sssd-kcm-1.16.2-13.el7_6.5> H HtxHF\P ?*}}PvREħ

??pd   H  2OU\8 F T p  ?b?? ?(98@ 9l :w >?@GH4IPX\Yd\]^bdEeJfMlOthuvwXxty7lCsssd-kcm1.16.213.el7_6.5An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.\Pbsl7-kojislave01.fnal.govҍScientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fi 큤A큤\P\P\P \P\P\P\P04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba107c21289b4e97d552b64998db42ddf55987e0da3b8406107abe354bc95328514117b248da2be8951a7e5ccea7e68d53db4f7f1427c613176584e80b8927a65f9a4295b12ab9de661c674eedd60c971ae1355b8e7d3b0a2388e7a4c23aeb30ae3191b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.2-13.el7_6.5.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.2-13.el7_6.55.2-14.11.3\@\@\@[@[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.3-5Michal Židek - 1.16.3-4Michal Židek - 1.16.3-3Michal Židek - 1.16.3-2Michal Židek - 1.16.3-1Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1659507 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI [rhel-7.6.z]- Resolves: rhbz#1659083 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust [rhel-7.6.z]- Resolves: rhbz#1656833 - sssd_nss memory leak [rhel-7.6.z]- Resolves: Bug 1649784 - SSSD not fetching all sudo rules from AD [rhel-7.6.z]- Resolves: rhbz#1645047 - sssd only sets the SELinux login context if it differs from the default [rhel-7.6.z]- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.2-13.el7_6.51.16.2-13.el7_6.5sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=a165f35b374dfbb04b6dc3dc7feee7512ca0a060, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory7R4R0R8R!RRR6RR RRRRRR2R#RRR R RR7R.R%R RR R&R3RRRRR$R R+R)R,R*R(R'RRRRRR"R-R5R1RR/RRR<?7zXZ !X] crv(vX0}iM]qPT2[!֥ @(XOY!.5.5ҚvK36]@n@BG?_Eg*_RGW!P茬zDF[Y Q5`%⛙ĩVdTj#b\c<&T!KnK6q%z {ш]I<;x~?`zddn3oL]zW'6:X{\Yܒơi^{RdL>Uc},}(<ڍ;޸u:Ãi AYtt`Y0لf]M5(fmth+R!|ooм8b=-`^[ikP]άuW} ˡy"GoK ڔq$b8/&n8RήCDIhnMRXа^ V?wc>KJ@(GUem#UP^14F~.(nB(8 h>mN%Ѹry磠t]IcG^ 5Ib6y, gw|qv{8 tC$8yn^rV9.