŜZǃ9{!,0c]TvIT 1hX2VKuSH,@ryg!F˷Zd\uNAmn me6@rB!LIUF\4xO//vwa#~?1Yb|Fn7872Lgggt}Wl(0f;⋨5æ1D p^IN%i[h]LH!Hq_Kl~"g㯛s5sB̑7ڀQp?qF̷BS ^їT}pX@>ߙ=s ɠM-jEXĔXkR<Wx4[Vi><lނr ^^.הTBqf7Wu9jcea6o/q'QgJsޠZ kݶC1褚{&$,ǢǯQɹVC/X |+Jxh 8n)Ps9( eɍ{| P5 ԙ8ثB;V%sځ+KM mIOr DiO񛂉$teFOOOrcLq nMpfa $a X%)( M3x?{d|݃S~isW\Ŝ#Pa.f+R<`gj3ً̀W/HinPZ'D{AF CiO{7iᓾM x-͐f|Sx㑧2piSF@g3I F-p'NTo"euxAmx L>$FU1h=>B;VaI &5789(Rocߎ˚/eej˝!>E"/?^)MEQΓccnQ!H#*˄"!z/fwT/c@scDLȡ hC*"g҉iSvx| u GQ kNIxE7Ĥ!ssqUK Ł,CWH<"Hd"C< z¦Nt e zfJJ,EW>t:n-]3d_$Arӳӝg*\Ăg~t&t'}`EXG@_aE|Bp-+as4њL(@O3,߂9@v$Xrk Sʯ*fF,d]T[}#fX!F@-18IO?/#Ji,jIp^-smz2IYӫK&qZrQ$H"uiwN-1llz0G Ձ4'RQST#d1mBJȏeȶ*cq|lI:{Ko6>žH@وe6[xLLG,?7X LTJySjM)'|{Z"a4>`Ӱpl"!"Kbq&%y28Q$XVL=VKez I\@kN$JIl9NA~(x_,>=*iي{85%f5[A,C?x:miw^D ڂP:faΟIϏ_VZ[l'^^9Yk4ɼ$Ka Vhh(h~rr2(P#D t6;/Meѭ0KJZheX;$K^aG 1H\9KAVGPTRڱ1s U jʹ,&[gLjNՓC+:j]풞[@׿/A`WӺZdִoh~>WHѓ{9r598}jy_j}6b9r\@^P$РJNMP4XDVJ2 ;) FAZk2L,?IDw) Zu r0Y|-([;E4p%H}~n<{czʬ*אS`dPBPh[ÓaW^}A>Jzh8D t_Z~qN8,"-,0Ng*ewX;F(gI!>ք@gGڻEӪԵT{Y]ݟB&y^+ev"2Y٤3鶁kEdpzOk: cci9;& eT @!Q/4xU⽷O 4Qf82PTV}g;ιF|-g>q:t߫j,K$1{-o^{v ixAn-ϗSqNL`>BUԀ ^#F&d6K$߫* <兔\[ܦ75~i -ȧAkEk̈5,pM~*71್9P}6&KèH-\ha-oёrVBA1gtMhTUK2K\344'D}Y2; S"퀰!*!阑Jody''U!*_yq{O}{w{*hK"ӃlpaSZ݆8! |ŢPBe)c =|-ivAcZ:sWd>`%%(/2,gܝJ z+B/eƂilxk9ܞc Lg6<9WfC.z+#%nS, DpNa6M[g}Rʎ|O-$nkO2e$8"r,[1v cb7 NH׳0obvИܞ}\M[G(@=*Y-G~Ep /!wl?Z&2`y44%%t5ދNփWMJA}oCP,ǫúKA=D^lkttw4dU^_Jxlpx㰺ٶѐCIhqQ6JzjN!l ^ac팏6}4-h(Tz-FDz0߳mqc`}q-UK(]Uŷhb1!3I֊z3~ EXhܐ_˫B&Kxa?QߛUAHk$yV:؏#u+\h#:Ckqeza?ߺ*tb-P]y:0]#-Vָn}`zb{2\<`M( p\H9fq9hg5nf.[ X@[]Ѡ3 2MlD0&b |xI^aĆ=[# =Q6|T9p;P\N-Kϳ sXlWz%wc֪W}' R7h{<_o{{“fW 'tP;KE\$:7PnsMcPQLf >^>eXIj\Fá Ń6gHiJY~⚢4XD"- ߽EǫrtBEV~_D=W c1Ƥł3٤&LAW6_F#6sut>"`1AAD_$-߂Odmz>@a}ggd1;TZey]23&$nߎutAU˲6d][t x@pMYVȣCɲ~P`3/vKUG񱜫'`a~|"(ȁ.