sssd-ipa-1.16.0-19.el7$>MTn}Ge>=ׄ?td   6  ;AH   0 w PPP PHLQ(`8h94:r=GHI4X@YL\l]ш^byd>eCfFlHt`u|vӘwxyWpCsssd-ipa1.16.019.el7The IPA back end of the SSSDProvides the IPA back end that the SSSD can utilize to fetch identity data from and authenticate against an IPA server.Zϸ"x86-01.bsys.centos.org ECentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssdKV#[A큤AZϸZϸZϸ Y ZϸZϸZϸ56fc0f2b489a27d371a52cdbc5fd2f861f371cb4e84fc0741273d2388b9753339d56d864cb565ce053ec5dadb8ac83f9da0e43e7e5e10014b790edd9234ff8f28ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b90377418be27d6fc9967c351ca88e50a6c7a4b32841ea496631b72ec920ac75e947bbe5798233fed8f6307639fdd95dc55ae8847a0d8f1ffd40a7c6cbdf569e33f9rootrootrootrootrootrootsssdrootsssdrootrootrootrootsssdsssd-1.16.0-19.el7.src.rpmlibsss_ipa.so()(64bit)sssd-ipasssd-ipa(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/shbind-utilslibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libipa_hbac(x86-64)libipa_hbac.so.0()(64bit)libipa_hbac.so.0(IPA_HBAC_0.0.1)(64bit)libipa_hbac.so.0(IPA_HBAC_0.1.0)(64bit)libk5crypto.so.3()(64bit)libkeyutils.so.1()(64bit)libkrb5.so.3()(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsemanage.so.1()(64bit)libsemanage.so.1(LIBSEMANAGE_1.0)(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_krb5_common.so()(64bit)libsss_ldap_common.so()(64bit)libsss_semanage.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)shadow-utilssssd-commonsssd-common-pacsssd-krb5-commonrpmlib(PayloadIsXz)1.16.0-19.el73.0.4-14.6.0-14.0-11.16.0-19.el71.16.0-19.el71.16.0-19.el75.2-1sssd1.10.0-8.beta24.11.3Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/shuk1.16.0-19.el71.16.0-19.el7libsss_ipa.soselinux_childsssd-ipa-1.16.0COPYINGsssd-ipa.5.gzsssd-ipa.5.gzkeytabs/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ipa-1.16.0//usr/share/man/man5//usr/share/man/uk/man5//var/lib/sss/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=46c36bcae96dcc510c6b5a2b84ee07ad17519e94, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=c0c94f12e20fa91b1cfa4d0ea65600d006ef1922, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)DDPR!RRRR#R R RRRRRRRFRRCR-RR@R/R*RR R'RRR.R RRR1RDR8RER6R9R7R5R4R%R&R)R(R$R,R=RRRRR RRR;R?RBR:RAR2RRRJR+RRCRRRRRR3R:RARBR*RR2R1RRRJ?07zXZ !#,]"k%w+p}|,p35`7I iJD'/q:gk:lj͉O}H84Y!6P1QlC$&ޞ엣d6r LVssP2`G!Y}F eU`>!q9L{Ua7_4'RtDax>sbyNeQs?ea݃0赫0ͽ]ZItAo_ShzQpfb dOaozz^<}lA%@Kl<:^`oh5]+n8#~cjQ"^Zi=H}DxL/)=jTKIXW-@ Ag#laǍfDőV8Xjm}XJ\UaI$uh[ }Zqq8hV7nG(Q?zwUj_IX,WM _qzL|4oc:>D#$4,6E\a٨VcN0zz'+ղ˯g4KR#$ow$~KGՈy+5*ԬIeihitLӈ I^V:jp$7T;~(aoQfnQ/Ɩ""wgſ ?cq臏]5 k]Kp\қC[ ژɬE?>!/l~Q1h7CLu BhGk v9Xgf|4F04h,jq+S:/B>;h u_g[ã`-/;IEeeƾ $t6$ʤ`Hnd'![HNEQx j2ˢfEtL"Ѡ^okf]ex?׾i'ԁӍW `:60:Ӛ '|efj#it/Db-jm_B(.cM OW/_ĬM- XJ%2|f϶ihtd%Y[ L{+%QFKY#Ke#ρFݞ-&EOx&_;{YRHS"Vso8VOC:񽃃Ųx_ȐFf9)oW&gƖE1nQ//@` ߝFi~Uh%RS跮mM֤=JR[nSa ̡ݿ[e?-[3_I( S' T͆Afs6"V+Cgf r9Ңܭ=1 ' bm똗Z>86-326vi<h[~yG LHյkR/ N2 S1"&G'΢d';C{<԰1WO2_WEJlY1'{ NP350 /fpǾRM  Iޜ$wXٝZNU@6X/ ^5LUZ/fAxu dȶAj "e?S>U@W3$`r-5u< fV zv޿'!y 6^ S@}I⁇xr>27x6I†f~%^Ӊ)ǭ>l/Wl^EˑM-I6P Jcq,/ГMqlhF*9z(3H:m ҬE{Q©%+T,z65)l xs&H%1cN=xU]~T|fiYYcD[';}\';6-{ÙWa gUٓl]$rpQK2̄-c p2$,;ˋG94V \ŵ "[ K95X/7NLη"dA-N<Z2N<_P(ԁ6j)cB by$%N<sLtrEMxK}&^٢ؙqGqifY\: ֊L ;VTZi׷< VR=F.sֻDpygr;A68`Epop#q!h &IݑySbDS͏KaEz:iQj&nVjs(!=u2?Ńd2@[B$ ys~Ɇ/*^M6{&To#-<76&8ä;F?@L2Ff4PP L4U!!((q-~償kS!;KȠ{Y F|s[ۺ>~\ ,H Ȁt( 8u]¿7RYyF"$XNQXtLb(w9%XEW05SnRVc<:/O!~0g7E_bj_ ]>ylr6Ƒ |Oީyo๵@ϫ4"俖bG'dB=/Ske퉠.X\,0`m's2ۜ 7Q:|垠EG&bcEl Jn{v)uښF͌; !CaL3IBPal2v`ZM3a| aBrXS{&Hy r`XLPJUcz~4 9Un 0*,`C'(5WB %^:"#8@^Wjp}Ֆ<:ẔE˽x+e~d\__dȁ.[4 c7LewsK;2ZgmU>}$:z^V{D/jTRLfOS۳J7 ӡnmdX:&,[_Aig*`1F6!Y`9B< t 79gnhڂkp5Xe xSˢ{i<<'@[X8>4"7$gw FhE1 9Uu1.8/7?+S Q&6`C[&g tYfs&`~Yq0Aarb;E"| qAԴ:j]7Y00# )F$6 T. Pc7(RbOR2k1C֨kvFbPlB 7س0 n\^ʝ1"__0)NFR>bL^^e!L=+LIA4VZ앃KX}nV]{V5xV^.@?-[fyб =eaמmYko.>2#a`C)\ l2FU wgkpz0c6V!o@HPYחpR*(y}9_Nk#˷@Ҡ`P)'jQ8/{8L&]1WچDaQafAbz$`uk;|-z&=R3dD ,dUn3Erct.,KT S/;O _Ӓ]IN:2餓z|a`W95Sd%׫qo<7|)W%BλKp`T}߃8 0^ LrW"O:Zgv˕'mջGsO ΑyҨO!,nB~.(E;[ R/(65u`9Š' .r W(t-chC'YT) \C͕i6_7?>ٿ񷿏q(N:7_JM0͕&fc0gkl_#z6JoyCkqmOIV"fyrLa@Wv `E{ӵciY~%U1J/3i")"^ R%[$m:ӯ'J~cCL lv\Qa/RT,f%Γ*,рJ|\MYO0 IF_Qi8!*tiu#zSTWCck#zzӮ5`Lm^jœ\4o.td&\r|&]DQC8}ĥI^X^(ݽI<1K`kdMʐ7 뎺 LIR,nPdK-S48">'h!bݮA1RCH[Y@Q14o-sz<˝j lK]AH?m=ŚeȄsVDsHuê?⊌]T]7 NˈA'*Yړ@\C:v(H?UӘd!4vɎ[ƮucvQkx|1ߌ/ƶ@ , ϕ73{w{P BJ偗'lQQq+=X8K@}m9 `մw-vI[gnh/~!XriϽ0L8H%3 ~6, ߯Dv#PtJ~N}hARU0g@ʷfsV˵ڇ ;j-"C`x03?TD8me3S}]8:a` ~a-x{HhCv#7ԥɗAqT%CķU4`ߓ+z=CCF,OJEG8kL>%JmЏfZSrRl3#Vu-RU.[ S_NMzӤوB^|Bc[\%VJߘg)Q '|\UTޤIF0 jzkMẁqV!?!lk.DVjj`~^XQb#]`B[a4vTMX'EDЕ'3ݸYb.XJu 1͹EsQ5$5FW}9zi Wfj X7[6UX$ ;:z"Vt"C0=F9Jgx_o7Dp HHmb%b="Ex1 yywWpXwzA1w-$٢Ǔh9m9ADㄆ $Wu.2#0m#^#'BbU= LdO<8E%w_ΖP6˗]u8m?8kX] $]7:`oqc/. &ad><+½˯7\VrWD '>;񈡯>(Lm iΓE{l ?jA0s۫>q 6򥀹3 R݇֟9Bo;p9+\W434mWp߷f@Eȭ~jV|oevĆx"ҔBʽSȤY5qKBdpfg\wsG@؇E /c=ui=jBNH!^PP0,!:FAWwkHxԟ5$A- ) j-'IP]fv/F-Y 2ftw >52j7sz\lԓ :8s[UlL깺V\R0<:(+۔A1O& uZP`Q\MRUlnؠ9C9kW-o3`3:U,2dR>Zq3qt}ڳ/giOlӦ5c9$DMQjNZ#NϨK J~3'ؤ3  Fko_/V)U@,cz*ѧ~,|a4's>7Tv`င,?,2AKA>X)XiFXF2#y*R41|xl0^9T &IXҥڰWk6\SO2F^5,M-̈1.u7:rŞ Ȑ͖>髠9~fGR2TE_OLE^ ջJFZRoџ)m zEd-/.8L[~vZ"֠x5ݰrc*[FCI|Y $eIevw?GodW3':b1M&i$nȦ,^KS7q &{2 K:c=w |eϝ3:rٜcESt8(\3/ʖsQ)p~Q3 $a'*pyޚ|X< R! 1ĽUmpv"yclϞB%s%w;+X9tյDj8)M.M20[=j.cܾpHsLc")uGpbIFVY{{※d=YMNSZFM(B"g6/VЩy y1Oz!HCaݧ4Tan+Efk/(3=c7S (ă-^^8N{g[<`zb9C`D,M!z}/ջow.-Oʠ}Q z'ǚ+vx\Mt[[/Ԅ Q6=ݲf$ս^9LdJ\t{%xAH\a鿘JPYo"C*Gn;&|:(^ܕJzT5h^ʳFӂ ]Rlo둅YdEZw__xV%Jar$A7S__JpF$:QYF{^Ұ*`E,_*(3, %r9g& C"~ p2Pǻ%vFx@Xҏ |ٷ1j'Q(X+CC !ǒPFO1FL=ppW+g(`Yw4Jm8C=ID&} Hlew: F/T=2X]q@JovuBiZ~dptK̀F'e^Gq*Xk5b}?I5:%dIOjSUd) 'J,}fAY7 "eQ򞆛y|9q"Fǚ])vE&Z_*eA(ۇ2@|>94q&[R\{Nxl&HSr#wD0>J<7[WTKA_Pst&^7r>>.9h}qD ݔpcփ]?#䩙] `Y|鲶%:fmdbi@?ifDule#||(؇&:`ڴY{4Zf!OmJT!