~LG>f7(p9(rMnb'E=#]"VfߙA WL niy {UdaH3u*4F%|(hydtl !]]v폵#A?7㭠?h3#MOTAx7k o3,Ioй?M[~MdOPX2&g%-KRR9te !ͳ' 8.c|[qE^7HI2Đ ]<KznLy__t*`צ,G5a:P!";-Yvǐ ީ/P-.>W;"ҋrY[kŶyeNfwG ޟ>r*ۇ=5iNsseHh#Tݸ=:dtl"pTsF{C:-hn PE4p((/˳_ίr B$ `E w,{p8Bu;}*&H4bdC r<$N%gGJCr0D 4f6 T!QToΒaʻ5B#5m:ehKf,H7, KR۵T'׭_!mݡikN$@e]㿒젛RMȤ0zSc>ҝRjn ANʑ4fEzlG(q܂17Xx:]H2?\E.`7 #;EF\ӓ)#~(ٽSY>aB}9A)AAkXfUp0T7K_3nkw;%AI;䛓Mwa^Bǵ6ĕ ؀@/,RJףo9&[3(vjSUbx)#PSJTg8خ |mpȕhH <]d(Y'`3f*8[*CyIh2]vrJL`).7g9RNHWOo4usbۤ'ٰ\.դ}%7hǵvЙVMΆ"o{o,eCsT~f'oԝL fTeǕEo6uJUB dZ;8|f?w-.Q)>̓JgG{P7\X/3~͡Wi6մxVVٸq[VY]$%vXX 18Qr Xi5QQU`@VMϊ5'd*r m As[}1 J(x+A{~k-KcVGt kn|5l26Dqjs1X0_ޖpJ(mSUf;%*^)=>MXϲD!Alˇ @NƈZ6[qL(=ShUGc5*18L@ϖ֜}ljji [U; Xƚ!M7&*EJ"( 'cCY̅;t|nɽdl5Q}d(NvLB~6C0f*Zti&nߘ y/Ǹp3@I:8clL(N-'܉w:p9 뾊\-|7p2+Deps-øcY5 Yɷ!ާ,}71 \z)ڂ ~Z##R$1ud1 y!D7Z V):[yE4{ E]UZ&۫Zlx{~sh|33&ɫsCɩLMc:;D*ۜFx:(vCq4iOs4駞)O`xXPܿ\!yMDbgujĊ)i 8%CUzQΘS>gϼ[UQpHNI`ڡW8Nue™\PO҇{K%Nw.wItp>nB7;MwET%K,QIZZO3k;ئ-${@̢n,NoRh|~ G UFU| G:![y&]*9荹{C((5vd4XI_07dtKGQJ /KLR`O:^KKz}!K/UC^Hf8u ]Sf$} 5Pݵk7}k'(JJA!o!kyH5J@}%*Q{BQM{4vrU]ZSH bk3b0?i=mx4+lR=1 ~~8hF4vte}!G\"t]RL[ NTIE{iX7J^W #6mZ*!m8W%[aal^pU@Pmv)!Uayƹ@E 8S%6q : "D4e }C@_yD9ԨnFA_8~&^k,97=C9/t\}Z" ꦥyg۝"HUِφQQ=CU}4\k)(-ݲf\ӁM0‡}JljK!i19JzN6 g{_fHu!YfуlzMSa 5*uPNY4Ii,\[Dϗ->su!p,Z(: 4Im Ա] $2 Gm5rɩ~U}r-fSjRҩFK!f;Y'O7FRyΨX9eET ٨.Kn; ae5pnM]벯'r"ac9d* + ӱ yHKf^I05ZC{\jGzN(] v 0I~9-ȵ1EdYZ{gps%xSLICTRI A +>͐4HzskW' :WcqdctBn0_ټYNT8 (A2J.:ts%.F.N#]*CaqGYT[eGy /kyҕ8gHsO+}Aw' /Ww2:U;Oc]_ş&OϚEkZ?x)ʞf󐁙]/qS&wB;iZͥ}iX iDwD3V@ˠu#*(,5]E1skUԜ_δҹ_'H@I0_(\4h.ز/MNkg Q{5[{߃YѾp~쀜c O+ƅu%6D)U(~VQ#y1FeEʲqu^ \/UxEaYi.Fdَ`7%ôjȶp!EP[$6lw'ѫtr/l\d^sڜ5TDTgC\i Uee5I01repyahA~s@ٿޱmJrPq΢^wШӎ׿ T@JSvȝ|=e՝> Lhýx *2@XVqDJrК܄ Ԝ͹Xo5w'NZUamȲmF{bGMXv\go4X+[/<Z2JG6L`n1pw vmhE E;849'ŧwk! ΠχOc퉜6d?}D{0vr SkiɞRE4`F#.ef}mAFmdmײW%nS+ H!C@,;yu̘د2Vʩ.w4hBqi=0{bB\ΞR,ϝ:K@b_[Yܔ^A×FX 躶ctVL(İ0c:>f欹5ηoaGVcBū-ۖMcipNqXHCeoJ :c9 yBeD'ު֖?$G#%a^eUxIm- R D3˼}Ny'f-Yy::?J`lrf 'ef#k7OBt{Mԝ."I Av4 ֜U"ڃokY`B{v?