ÊYxK oThl ҥ蟧Ao_+Vm..O݆ :<4ܬpmaz'|M>z"ԟUTK %ى shO oYfbg8VǦ|ћr%+ق7UC# 4% r&~)AE`W cr.dţ@c`6KUOoF-hݎ ;,[KLUᅍ 8KR_:Ӥ0{œDgEnceI3V'c$@BƽOOe䘔RO@J{BQ݃Rbd@<ֈ`)E\K0fD{8K~ R,T @v0;65)"fjYV 0R7gMv5F4PΌs26Q%D+3m*ih;<ӸGB>v%Adٚdąxwd|LC*/T1 N+qA2 ^*;0>2 q /u3t@Ca DFRf=M~'2Ys!UcoQWYbMzŦͤ}x$߬"b n1dŐ3 70Ù^L Q{d֙HGh{@d#.'Ywjʇj9I$w($/iÍiCׄ %V jE*o7$Vxy=P,|Fi "%QR}:!بuݑQ#-cb2odMHѯU+`Kse^Ό] ;)r<Щ/P^? ^[j;InIJ,l~e.6Q^Ȃbɔ|%!_J(=\am[a#6ے=W-jyB^nE cy1t$jȮl198Y .ޗ[מ`VX;Ը&) K?)2@JC$x5s]gLmH],VTRE0jdGCê+dvHc}zmU %T1*y^ƻ&|Br˭>mpt?z))-ꭞ6+" xj@'0ɎS%'qIfwof,䅂S!4 קG u`-Cj ߠbr%{e7PB@B',K/P nP<Nn[D/htpϽh@1% <Mka})\#e<+)8a~շ[Q(5RDÙc3W]GC j!gzm]XEPI7APЌyjUAcۺzuQOѾVL/ ΖZPXhFe!څh0uΤ wrOj\'dDlm|LPa%[)`s{ =@7څn& r)G[qZx3pH#I{B+xm6eJcPgcZxK?WazL4F:板5T{|0![,?ΪU!L,t-}! 174|w5/&yӋj.[|G#Z]YI@ Tʛ >]//@ x%t:LN ŜL1sJ0`%vad8W$x( M)ջ9MZ ц7~d =U)sW!C ߓ uJ=`ͭwi/2 mv߻E7@ 4fT/>E{KdMtOJX6aRIsZy-t'Y[IaZב6ZZlgi>~񍀵]>MO,/PC @X[MO{fddVQ7x.mnW#CtP:|P u 'OpI7*t'郗PsA< `(LvkvS/丏&ס8ɜ+tlGbВHS"[O6ڲUBڭ*=>!dC5=~^ *B* d?Hs#IhQ30N_@ Ѥo'߂ioE/z6rIe( 4?xz'uji]?h^0 L*8rK`Zg~A;k\\Zw_(fهLʷʲ[cCtJ*`T9O7y 7 dS }Dqw֎=ygɪEp8߻VE>D|R~$wxMs٨ןJPwVv$*v,e uDR`a,"ꦹzc>8kOΉ,4 sEoLSl{@L hND5Q)ӭ7./5|I3AAYSH cU~LaR?k ؅?̷rlF!?Orv|6nTɦQ8|S|*zq%K9nOؿlR<[=N_>3%Hf1mPdm~y.pJʄzmqZ3K5RaJ߀߿.ZTueyr188[ 9tJ7&vQ@lnGpg>{m 0d/)yi%12Wo6|,-]<`Q 4P\4OyhD3,9\uVE]мQ97xw'aJjL\=oD]a{ XMq,C~P70qK :k&2@LgNTG WY%< %<7N$̅kUk}!]j s hvkaVI3A|ATUNoc\'0Z".MAιVo'[iInڥcX w)쇗B&=|jp'zyR,\xSf<7ŧU,ah=}]jyzG縁&ͯkws^=ǰfa rgJmK6`UN/L, 9L5P;aqFIK9j` y4 ,ERDaϹia *\6rygºK`tv0ߣ(³%]lqVtq9ل\DBL!#i *َ%S53#W= N-MF% bͮg}}ӣ%\`f̓fƀm&EJ{ W:;䀳Ft*Rwhy" T=Leފ#̴d#t+yv/@w~=#s5^JVas*wh)|wRMrЂfū<Һ)NvU#6VxA D5H]7?rp^P?u뜇oyDd4<R Ʌ)lNƗ+`HzX*%=_;9n &fdw*wW fT77c_ ߓquAWЄ˗wD*X{I0bQ u[^SA{zmDG2ga4 aAT4$; uU#{IgsIƾOpDbcN&{Tuf^pog~Z? LXV-`u׀Ű_$,8VFMB[vpepַamǯ[K40 ]Uɕf#h~{||M1x+95+By{y!z/_Xv<ߩR@eBM[ȓcܦ{ĹNk* 0_7|@2O]Lh!8;i%zy4eIa5u%\U+Yv.E;MS,a !A}#L\R# ]O 'RmpXRP?`3'u£PL3J-]}>[ ?zLj]Ӵ$ B,.#oYx~z3> _.ޯ,Bd&}0[ 137HyU"7qӃkr߳z d^UC搴Bő:U<\3ɃdLTy=KC4sAikxD|㋩dKof)Z*ʅ]+s?nNk]Y_2XYQ5lOQ}$\C"Uv]tnЈ5B̖CnvͿI U̓܇|TB@$B펒b&3ʓ}[7LGxtчjC!AYKVjkbjWH /ݶ YZ