՞te]m?xKF#ˆ6qΘ"GvEšc?0}[NF` rX/_(DkT0x& RW UEkꮈڻTk F[@v kWx$CjJLԁE&_ ѵN)ؖש_5_~s鏚)[26Rŗԉղqe݀ܝarV[ kps-Gg)o5Mq[gY8Mð{-W5\"} H̵8:SD|z@$0w NUT]Č=fx Я|r2Ϭnw3e&VI;)/?P`Ga7 pNγ\ThmI-| fC}D}qZ>W/ZY@qkƲÕ6W}5h({V$7qnBtRvy1/Br7R5{W+OuKYuG 6ٻ8PPLJ@FAidrz_7p8!vEvAm᧩=zgh/1 ~GqWGL3ֶvf&,p'~kPFoƠ8vwV]YSe;6Qp`ƓiUIW;O1jmC +_}pi$.Aqe>ͽlo^Q? UcL];m  [d 帄AT?+dv}Wۚ(xf b 41odAA&͔xڏ-"G}7+9ɢfI:Q~`S z4}EzZӏB󌧏j# ̥5O +Wi4c˩/P38tL?h϶PՕD~}ǛF_9aػƑ~|Yn֞ u}C0xŽNrhakiUTwqhآj3\1Y RR9} lMӰ_,G 2L8.!]PỌ1*ǐ=L_BTNfۛ11ӲIt@/%K"2b-v A#2=|*]ԐjtBԿBK gF f+/ `%`J]``,rzɰ⋕)p(=?nȋ^%ݽ䏼*v,ءMTm(냕騱zDa`|._èx^,93z%QX A9??Oq%Y4k%Lnu,"Bzg*5+Ԍҳ!}&4"d^_uYi.rƨMKi !2I@F6 ~raSALzI͊~19zVr."E_QOF邿$sD 1_H0Z w@.H :ÁH1"b0rZI ?3ApJtÅ7tsRToC|kY^>/Ҟuq8-8U 4ovʝ(FFىB[@ͽo/, YXkGOK¼˺+\ɝBSz~k*/]$VS77L ;so΁fa<<ߕ%Dfౢe*-xT L@MJH,QuvQ~ Fc4@YIsZ^A#쥛B ߢH[B#jy&V2򗺞 rNxM'pltW{.!N82y+"?#0 3P7r=Vuz\ӱn9xa7" h8{ Dsp5D"O Rx!IcI2qǦ>!~<*_)xa5 cT.;Ds%n\W6fNC-n#DZ0`_> KP^@g*NRq@b9,Z~/Q4o=sFTù~7{|l@shM*=0y` ǟWG.MH}=+_Ү~hX+z,XMB7]g҄=-`T}~V4˜XVzbt> ?x(ǰ^-Zi⸚7|Nhjۡ]6',Y!s蚾`h*A~\d3>&o+Cdob6؆2v/am=U*%=ـ1&4$饒XB醝3=+e_oQq+ߎ&=bYc{+]͟G^a%Tf.bMa [P`wBP02sIīs c.7l_3~Pi*= r9|+Oūź,h(E^M0%9i ]x?sɚJ]Y&h\tb|=i)m`A<% #1a õ息HW ÉK8 Q[`qpަQ#`pFʃDۏ\rilv^m(U xʹ-P^j|S)w2iV Su wȉ7 -GOq^ʛFkSaټ>䟋OqM b_^DmEO/Q! a#hˬA{sw19ܴG'z(PnCāJ& ճh Ibe?~S{ Sff)S,vpkh܈Α}> @[VƦO`ݾ$u w :ڹo,Kӟ2؄&,ß)ݢc z8u~{ض˨,(B7,w(Ԅ+ҹ 0.WYZp_L4K廬j_}9}G{1$q]T &ћn)BHu Ku;~㪥h@*1,b4 USdPFLyNs ǁgJ_ne|Yh4OeG[5Dfbs3`/[.iHꐅ8E=- lWՄ0(5+GvSHeSLe4[ߙ+iF3sd'J&׭Jm6PjkL%[ozxk.0Znj{u< '2_@*XfyG[f-*Ϩ,6+Liө|*ȖL cz|t,=kD+:n(|`DGAMD_@4ŎJwe%o lB>(~ټk[1"OcZu-)-Y߃RGq%c ғUoX?uHu*&-%dWYGmTT혷Mk(6W}2Uh  U8eU]#h&f}0zVfr ~rK:gy,  >~Zq#EzQ^X6='5P0AUC!7%>e28 _ sbrd(aP`ǫuz.dAzcw ‘rYzr=8=I|E6l777:k;g½ѶPe P%ZDbX{3^/*⛻+c?GK'vHN!B\?qI0SZ#P5g(?9{<)`xU2 'p{NЧ݊tnU=L&(:KJXw~{Zvdlo-n]_idNz̔",vAiB?h"Qw{yB) 2#KwfQS ,!_N`ouV>WBcĘ#@u<7>M*jwkN@r9IMpYuKɽdοTZȬ>&Bٚ1ʣzF/s>e Z?xUP2ኔ $wz`«)R!n'nٗ*,`$Mz0.BOxT^Skpu\^dJE( HC3+ syT=F&x4o4hwly`X+"&ȉ̘HJ\4\$ dvaM!n.1vFp)`4 Tkk.0ކ/tZ')@TQ$+$|?|ҏ~aE6uQ@R&7pb߄"Q+;`d冷\E2y}ƭ4{nRf6zzTBfʵ Qf)8[_/=qjH:g>ACJRHFb=trQC]FYKcOˢ鹠s:N&PI;z[c$ qff:yU#7av+o 1OlH>qn脉'ϳ>Z."st۫b0sڙ1yjR~F_uq2uLCqDA;tW)O(IٵEpOm@أ[@HnHPYƍ@G*ԩB2yVQ\ u_ꋘ@ק ?D9TB up!drG_zXv0S5@PTieƙM(mp [a;yήy*f}2{ئrQZ!_ xź?l i|Yŭ4|)Շs;ҫBQc6 It(gfa+eroک)l uECڸ 6=Y,n#-"D:h;=Xy2uu?Tv龾~Q#+%<&S^h. L|P+Zqi0_Bpy쒸.6z:fiM~Ud]l70|_ B%s\51 E_a\h# VwT43`(GWX; oJ>qGQ&B9mpN En>qL]s] ט~V:6Ip0dA#/Q>^r.ڌK Si 8}D°+6SKa'7VeXY"1;? #?Av3%e}ԋX "'޴% "ir|?pzwzeo{&{/M\ZNfcP4&;_f^rN³L`*@G\P~ԉ#HPx=tܮ"upL0}>ƘN;d`LyaF*Q)A"<ǁ\G-z j)]HFr768E&zŅQ>?~i5C} k *@ҳwN𖪒=U ~z'=: ,8i=!9 SY|챂7iFM{29a9wj{[ҜIj筢xd|eG["5 ֺ!Ak@x'+C ӗn$e^9:6R|uA\H-7"2;?(ϿEG,'ӧ\H%c)uIڬW D94J(o1Ɂ֚ff t +2a.ᦝ+j r+Bo![38>AFe-r(Y}trEĄ0n $CH$4 zі!8-DBv- Y2&ک B+۫؁~0gH}/ 썫ҺPA|0*w>6~P%yxCh*W[IwVdT-?+\vo8W7r[F܈wx}jh${gl}9`e#cS\RSݑ}^N>WW^w}'#tq/`.sëzbuqi9H!!Ӈb}TPGCuht@d7Xe`@ SY1H-\14uB9Tr$̭;qawq󕁎xDĺ `F|r:dhYPqH]_~~*xd1`?.֔oh{y<{6ʑ~=Mt~r}[*;JْG$ĭ>Բ"? s+G ]oOw%6}5i"}ǞJ}lQ|8R kl\cBWxVܺޭ(o*imJJR+|6Fju|v 44Yr{tœW!4ʟP +EYOc-ǂMO;=̺k`/I@>Ջn:mBcA^Ȍ=n ֮9k2V%˶c'.O^ ?3';MfMEU'-KSgOLrQ\ 怛آ\7r ɠ-(nXp%YcN`勤P5l2}'9;\z!08mv[UF XÜc ~~y#xI+2LJq7]zŁ@zENO&IISہL)EMG2`lyK}811b5)bDK23Z n.+p=2#rP?'GT )q$MOU$AVFͪ 8^AUzAZjM|iKGϒxQnC`!!0= [9tMA;J0y='18hځa(Gó%+?ɨ"2s"2}X]='8{үcUz\8z(]zm꒴jǮyκO}pSN̫9{H4& J^'D D1+1f=[&" tNM|6. $YVbK|`I+K Pt);U$t6μXt`,#'K#OmIS$ +QcEf'$4W^츂m/ւyj ƁU.0VA:o:(Q*Ղ9H>S*Ī̩Z @? ri"(Dwe|VtغZk'NW["az+ga;FTzstS^`ZS`x!7(s⿑@Sv:YR?:hԷ, J^?pwҺyъ8ĚJ=qP`Fӛ?>.0YoE;) eB"pj5ZY )4f~8jWhXfe3Iݭp}J NƝ6`phyq`n@tYkǮ.`xJJHq؁"?.r*UeSM?dV pj~,^&VY` ?BXkOѳD%8*`s$퐱pA1"s~5s^" oKd.kxfi1(=Je,[:0glwBcB,ɇ3IXu4 Co_*n_J>]!ł3l%O_p*Z̀h+aLڦJƵt` Dg <#&~qkޏ^kUas̅.d{&i,'[VbT03ɱ{ui{&ގ2BV [ {/־G؎ /Iv{=jH{E"=6|v+w@1}k.}+P[UiT|ޣ&5DPo69:nߌRΏ3B<*Ū'%>aH${|BpCJbK8(]rAL19v![JC@].7q2jK( |wN4cL@x/e< 1C6c07:l~wR. o2fX-?OГf=lK,LO0)}=+0= TUͺmb?< 8 D7i~˺~4:&1H}BLnSVc_^sGO{b#{3( l1Hŀd?5Ev?BZpD?d0r}W,B=ׯ:B_sfpF(eszz?F:jѶԅJ4t7WG` K(Hm:6Z}T#͌N W`略_K  Ud*DM$ 6aZDz''ϧѵ%"ͭ^e*bI;va D’C- 矜$7:IU$p|b*@3ń83T?P,LS,(J %J1Ji[٠YsZ꤆CDz"&Uؑ2cBf˄-z@3s9!n>-M$J+<"@2V)Z>z^yssfDK;Àc:t10֟neqPsEI>V+ _Z< Q1'9-J8?n*v |ܼԳ$>ܝ[{"Y]B4uh,(pOͰL<4'%L\.[BluDo7;\:iLӤSA}o$G{<8Jޭ(c4r{t"Ź-pzJF ѐ1`0G>fXщka7bмx2 =}g aMD*>آmNfÚjA`F1G&gV5 :#y`Vzd{ՆHRtLyg+֒!RlFdu˿D41яJxU J {S[%+F );::p[J}P *q]nb[ޥ!Zg\Ȣ:>Ugx]6[>Z\/cfOUK֙Qn"\:ctG?w a,l B::ԙ s[Q9=>՗V/M!MgjLd p9 Y?Z|Y+H3 0E吶ȯȿVUGC^ %H/PmFCqGқ~DeZB?\^~k-\"HF3NYٵ!3.r[M@@0_qA,^aDEI%\иsD$+jҖ;Ѓ$rQGR8 U*f<ʸE;z&[7*4w &͸4_ &x Ji^9m&}CAE.fOҟ#h+5(wa6T]Ax;r";)L(R$H`Tvku$#Llə((֕/?6R=ޮ2CΉL2VxK%>EeFd $# a@}i'㾯N}BR 䲣XDg8KlpmbrcD Uin^z F}n& TPEf{/N&ُNMJtar KZp#ߌ(G@6ߟ9=$Z*[%ܭ&Ɩp #pr0?㿁X>jb%I6dNk/;gjhKC׉"$"ɭ sC+rs]5n~GD&ibڼ(,kPO-Xu)"|fM3z묞"HOU5}YɦpE?F^]oլ-TȱᡱZ=% b>:>,= %(,ԅp: <i$N{iTlݍ>va΄IִJq"HKL5s47V@ʵy:rcm&Gx ?ulG!_kҞJC;7;P׿d QTN\ӿ"m U:nz?4,Ȃ,+ZYsޱdNQNh9LI]Ȏ+zDiZCT]VIWoV%kdR&QW> }:d>,qΌ?3RBWS0tvsR5"~YO3 FAN C4; jɿtv0'}/!8VIz"X-*ܖ[ ":9uk &wUo,.=S5Jp_^oc{E4y)'K׭x7>lO_`!=[## 5ʢ2}vmBDĹC5zGax2$i.u#B81[|vXtA,g_3̡RQ*ð^DS ΨB(&JG0@@SH k*T\ u}w^01J5K:+}8J q[p€2^T)#+FD1 TWe6ڣ߼kƼ hxPXmp}$-_-r=7;+Y u]^EQhMAL + 'Bc?+3Pty[B+#g4%Ԯ$iPJ9``)& zM@x1Q6gw\i;TҌwl2,?5} 8\H;qR\D LXcSg4"n4Q:D2 o8?1ŵ.ο+pZ!*MLK>5O4z%^Jv%0e@J+QJmjB=DQRY*o}N=8iKS0 'R$]DEG /l-¶o) ,vjWM9}\Te 982Hn I:J9 VҞb.nk _ZSx_npzx.L$=g0fp \ޱv(5٧eJftXb_GlxkmȉH ros}f#nD}d0 RLqy9_'?6$YZ>5?b3oT;xL*M/A&qb; 0KM9MfOUtEnI]}% +SjAȔ!R}IP9:}MȊ?.u'پ)TE?k0z*xLd52(D#Z';0W` {.M.0}2INc)e%Di ((Z5v@%ypTjm{C[\0<ŽC!!XͽV=pAm1LŶhe^Ձm>!_s|4SV1UC'[FeumV ^*a2XJ>VJXN*prrp/uz4ß|qUzƙ?*ާcElZ^}ZH<.&TEP݄M:2vYs2YhkUhF<;2SCFF9qG.|cYyo^&,&q`fmEDSk߭Qk~TpAР+Zn.v->]k,xe{hPhO7*cg^0fY 'T^X"ݐWԇqqa}M~8"gu%rKWhhDFDg,AȋeHaTksu+ǷIe7u`WWHwnUk{:9~Cg;IL񯄃9n:S'ow3 ?ecZb޾n$&m(c*T**W-űampyRJHrƔ59=c(=LZv%3R< %,kt"9 wNؔb/lOd!JD.FNPR tv"J p-%~"[.նlB8օiW8H`w+K#;5O-bY2ƌIxz/N6Z.2Q8"|~A ؞3L,z%6C] 6ѪDV+|7lrJ„cnP|w(j=KpZ(~ |CY4]#ҢP?4|Y;w'.A7q ?:ZoI-43[򢯨D ǔ NEz87$}`2 [ParF0&j˫*0W;܅)o)"ZRE1dKSdI3U9^!#5>CYz5:Ajf餶̺([ϩ[nܻ|c)ªI)I&+= ?^99إ\%.aobwIsm"tvVg .