=mE];*!4DXe6ަ܂~2Az[=sjCn>1Q:UX:>i's;"NqӖ޹beuY:h@9&:@[~ .x Rn- <7xtRQ{M9h|2*Zist9ӄpaYV@ 1"ʜ| pt Kvښ"<\%+܋25<5)UEx*2 \;: Α0tQFXtbb4 a䛘6IKQl޴˹,VaQ6wYɐlKFq= HZ8А^J19)᭩.Oً| &ʕRVQͯΏ|ܔLA0 {+NiIϦu3a".ugM}ry@x^oS>AF'ћ1pQ z<1wQPT.T:@gM6PxNm0͈fR>D(yL2/fXl?cԖ r̓C5`oNf"}0Ǟbu|(;[ gA#V,ha1X_`R6,{M(rcsv\TXxbO`^\m58< 0˥3 +h}.CtFHNZ2&[IJho=:pbq9x(}7)WHX{6K_ſ]D=Wq'Z;xX*£Nˇm}}Iw :ЄC\ <ݱsOboPY?$2ťU^0_Ԫun܈isP梀^'sK#ݘGLTFQ4&z8d w/Gir"C?~!}e)'Ns9{.v=0v.`]b9pM7d e {y{Lqi vuBƗ<9:έYu_g۔5,"ufE 7m98gRmE'uĺgmdvwt%wl_o`Q?{U8DYZjۭ^,7X:L%QG1?o$&otu~zK?? O}Qo˳;wORQ;p~Dˢzz+,R @T˅ &l=q<4$ $6?V,0RԦ`t溎W52wo ~!V(?+c#=1W.m!k@rJBq2Xfsp4vOE`K]zXnˌqR{#OU>Pet6@ǓR=|\Q*yn⊦/CaND@oP sP`Tíj/pL^-q>bC'hIge^H/bzzv[1&y(3f:n^|e{WxQk4t2o8+{ |d0Av8 N|[UMt!9g8 3iD.-Q @X5"J¼42@VRǟSRvޅeinƧ8"M}nm!v͝^`ưVS޺eC@ Vfgc$Qri~2Ùt& wNfM=U4@:0T)t3=I!66$JŒ_#GӞЊZc cwcz~kp qV }Ͽ \"zڈGz<3BUklr.:c-P䓉 A(VX[Gǿ2fn^~5:/9e!zSöȝD4@!5ebBnMf"M_3R|tgM<-ƞKpiti8KKqH9xrUR26xko1GFʘWؐ0K4w_քMry.<=UJs YJ4KrIJd1֖gAeUbw+@c艰E4QC+.yYRJ !įkiVx)|޻Orm=@,̮0iy)DC $֊*t$˥̈i0 ^yI9%ySGHxvJҊ ;Fas{-k7sg)onJc#S@:D=OYtzvuN{urݞr&R'͚Aͥ22zS7nsUntĉvn0{3Ы #.=2?Gj ?Bvm&7b3ab2[džK]jYkA6oyt ^m]EHxUa ̈:YoN`DkuqF ʝ2X[QD'G&(Js^O7yJ.4H#2 grņiwJQajIgӑ̦Kt`:HRřRtMTc"Zwc8>5]KFpiQLXB=P-;ĨYK<`_>SlM`rѿ (cSD"ʕ.mIT[[L8=qpn&o)~vZǾ-f7CnMFZ;͑I|l%ޱ2Λ-c;p}](jcELsexD,jȃض]D _3 hʧr@F -'g|끕 e]PY/E"cwifAJD}.Bisoe]<=YI 99ո!۲҉Ͷ{L=Ž0gDfvܻyiԛ%tjz//Hx J #0I⑃hVdt[Z9&|f e ^a9CkVըle$G "DYoB8n!-".IjrBx#죎mfGɀo>#gY%ʏ}:TmKG g膕CW#v'A(!+zUp#Bmε!!A7h3'YO|4BfXwX.Od63 +/ ί_m:\_Z@w(6Џ{vBS( 59_;jɵldœtR7VaԖ&15:<>٦ݯ 鮷 xWS0I@d\FyaS5 9;ڢOG}@,,a99E욑W+&)8()>UZ\*, 7 ϕߑ֓}ti̱흔o-ܫ<4a?Y A,"V`l~YVzDW3[͚ VZTq|8 9:/ߧz u| xp"oXBfD 2>Pq?%mCZM=j 3/:ply,j20˓G9'5 `=D]`/fl뢖iKIAubLD^ųޣVLI^ob2b*]B'"T\ny(x)6ܸAi.s9ϐA40隤UcT޲6+(-85uTP7uPl0y'kVZQ>\o}ȸٌ b&;r f GZE-QQK}8s] 6o+h}ѿI5C_9]/1U|YjmȲ𐮰L 5lYd4?wYű1gXj.-ͫ}ihC=4taPs,Cy`kc`q ;VP DABdEŵ(hIx /vlo)eo(|C5)tKm%&Wj )}W _H}IEonnoc9{c-/`Xop c# PC.Ķ~+5 njZx[Gv'D3 AƇ<4-e{PGpiR/_h =/O>ox% ဲ7K6QB徛e{ᵃz K1ݖ8A5 tQx׸ml{;5x+;";\lG 6z)q{DFfXgekV47NPV(lgZ+S4(HGӦN~OQM4T',a)% W"MEݯpUq'$I ?ltCj'^yVl0,uJ#60YW)XvMBT4gQI!t8Lz~[ǹzn1ˊk!NW(эY^ ى)'zr |'+DsV015U?yA# d5닾{4Wmx (^lv8_c,cI:\][J Xo9 !