sssd-ad-1.16.2-13.el7

Name: sssd-ad
Version: 1.16.2
Release: 13.el7
Summary: The AD back end of the SSSD
Description: Provides the Active Directory back end that the SSSD can utilize to fetch identity data from and authenticate against an Active Directory server.
Build host: x86-01.bsys.centos.org
Vendor: CentOS
License: GPLv3+
Packager: CentOS BuildSystem
Group: Applications/System
URL: https://pagure.io/SSSD/sssd/
OS: linux
Architecture: x86_64
Source RPM: sssd-1.16.2-13.el7.src.rpm

Provides: libsss_ad.so()(64bit), sssd-ad, sssd-ad(x86-64)

Requires: bind-utils, libbasicobjects.so.0()(64bit), libc.so.6()(64bit), libc.so.6(GLIBC_2.14)(64bit), libc.so.6(GLIBC_2.2.5)(64bit), libc.so.6(GLIBC_2.3)(64bit), libc.so.6(GLIBC_2.3.4)(64bit), libc.so.6(GLIBC_2.4)(64bit), libcollection.so.2()(64bit), libcom_err.so.2()(64bit), libdbus-1.so.3()(64bit), libdhash.so.1()(64bit), libdhash.so.1(DHASH_0.4.3)(64bit), libdl.so.2()(64bit), libglib-2.0.so.0()(64bit), libini_config.so.3()(64bit), libini_config.so.3(INI_CONFIG_1.1.0)(64bit), libk5crypto.so.3()(64bit), libkeyutils.so.1()(64bit), libkrb5.so.3()(64bit), liblber-2.4.so.2()(64bit), libldap-2.4.so.2()(64bit), libldb.so.1()(64bit), libldb.so.1(LDB_0.9.10)(64bit), libndr-krb5pac.so.0()(64bit), libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit), libndr-nbt.so.0()(64bit), libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit), libndr-standard.so.0()(64bit), libndr.so.0()(64bit), libndr.so.0(NDR_0.0.1)(64bit), libnspr4.so()(64bit), libnss3.so()(64bit), libnssutil3.so()(64bit), libpcre.so.1()(64bit), libplc4.so()(64bit), libplds4.so()(64bit), libpopt.so.0()(64bit), libpopt.so.0(LIBPOPT_0)(64bit), libpthread.so.0()(64bit), libpthread.so.0(GLIBC_2.2.5)(64bit), libref_array.so.1()(64bit), librt.so.1()(64bit), libsamba-util.so.0()(64bit), libsasl2.so.3()(64bit), libselinux.so.1()(64bit), libsmbclient.so.0()(64bit), libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit), libsmime3.so()(64bit), libssl3.so()(64bit), libsss_cert.so()(64bit), libsss_certmap.so.0()(64bit), libsss_child.so()(64bit), libsss_crypt.so()(64bit), libsss_debug.so()(64bit), libsss_idmap.so.0()(64bit), libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit), libsss_krb5_common.so()(64bit), libsss_ldap_common.so()(64bit), libsss_util.so()(64bit), libsystemd.so.0()(64bit), libtalloc.so.2()(64bit), libtalloc.so.2(TALLOC_2.0.2)(64bit), libtdb.so.1()(64bit), libtevent.so.0()(64bit), libtevent.so.0(TEVENT_0.9.9)(64bit), rpmlib(CompressedFileNames), rpmlib(FileDigests), rpmlib(PayloadFilesHavePrefix), rtld(GNU_HASH), sssd-common, sssd-common-pac, sssd-krb5-common, rpmlib(PayloadIsXz)

Changelog entries (author - version):
 - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 
1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 
1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 
1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 
1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 
1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 
1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen 
Gallagher - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1

- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing

- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key
- Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled

- Resolves: rhbz#1602781 - Local users failed to login with same password

- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped

- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password

- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails

- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found

- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers

- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries
- Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet
- Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd

- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7]
- Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page

- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client
- Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5
- Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully
- Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed

- Related: rhbz#1558498 - Rebase sssd to the latest upstream release of the 1.16 branch

- Resolves: rhbz#1558498 - Rebase sssd to the latest upstream release of the 1.16 branch
- Resolves: rhbz#1523019 - Reset password with two factor authentication fails
- Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an empty homedir
- Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view
- Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override
- Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified
- Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily
- Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute?
- Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used
- Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id
- Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal
- Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users
- Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set
- Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map
- Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.

- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process

- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION

- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION

- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed
- Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True'
- Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated)
- Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option
- Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing
- Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set
- Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]

- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache

- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash

- Related: rhbz#1544943 - sssd goes offline when renewing expired ticket

- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems.
- Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket

- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server

- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set
- Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]

- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust
- Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc..
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]
- Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0
- Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache
- Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads

- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert

- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card

- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend

- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card
- Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user
- Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads

- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests

- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps
- Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view

- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log

- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation)
- Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc..
- Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time.
- Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls
- Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release

- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different
- Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system
- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available

- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
- Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5]
- Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem
- Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout

- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different
- Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.

- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads

- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache
- Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]
- Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss
- Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs
- Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules
- Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search
- Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different
- Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.

- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+
- Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server
- Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable
- Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default
- Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline
- Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser
- Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError
- Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets'
- Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder
- Resolves: rhbz#1464049 - Idle nss file descriptors should be closed
- Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh
- Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline
- Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4
- Resolves: rhbz#1479983 - id root triggers an LDAP lookup
- Resolves: rhbz#1489895 - Issues with certificate mapping rules
- Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section
- Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only
- Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5]
- Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache
- Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server
- Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied
- Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter.
- Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis
- Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30)
- Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder
- Resolves: rhbz#1489666 - Combination sssd-ad and postfix receive incorrect mail with asterisks or spaces
- Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to other localname rules

- Require the 7.5 libldb version which broke ABI
- Related: rhbz#1469791 - Rebase SSSD to version 1.16+

- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain

- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled

- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information returned by the KDC during PKINIT/Smartcard authentication

- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in

- Resolves: rhbz#1455254 - Make domain available as user attribute

- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password

- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf

- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15

- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD

- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option

- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer
- Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections

- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.

- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail
- Fix Coverity issues in patches for rhbz#1445445

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests

- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail

- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code

- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option

- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains
- Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate
- Additional patch for rhbz#1440132

- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient
- Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4
- Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3

- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15
- Also apply an additional patch for rhbz#1441545

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter

- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package

- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches

- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides

- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains

- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.

- Remove an unused variable from the sssd-secrets responder
- Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http
- Improve two DEBUG messages in the client trust code to aid troubleshooting
- Fix standalone application domains
- Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces

- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes
- Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users

- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users

- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name

- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used

- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6

- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present

- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11

- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps

- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc

- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http

- Fix off-by-one error in the KCM responder
- Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces

- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh responder

- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users
- Also backport some buildtime fixes for the KCM responder
- Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts

- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html
- Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries
- Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure
- Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode

- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser

- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html
- Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack
- Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases
- Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider
- Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page
- Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app
- Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo 
user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. 
Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains 
provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. 
- fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators 
from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. 
- Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user 
even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page 
or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on 
individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with 
--login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? 
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 
upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in 
function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views 
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove 
password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: 
rhbz#1109756 - Rebase SSSD to 1.12
- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder
- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder
- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder
- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain
- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain
- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching
- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest
- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup
- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success
- Resolves: rhbz#1078840 - Error during password change
- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux
- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration
- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes
- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40
- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used
- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly
- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path
- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider
- Fix idmap documentation -
Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache
- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example
- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example
- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value
- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache
- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces
- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks
- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7
- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default
- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users
- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not
- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default
- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect
- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter
- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does.
- Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites
- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC
- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin
- Mass rebuild 2014-01-24
- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain
- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out
- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter
- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir
- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user
- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir
- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user
- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings
- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20
- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used
- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword.
- Fix two memory leaks in the PAC responder (Related: rhbz#991065)
- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup
- Resolves: rhbz#1049533 - Group membership lookup issue
- Mass rebuild 2013-12-27
- Resolves: rhbz#894068 - sss_cache doesn't support subdomains
- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read
- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog
- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups
- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested
- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"
- Resolves: rhbz#1037936 - sssd_be crashes occasionally
- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read
- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok
- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy
- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb
- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in
- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains
- Resolves: rhbz#1033084 - sssd_be segfaults if empty group is resolved using ad_matching_rule
- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage
- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes
- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with
multiple CN attributes
- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065
- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group
- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0
- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065
- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065
- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries
- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log
- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting
- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable
- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1
- Remove libcmocka dependency
- sssd-tools should require sssd-common, not sssd
- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year
- Move sssd_pac to the sssd-krb5 subpackage
- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV
- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0
- the cmocka toolkit exists only on selected arches
- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA
password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)
- Only BuildRequire libcmocka on Fedora
- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current
- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any older krb5-libs version
- Enable hardened build for RHEL7
- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in
- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name
- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1
- Add a patch to fix krb5 ccache creation issue with krb5 1.11
- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1
- Split internal helper libraries into a shared object - Significantly reduce disk-space usage
- Fix the Kerberos password expiration warning (#912223)
- Do not write out dots in the domain-realm mapping file (#905650)
- Include upstream patch to build with krb5-1.11
- Rebuild against new libldb
- Fix build with new automake versions
- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]:
Credential cache directory /run/user/UID/ccdir does not exist
- Fix changelog dates to make F19 rpmbuild happy
- New upstream release 1.9.4
- New upstream release 1.9.3
- Resolve groups from AD correctly
- Check the validity of naming context
- Move the sss_cache tool to the main package
- Include the 1.9.2 tarball
- New upstream release 1.9.2
- New upstream release 1.9.1
- require the latest libldb
- Use mcpath instead of mcachepath macro to be consistent with upstream spec file
- New upstream release 1.9.0
- New upstream release 1.9.0 rc1
- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3
- Rebuild against libldb 1.12
- Rebuild against libldb 1.11
- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304
- Rebuild against libldb 1.10
- Only create the SELinux login file if there are SELinux mappings on the IPA server
- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)
- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server.
- Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds
- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options
- Own several directories created during make install (#839782)
- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten.
The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.
- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders
- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture
- Fix accidental disabling of the DIR cache support
- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging
- Fix regression in endianness patch
- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol
- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6
- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests
- New upstream release 1.8.3 -
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information
- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools
- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing
- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup
- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work
- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the
IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc
- Change default kerberos credential cache location to /run/user/
- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider
- Rebuild against PCRE 8.30
- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider
- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well
- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider
- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.
- Rebuild against libldb 1.1.4
- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections
- Rebuild for libldb 1.1.3
- Resolves: rhbz#752495 - Crash when apply settings
- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts
- Rebuilt for glibc bug#747377
- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.
- Add explicit requirement on selinux-policy version to address new SBUS symlinks.
- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.
- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly
- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code
- Build with _hardened_build macro
- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python
- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 address being saved to the AAAA record
- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP
- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally -
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)
- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs
- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer updates for Fedora 14
- Fix segfault in TGT renewal
- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with predictable filename
- Re-add manpage translations
- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially nonfunctional - Fixed an issue where the user's full name would sometimes be removed from the cache - Fixed an issue with password changes in the kerberos provider not working with kpasswd
- Resolves: rhbz#697057 - kpasswd fails when using sssd and kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status
- Fix %postun
- Fix systemd conversion. Upgrades from SysV to systemd weren't properly enabling the systemd service.
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed from the cache
- Install systemd unit file instead of sysv init script
- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist
- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider
- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
- New upstream release 1.5.3 - Support for libldb >= 1.0.0
- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes
- Rebuild sssd against libldb 1.0.2 so the memberof module loads again.
- Related: rhbz#677425
- Resolves: rhbz#677768 - name service caches names, so id command shows recently deleted users
- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf
- Fix memberOf install path
- Add support for libldb 1.0.0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage
- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during rpmbuild
- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just a user information lookup - This guarantees that all group information is available to other providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options - Assorted bugfixes
- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those platforms where LDAP referrals are not supported - Added support for manpage translations
- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade
- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf
- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base
- Fix incorrect tarball URL
- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated
- Fix pre and post script requirements
- Resolves: rhbz#606887 - sssd stops on upgrade
- Resolves: rhbz#626205 - Unable to unlock screen
- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but doesn't require it
- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib
- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate against LDAP
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection
- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide
- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP
- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos
- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover
- Bump up release number to avoid library sub-packages version issues with previous releases.
- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to their defaults - This impacted the Authconfig UI - Ensure that
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)uk1.16.2-13.el71.16.2-13.el7libsss_ad.sogpo_childsssd-ad-1.16.2COPYINGsssd-ad.5.gzsssd-ad.5.gz/usr/lib64/sssd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-ad-1.16.2//usr/share/man/man5//usr/share/man/uk/man5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=9512a6e93ee6aa6374b0352fb7d6a3533b7bc111, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=aedf39320b6fab4019ab5f32f83d15cc24b03020, strippeddirectoryASCII texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with 
very long lines (gzip compressed data, from Unix, max compression)