\@բie(Lx["),:yy_nNCV*vHL@uHT-z+[=5 .sܓ.Xvs+fN%)[l* ?CmVJ8՟\wfϿ BO)==DF](< fӪjcݜQ՝F6d CB};x oB=U$1=G< G$g}QO!ߐbh8OhCA / Tȅ*'㫹#[gØBBNh@xKַ!Kf[f )wHȜ1ѻOb]R0f?z! eXB, ;w@XHw*um7%ug0zc#e0ly.x1!ʝ[!}&I9g[pY]{1;{};fp ӋMFJ8VxBc%qqz;] :t7cvgO ,@)qnr5n&M0s¼0`$8k;u)d>у{H4MF*E\2#oYZ{O1s@  R.}yY!̼lfY,e˓g^ӡUە[k9IUkhy-ôෲum%}RrrU?wX,^u vF)#wWšC󱿜Kj(n.րSx6ֲ鋫8ur7 C7@r=T1Az:L, u%VJʩӶkYfslR- THΚ,<뉸W)~uӮԻ Y|Y+~ 8@{Ǖ6]]5n$i7Mrbxh?(7}[5 ֗:rNSr!p2Irg=&cʾWB]gީsraQ2'8#c0B,C6@C|~qvr<kn9ҿ(C@ +L7t>T,7kXH`̣X TX]ĬÉN'C`T!؍aA!>>GU?N>t9wQ#`zD[^2y% 0OpJV`O-'QRWCbbsEV3!&CJPrCwuea;R*vv|P. &[JZH@ S6%k|Vݸ T(D}}"@RO) )1W+m|ΕfHڳ\ݦ=4_`LlP;7b;е۔`)nG)JVD`Z Y}Ze';횾 /ND4oI~tt;;r0nxNc|!$x?ho2&#"mIr0c tpW$MXhB-87Gy[|1B,ݎyMثf?Q5>ݼ?$Jg~<&71iw֨B5TCNNqJ9kX%?sP 5:__Y*BD[fjT)w B`ua$RA{SFttvѭ&XƬ<1p#XȔ{0阝>~rY/Ɛ?+sƢ|K};H05+u#2h;I=]e'-"G*Ic:)߾:=)/QJaDRZnh.9[xPM}C_yOkw'ݬ~Yc(br4X:ZRY$GE*G4h $Hzx}P_60rqE*WfhL2cOn]WvLF (7Zô4:޲sU;^ɾ6VOAp`tb}.(A,v4gK}vݘLVu>.qW LXljhǯŽ7Cy:<n= MOy0xn*jNt$rtiڊGJ8=(^ {H-H)7X4ҝ LfAǽ^nVbX(Th[M<ޛa@t0ʯQ&Fe$Ɋ0b>[l*$~=PlV>k9JV%Dou%Q`%EKY5gq/bȯyҙ >:D(Wǃ)W+)׸ڧD6IqC:`M//kLg2|Q\f'YNJ "A b! !&8v :2Mh_nD.1Ȯ5H^v<_ncP^#| 7,8!B/#OqgzdCado9yEA$:- X{c?iQ8mk" 0 Yx90su_ٖ2$ed$g4ڹ-Mh6LmJ#;L&ޓ{28\P\ljqH p!5~E(nE\D+ٔAŤ` (_E2b4CvYߖ:X2k St":O8(ūdև$}l`/C0 5ZlHOJUٮi3^; %XEC2USxu8e},g[qBhrקgQ|C:oKLbnz^"25T]@BO f3W_6oJe 6^][R +eο5~sU{k;h6^ /TW1AOw1DEŬq4Ap.zHgɝonNTl[\ mtƿ8{@Y瞗S2G#@53UЕ6o`M=P|2tx>/τ OߘJ'YJ}>1e5kOVӁwd>NWfh.&,i|㬬_CnAdqNB^RkIzOEyEiygC7% Hl\ rV!=TsZ0BdX5[(v2?tʞ#f*P$TNuB[A&io7M#Y/B b.=I[^$ "ϪVZp=R&o0ZoM0]y/J`.,'B; Mɶ.<(WpR{wO30'&~rMk3hx'%*mQlyH2ҹ?Vtx%o d);EMYV2I"Y;^e>D#8fCZ-X+},=aV,֎*P̋\$|Eq?k|S:qqu/L*]$!"Ntt ƟQ T>y,Ya!DC~!bNEReCMrWYFKG^34(ЌfKC(އE:<Ӂ;9~PH~>+>9JmQnD:vxo-luDQhyNI dDXY<gH*{b , f`48+DeTe5O9VP_{!Q- ,}O>׈$qܳխD*  t{dJ> BnT+G/|19n}td|pJvC6#sIea?7 ʢc(aϔ4C+Mؘb\ ])L{Vr36ύ6Q5@a"Ε;4 Q􆍎Sq%n_s@?"$ɡ]c#&=UjaLuV-^~+eO|o ;YNOϹ$ĺUŴ}礑nFصl5)+6Bm ڍx,8=//j~P9w<-"18R޶nC{բ=,Iꉯ.LWKKtWú@N^ll CyQX+0梎Q*t阘xjlƳ²\E7.zW~s#>jh)@ogkz!t}\S [ Մ]7%ߨ)ڠ?ã2be2f_A!յĄ¹ '4vCKE/-Df-zZc\B P l_┐r7'=M70k"XN`á -#"\Ș0'twнcVZJOX́q֋gyX!nRxS>Ҁ@<9ubnyiDRqroZ0VZ'}rjjS S3VJ6S-Y2ї֎"-  f5l?vGUBEXjeP:GL\;YF9a!i=|j(u{ (SGofrϔ>E6'w~k9H<9 9)DFUVV O멊zۘ 8ۡ"7 4w4w~> M#Y4%]]jM%u$~e5HJ LOv<>u򕌻'o5\&"ZԀp3b u%bGJշȖeSovS+ˬ=ż$qi?TxNQE-!=9ڻ߂~TŜvzxmIЃIc69{!=.Ͼ=]7 N e_JF]HWhՕϙiRRgEz/\{ ^3t+U6M^}LRWMgϱV6rCuЍ;fX\RHH )߯F"^Ƨ~3rc Z0 _/sY/gj/8µ[ؙ+)+H`T b2ZFiu _HQ AYQ`P`*\hî|h>R?΃RF]=r.+5a,X`}uh})<' G/,BHW[Ţ-Ǚypg̐KJsfpPӸ/2x,AnS =r-vISl}cQYXE ympFx :NuD[Y5mvE Hwu61= aTt__f& @Ag$|\'TZIg%'N{K./9*ԦTu: #Ff /b €mbZ*{𭝼6TX nq%E*<:AV. 4j1bh_H1Ƥo.U,[ZQHA }1)BJ1c":g;&0eû阄2`%q`77Lw+J Xxm ƤXɧJc+l-K3s\[|zoNejp$gPe*8!E# 7')<D@ W,~+j:K+_D[ Ѝ h@mPnX)Gi%i$ P];`RZ5R"UL^D EdKl~H2fYg{6NLCl$݀/&r(ԛ'Z k@qn9[d6#gGʰp[h^u=?Dojzqؽ) S(C;ނdI?uM݄E~Uɖ*eOߞ/(I'2:۳9Hs'HS+I oćƖy2o6xmC~ ϹpSB6饄WZv~4ыE⚄O no7VSä;fQeBUR@΃&a29=%ZwC:.od;WZIB÷: jɝ}58Z GɟnjaY$fe" Qia /aa _]{ oSP*:l>D Umr/?U5<:l_Eq0+;S뮐{T2p~Li8e1p{l \(V @e#BӮhՇ~(!Ea|7͒d mJ ϵPnMCe̐t&ݨ7+u"[^:DO?DgkbQR-qqۋ0u}QD93ڈJ2!.fF3Te -ftpS}a2%ErkoIJx<dG#r/?O%QlZt˃g;8L <6lҺ]}tL~YZR,!bbA38ϞҝW2TJh!Q~ zIiyy5<;JHK1?rTW$9f41#un{cﴉmXUosmsΌyv*8GN z;W W:&R {p:W{Zsvɞ(5^]Irw[75Hzd|Sr O]V9 o$B;qIC Op TLLXm%W\*hBN#1i A"݈Moc>0٬EZW_Hpc#ga[-X];E<[Hש4\l+D3 TDmBC͖`8qt:x6QK\ bv?T:?z@gOK>,4) *^ fQl||pV;nZ#GSSd#ۢub>P;Bv>8|^h[uu2%F@6 gp&fLdAbvH(&( $dJWN2\ZM޺["[3?ͼ#X_h(a"_W~omerU[SԽ>w }4{vh @\UmۏYK$o6M<~2OH'YdLT'-눪 6RPyB [=yb-T5ۢ{x +u' H[ ⤡qV7 r-)w(u(T|ҝs=!D7c_VhU ZJu`$|sP='/m:cj Wt>):zpΥLv܀m`ꀈwc 1[>P)on EG S&wJ&)Ϫ,C3#2@D ߕ3 -. 1f;G),x/V5 =Mj(@  bayz8ȑ8NlG瓝y=VИ )e|HK>9Qf.vưiV"Fs F!j5R@v&i sRH-{MSӧNv'9{/k<ZKr׺#txz͐$y:[npq<<Y hz|[ r{ 7n pX'2Q"v(wN_=}!*aG1| N~r\M54kp)WGLhpQ*rs$tGr(Gl#"7~u]y >x M.kh96t2FU%SA-:[IФ9nY[. 2{"}U1F" y{|[d=_cd0&Sb3!nh/W ˰f?= ,\U˝-ygh*cYwj h.3W<"$䛥nYm*j<,>ݗx[I${LGZ3l)5~,?X|åR =7i;7򶋤nW&=A hY:aFߞ3#`VﳔNԭ6 @J_>vo[@#ס]+bʗǎYܬş\"Gsw!TAtwףIL¶`'8ԧRqԅ 0^y++ݡ~LyxW @TI:MGΆI̊+dpf[3T' &hB5^EKң#dC!zCgj= g3L[kW߅Z jU[,?.8$RP N rפEPtoå|JTSSr(Q_{9Vu𰷳}bCsj}S*O 7CKFQMmػ';;2y}C3-֬xWnX(~: Ky ]@xI)_:Bhتuwq;J2?=sK  +{|yHG䜇1_նrG!,ƞ] E0jd&N<'|0p2`O!׳dlI{TzɬZoO؇HbI7m\I2aWD^D 3|xjŤ\X)Vvq4K3z*?~edb5SF_at*O0좊D -zȦ͌0Z˫=ҝD~ЁjwCJfm$NQ-+DAP%g^1ϦOJT,_Ρk QЬ`5Ei=nZQ7la[j]:]*>Ӂ 2 mYg EZĊƒ}sż/ M9_qeУ,J?k1^jhTƵL0]H;,t9YApF9%vjB̀oWȺEQn7'(!Đ 7SK\jolui8')؅rKܙ2fIg&~.04d%9l:\֤U7Grh&x*T\ ;Ȫ?Phͅ!˥ VU~nȗrȒ A2_nk#Ct<aB3;A\uއTWdDo$ma(mfd&O]lO \LdNذLCҧd.zN[}$V`" X {'e9e5\.ʴ$kt~\6hsgI ݱ(%҆ QVOr˕ɧ7I]S0?hNqgl0& ac[ RMNQ) <g-"k?cSǾ9I?HU1w>n7˺%Z.uD:*ZOMU3n!,RZY^eh"|N駶`'LL{ dB>wC5=lFߡaڧ|c0b;lwnS;ݝD aŻ 2-A"Dn9)U) ݀JH\Jh0uཅ_q/}spJ( @YdS -LzNO bDYV9g/`a Jmu!R{Fwve9hZa!mjFu~o'=fՑɷŶ`f@8бfm輌AOqmG/'Rq` iftII<յi@}tWH,J6xJ/"ڴM`˫(u o qKW79mGyHHyI=@.hz:-eKxqyz Pp{\'gض]tyZKEPL쇳3,fR"y8)4ěhPQ )Sӡ:lPVP}~2b_#r^܉ I@9=7|4bs1a:M.+سlZ}¸8J^)Qlw4@gJ4&UT۩NMNFEae>Z'Ú_xܓܺm;#jz=6Rv-[%KZnz%!K: {DR%vZA \m%َ:#<8M3;gŃc/]e~3yEVvѮ6 ZZ~}w$ZH'_4~"yQ4}bDDVՈZ7?grOv鄾K-yID:ke=@˺/iMc#E@C¤,mLr{k:M4nnƒi&=v ɏbxP{ )XZ0b6IךD9Bh8&J09K$iLږ7xH'u|k8C Z-9fOngu ,%C-% W5w $#FKfuiPqd{0ZTL9 f >: 2lx݈i?Pe+P'jIyvC'Me %YEfwXN.m_QkS|i!PNJVۆ\GGq׸i.~/%>'iuV.6,WRt$4j0ZQTM&?bo`a:36[KX x[GJ8\I*;\X ^*JNFqE!}=<ĉrJv4tkHoj.0['[hKe-^l2m.]п,/17^\Gm=*WѧU 5?clhlw lCsW~7Znub! *%gCD |Mլg/!mlZo>MiBc[uw= Mg ` Rqu6Sh,2!/黂𨈦ՏDDd3>*O3^U0H#-@sx$#7}AT sOs+l?cCWצjΔ97^$jC_9ua,TRd0 QzpïvyXM`8QѿR;266bG$/, HBPR1bA.^kϰ-%I ZĺBQ*McZ.>Cгも.F '<0V;E?~mоx?zrhζBn_,rd.>r'bAwYjh3mWb봸*r31gɎ0u7W6`xT\_oSh *,7~n?~sM cw`=d3jl=r%۴{_"-W4}靉u(^lSR0`!auA>&W ¨9 \oװ:Ru"i'rSAosee;mT=oc} z(dpdϨzHJF ' c6 nc OzTCu瞌ay&*z*/qpc3̯Kz:)}{#ŘdiQ"E!6rXLikJ #ea~,uNJ#)$N3=$GzN&d) j\O9g0 y*`m:/|$Z&k;wjȳÎXHҒ4+S[:21)CE3?fC#Wdn8n04 eN ;0ǀ`ya #Q@r οgbv-x %,VnvuqWjpu 1ے4=*L ѡʏ@=p/t>y;mԣb/6)2>cg/Ӵٯ>XOaYCG7{kVp90BN!|g;BNa^ 7]"`%/ZZ2# QKR:o0ݏMBj%ΊDy tk-LzOpQ,f*aZ =-@JQ_%kg4 09g!8"<sâGmV,tu ~ᖄw_&!Tkڰŷ,ľTshqk]^/S"8=kw6~H"ԴUQDl'Ԛ(]Mo` ?L"q Lɖ^yČ%Y+>$vU(dY*Hdqr=nACj._ٔU%9 x5gUX?X!GopDghdqb2~,N-%R.