`Ԍ ۍոLݑH/1est+ ZK,cJCɬ kVP^P~ Pzڑ-awFct {u\txK-,t ]g~cݙ E*OثoHVI?_|2 WM LMl7O=j٤;":oi BFE\%60DNJkˠfSrw)m~;Ƹ7,JNMU%ڟ|#lޒ<{Ex|;ƍc< ׉a-Q.պwk_L&XpsZu$mp]lG Y\PULcP8\i6`~ wq5YoWW/9l(G51x!7= \!BBSd<%_R~r3:aۙ6,c$?Tb(DkS#<vO'c{% ٯOqV˷a_ts[q x.]&L!0nsYCpUϑedPlC\O&ǀ2T)') \YSx\X~?%^G[a>*~Oa-lm%\ҎM#_qu1%}aU'oIV³<,F @&RfDzgyә`D>/ )N/n+~ex/KzYk}Y֏ɭ_PNnɔK4]fRj"ݓs96d;Ek/gW{҄.2n[9\D$4 3tefm '] u-{aoVwvdU(0_GrW٩QʿFz"J@6+gz"BE ]eHjͶ{K%Cz{zдZvҏ{rnSL~'S>'d(Q *&~#WLȐ+uAÅMЎ>+81*\d'.H i#סbhJKw$DRu=?~JG=郉.mC270uiK蚖I+ |)fkz7!"EǻM⮹iIdDŽj0$A0mp 6{Q./|B]!hWs`v";8Z\^1p!:AoAllIL,Iz> sH{5[4t()1u";/_eI 4Uk'ƅAa:fM!k M]8߁8UPǧrTPn!2Paeo' kO>!Wn9\xF{>z?b0{'^H[h2pL$r8곪Rj @O9ش1Tёz)2B ]3opU&뫄+K%@`mS)ZH".1u$+hǵ'BX)`Mtb w>7Ayчb>:ҏ)gem|(xKc+2 /#>Ag|P geBruIQTo6Zx% o _Mg%U{l_ zHY* yn5`˓8U娛eq"@b3ޘ1g*T* ҟ%|{"0y)HCLsG]@Jl1h8)ڛM˶ & aКCp1,J2bB}V YM@}g^ճOKG]X5I-S4`Arp%!?4(I[}3Ǝ> oJhKP}Bn?Ӂ-͙'c=Du.P@ q޷2߰lO^# oXm!uQknc} 3J&H?D/m2h]IKx 93j\A|`c<2@SI06o3c@$%fyc@/( Mڤ5-tK =pĐv hΗy@߻bΨc:5DR^eJ/摐%қ`XH]|P{^p^+ӥ}_ .Pz%BbfYԜOyŢ=7RQu 9AeiOvVܶ+7OKIFv,wU"7WkHHxJ]~h{n]v F_yh@X]lbzz2S6v"~ UpU U)f= AS)zzr`?%iEW&EqX>R5Wx,֭B ꥻ?)D4f7- -8)"z?IͣcAWǫ&Ii&%`HJ)Fë, BG\R%q %m;ͺ>Ì9!߷wbs(!A6JJgmW_R"ģT30X/QMJEQ7 a!.*^N 7l3ql ɦzoFG)PlёaZ^\(^MBG[ qж[!`s LW㾤4'U+NP-%vbe pM^=ԗ c(I.z`l5n+5'S>Wx%+#@n8.va9YyyIwYf TY(EG>r闗QOw`PW7n0Se(!K@}ᚿXȱZD'ۑ Ae3)wJ\(ml^ݺl PвJ+hcuAbFGX_1}FS1*j ^Ul橽N*o]w3v< 6e ]aJJ#mswJ#c?4Oj7]kЉd= 0ɑR?G-+ڧ־<؊ e Th@ !к 6qT=y@{#:x/<'+Ղ؎h0㚷bH5{NF@[Y{anF<&k,)Cj(A6ǵSQ,ggsE`CTmL_ŀ[? QqS&pn!U.g!4`DfQe>æ!ǚK˓YĿE̯WC{ vUxw)l,b?sR>S#\4H_1ya»X;9U܁( ŕ8* KS~iJwE;JϚE.faCFvyUT7оW$3aD윪R"{15nKqh'k]&O4/I}e Rw`Wf,.+n`r8XofdE4p@iuER=z18%q_zG?R Y[UMy+ٝ^e3 >A }?,+{Ez.FvuEXӷE<'7]M ͔%ZzCВWzYlmEa9ؿCe1J6W%1iL`=b]9~#1*>zy0ƚșe3ƪw%/ Wy;ɏmɋ#Jg,U*~1[6BxnR y&K{6@*NĖDW KKR)MJz 3WA$VzDI^$.M}Ԁ`9bC2v|8zaF/gOXolL;d {!L_= B3q;E-zJGmt-AV^I/2n?i^Y1P| {  wdr:Ҕ02m?3[xE58y LV}'aj+pV=o-s%>|.0L׭Clm/ӮUxLup9z[jTS{u"E`QZyB~ Ӟ<mO3gZ峉_'h~I*ss_:]1> YOwB|ys)> &juaM}82^$< ÿ )*jW8b$WZyb(jR.b Jd'Dc%jq;c_4|ed瑧7خQUp/+hhWf~9KCX*R ivE0g{٧ʏvc\IVbT#]vʠJ͢]lԑN$rVd3*-V`*+9s~ϯj6ht7:c8JtNbyn$A5GCn%t Wf_,!Y}%ՋtyNMڿ,AGk< /|&E#k@|{.Dra@hpyG?S'BMa}+/7 ڼpr\'Bh . BHxLuNP-<?