@gLA]CDQL`f,L#=U p"s>Asjڜ `[ -r|]KK|T~ < S _oi*1M{﷚Y.3X@·x2hoAƹc-x$as#_<ܱ"}v{͐ K nٍ_ ȴAmzYhF#YEkopEt0)E-=@1c-3(zX*K ([$z/>L^)MQU+FTL7ї!+o5>HN5]ɱ~5D*UgUNu5"=.Z-cswax s 1mdbΰNT#4bݥY : _@'Hc't{8 NUFKDڃ>ijbͤqwev&ODS 0R&@#z%ʊx{lf¼ۖ5l𗠴iH%YofuMHz ,tV\]B;B^PzϿl<"e+>`lR`HW 2L& KJ{P^Rzt #JJ}aQ;Emt!*EM7!]j5H%G;X1Mq>=` M}#ތݍQ?y/فbm"kNV/#M UuP^\˼fԍ7$7{IKxWI'~,: iDPX"O@7^:oŔlUMkHu4(71#h%hhB /Q[ ixteK w4II&p\" I)QZfZF_ 3$n<pG!XE>`Q Ba07߼<U oP+prF 9Yu䠽1mGH9OѐeߗħU-> H{U!aՌWp[0'P 84^y$2=gg @DYPk%m:IZAB NT@%_6.TPb^@? 2QEn[H캷qGoSD!A䜔ri'3r|Or|$dzSn a*{D@\eA&y<[cbLi4ג""1NjyZ2^$42- $6NS9IQ*1уtAhUo5LHR/'U!vC/FGi|/5lؿmJGÿz}*-t^ydN΀2{f]Wcg9"Bja1`/0l>P^U|ĻMƮRk"!'RIRr=Uz汉7\|@7Sf%Emw7M-'ͼ TAQ6e&d#W$4UyvQ1iPe:yLLC n7{ׁ)c)!7miTx)\T#㿙znZ:eXAy1?QO=UwOR@e\dc&C$̤_P P A⬵o"E}N0Ɍh, .$U7]gĈܒ}' k!x cv=-;)҆;)W[ħ[W!+ nm$ŚjMH>;H~'IߡPF r#lms7mk!6<&e{{E s82UVڞQp\ --N{xi땀Ep\t~e)@'s}1vr@)(hҿ(&R.rLi m -;iR d iui'ޜ> NJA2T}ޙjg፨ 5aY-#e(yEeeT h8`h`h4yjg63Vu>x̠$B T:\ q_}9(IAroi >/ )ЫePn [{ZkeR {EXlA&4-$CAƼ9ݑj;~ܬ:Ig] >]DD'Y|5Ϟ̆sJwXRR,okvRR YqBwY d33  4y;KH}|,t0P=IBfm,GdE(0Tm@OHY5l[&YmG/$Uh(+ #ΰ !@Z=uB&^Q%w!ugM?D~!?m1Uhht04 9 q_8$afP8l?6Eĭ=A MZ(v*:&NVvPkcwpݿϭ 8Pt t!h[{x}zsU ,Sm'Gѷ矄ps(J k~F&C:ijg1lz3*LEgyL'ˍT''?iI᠗p4FpLHsUH鴷i2rl,&Uz4KE oI}V9K$ 1eEBA~lL1BM xAy$B%?Xik;UqFD8%^G^:N&] N{$In=\swx`o.qBys7M7 2i. !p]4bոCgn FTν~V1!Xu:Ik)eHu%ֶ~D[ߎp{9V%L"ܯ*c fi$+[$]/Vg16JagwvUj f]X"ri[$hC-`'oqYڱ΀,"ZA<`tZt/IЁ\[#&ީ:FS(ۿ~nAnXmUF'P _-x?}\:'ZdB:2LbPazޖ1n" ^F'ZAqfKzP)*A8;|Cy<~#\c_jԜlQA@٦qD"ב8nps' z~23֚5 Jv.܉"=,sA I9[5Fdw=˘x$_{BUٙ82s vRkrAWJshZ*gGL^ 1w^e;gJ:3 99 J(#~GC6m$-kMU#$oki= دԆg=f]1@opasm-bhDrJp}djр("@f05+ 絾?cr#=8L&[\y x8riδ>˭ᏸoc+)K!!/&{aZ3nT%f)xu933ײUߢ6c췫a.1 {Ea G!ٸ[CKK֛7Kɺ35GQ7h!Pf,"S:J1Ǻu ̴` pIպ1ˋ("bmYѥ }#ɎAwV~1Rm5Ͼ2X*pmCR{sjhfM+_۳ v^fm~nzG3&)'2:lO4z۩ع?I2/&r2NNRҙb٘bHe IW~˜فvtr+Y`baŕL=#^Q o,<_'ɥ<9&Ҝr(=5ob@2zV<RyiK =rx<6!IϽ)aX9Q^gm.#dRK/@fPMbPоJюTsEGb7WM!Pm&lj?Hz ^ПN/ ovW>yo'CأPozm~oމ53`l%Myvx^w+ jO^l 't&}L(TB*e1+U<k@h,XrmlՈC^F"8UT ]!}| 1a49tƺ(ކeSw>׿>V',3(僥Ump>tߌD_#IޢZà&4cÓkTaNB1syҼ8Sy4T[-$Ҍ]ɳ`dpvB] Jv0l$:)sGxu,֑9#ǀwX\m*HXiR -05E3l3Ό(ڇi$U8G*mLDBe!ӁA>H-e1T`-trUi9Σw\'~ULf4+$K8Jpn9hcbÖK['A혤ě (/aBxzM o'+PŸU6ӓAfjTD“rO@tqITRn~'ª7E<2j)d u?¿F])oϻWBNnUؤapA__֟ .sA{?5!8G@bMBCvtP}\DDz3 qюuJ8:}e2%+qn71*IĸS\{+$l:=VXBw2ŵ'2nok!Pjվ8g nq(5&Ox9x ,B4|Ɖ cmxzom}=x(V;r>BKhXSBUۧ-wOU)^5]*1"r}g}Mz։͗.,cEw] 6pLApfrA 5EeVO)fÛ,Gl;B4ZFtBDϸ'?Nd;12iXFjJ_,~HjG[LȿyOFq`{hB=%a}eMRЃUExz}aE:N͙ wdH>OMg*3XѶzX <>~2Fd>H]X/zKW3$IC{]!sdY4Ov&`TĿd'r Шe돧¥⡾"y+[iBC.Y8Fh7_t g=e2bϱnKӡEqbt6s[a̐1'`9N֤p$ͪ@m^'"Ύq:U^"Rؗ^sr7s#;GP{)wq|g ;e3En:6g5>!]1Pd0Az*^q/%܃ETjoH[s<$DGExPb["8zs,YYyH !-mC>->1'}>Nՠ H/kڱ폷8A/5韘)@B ,7j]J:? B@"!v})'7uGQt/'B4z0&sX*mO9Srdg.aݗ P@ J%dؑL\z4?vOƭbMWM[ϦL1vޮ@R+ Wʮ^h7[Q|$om ZgKwB"Y2 wA/#_*Ev="3Y|-wU5 LLB R vV?l ]ȖS=8a)r5*H: UA- [mpW9R\̀&>YW^HoT;'j ,?a#/W3RZmq1OMeGg ZfkZ;uؾ'3ft܀Qa 柯\P-X5*No g4*@P8ļ4"0+YU4=|]ͫhu?l~e;A^xYǩaLKǏ! /E[!TՊ,6Q0Րf`"N0cz^8',A I6}dqhxBnoj|n~ ʉ;׮DIwz_Ru8kmjP# 4'v\>c'p?.pHCt~f-%yabg-N$/?W@9V?Q)Tm_=4G.I ;Aj;KbCu%&Z/1Q-v҂x+AO)}J3S~' 7Efo{f:LTj=s]ܱ/$ @l}]ܑ'sv|s]REu7zӂ!N.]KM7(f2bbŐXKOtInv OO~ >6L+s`}`NN f&C7 A.\<<-b뉔P"AkW% s*{ ^C-j3[ML>,I{Okv7ҍIqv''i]ǧHV 7#gTŬ݊d7kO?5%See`٣3Cx 6LH6vV^fKX璟*Vd.kN* fhi#ke JeM7%+4XerlF?*MUi?;˻kG% ^|x.\gW²@ʘka7 U,o.h(@u>;ao*EjJG%5V:̒B(Y[?`ag~@aoPS{WțV?H9ioHs04Wa37@&ȧlutGV382UL.6$O>d"hKzo_&[JPU\Xd_>bl. ՠ`nD Gfovn/(|nik5+͒L'q9W[`C4d\"KyoffǻqfMat','V(22 YA`l묵ģ*+?#<F$dN>/IoY5=Y}f6#!V8I9pe06mdћT໢r2ire [7 )F{81&5I R_VldŁҰVbbиz$ҹجv*Q T;MwWQfM$<TWrEb> a5F%:"DWPQUndP(h꩹[Dr s g]M߀8g>]pd~ @T"Lܑy(2U#n?Z,5B?oqLvd[27]&:@ddbuiK`CCs"E2\=\;\Hp l#.NLxՉޑi^֥5a%<Ғ OFkޛᏲi%ir@h xNL@ jH#_$yX96m!jM0cjMжW\wm3cX6>>P1^"X)r5\ \?E(:(Bvƛ/5%m>uhubƮ&lԠk+ar59WѹxY|g jmQN:?Jٹi6Nlʰ)sД>bѴ` v,Dm/9Ԋs?\V#>3abIҳǮ_g*4h(inXxRZHXZ {_/@#"A%K&JT&U[ӄsLq!s3Ae`0b:\#,C'gPB4rrdu`}k' ldT)O-2Hp3x?Uq, P`[U>gr"obQ9l/< %AQ$[R Jh*mBr47o҂$Pn˨2V /Wyo߀ń%4:̌b<fɯCyޝIM7dXlEу˼YV_hlrk~=큅u*[,F)\˅Gˇ/=:qC5w;٢.{@D#CI>WMa϶t[]I|oHWa׊IJJV[jO!2jMd͓|cK| iVA߰( |d7γHZc,ىAF)濫-w~Ѯ؋(a>D:VnPetip=_{euD HDt Z|S SLiG\wMCe àh'sKMA'ݦGl%_hjOTf-KĬvN耗f(VBw-e{6|p'V{)@_TDo"?+:F / N= Ժ̛b+ƒWr9C=0 CJ5N&Em:=zh.0ŌERt3meFھ*f1? Q5y!STƉ=u)x #/YQ'#B ,Of xn&;&DQw ( QKƻ:'P*+u0D>*ViXDwDHv 'V>k)WY#TU8E*2U0z VjNdz/C kyRls ȽT0Ù{zMj eςSտWu0xCzIcOOn+c)* Jߞ7roliLkqKN_،odOўrBZ3+:wN0F'VZs;[{j?"9 љ eNYr9mKB0EemkOhƯ":M;]=IE\@ F/:UsZ/ At◭P]XF<PNgʊ~ |tՏ{1deRjh7$@J&a;FHW8I:QrwqALB=oN| BȁM~ DZzsAq^yc9ֿ tD?L;_K/9D53\g`|jA5DK:13wlŮn aĄ[[h If#!Sr=m ~/J}vd(Ǝv; u,a%!̱ И7\pDtkpъb[0w \n|a>)zF1_%EU*o}'ø8:Y7&sHq\ճ+iLͫ (2g(ZMef5D.$s~lXUQlJ?G>{ Q9yD@ȨU=d$M璺 =ip[42,G]U-)N:c` XR/ C +q7#mے/tuH4ov捶dgO 3Rw D6~z'3I*z$ÙL,-E:ε+JJ缠J֬ܦq\ y+g…+UpGŇ7"aA*-c$@T{E0z \wFIHeSe_)8`KQщxEN aZkNi >9@{C*rOrYUj.st~(%Pb&7y]`.=cW-gT}9pܪ ^b]7^ML۬IOn64Ms:> xiQ(SD8߳;JNq#u4`lߺ,)fѮk!_4ѱLD;:g]77O#V`X8 wV1pĺ:p M2+JtrNF $"3Eٱv։*Ǔ&e -zU /𜩪~<7Sϫr76/`~IdDqOEFLm <:WbT>J>zi,D-R٥whrk n Xɒ&VK'QRQ#~Qž-Ok3k r'DTwӽU/46>% 6sI̧fҰ˚cpf/F)F˹@kbQ7K*Hn%! ) wZP(ODW8edgmbujuA+uͼtFД'&'4.FO+zשcCZKL񚨔/cIhF>J[YR<-_=.̕{ 25P6GGEJIxnT7Eg-1S 3/V WEPd߂E-MN8oX6M0|5@LJTOjFnb/z]!A~Kk7tp dnz֛Z[cxZYsrDaplLXuyN@ijGarg ǔ 1(Hҕq/Ӿ*ӷ9M*NcTFQ AP[(2ON"h&ALh4dǂs{P-Soa)~/'04)]&U=ٌ7EA YkdO(EmZQ~_ru01NCyPeʅ4@qei6/PE[lI/Pi`[9H 0ջ @=}ċ 8d{rdE;<2;;sUVi1+m~}N㝓N.zhf-Wx. !JʇF^X˘E zay ӗ5d9.470,6O:7FJCLڊ/ r ƒ1$+F(kK%5L«^A}=5UOƒǮ ZdVKsw~߳^j9E5%zP  ʫk .|1(DS[(M\=Qէ2T@l &/ZBYm"2 S @vJR1n$+ 5؛@?1 =?f,WxxE?pz<_V%j 1ax0/$whn"#p1(ڸ\"1'%>,8l$&EiԤ&ɃmK (Duxp9s'g2f^84O-Y n(ɕDrku$oEOyqZR\w)Df6 E3qc?B\O {=2_ƈ\lxNK(=G]x^} ]վj ]ȰYvn`!*i0Pn?cL/1e=hp\KnZ&طV۬LG2}ҷdsX.B0o&b d ?Ya8ٍ>qى%Lu(ۀ4rnI&uv, ]h&v=Zv!0,S-o<Ͳk()'N71.,e 0Fb)rW!2w~k}W ѥ&{o$9* sˌ_3`S2쎠,xaYnJty!ʲGf\M|_~%gFSDRGw#Hiq(4iiL-\s;3R7nhw~ #кOh xԾQJ=!U$/d `JR k>64H-|!AQIZ=3\<ըޝ~ӳaL"T uzI,t0G)xQ.WDFO1ox 3h/|%ARɊZ4ǻ7 _M1/-EQl,qi~Ơ"ᨂɧ.>i}S.VHﭪa~Mܯ-slL"} dE^TƉ},x0JV`τm i9hXSMmw;U`Yfcnm1xhfyH0m(u+}̢d%t2QRWA}=ctտ71'&Ƹ1#+O9i])H "ykV̍ W}kP׼/0,@֢%1$BNƋf5R]Mj'<&ZU*~ruRP9p&C|j5'+ 8|Evکr׋ŃDS{ArD_ X 8PƊT4w&؋,wWZ}CO|{zA$z SR6>[ *PBrvU4b_{sDź["$YWcmxңh͜a-> wavU ĝyR" RAa QDyZ]iG5B7 38Zf]JJE)8ǩPwK[+,71DKTy(6l=-V>sjug#|ny335AҔ奡(y(&W/eT貃>hܫ W㘍 }#c%z3$W%\ʝ1Nq8GIe&:ObUv柤c>ұEs)7 9+=S nKE0/F¥ 8a@tKš_,3 V} ١#̇%>B;{u.kHָ{Ꭹ#VG E-ƹkvݬ!J/ȫh`WSn}o`tEQv'9t|U9Z:8v7dQS(\@~ &' w͝95"QrTh /g_@h[4/ {Ų.h,)1h&vr@|` 0% AUa雈K5k|mI=z"Lguɕk'jeuU//G$Z\3R!Gkڟ{>otT ^ޞ]44D[?8} 6fH[g^٠Hf-?N袟^'g_+`̜.1A;U c|KHg3`L)}c(3!u]F>Z!cbsC,Z[ qmr_ Dm_3!6A,fa1mWV+QG궢  BKP32_o_f}7-󕮷S~:a/XLyuĔjA Fl C[S=T_ggaF!M߶l!:WҵUL \Z6c!r/R2Xs)Ie6pi^|VvBꓑYsH;pEFR6,JDo.ICt(O W!gt U-}ィn˕IY4ȶQxsxPrs P`c t#~Cް2p*ֆv$d-F\\tO8u11CsvQHfg7R*vaemd2ţ7[5`"X22լ\$"S~d (zeҞL%%Ql=:SU2&,❫c{>w~d5Qɋ< ]ea/ⱒPaJHfɸ%Ĭ_a9{&_jn߈T}C!/E}G,A>49Zxmĺ@ౄWJӲkW3B%2#=߹vO2tΦ>{Y<. 'mYQ@ #w,@[vG|vQQ Mb=u()IlW$(=odET$d2MV(p5hL ɕTm0Sg$ 0Y,qNF~9 0vUkפ5$IE3ŴISRVViOe>P) ۄ_]-Ah(dlkTU*:7A_(}[8R3"fY|3 f+j٠J. 2|9)NOpӜ~ բPG:Mi lDA}=4XM gPi&_SyIGWe(H+\LjZPmTzwez3DĤ]^Y_ hU蔄aI]h7:C? ܱLط` r}Kb_ ~2i1Y9)ξFk3`#$;"`ProU! xi.tA޲R~Y+`F2`e/w+j6FwU-uҬ/h0Zsp$K",܉8I~Vn>c"FQ pfitzݴ(~MWFdߘ j@V@XT抢 kh%b:2W52ShrGjM >B{nՅ}2pmz7R`lTH}WZ;_pOb+q>mANObW`V-wH{=bmetY_žڹђ꧍ߢ qd4S׳01h.|,|FFz;jז#>Ab#c./nuGudSibC>"$S5=+zukx,g/AMH(lmYRnW0; j a}ipk;np%eIB8k==v[>LFtD$om'Ʉ<@i{#&b `>^~UIt᤻7LiC2ml7Ξ׼6Fߒ]<*DDK$qO%B^+"-c,B/TBreRNu:T)8`:'\?(*+=K?Pk5mPO7NS|ۡݢ.ϥLMO$) VM.e4jTnthJWɛ[.0S`4ֻLt 9ҙӄVoQ%u[Dk9c2׺:pwLܱ2#qP{IXocsua,Iǽ {$cԲT:f;Bl1KSuv3LND?;ϲF[T=)i& o'[Ag GG\Z*}| MCE;[ѹ.$a%K&53jo x*}:WldwL CbتDC{`Cʳ,z1JP'&-l4YNsl˵I/|]MC\‰xtBhWu:Tfj~m& f%nqw ڊ@hp?FMscw b 3u57t퉄 ?}_X+GڢYdth"PiijIYo-b fN#md7{cϚ9:tx"m‡)r w). WtL_o!upwkޕJP.5egŗ-äbC>JoF: Ua-(6KT5"!Z9>^$153A!]` yR`{D$ЛqXb۽PS)l֯`3|LrCJA ꧃t݊>(J̈ϺR&#T2no Pm>_=WC9ءNni }S̿&Wat -x}4,dDD 9O=Tcj8>V@Ne&RmfBV0Z朼ơ_y%ddȕQiִΐSnKh@;OYjv )>R+7g+>YKoPl-B2u"aBF[pS,]-H$L'?b)O,K`|kh{@)/׾½[X^T+Y5Z& `!%ME޿~ Z(vџK{^EXb u+`Pi?8_E+[xIj%=좦X/,ӷCa|и;q@Ƃ,b 9 m?-p4cE+v]J̜RmJP-խe&P[5xۼ*lV/^u&%MV]'C{)ȝ tqaI;*^eP;EWaThNqd [DҶWs8iE H*bT_ &~i'$ӉB2ucx'l}o S )z?\b.E@#䪖zk{JR)RO_;[pl%\۱)"Ă`o^Cj+b/qNpd]\ &wX{Ż<ٶ>[RrX ď4h6;8'1gS0J \z(^ ʠ=e)Q {AW5jvķK8NG1B)[Q7ძeHe7IJFqIZ3''Mt nvw 14oӕ;\uA.^ \^Qh(؏/uD6{QD&!VdE'1^.j%#)m 'ΊF6P\xmRP}aզǻEwڝh:Hgzd5, ')w qe|pqfޗxt!i8 z˨]GZ A@!ϸVgK%g^Z5?Z{SȠ|&O'oV,srF=u#¡%I-5`Cukc$bvN@}#//f#@8_g1c,8S}m+d }@$ҜO\mew=3ԇ7K'/Q,U*-,Z5(#&n]b;gA+;S'oV8Mگ4`ё~S-VHv\WW ިc}RNd(֎:ݴ^ku?5j ؿ _M7;oDRR/)Mݣ)*WUl>0d)xR:.] ,|Wp-Wޝ'F1~*_(rsOoI* T #lzr_R(/zK4g=AMuk8x McDBXgWeZY[HnY`UvhLc~"p-c2!˲C5;*mr&5R;:}[2h^4by{)!b.EBڬ/vOI7Η3ݡ GSLY\MZ&Rz*]4:* 3Zbn:>P̈́ H(bӜ :v-;6ETϞ'UcaWGA^QS2َ$k:؋v$ 2SCeӻ[Ů4j%v^ i6ciI}nBX?j1s4P TVK k%Pʒs(@LrK8yH4ޠޱXD]6 ; w|T#zZ(`2+x̊,۵0h;ĿRD kT:9 $|i(i~CXo!'"y߼a͖ٞϲ`hY"^m%B?wPmν5  2"ߧTIJ9]ő!vE1˫{%1T(SxウFaKfe֔3.9k<,pH&V;WwKRM9S9]K_LDCkXE/p2K{+ F9 zoզ55<:G#+ZDYצ tfL@1z9XDV8eZAFɾ3=ixvħv-h8ܭ_!Rep U,P Xʀl]Z QnB; d5yx04>3po$E!:R)]kl)O߈4eYT?D:"=76\b@̏n.!9zgB}rC`7:hmⰸz`|I2I,7vmp*^DpATWĭcΖu#CLfkݏfv>  |d_(Wd^{q:h, \lj=љdՍ+^ϚcwPsr1Xy~XvH58wbDb]Y\C_&鿷Tf\cïV?k<)ܟ=^vTfy-D5 lnJOW*|&fTNkO\4dd.7}r9P/.lQRjl?˛0*;"Uɛl&G +c/U\ i3_*;sQVYWB &62/"-e]{ȅ@T)ש$In3r\ZWbVmpln1 袌H; tAmSOfPo[}$@'8Oh#9M[c_qlxVnHVnW:(Jk+OPʼb)~̏Uh*ցa禹f? UlsrFIMϷslt!!lPG|*TUNX+9c6.򄇔9xM@<T>~VlǒH>WlO[uq+ًoJ#S _`> ss&ZEKXb.2vX h/N%8ãR*hn;27X߰\ggbRlQ&Ha%>o?x@َF$u(]T]7x%匕J5j4ɒSh!}DY""[ݳ&m$vԫ=?A$&҃C^wc SA—8G' 1N[ff4#DPGopEN3Dmϋ }گ*!ވhdJAuFߊ  Ź*uqhnzհ4,Gxb~NqP"CE&XͥIp0wWFegyXZZt] “RHE'jD@G$zupݞwh  `ܕ-p*<^ğb[v* X_K5<|o/U] f4M㲋XA<8w8ޚI ]eM8TKK4$׆3z9T&haO[&5e}+_њD]uNas,Lw0o:ΗqyJnpkVk7b^ ZhU8pO*XvNr!|VxQc,{c8=+t?M7VIcŪ_Q.+ LB*U*\+F]dx`+lpY `gkKphdi淫i9_ﻥ*cb4?i?sF^]rb1@`ЍJlxK&,m?CzbZ:uVA#u;Zs>Q)5 rtG8wJEhU2cǐ;"u8;TDp)$gpPۺMpڰ;EGˆ-|/he}"}{Ė4`e[iX6pۥ{/t—"aTkݑkmgcāusmtfwr$hEf2 ʹɒ5iR)0B$ʼnFHTIZNˋ5"w4"alaAz?O[?)Ж5j$M`353+@Pr>n\ot.VU~ /Zዛi}R-Nq2Ȑ]uԥw 1p1kK,YjL*y{%yGRƗyT0NCsN c{a'>n7Dd]"qF9>g| }\.U:Ӳx?O C}рlf[*mսVNυde4bwk)5­j?Oe!.;ȧaڳظIYW39*gd=A`1ĝ?y>$' $$Ø 1  >$pB_Uvn,jծ2mΛzn&@?++H}|.8j-y4N;C6 a@Q x?+LKGTYՃX)ꁨwoF%=C2gkI67[ /9@% v}U/Fۭ|j$MVB`a">mcC.d`-ʁ!1x wTaȅ7Vpk"lWx=@f42 r|RywHL*QxY̬^@NVՇM#Ij&Zqrs[fM WtJj\Zp )D,̯k#bN<4VPZw3] Fȧ6 {U<#_V6ZKE}f~btmngH*u2`BLi~ۄ;,VEE(NVԄu שuGD\ /@8cu;WBOjSp#7-M3A֘JAA#er2la>J9.G[i"hv΢9.5+#Π?gi/QEx;>-q\2Ù풦Gk̥1뛯b~P[!/g kN 9;t@,XꞿL %\z!k7>u>Fkj %*zJᐠd\EZoVzpP~:ITpU 3d48)>dq`Gn9+cʞ<=yõG+쑿~k Xe^nPM WRCtZa3jf)?"Kp]5s yt!^W?I%wr_Z$~Yy*O#S~'K4T,k|8uƓC*/ȰV<˓R@H3BdZ@"X< }ʶilA|ll[{n#d?YEjnk (w 0׸_Tߊo|u4Z7)UwRY'1qq-^Nj=e-(,{asD+Mw'3Ɓ=rĚ~?fz25?eC°Hj`Đ 5=ǭ{A[(@B1'Cޏ# S Wf{ʩ)2q ]lt=[m2Ǐ12_Т.B1fAΥ= oZxaŶN`AKd*"h ^[aFUkGc߭c73`yF@lT사J(S 9kP5|osmWgF z~3B4VOc.g`x$iZ -[yr .փS($>{ǃs mu, G$cI@WL~XD˨v)#e.7%6lg4D˂> [{@Iaw lb\41{pdtk#3>`[q,OdyS O_<_ܯC 3JBm]۱XD9S֓YWvYbJRjI25zOy~m5S\Hu_\72:5Rzx և y7}U\k9"h3\>琗nkx*QX3fY9 u* u+A$0BF 3rUCp3;Eb'šNU+ k0\U–7LuzP X25 ?һ^9 x#6k"4J2#2r,ʟ}5y2FϲQ`oZ&GM%{&Cgl\mn$xU5f5s[^U, LW^1T_>˔ۮ%aCs̫,`2V)OfC"Gv!Aҭ c3zQ=ChH\wC`HῳuJoIc[gdl8`\ׄ[$v.5 v47Odwai`r-̬(Ɖclh烗OV||ql#f56  %qPXAD*]a.a?8Y-C`$neO'3vx0ŧ04o?wh"aehMm5<:(xd-0Vw3+vɛLj%N+mu}ZIʅ哽 ZEuHq=z?xk6Y+(Tp !/"ѥrVh^kk2 )hwzdRpGIbAװ2Γ"׳l4[ ^U0|'V!K&e o&;)y!jޟtޥyIsE%[N Q cYTS#uP]2 c|"n)l[B|vݴmdf| kU\]F-ʠdx7+ ngS$XlqZqwV$g: F~΃pj@ڑvJfݧhDdP̍^6FM*mnpxjFKD+atNwNڲK:Bg.uZdT6# 6 4vSy~XGEA+ /Ho A' r+bs4ILcti/2!{tzjz[RCiꈞutI;O>↤;@#Fi Ptq%]L_#1ЅtϿfuFb}G^ǹ×|7bIQo"Op@Q@w^_?D cUI+If>r.+,_ ]v{ f؆ǜZӧuK?TKZ9c~\w)H^Mw,m-_Պ1dpWcJ( \M-bodVa#Rж(GmuS̩6iGHEx\:3DRQU :~צ ้Z\ &q/HFa`TpLE|zkWɾ;$BTc<`kɣ:T!ɼ`ДzM;5B[moG(nS$+8AS$X KƴCRѠ-W*Lw=#BDxy4lln#5WQUW@Ow߶Wz(`/ɡj"tqOM1M?S]Tj`H',6q W.eh E9{W1|i +)!E!ld8;gw/ELMe@zksy Z=C5ȩ+D3q))-6=5 $~Q:H4M ,udI@Kb+5l>w7Ap_lbEwLTasjT#VS$1}D쾔nɰzuA\tAM[ 6l ېBKlٻoi -bSmGYBq Gα&0̞'e\lmzv8MV-֥ gn_{7BVQW7Ms?~'X**ZD"lqQttP %LѪ1k-Y|ba:Iю+i~ c.mWA mbL|O5^>ә|=_MnI}Ζ2֜$.L L~>1艌ya2? wxƆ:ugOp^q(! JS.7ktQ{Л, ?щ,saD'Ɍr@~_.Tެ6!Zȱ>8Ù r^O?H2d%Jv nu@o@F_Tv˞+CAJ_k"(Z2 ?%@,}n]$FG;krԏxT'4*ť:Po>azXmeC施X,x<،c8nFy v!':be_8 ~#I0rՙK~V2Z$ R +S衯ٺX.