/9is3Y|HiPP&DjK&m?J.*8>ArhW,DyR%?$-#Y3~i6ks-!\wߕ5 R懢RR9 tm- S-NNI׊j$C w[Ɩ{I VTș5X,pJ}Brٞ`cg+6& лZzA%[%AY U+HAK"Rq E2m5\ObѺN_0RhzwClIr28us/KvW1&/eSDuce4˪泐gC](:tJYK[\(>>a?L{ 1Hx% P(T*ٜo'q S_'8#FlF5:K Zh>%]Fu #FkOjf;utI NЬ-FO[j6($bG:XWW@'aX.99S 񅥺WAc_\kl@& &o_'6ΡoM9\Y  OBVEjWdWׂvE HaK Y*֩LV !#UF>Ȍo`{>>*8@U{PU΋0yh)FpCFAIBLl ]jlA[z&:"WP}qʅh: kj=dGB*Vzy59P릷1@l}U5@KuRC0:D)[f([XR [ ڧBۤ'ԠV7on[t8tSi3 fEmK,D|^Nw09 Uc(v5LV1nTbv ɰ[Hw= ;N=5K/h'FÏRpՓ ]P1!}3d2ݞ>\Yo3e؀f7k`J$aк#s?-'Mq-t{$eGt؝|VOdO"[ S(lixCMoʵc:d 1҈=E/s 0IL6qqҕ 9 $g Htr٩_6%₆zW-[E9T@6Ԭ ;]x#~WYE(3y 1Xwt}?Sj&Ɛȸ"jDTo*5é*߇ &{0Op91Hka n.RZȸsK%EG `d^0;vB4W6k\Uc`ww]"8kuWa2m~$$\ |IeUHJ (!os`tvV' Bcr)Y2[BPW7@;=$14n#Tł|` 4z8M+*U2z1U;_LeaGmяHr(&nE0?q"۪ҢȜkU C*Vs7^ԥHaBV2FtD;'N6)/%LB%m1+-W0Ju_\T4ɶD{{jl_̋n5$ChZM[-?pI6xCO]Tq9gPmڱ5߱zBP ҟ/1;?E(gBWDW.ݝ;xꧻE"$r EF=u^L˼ei#pǽ2$*rC+(v^+A6g$4fE𚛱vO`"t@mw`o)`6ѶMvɂXyfQqSc\Uc":0PWv{'"Xwu!}%Yqm/;.Aih/lT=6ivc\XZ byWe:śf&0\8[K1!<H>%ʌ:liTj걎؇鐸x+\vZx$Ua1qW o Z)Ҫ~n%W@IQwfdy.%͹c5\"RcU}b^+Tğa00y]OǠ)oWaL&eeJ \V~9zr wO$mD<Ί:Ri};D0h%C'ΨME?!S"BS3oN cGGE,hw I,.1KeTP0t\X\r> g͉Jo8$G9 Z$f@C,M4y]?W79鰒ďֵDo=J>*v#-ҧ.ű{2ĩ\$%WgF >uO݅p><))-{K;M`x!çUs"~0be$ȹ~10]  q:?AD QxU:b"boQ?/]qaϕ@=a T0e ghI st%3XpK EnP%6&lT|\N+FlӖV馇+Z6q=J6C& 6oUt5KfV~bHSF t&!kn E- @#ʎs8>>"'$-u5X:P庝.Rfla&2 @(4蔯xѥhJX{_S.~mIb 6#>I7z=jW+C@/Mw j:n8ŕ6m^JKi.0̋to`k8 ʾ̞ `{ĝz#͙q5Y$Rkfn Q F[QcI$s]`3xJRXBq CR3NY0iiC3SIb3d@8ܧ͒>!;>]\B%gkO0W~oʫ9hvngYJ9Y86t:ՙȹdCZ5FrHV^R.tQqSVZsyJG [ \0Ki;l|7"ޅza r ^KT Ԓ-/(}nhli qIUNv'Ͻqj1OE.m3;d2.A=YY8 ea)`8H2kYKM2&p= %7T)>-k3ÙH0;UTœ~OϲQ~!Vdj@|ȏ:'{GOd KC#VsjCrfkqbCO)26?m$+sJwkTis}]1蟨 DbYF ]rt4mdݣ2a.5ɥZ (HEڨ9 !P&&..bG[FHي}b _`a{dWz͓Mw )7 9&o;ZDG4X-IkxjEﰥLUk!.5/9R$vǔKg &ZzŒ?;xhN CLsKW< ~H ]~H&}֔út>f|mnJ(QYgďe))q'g|", kIm} x#wU3ƤMa&G~hpzp>p<&PE;`j۵v[('ϣ2O2&+.hM}m?Rҩr<h18 ~>Z\Gk ͌m_ii&#e4C]Mԩ04 /. \ 3OBm t5;:iЂszI-z#-_ 7\<O-!