͹ɩ0d sAGچ*&9#) z7ե # YarbM VBZͰ"wt=F莧۝ѷ{ڦ"ژXShOQx̜c0N=59o`Wu[w"IQF "Վ[n=;\WѺKT+60 1ׅN+<ӟAKξƤ~ɭ>$sN_Gj7]iߞ$ 4 ;$-7JgoZ[)ޖ"Qa 7Vv_;1Vy ]"1r@s ,"߯us9XJ>ύztwY2Ӧ)u 3q7ƃf*4cqc*@reӹ7d1XCm,Yޚd. %ܧh QJ:.xv[ 繗08d$p'*8llt!J.9QWrGh!A~Iiw9)%o:)PL=M['YIQυ$O(O8)ȟd` X G/w$}ωnIY !oE",Lkv׾MBFͺzTaUj>x_,$vjyO?aj[E2\hذwmۼ(u1Tb ך.kr4)* $k`/N@ pݛ-L:5$#\~ǦlcmonS898qXk:>3 Bj (8(X*6HF#䊄vmux*/AY6 (LBW"ҝ'{_߲65e>+ ?tĸorN\E묪o8Q %/e9U^ӵPAݱku&,va𥵐VXb`S?yGvۿB T[7Tm.rtR/MiOQ.d좜:wS!7sVЕ: 謮s|:/M@{b͢4&pX&g0rtKusXu:7Z̑U6 ZدX/mt}m9b/f.֩2ږFlҳyWQhdiKqo h_'~G8L܄2] b`H͏AԹwd?yӁsQ  ,lߢmHn'd={SQ6rckgVDv[8 RTͤ q@Z夛r1J!J <P'P6:!َ+,V'RRyID*:sN 5/̦aM<\~F`&mE99j2x1pOK^sP<ϬteImp@ i>!%/7wke KoGPoy57|tX\yb";wj l Fuu傧P: T#?JQ@I,֣@[6TB)zْͰwV{2$8E}ùI+SAhES{REA{dZ3OwE4E8Z&"5#PbckA}˰VV~Ipruabe,hǾג-X;;kͭj^m9umd`kj != 4,"1gBRVQniђ.Xpy y2K=~$Ew)\]<ӈԀVʼnAqWe@zh&)86гQnκhQk^pD=JF T*XEF"I@pтD)0j*.Ð\Xeo7r+hGс޶|YF}8%}Maxn ƥG@RV~r;';џ1ZfFϫ0P'Pa+k5A%\U#8% HϹ=zGguj3'hKY,HcWn靎y^'d>o[ M?b?~U;qM4H$NUH)F eLTR$l@zz q?$lJvQCh4^k6«7:\{4kG?lVj{M-qDǎ15otqqG}oG}kr!sGFy5aJػxꀆXY ,>|Ʀ@p(]Ў5&#=QBFVS)tF#)f'\ U^N2}U?sײϗՊlC r!7M`(Z0RN$^,e4 "A=2Ϻ hsV3]~}]9>q^!]8SPn 0i%{2~bp`$#Xv愈UFgw3xEƴX?kN`Nv/r0qbY/3J*N6u2Sa)Jn[?)2Q"[`Wjms~-3EiƮW}Ӟ%E1ЕRdJWT4a Z!ѯpP0L\T7}.=SKnb[)v0'BNpBC˰z l<cd@ %2XZ`K2Eł<j5+VcyWa]H\ Feϔ.4v }O#,>gvr˪7/W @A]鐫KIZlΓ ǟQX}JkY!,W #(YOCJw\ʊs\?Q-Ng&쎾A,xD'ba#h eo!?zULOz~> #/b3$r;C^) oFFzq`텃OdJ|*=OrhZKlozԠ ƚAOz;IIya=-&;jR2G}}WGL:ͪ7^"w.u;zIL"hIY٦!,R: } IS9An솘yz]?ZfY%B.v`?D(fW[5.Ȃô=Q0| Fiqz$Mv%BK!vTqśhWtQkUګDp>d=6X{j[W/`sKj;$ágUOϠF2hZڒISZ"GD\ GӚi0#nրxK)\|{_HNoDo}'RR&Rσ;odϩ+bc.@G@MĈSrAV4#v=TæF^rYItK]P$hp]n7R.:njznF؝;ᇄZeV؜k,}IEHY2tA %~C7oўshkYY]SX/@2R뙽Cܾ.";΢CM=a|.dS-gWt0Q.l&> iL x/Q(ئ6%ݶg5%mzN 'ԘI] i+a1=BvLʘp)ڵCJe휹NI)"ዹ<:kO!TjP4??@U-DcRz2%CZ,5P<^oasKIrW Pz4:xז=}atTPʛ_3wg}/fj%#5VRmn{#  Ѐj9@u賎_(¢loKmb:)tgLqא:;4KP LG`COS,"6^1&N0d Ю)IqI]Ri7Ov -vLF(9`Qv DiBr@RU#uc1?_et[yDmfzxT銛*A̸lI2KۋHgs~Erz*19U"0 +rA_ rwyxe䜇gL%; 4ԓeZO}6Ү7 0芆AǕD6Dޙ_H4ʤĈ)@rL/hnR=DCY_^-%xdfW&y$sstp?}]*}yA0hlM Ukn$]Ȅ/ K"UfB?#7A߰ZH널_T ߍM  !Naƫ,Q'EV0k>5MR4uw_}bW+-jhVLfbJ=!Ϟ:1q9E9I HxlԀ 98QE騘̗p.TpydqPIDxzjmd2S<ۑ߳$6BoZ6<צ*T &e/nρaA%Ĥl-Ŕ'һxo2*CIDt[5As24mR`MpKez-qE w-?>]=Yxֈt|"$!ƚN k;/$Vt\"6k,ǦRiJ`j)nyɑw$)*7_R'jPbx1]׈6C~XKG7 |wŚDyG’5s$NCUbhNАjك,s(>zcn ?0Bᧅ"i*.hO5Fo4 O[ 11׏W( Uh-HYZ[3B`CeV)Qw.vtڳw=?&q|tl̰-S?)^|!㮸iPuDMȤ=iyӃU֝S_m wROnh[_cS<\JͩoMVS#z;(4D,Bʰ;ސ 7k9@lC|eso;kߐ!?%r㧉ካhj/?l+ed=fB4h䨅 X%[aW޳`i X8^gS,^qg֟;YD#&tE. ˰?hHs} TwB,yR bE}ڧ|/whR`gvL)8+Ƕ3QV[y ,cGj v;9"x1\E{"0raieɃF92 X`9KR\8&[еJ-4wk72s#|fGi\Cjn` N)%7zVr7Ѫb$ ]CUt%ǎ BiTnH*3oFȿTQ,;+K{2˖NV'cyu}FwW80 ˖[{ZmM lE8 (c6U~)XKt ^!8wT<۱z]@&@f.lEFR-dQWl^_7HN@Bd G(vJ_>Iuy-*QT1eM) !j"6` Ӄ\w/x8HxP9ڟ fﻀt<6ZΙeX F )ļ$s `q[5l ,Tqd_CQ$-d#z&Ё)VFDV[}jKc;, p:jr ` ;`jSӦUٹ;?nU(OhHm{̅y /(K>H&| (+:Wpߩb ^;Lp5-Ff9k 5ZQ\z; ޳K#F^G|a*uwN\{R_IfNf )=+ʘž"Z ͞Z> f?Ӈh]'BPļz:[p&'a4X|j!C}ޱ[o>9=˄dџ\}ɵbB(d_<ݢH2P݆>͘~S/" , qtP6vqi`DoyEՊ.O5aqo~?Q&X>К ?1 D|xM @RcǬVG 0FOɣ2⥇[+?ձd/|O/Qh>D&!'GRfr{& %]+g(bA0e&4Cc(2A5$9EtBhd0n[.xFQw;ޭ$W{u;)^7 k^'\ȧ9As"E=/YM [K$>ZE&Wqt"<`oA>ʝ=8u`ʯ3>[֣IFj_vXMwR'91ל |F 2>>tŚ}຦R:ZFw(_K}_ڗD 3Pk*zs~4TI[,} kY\YT\:orӔӀ)5lŸ2ixɉϨ'eri*_Pz7P`V]}CYV<'/i/IoJ6]Y52ap/h j:4<.x;Ÿݧߒ]C;m+)?xv@y."ZgrRr{!By3RH,sR[_2isKA o>NPXπ_2W0Qi\KHӟYChNZeiL< b>BaKD8:^nt\H6DJh,XÌ<3|圿ePn"xOT05c1 G? #|A֮>HIY ~~ ]8tʍ#Bޚ$ $g՗6?a& !H)ʛ.O}x•.94%hP"2Kobo ai1_0 8&b $nqbD!Ny;[cV @5(\1#PY@*?6iwi;﫮d99`. DC)9lq{ybC6ĮU$iFY .IjR~dBW3΃-04$z_ %D]~`Z_e$SMz`cBKS%J= H*m)Nckqږ˫u4InyZx~m $xht>z.2-N5uV$36d-2zJȱ)P?>Wb^DsB bk3xŘ "RUo,=m#NS*Z.װ}Ɨ~жYnnIineIXӗ!xǷŗ~r8[.H Eą$u$5n-T­FtCev/{~fgӷ9Ĵo*xen lDX! j1jp3}LЊd{ K"D iZ9%2s((VmPMNtŨl=?!-\bbE/< .q^2}觵])5)Ū&_'n e\@lt@Q>4R,kUiatVCa($u[ ͳkgyДa@V wYk2EKfܮs^s+E 'x۬4Ο6]V2f rH䰹'ibԭfG@Uz_ ]:Je"m߸ Z u s7qJmf??&|lK޷D:6k[ͮ4I)9$QqT8ֵϮ+|) U: ]PH荈Y^:ˀ ]v,sz5q'R̿/89"$Br&? `9rF~ 4|Ϋwɞŧlꤒh/[ tQuתsl=*amU tKԺ[/ea۩ԉ?遘L,Ck|),082>ٍ<|q+J"`x  ?Zxnjhx}{.AU]A@il@R M'3kf3СwKso=֛߫E@HOkA~Am)ccYgG}XIxP̙ [K#۰ʻ 2mc $8]pm@HKXg6ߑ=H)%lhl o q$2@R,M)g-jjDNM=lKnL ^3,86ri̾cIvWaai v,Yj;2:$8SEb,.; sUSgsIYf8wyXE\5KU 9R04n<=*1zB֎ "Y~=w„A%dVZ;,} x؜m&I@="7>P>>/(K1j9"=R߃Txia :nɲ1nr^qPc,06 ϤgԺ3L\TuQr\rsxS?u&p ='iڥ)đ$Y9ASO\X_4ST{@mZ/A}+yH;[dp.oLQ8gGv2B ;5|.[sl}d} Amx^R#fżjf%*憤&^5U_?e~"#^)<8Iy׆KD~ݮ7!k$-f*>ZRdY -sV[wYfY/ b^ISӑ\fП"'@Z#߈_e<03GMڹz. 8 Mg )֧fK}:]Y5SO gHFCGRɹmkV 䧡;K)+j%I$Cf=H?} m|IhF0xԭbΉ-zw3vguH g= J % a.ExdPejy%;nxtqXkJ잼$^ ɨk2{+[Jx\,_l蔶wg\H'CgDdG;؄]Bݫ-0hdap&99!.?D1cXH4jl3GųOU\( _DȲD5Nga\]nU@n{.}MvCY s]W_Nyu 4r$WF4ɛ"H}7Cʐ*ʘQ D:L;nKLXo5jQLߊoaԐB"&gsTFyId<]|%7pq5'G/ z:xoN'+qm=w<4 ks]O1m)A՟}r<$u曫}J7j %e)~ @7"(# YyEiH jq{ަaԧH.cH ZVtF `xgq`C>>G6\TH&4iձ \ey/nB kݍ# _p?O/|,'Y'RgԲ+bi lo\NhEy/u J3hpxjFsGڋ kDne`8N|rC~Sx٭!\xpӒ>gz)e9}xIFM{Bkb}B5uYdrԁ yB0^uȇsy+Y!m[() ZYde0 ;34kN3$ZUv4~.p t-r̳ 5!Jk `h76lc E(Zͪ%` 3d:gݼ:X=q]bc bHkm:8*M6^!&ոۈ[/A2 ڢj_UwHO"hJ_DcR `ytPRbF3x4!Yηӡ}=3Ze!0$? j tgWeDڳ k%2"&;qŃSv0|MuR ;BLzhYdU! M g@vЁ&)0@L$^d@@'cІL\س c&q8/ 57Y [Kn$n+*||#RXql1$OPx{R/^"xs= J1rAhT.Rsiv oij+y4~dHY֯#~]p(^WB||h0<6X9 g 7knd.#=V¿dIOg`dffMV$bӀX]힩8GYVa:nEO`Y4rbXm-67}p%iy;ՠ&'U`6hsqE&5)gx6m*8qg]J1DfM*0X< Fuu`W+LйӮRyf)tB|<3ű7;ĚtqJ4ׂy8i*RZDK6oZtPY(2aB&*2H֌i P ey5F/"=<׆CjT a~FD=Sz3#&3l <[DFS2kp_Da\:wuoư#I" T뗢虁^g-4~Q@=*bn=1B3iތiDDVi<|.–3ZG97xܤ>/(kGS WfEzr{YUSt9GfRA>=F9fӶ +?B. ƖuQN=Hg$j{e@ո:`έf kr[LK91~76hĻ+l?*OGꐬǨ:n4M42N+۳fu,epkFY5x0v? ǚ̱tn-PM?ڌ~ gۢ% b1d4 _h !)\D!"exOyŋZDfy 5ʗ~I`B ?2+ &%[r4HX XQt7Bl?sɁ':Z7?? u  כ ?&>pg!|^"L^,;u5q&*oH1>N{0P{ uEԗWT[|J~1HfZv۴AfD oJχʅ^"4/Hj\Ny_C^-_.!TRtJ@edNGXk l$2K puD}Jg,<%YʒW/3W4ͦ n3+GZ# 0] Vn3&C;##%bɱ/CJb r %<CяJOcU־E'gC$]"S?=s-/PfrfsU`L,WnTssJupԇr&Dk 7w V΋òEQ#sYO?rU]\-W};NJ;@_ N["bƒq8kHx~',]=3şO 1nZ}}z)xtPQ8HUb3Y%F`KCa W1e&YDLƪoX{Xb$ /TLK0=j.esi@zxϴ w :l11H{_JhTB;念ЫVG7ƨ*#%blw"3QUDDo\6WDA&ALT}&j%('G"dT8޹47րnUçy/=T6h,'͜rKRӏRZNQZCI"t>4FqVVDA?W%>礇..~ g`ۑDf!|mL(Y*rϵTC$?EBOYr%$"@CҤbvE)_ v9S`#䀦oyhaxa؉u\*jz:OsCiWtOu~K9b6B1X¤XIkDKL3x`j}sF4Y:M0n 3V=`u-aaH<6Z/.?\%3k|glX}r$n@ &SNКfowK-%gm.tEaebv5E(;2X8&(jB*)XQ*'6.A-"a@Dm=/:[D#dyff=G2}C!\l fiT/ٯs$42ӳ.%:({Q8Lg*x[PɁR_/$ 2x[Ju1(SyJx\lPN2-9smȲ`îQgoFV27cɜ"q^2XaN 3MW(cXfٯ!7?ZXжhY"G;U 7 l;5Xv H*:T M[I"' t-7wYIܮi?H-K+]I[Kx5?F)Yq:Q=~Ē$ VwApCOs(J5|-\;+q1sѿ+F,MF`2OBUП JHx+e0j!SYL@,(60P)Z! X yUTXU>W)7L ;0_#ɀ}x 3$|!Ւ1?Ay=}ʅ.{w3Kik3ePCP&Niщℳ#ri6|A㘇 a(-P#ZH1lJ dkXG7So@oRm)P9"Aaăq>v}އ3}f<Npv#p-0\ӁkƂWf'}N%Hgʀn *p!:Y}}tL3zn% n0$:'߁cNinqBR2UކSkX6S̤` g}Y.BPغ8_hM0HnZbS}S(DtEӆTD7u{25[gmtF:>NBH5> 3.u(4W`E$t5rrE@KaMkիk#6i %Vؤ4'i8 GєKUSY?YB[`򂒏́DpBbI]m0ic0x8{{DqRO%+:E雴}$8׽`W u m[ź`4z@L6qdm]I'܆ގ6YA yB&e`.\l_VyN& \#/I0^VꥳGK•ÜtX_^fRA7gXl,N?̳BOP;t|٧o b:(3j0lgF4NŘ#Y@}yrIhmID3yjѸ 4:@|Aok#|b( RGW)Ȇ;l{7Km( $.Pt=8epNԎ_X,wyeJ/ϡ\Sy3|GO8bFyD|ų.$ uCW2 [(Ȗ I`MJZ,mA#3^!c--/ΞbvQ 񞍾JnKa0[c'U^L=.BAm {[ǦPF8fqׁ@%_^:&ʻ~:jK0yXjk\?Vo:, .?b衔5;D2. 䃴Ru\ GOh(XLy2t =NO\",wxZhjiKsE!nX{YMŗ] zro<${XJvuW%@i2"I Mru \{љURkG8)(]Rc<*hW E6ͻdfяFvs\3O[,:g[\T>bIe<6v ?ZRQS4i8En,Vx >ʟ)2fBVu'ՒC?d 0PQ W+6[]ȟAon<>Q~*Iz`3 (}} ۟G.KGbR4s/!!O\ 7aNcL/ V&Z$v:n+R$@!"xݝ`W O"J_xpdY|}kxo!3 ezMoKX#Ìޖ3/'شx2{L`~9]!{c=Y8( {4If jFRhv򬑚By7nDvxQ'ƨi_b?H+$7[G $2i* ~`rsZ3l@)#,:pέ:1)^W ٧u(>ꐯ` _F uΡ-g2~+ cHY36`W;z\'SN:lcT$MĪBawSn ts% '*U@k6#MOĜ}yCiL1HuP@>ϻGftE18~~e ~>}0|_*Bڋ܇"ꔓwlL)PiaȔp p-=BZ`vd߈>}L~y@='rn$]E@9([uR g8MM=Iy|HduCþ>Le3B38o!$l0Ѝy0`"ۙ@EQ}<%t3hX㝙3/zk"QݨRx)jͻHn;U)]C78Lqϡ˭$6)n jĥ́^'- %) H YmQMj Hc< 3sȡ CK|H&lH*rw"J L¾ Dk:5cK xހTLUç&{9^wl5vz);N$j_7AK Wv߸WM*򇩈xO&Mc:{r5=6 *Mmӕ̸ŷhAz?,x-5~ J25ODH51kA0>.-NVt3{yhn3XD$w0a1lFz kb2Εƒq+w#(i VeяmtDJ2Zd? loK42n$ytJ>"Qh'[005Q~ǁ%LyA8JXV17;5?27*n 1{RczM S]HP[Ä& : >ڪqgCOu# υ?ƪ戣>Ud"k/hZTHA+fIct.UGeGc.8Z#׃$U C]?z0otkͯ:VWJ&j4LMQ\QD^`GvȒ^WLFm64:%#a9dӴzN1sa]>*hWXvH܆'eڤ!DйZ2m$QҼ]Ql—ll((DUjX*5D_豃 mIiLMP-NxMz%9Clsa[qH[+ XṘu4 <A3Pnvh_<٧;!G$i8Y=I1!>fN_`QpCsqGY|IK/tWj< *H~DK6(7⳻\^)OsLH" =YDNۜs f>}ߟ`GBo7uP3*{eL~)ýbJ[dgth:J|5<>u {AHU{L}>͕0 'KŻqdikn) s\w JDWQE pF& g ,1+^8nI^^BrNA&}-тe~*Fߏ==+3ߩq'MJq^-+c7Y62:_Y=u0-.vPLPrT\!t[h9)dG1UV|W e #AEw; ũU9.A=P^0Q(Im#+raM`y*dPKTKO> U["ez==`Erv5u4]Ok٢I , ]餒ڈfn1+CYCBN7p;@ސfP+ 3!IT9%vT,ƴ))R>Tp\iꂊB1QTh;gkӗ_Aj\DM{yy#}4K>V B@Aއ~ٵQMnR;)Q"Tl!QSpc. $ X Ա'N) [=/QKĹHS9:s0N(xV.G O'%!M6r b{\ϯ5ͷͯi/<:V:ks9@ z|8O=4&ڒ/s|1XB6#1{AlTXʼnAԜ.Yl]{(߲5,Vjrl/o5Х/w %ꏢfN=Qw/i:3hPr ' yitv`/}jHzq]C 65^jğZgp@(ƫf<ĊmhM1rR nNjVGxfIgBoy~E@$*P ap?9twcXYP_KxMv_WQB~Ym-pROi^L܈p'`dkK8() HT8T7 E i0dn|2xFɭ+X&-r ['svбe%LUu exh<uR,VNƎR::CIPhCЌN俊CW{5nW۷ sR s̽ov J{-VaԀ>툽{= pq>hͧ&`%T.QMe،횺ۧ/>BܿxAv\N 9$`W6!"l7'bx/om@P_n8o)hNǩp/l@d8oq ɢ|i/H]>RM(e:C]yk{ %GCn?X'.~:0=`8I |Nة+p0=P:8<S5 fT6.esjdQE:WuP\#]پ(lŇzǦν?{yQ┉K8Dm ~\9ttVcyA99>a!?2= 禙ѳzzrX& ac|=:fXr8YsLDۛHa$ó5h3fNu͆4@iss⺪ SrUj͎Ԛ ZzT;9Ğ+1s/z)&ZYg8=Bs _Au)+j~x˼rO#aJ)䌫^D,R'X3gxOap<+Zf|o+@6A\҆ ~>[P.8c9N|J=UY(OL6g x4UMvF'`nc T ք^cG8*cIjdʒQeT"W)Ó)Λ@1|̗G<ִ2j'^A'` P|S U\CE|ecR*i+_Q-8H<> )?~FR$ hS-)FMծ܌-;ӧFotB d:ȏJ& nͨ zoIȨ Z)Ҟ<9V-!~ lէx YḯԃN(7۞KGMcjl`fbэWo>ܗϤ|'Z{~iaT0Yk,u< :Raf$|Z'Q4I` Lcfc m5tb]$k=`oA6軃=)ބme-pRj uÒyfnI2s6po$ zHnX9a wJyEd#J_aمVFhDbUgT 3]D]|Aۮ>]i`ǜR#p"kGk>\8z Ghm 8W^MRH뫿pՂ4~W>b%S0?焌S+8S WXN^[ϛ_mzBDOG7onfyRl띫ۈ[z@DZtl(&qqВ"q%'" C*Vq]:L9ͲV)銕^~cw9{r G"CI1(y^jRw 8u=.>܈'Mn`v`;z9_DQTɝd2#:v~OoYv jHO,A YDxc&_#}*sHr/VkF(dIgNڈ $VÓǹyħYOV6WG.U_KM1ITJj+]; 1%@+xH'I\]BN33E8ŵ}JXY\K8f8JN]εDqWt#{[;2IK5ҏ|"@ͱF2kѓ/NcئQ]_, rw l衙w.HU)w`5W ?^l JAOʆhw`R%` B~A,7*s"A_} P^GuNi+Hg8qm@v{ V#rc|*';oCG:s LnďL2;P 0Y쬄m1(sJ/@+wfhv<FIFybKvdUY,eJh'FԢ>DqE%yESdEOH6 {V6Hc $$+z,BVxþ#L^{_{?r+S7&'ڭ,uT}?? 4@3KSVԃuҴ pu,O;D$A&RҌķyVB_/.Y\a!@smmFh;E㴝ʑլdfx%a*ٶy^[6Q%)}mBR:βi֯J[UYoeC1d3/hq3>cDd{Ҕ:@ 7kVQZp=\$%٧2 a"wJnԝ!<^0imMc=5en|BTtNF_9l Q>*ɺ{ѹ]aR-8Mem" VR[,L[NAD됀Ǖ8W_א ˙p3E*0S$ޜՆpWz8T!*Q5JBʏFȌ F.v'YX9v7Lɫ{?& Z걿jquS=7&]~x}@'’4>"Sj?߽T=TobB(8 b^Ƭ)Z0!m6")]G;Hbi.'W4.@%޺ n\AƢ`Qoķ*S CYbpX-命mH别\:;ȧ>VB^:Ҙ1\F9=l<囈$fHЙi{} '_y7F Tp1iE[Bk5j/V#P1Ox\CzlZ<-ޟ;zc%>v GkOU((X8$] fa%JT#@ػ~lJOTgD+ME)TUkCNUQ+#=H찂נga=cm?|P vGwӡo 5}m*!v1px%^ O`:#hRk5܈l6F#ԅbҔ%KJ !1(F9ʵK}Ŝ}I{AImiK:U{mp({X/\ %~$ p5cO gKx0V'`,H:l=P. I"FZQG TXEpy+$̢"$D0e.R} AU*kk46`*;T[URdPmaX̦nb,ܹ0( 5-};:q)XJeсYPvN$ Ƃ;3R)/.laQ'+|f[,A$nddFܧ:2" ɴ:9 ~s -Z*S3iudݹ#IUMT(2POQOKV4-_귺cvϢș90a1I,HͧviνJNud:O_ H7a ˕i'pf$<ʏ[gNTnHZJL+IYA]ƉE"޺Ρ+V'MQf*QKI\šBUgaVc<-δ(+ I@$!<`\ 1ean0B*T jJ.bу!خSSY|ڮ; 1tw1 =l \„7e6,@-v"Z䢈B94HajA,:>P`nDB, g=IX(U,Jug*Lctdєcr T/Uс.CL3?cEo.allZ`-k o 5dqkzJYO t0ǽ>k!ek?,8/|Ɗ6:"?>t3N_5mA7|cRb&TtjyfCC.[f!WɽʪUJ2%q5 0Eis%zsqmi\^uC68P#BR-XtQq c3Ă47W|:|R$W9TW[9&t~FCBKDw顥D;iΏxC "1)H`:Sx*p6zF #͐>"r Դ~:θ:'-E۞ڎ1$c.:gLcaW ~#pFBdRY뒰3m%`l_.OJ@AW(ZX݆C |(>3 Ш!פ>Ӏ^PIg?|f7䛘x~U<#NE }*QSJg#_!C6 3#Xj)}C4 hf\d$+U'a Xp_gu&rl,F5L^9G)Zľ8Pn lOҬd&U<-Qv+磭NjYOGXߍ8W Aح`ZGFBs5[nb)5V,KΙ &|nTc:J~#ť7P2oX zAE .8?izs˃-818Hqp> Q;Mhs6Ǿ8|NXWSGLژ4ȏ0 jvzٜ3'9Ns_c2m@{y,K%ⲊVb Xw-#rkur 3*RO fM-ZUE^L?A}))LK#qJ'mpO/Or -듿p0uEв-j$Ԧ ]R|ޛ^D?~ j"jakϧ6cPuU^Ysd ԔxC}+ aYY#RNS8` Ƌ*R3>aSTh{"aQ 3c6(Hj)}@4#GɶB)K}2ۛlvΨg ;}M[IOZpv,\ACt~IfE ?ӗwvQ7|γ^Oޛ:q4uXFkvÅ"‘ʕoIov ~2s6*dpNDPdM(ΒB@t1?u_E+eɞ/GPi0FTVfX;0MiofPݟȤ8]CleuP~]7?޹pה;#T?v ]Ԓ㜧}MpE$ ҅K/B3 z)43 ڿgo em&dԖ+İg`p\t]tH&L^^I[3y h]~I%/v(يp': ċGf}n(aڟuՂA5v[2=c16PF$Wc+5N(%Jc@b)a*$I?r\@- !NCqp 4p͌=@D f\Z݆)rt]2["ܽ%D7jLCcH}9L !TBV8[Aխ˝V8G<):ev䈆<1Qoէ[(3|ж̦G+N<j@R~5@Ҡ>bo|˙VbppI2jGx5MGh-WEOaq.=9>#N1V[؃懥a! u˟QS[ubycתm5rfK yR&!8c^sҞ_" ;?|<:?4N@> &UW rCTLM*أEų+2رVL Z =cR!S," bzZ-]ٺKSY|`(zKx9RgYSv?/ ˆ|Vεzjjy:h^WEP=Uv?+&vkMđ4q!j6QJRΓIGz݆=Y[퓚g%wpk0Cg>,#.6bO74[ӭv'>iV-7Ver'worGeY8=E@f&p^ 8*Hzw2fZ~Ra*<Ixf&l#؞ ! e7 PEsb}5qўHUg}FM^'~-#Y۵21wLUUb&FBS|Pm Thn]'p|ךsڝ˓ _x!7tМDDE:S/҅ůŸu߳@ogB9JB+ u;QŲ0/’Ds;pVrngm4O7PecW򩂽OTX+89C]_͒>+%c}"//-u.&i~'Q/êPW5lԛI7kg'T|c.f@P#b0qpIY:C_ҔsRc_X2ܩW<}EM&D* %^ 7ao~EH汑`^}>op W_..D!y4]i\V0*৉Fe_w V2~;&9Hx-7V9M#oiBڹ)^~KQ 3*wq/Ei ]$VWAO!G |@U* &[pLEQ;ڕh[]ké_B8K~Wa`m/붴Ѝ9"s9)\6RbVKHIwҽ̺X x5u nb𭇉xb'3OH{?n ;coTkCTQs,'syD\oS%j6UARY߇dª$Q/ݪw*abGP˂5 9{e{1ި,M.$XKxRaBEcK5]<=Leeڦdp*_}3eSPo2 [S^o\ѵ9u$a+Q1f 7R"Py.x`o {kնC"Q,t t4T(scH%hh/$D`R"F3gbf\O6 A`U3^'+!ryDZ,9b`y-=~oa+FA좧13>{ɲӤ$3Np' Fzcڌʚ͒3 tOQG 2t9A^9;!