_ ZlWb z%;k\c+L!CkѕBNm6aCˍ[`U+S @|bPuulǔ$6FC] ѱ&Z9J_I| 6UGʐ'*HVH7 8l)!>؟7S M(u <+bQ}/suʕF;ԫ)<\42AD،JSJI5n qaW*hIΨPS'V8 8phT~]x8õF`\Bö9qx~*?]5T/spD?.%lMC qCk!`" W^bMYdA8B_6 aw-D%>xbMG @3n/biDi@u6ƓQ5̗+6D~a*{D9fpUѵ2TxKn=Ϛ%sIb[1\RQCnk?B*WwHʤ1gOx8՝1a[PMU1R2Zxp*\57 NT00Wظ)wMl@:_{:>M#9 `dN>Q:EZ-)UJʫ8B)Vhpݢ5n®n3ڢHܑ1 b23jL\`M\5a4|s$9}N2ٗ9:cbGhgKYhn{`(}:{M, 햭PհԸ"wwH 5ASѝu{17 hܔK,l6TrC(kR y[>0[ȍYH_c^9V+K?bZ_ogLUZ x2Iho ~A.2}˓TSc䣢RԾL4FQڎ"K2-s_('kJ3^[F7ݯ\H“f,Vp: UG"M`'*6G$8%CP2|Q 貓{Ghp\rO]2ڵtFg9tdc}o /A~Jmmi<4&hp=Qf[/Tiwh645ɟ %A6D- \*3>*7F.Ήߞ]n1~ 5Q* l6 1KJ|zыP43W=\}mٍ҅VXPBަ2#' ۚTdsbxAh6~6B_K叿Ea]2 B[ɗJ&'ZWooܞ)'Y2(J0PQ<$w)":7}X-.풅d黼d1p$h t$\qg: 9xE6D5Ӯ.֖ 8O0@Q??H$۪Hg4qmsXe-R 5w={C+r ZHuF ~)MlHǩab=L-V:ЛTlњ*(3Q5P`ܺIgZy=5d 0mӶ nǹ,8+>NtXE. lȠ}:ɚAG.1#҈C. PrVuuF7A_&] k"<DѤ3)Hecz3Un Mf8Dø/C?^)̿GfuTyK)6lP+="Jt--nv딬Tfv6?z׫f(׏bzkfsßD ʄ vO_PJ"ê;u3pJSA'Vk x\) <JނB2AS"p&†`XRXm,͸2 (t[Ke^|@3a *xhiӃź5XI5Tت[qL(碢yt#w`U\CWgNDUGxމ ap^V^UY EYmsʞm(r0glNr!9Z򥞍Pv%Nd2^Rl'>9*9I#{ ih q^&qEIF?ֵ@x( )͢:qt &BV,M>G1^.rUkpܱ)Xps6ԾFiye4TFCn9 kD-Il"|*"dQUڴԟPԦ/`!Nq+Ldh4 `H!>$AN0y>k^غn °|n ,~ú-G?UZo%,GvV+vK|G acH_:p{(g4MX{<>Z׍"p0[r >dW٣w.3O[޻(mP`]tx|RNјd5ǾxݚΒt$RAL^! tN-g ҍu #05%pv"*83ft~zsJ(LDguv{ya*nIr[9IKbyDttF2xaJoL1>-Uz[KN2Ewf{vf]:#o0,.Hy5͵fTXlcƎ=ޗ,:ڄq~ P8){a; ^m_msZ߼!'@ybdSژ)YVAYz}ɘ}-6(<;XZHf>FfZӫrD/͖nn➶)NN)Dlt6(ܶzY!xui)+XF-4E~G~m&2Z}nRhQ6Nnm.]xt㩬w&RC\7j+Go,K3K@b)RZd"WCt Љ?iPe F*}j{tA|iCؑ 0[i.c&u`]k󵇗=Y2)J{;RD}xac=K1x/x]O'sp`dUɸbh<]T15[[Dz" n9o!7@?j^ )YmuB}#H~$y_vϗWc^3`ِ+l\| /Mף*.YLH0 cl {E0%pCQdN#&D!QJxC-gm{^_GF7(d5A4)]z]KG­.m'ɯdz#4辽0^lU QJ?lo> |INPif1 I۝|\:sD|Nr1c\|T۩2rv ?^3+')A뤴|W;'tp]vLUU~F7HJ\:;Jucâՠx УrM;+kȾJhǏmM`MlQWcMbFu&ņtU vA3kZϛmdj⿣˪E_ KxK{a4keF!^#/<½eymnTV~4E9`uN_MjhaYí`ecqU!NwBm_>RkfS{VNDR%=VK[N?i\˯wo&9I~O ͅ6cנNJ p31""rA=p>=ec !l ^xixNZ_j}$/5oǍ6jI ΰRdkc1lZ|ﰔAkpk.I,`'m @ \\0F/2c Vq@4̨s9zNi Ԝ1f@ )@1e8J,iϒM5q=7kG%ܧ0!>t ,c~y9<1= l3*fxa"WCB1 /2 Vq${[ATiɵִ9zI.MU8)7'kTj闩MBARԎflF{:oUD:w/_N4q%/x^j|3ˤ+~4@8 qjH2Z$oxpx64: nF}24]d uYU>@,tFѭ^?p(xg9D6ǫޯ&Az *#.XMC 5ॶ:mgMʅjo\-c~%¦ݛN}{\e8|) vbu05: W [/?S7F+\Hg%W_&x*L\x=RhE+/Ԙ $͈끶ֽMW5'f*γi+`+>e'/Ę %j.*ijr Kg'ȶ%Pħ bhȑmRZBiz;~(n^ePiXlu: >ӏ27}nA \8)Bmۘ9 pq="SMUwyHg`v:'hYq|~99:ujsZ _2 /;~=WF_H<h:1GOc+,wW+0qҬ/UeLsNfHŬkQjf([?j m1ƒ1gE,O Lj*,T ς]Vbq !< :P(,EIfKrK~8B,p)4D4 ^¢D} !{EWX :-g%|^ *(`3Ml.+6 '[we;v " RJGe- tu<}t鹞ea{-I\XH%ƹ ѸJ|myΓV@(Q΀뜃o5Lj6.(Tю }={Tvai=Ke&G=$jiSUr'\rQ!▧M}J*J&LbL|_=NDe$8wR SICXT8P*"|Gu\>H(51m0~/Kъ ˠtG?&=/ +1*jߦnj|i67p!5g2? "c긁t )x+˃K: P>a(D4U#` |>4;>mF(θ"̡48nQ:3,nd\r\v (]~ǖ:zH<`V.j{O*jco';W9Y;x&Ywj>0+fQJ{ʅiU43ǿK5?K ])`@55UQ$ӛuLdiƢb&2VMqQX#8lΠbN<{i[*@]2Q'vc,>`lu~4"*p兯ӷ!jbc#?WR./dvyД^wM H r^Ղb%ѾYCj-$A ЅcmʑθE=PTHK}9n4/UCȯ.M>r;'֬8pBwpFftLqכ)ڇ@IϢ6QOj /l5gV2Y/]!Y]QŎ2jquNFtc|FMgs/tV-1N"رq˹Dqq=ǘ`\RceVNj>ٖȣ{`F&Zqq'K:2cZT}gSn9d#rY[SHa:s1|Mc2!4\,DW7ES+i:1% yL/}]wQDzZ_bt},>=b i#e-OF :C#־W l=y?pI:ĬDښQ4v|T\""\HnddKYOX.P KiZq>@cF WfWe&* > MC,3}Fl.~*" s膐B=MUՌ` kD<*H0vh~KIßP@"{Kˆ0b,j롢1+%-X FGJzBR `T ^sF|2αc`0'4Nrbߞq%knvh iwHc6?~sMnl#J;@/w+!(zNA J7DXK@VKuf_%GppP[?AKbji4MI\Ow;y$0p~,yZ3-fgغa!Ægh> w|½!)6T2Z!13A}Pd|:Fp#w0F|23VBl1} A^ܕ DLץR~I5w܁{]E-t}6e>Œ9X1Da[fa_Tj> ϳp Z8Q!&*RpCbzOVX_#>D8;mF4PC(\V:PIvW¯E%3Ŀ[`SJXЗʓB@Јh0:*{랖AVgIDd|~}#/s$-q-n'Igcеv"Q?2wq2dvG3F)TSfX˜ژr`}#FHTr`B@7;$}_%}/k`O=s+?7 j%dB)YCAiyHh.fAm/o~&v$/`Gm j c5cbA7~Vn.:Yiܸ¬i+eM(me/MR hpℙ8ᔶ}EJ4Z^ؓ|I/S?FӍ9˨w^++O 79лqe~HGL4eM ;V V 3R-Кe^w,>As!3xPANiփqyi?糫iu%谒@xѽc3V:ྒDQ Y,OVGђQh^4^=:FC=|%ڨEf&\s< qfl_YH.Y$׮ S[؁g*#A_^%c9_aVs]):> scq\O2JIth r0;!g7h؅10h2Q[C i.&Wðe)Xo $\~lʖgyĪnQ$H{~dI|B.v7LS¬4D)HZ4%'%:6T.99Wϊ1V~J3n|g;"% 4! oSKe}Hk(_;#n%-zP4/jI HQ:#؟{+ÿm ;(x@>.º,yj|h\TZ8hT)Z !3' hy}u7T/5Ql;pUuFNUR$ -GݼI&3'YZͶF3IkUs ݋sbyGVO8jήbrzq_80źo83/沿uo*Q(r;:g*{d3KOqCo!E2k'v!eU܄u\Xom9l贛DyCE{A$ϯ-c:ak:0xPM$Pmۆ$OW.(fjܬoAH7(%tԌglHs3vz6l3ddy^3Q#㶤KjۇrJWc# ϝcOx{nŶ1ޭJ@I&40׆g# h ju.} 7)dc}_F?UͰO/!$7}ZC ǯMױԳxϸE<7u7wFBiInZ>sD*x+5v`HZ.u W.8hZ .|vzoCݳ-Ow˦"A X45R\ 8%Ӟ)Y}󛃴i=jDQKYchaB&=+Q(Jo7!|O*2%<^\)ͣ9AB"$p VHo~6~:H] ?N'4;Joy?6ᪧZ,ũK!E@wRsجHIXͯpĽ?{#CU츚_O5~-2jP HnR_=4huIsPD6-],gͨK 76`X(723~fT20&~!h &KvC-unxp+`?"