ܔA JaC|ለ2ִ~,̯*táX<k(%yX}6ph} QP:y2HEhHAc?ScA_W[p` p U`Bʓ5selinux_child.debugwʾ7zXZִF!t/]?Eh=ڊ2N\v8,eUVQ,0B7/)?B? 1NN7`E-OsB6 ֑_yDlVaZ{){?]3dƣ ƻ@`w AW* =馶&Q*=#Mrl{EXP8\ Lo)_l65=M3uR7n#WAM_ V1'4XC2o l.E*Lc-An]X)9 ˣѲ$0DBTMv`,!:{#ޚ-v"TO&>  7\[9cXC{=c%!ov %JU{zQ95,ow$kJ5]NL;^\imܣ&g[%=DѩDt=9'|7X *ǠkvJ1o_}6v[\+$+4eŨ|chd] `G1e3 BcɆ}cw! (^8iIEPun >>e*ru] ٻ,;Ư=r3F+)W(e#v  ;>#e57zyohwc0^m'A(BCG {|Dg +@3* %^u}誙חWqG"7f4-?z04Դf ϡ];ׅp)! U8'$| \<,B` _sP zΣU`nݐ1CωrCԦxjAʢ £O|yP2=Ne&Dn5x `pw׃pഫG\?J+E|ՈL+g\3&上,`/ R^nmk,˽g0-'}i &gDcCN/ +^gYZ.shstrtab.interp.note.ABI-plt.goݓe'i^zVMc)ެv4 J\SC՛~ M[;nR$yCQ ,2Jc⓴ֺ|%fk%酨 SJnĉXWUa^rUjS|8T*e_oߦoŴfʬ{63h M2UuWwϞ}~y'Zf4S.7y,u~*չqNu]F |U<,5k||0dr=:/և#Mi?PI+aFB\YZm$yĝCXj.j|˳oE2U^ﲌ:]WtU$|ӍY={1 Ty~4\al胘C1ǹ_<*!DYgHs4_=qjr-*ȋ|ퟵ$Wq$c| *"SI%6\y=>Xdwɥ8/gb:̦f,|m ×w(J}ƪ/lru r{}}0[pES@3RQ.t:Hۃy=On=eBHX8bay%DUC2TQ1 -I`x_0dr.od DZ!s<YnE1e<4{Q])("W2N;`mt \UiwA?4|S*Vud|!.ƯGi(#4tFat.DzRgǢי:䆍{:`"t۲X $:ޯ@,s2 H iEV?rJ K[t`sE Kf>=H&hk}Av- $Ed75 W҈HfBi'cULD+7##9ۃ @rqEl:>o䓔3QM+gjϑ`O?[Id M(nJ리O(;ZhFO*$CID'B1e8֨ UifT3jX:ܓ"_TANXvTcGW?o:cEdNg#ەciZ~Mo~dzWOQ$rR*`wr6`M2T,nj` yȃ@F 3Ӑ$i8OV3Ah!imwN겷rxxǹYE $ %: QIo5@R²N3-x5e< >]fV5R݁쒨T d?Ntcc+1^{[Њ˃~HDߧ Ύ,Dx&+<j6~%+3& |҈7;/Zޥx^!Y ؚlo,xB#:*T<Ny )_q!ThcR vo  Ϟw A1}8RF`H̸a2+ka%N3p1T|eїlKn҈o%w"Nf5$uQz]<)Ywb?-mG!頜݂PAPA+b<\U]8Due3v ĠW"lX!ygN B[~/Fr+KόYױ @zc~"2mNϗqBV%[%^#SƇ}v;>g<"{R}IZT YQuAn`[)"ɲq y,W|Eks2`¾Aӛ[A oTl=>w=]`LSdl Yw.Iam:s]u>HS ^XY7H^Vl+xN)ޡEGޟ{~mB]2t6Vnm|]UK]n`h֨'V:AfN⨱?ErP"UdzKI.d6ltww/˸y1Z|8f%]q 6eH[#wϽng>}-.K=Hl sM2v? Q=cF.^EFM?6&xqc![U>ܥyu=T,<Ew& vng]^Z7@ ?$'0a b5D 䊞 ׆fMe2D ^鏖Fg5F #lliY[멄E"ì?Tb(TcLfkYmcWgx*EaVHc֞qQy檠mpY"wτ=+s#9U/7.tg1?p跭u;'.3[[9. |2_iݗƀů;<zzkПtFDwLH)w9V%H|4u d޿\C}i Xs2;^z(X:5ݕkJ@.fvYÒvzڍD79,- ;s1|W_̏5^|1vr|>'k/;4d?FӬ .f)nKJun]s ۸6XW_ADR!g<>h6@ f&5l2'&[l73r}{.˚L4L6l?br8!EmnWv]4,X;&7ؿY\/Z])5n7*U{ֶM\ c|n !?Ε(YQ3FNӟ1):JU'P§pk甦`M]$J#qQV#=}{ J"s3 k 7sJ'&{ߍTZ2ç`W؜`[8 qXkBE{}IڸPhR}_~kwD-{_4BݵG e. 僨fl&u+S,РsK-]yР+!xAT(4Vژ`= }$`|/Q`q+3ݍAܥQA5#9ҡq| Vt_KE-~ec?xt~hU%-"ӲM "Y]);EPvHgNێ^M|l;l@~!BA3>R-:l35܀; 7z7OZn\>?2n,"i~Gl6 N\YM&蚸9]b!bKzДn9:W膇NO[:Xh Br]ـFmі9 ,E?*AsC! Pz4w09۽p`N&yXoI5W4 x'.Sor[dpe{X7r5ax\fV7K7X. :VN6; SC =bi WEaǑ,͔5"7tXbȅB0%̠a;մL"g4sRm;?|6v 7Na48X65SC$¾ j09vцVcAkR$߽qcdq)p J_zM).Y=kmVgne<6=tF.-=Mc݃G[E4cojׂ #[?*]KP*f4x\rK#ӠVm!D[ .pΠyn)Ļp'5^ —&qqgGP|6 SD34Z,#Vl\CS{a@Mc^޻&l+tk̩f 2wC :qΌˡy@JC;w]RT> .uy}.sT~;0 f87.GE7iy5L}M|,:#y!zv; 3\j}s>a͓3-(qKݤk֗;o]0I[Lbu`f gUwbHƽOXgJ%>5Xx“Zia£}hAz~dsp];QƧiLj-sN|n GEv2k*^2U` }A/>G2['eR4(>1jHOYDi']S;%Ggon#λpGxO/  ' Xv`c@D#jԞ{{! Rq8ޞtccDZߣ`)3]U߻fwω8^Qwf/7{no]Gޓп`W\snK4n; ȝil瘦 ^w7rBX{% yS$K7]7♩_:#am777ހ$O9;}'o9Aa 2{eXfzq ldS!|;܅gNTqM'X8 b{qM;!Ks./t5!7:iFyV\p^8lF3^$hLC(x{N0F /~/>g~S A>wZ[tI˟^FPp_&On O>~v\+\1LL-z,_wM>ӥẕ"2vQwNOD#ZNx1NQbgwEst'`l*hZ'^ëѧb©7Pn#-'Zҩ).c[/-^}ًoϊWfg\43obnR>y_+P$A?? az_>} ,}X M| >1@¯[8 Zxpޤ<)ȇ2c3~Dq_6 k}C|OO5^]5LtjWS8| K)Qf0;mY]Xo,]f׹೻<CG 07ZBWoPw/[Ú>:S[Aq A8qG73.IpJVq`x^ WjAA.|W݀Eۈ:|+uMtKGq$pbAP: n}6)~i3^2x{HGͿ G`#4+L'ޥTDnCaH{$ "m}!32 !PDyv{RhNG"ޔ&Q/&#[}:]H[,D-Y'܄ 9/z[ h0yWsӹwa߱0$eB[UL48wb.Z͍c'p> I&!Zਓ')*|! CU:!E2gmd$AZE)yTxZeJ BRZZϿ*凌Fˤ֍(96sVh Q*=!Ljr\R╨׃z#TB ا;Q2 v tߙz>"bK+{4]7UdEjAA<D}xEq%GP| !%M(ʶh9Œ6AQn䘺 y]$+Vas}qL+31ͮ63NTR^KJӳrWߥJ:-!nn A v߿K;rQ6vE7yީ]W[v DH۞0fn-<)>,)\QK; қ*fJg㌖yvY.YM2tiLOHI.Pi 4h xOb!Z4L2=6C = EfZ0;pObҠɆP^ g5o{k?KYE"JN),y|fa ZNn,7Ij QGAmn-/4:$ukxЬTj@ r' Wwk,G^L2fD ]e-֗zW;I \7JI0kb=VFCF/"U[տ-(eD'ťR{28I\x{e5PHؒMC;&,a ;$pߖJ)33s3^7AK֛_fgٳu Ti3#lȼSs5mK]b' 1b m$%wچ!ŕ7.)[Vͦ\@RmE,#C`Z+ˆXJOy`Ia{:`Ԯ1ӴԦ_+cȮj+ukn(PY*AiP.cJP*6"ĹPRɖ<) cr)? CǬ(o D9p͊$A"&{]%fg߬H#l$LMC7||WjI'G5H!AN-A!(6/giEr^zخ`BvASfFd,Gh"3!M 1X,4rt8F?si ]z[,@¸P}7O8- bM+Mmu\8|d%J!=@h:5l656 dDC"lor!iRi _hYGK̆i,H1,ƶAS;10eVplc0#my]o 3uZ9Kg[tillu~+Xn)t Xz]1^Cα(pZm%ˤ5챮kH˒`˶Kt|<-66sws#̕K^va#h>_xaptb1 b{@BA LqfvNfk,fB{ICmDnܬzAF`,71NzfI;#E4f>}b;<=5eGs QA@RضVc2m2ɃGaw X)`( !vlEIAUQ dnhV)?jbvzP*vVI4X iU6Q>˳W/P>)J@X즴!i}b3PՂ[Ud4 |?"O%Yk=Z tqQ6鄾$!_&)9Cg`2]BG8edC*mhrmQͭ&qQt 1)B<)g_us Yёh= d[0^6tVZ`T$Qͯ "KAmÚ:)SI4\xL֬e;vJ37$R/O%z$2[1#IӉlM4eǚx:eu7ڎ†lb=FSDD^P}7P삷'X^*.Iyx>.?$~Z mIh ; =]-~]r6 4=6Qi1o_Ϧ}wd,Gj{d2nkg p /U8g%;p38 &2XTw9dG 25v4~at0Qja'(yLtFJ ݺwͻ::uq>""b$bnîO{vk ~b;pHߒt`cc0~y蜢@Jz프}bpO`RrHyBVe9{j_&\ ZxDLd$ƈ,3L~)3\iUo2!Ed"N v `2k j~>zݙGMhYp# BnaC$^nrëvL[9㻱pPuKt3{8UًuwjlԖa|£"Xm9˙^bZ>>툸FhևD e)TytF$G"n pq-^]'v0Ծ/pSsקD ̐čO $2:@܊gB,?i01=vTYQr൴4:_i}Iwdn P"`_@g,;#ѥ4aD0l2&+$( Sptaqt5icް)"_&M~GD9`fI%"=^ ֺs|I`NdJ) Y*Mg~(WJA)`2GxZjKBI>"6?5V07D$.1S=kjy2?NQ3J4N]>0b 4 ʀK&UFn 褙Gl:wR4I#ǒ7ςz9=y`XQǜTDUxg[I(a$:tDܤn P @*hFLbs 8gۚuٞfqH03t/R HBEKjSb]ާp:ajVv<0׏vhKGoAUeVF;9DiY&Mg ;i{ a>v2XA{w HTpn ,%)Q)oN Tq3 ײ4⡢v?(my/3yg&;?~PL$&όM],Ks9މ\PN1ՠӚW2dfYqfqka|4Ö[{m-Lq nV۝y߫UVmJ[m! ;FIg8Y/_ǒ'ՙ1n&yݩ,c!Nt8e&p͏{Ə)妾LT4 mpa`C3<ZնkMZɀٲ'fQ56CcF0Ӵ%v.$$BG[ؒ¼H.pWd*0> r %@gp34?,5e)Cn="/v!fcbd4[Fu Kgq" `wA#/n0Z&A`h u#w2UǼ},g}{ڝUTʗU2m 'OZv^UZ%F aWZ/)K55.urwMIe˨찈`YA?2sNf&۪@>k3ؑxv{٦C7&nS#4mA).*UAnv5@2\|r%PtVn,hÐ=j7씺:ns(Q`ߏu-EZ-y2ܞj G/'Qblae%K3R XIVXU6ItOD+9*{0%4U0roڹs?Xd/-wX:XMb]n)e RZe%m9gZSt5qT5>ٳVsgrJf vݦWrrU}Ru4 4BeOžeR>' TH*"(ӊS '˦lZlR z|dK qA>hݍ A3a&C 8GUɖgh0^҉׳0=R['JeA& YG`wX#$"U޳lkr)WDZ|8xQBqn1% %z ɑR\yfj}$VXzZf'ռFMAVU_ui_b [מ;m.P^̶ I 9:e{mfQ~,Hp^f=i/0ؤUHAq2ZkcW<$ΤxkW8jLB/kqG'+lKhaϯk7ZaDox" /mwjMu 'ka9f!IjE'Ή->X\hݍ?_{6+0Z;.yZa/VnN1-:qq ^*Rh׭ywZZ;F\&_yq!;Tf_;* V4a -Wn`%a(~wscUnÂV\w; BuW%Ey1ZA\[>G̥CЂG1W¦4ŏTeq2Ý,m@?5컈m07ˋk k9AH,jrnsvWQ72aǗNkN1*p *߀3qhzl#Chy Dj24KgX/,d9sW;SyapMʰ * nz~q"򠀭#UdDp8dN(D $dP;p;X4LnhM EO7^JDWyac:3}5cqRyn,9n5l<,-Qlra\򔷚׵urⵒ[uqu2+̪wCz*:{@PŀԈ/|<m(&e(9I]:o_ln1=͓"'Xj](e/bmGҊrMdL7D}4s''g=cgT݋kS,mKfњޟ!o/?@J7𜞁2ma]v˾ti-Q`].ja *]ioХ]jAt˶N}7;;HVhHUw*^yUqŗΚWO{ѫr +n UۼkޠކAqFFvúD^g`Rw.ZGzd}[.u?ϚL+F̟`)!SdJ3N[@X.hQbiߙh-ɛioM5ӏZ-}`LFn-|G֜Zӵ7U%|@)}N^^m4ɋ%yii~h|!oti>]7*+Fն>Vܤ0֯K0p5Hu1P% F;EGi+r9LԮyӖ8ֈ[S(JbZ=\InsG:j.5ƤfsmH-OqiK=-B¸,]iŇx<"3[  YZ