(J}to+3]aljc:jgu9ձji2EM$(/xPNٞT@L{Y02f! w2钸Kש 9X4ՉY9UTpj^e[0P<_w1ݷּWE.G4M=tbgCȇp㟮lpTt,zS^#r؁:[Yp~ ͘ϽS砫n o b$C_ `1 D-Ckhg5<&㝫fl)ZBB J_t e(Ԟ!^KQx>Z(Ϡ3^H8c+w"tW;_6gŪzڃL ?lBވQTRr mEH#6Fe'fDZ½|~Fi˔Xc>f&yEˉݳJ* p#rkylIUېu/<>ﹶ`(fPFEznW-, oA g (ܓtsR~XSX*]$Z`sd4aip/>% VavS"w3S[w0AS\{ |$Kid{C/ INJ8Zv*{_[>G ֣>B5(?e\dJe0u!^h_Z {z,V {Z\D G˨g.@^6 ֚PoY( z7s(:Ւw{h1ܜ U12]]e<XYX8 Sia*.Q[Eόvɞ-3e,/Kϳ%3\K!⺃sFZٙըBv,G۔%X+SӦgJEO4>xrd@TuMH#_X/PL)+tM(J= *;1( C^+ fd5m q$L3C| i&ki94=",'32P5O "ثů!Ge"`Kmݎv44u&="{kq)H4&:/<%)7# 6_x+|Ėu~Sψyx2VOw"J`E3ƥK U.4ayz Uic""ԫӨÃүpc')H/lE _Dָ~(z\F^{]Ѽ%]4L`[ge6B"J~K5Us> Ja9|F*ǩ!Ϛǧv^N/خTU r ׫D__)dCn'|D3 .A]qE3F4]gͶ-| MSI.+uÂ>U*G8FA삓d lgaa.,h'D+Ii#9\jcB0yCBπ~kl'Tψ^+W/ j%vBNOEg1*37{OB8*e(Г{}]ŲDA1+С)5$s^0*Lu} p5`NR 僚?w*܍XCϦ LVjHYSH)Zdagh_FB))V6_1kq--aj4) i"<]P7UQ 3K=<00Y#T~*izprү)a2:SIeTӧur6岢 ;-orÆ>=e-g բw鐯̀kd@pbrX`̈3`hOE+7[sXEk"4;q cZV5P}' X_Ed.%ũC_IQQQ'2yl2M -$%i9<_Š50*LTҢ+o"qohc{ zpń CA:ƒr<]sPK.^gVZC`e'DrB˘!N?7>qi*4-|!t9%j]W[b Xӌa-G1่/ѼK#>3P] =[ÒA)ynWͱɱʿI̖xʾ8૏A-^=R$+ E0B5( y9zVPObHZVQOӷKWGi5R!Ӣw VYua f]<`5$mx(#op`#TYϸDֹe3<&uy} ,]^<`˲qu2 +-;U@l NPD16s*d!u;YP/Y_!(3gt/hrPRz z'\IJb]gOWС?< %# S?A0.Ϊ 66٭Orv!TXDk+o~zye@r%ŕ}+XpG/4 &iqYYCm{kZ_q⥱k3 $_$uRgJ/)4qb oJ <1C;1c%ʶDF@L#Lx-d5$N8 F9 3Lvy9JD h~C5 ̵H7($@&q ,⺇Ǎͳi(C)jMk?/dmG\ ?gfGZ)P2wP2e/1HOD_㪰zWd9/}>v*}B㯋3VP(Xp9[|faڴ 2[OiĔ̊>'6R^Uu ֊Kw7$Դ Tq+u*ISP!+F1*1ϝc(w] .g700sc**V^ߦ?lƘ3WN/Zwh2q9DG?|Gv:0Bо9 ^i?!K!0LAS"9=_w`Xv$G:@φ?!TKM._7j1[jA 'ILj.c֥w#"އ0'iN[eH-7x/Vvapn`6ٳ֨B1{OYÕ<$ؿRQ@֚Ǚh C=Ox!qiEs F~I$R<04<@}z"BHY"eaN 1>WŖ{?lKV+eۏ{jA>⪄(_mr$"J5Yk++t_ITA1 5aGq9Rhb Nkޟd -J/h$W`ݶ~R[U~ߓXn@{ER[ wn]}7e9-í mH$lZvI%CGߗURDIXRfݠ6C'N4Ķy:-uʷu\,V6u>ž^=@z-kmꘇI) .mU$O‚/ߜΣ`Y=?I<~Ճ^O̢Dd l&Y 2@E}יz8E#I%->mUnu+:qj/ƹԸ]PIb`{5W(Z%FYRj)OGM*`mGvI5uo{S3cy!A6CPonxíョ4@n=_oV+9PX)YmP (H/( &$g8ᬯ!msMPI)6ҟ7U:o!\kWݽ=),Av.nj_S\Exa2/8\dcuq:/QyѝDs Ft c8P?y[wW-~Gx6,S3XjNN3 ;rdyӋ)Z"l(\hXGf7ăRS7i_;B1u_ɳwp, e޶\/&(<7QKHvoamUtBF!~T=Ի%p X-=#9,]UTKAݝ1F+$ f߄%?YxvVgcӈG„fydW'Nv1Ҹa)}zw\pHfչ)Y(4Pn~PDVyY^|D靽I&H5ŚoR2e Y<+n 0k5\HO0I%KE|5p(nƚZxw諶HyB0&S+hwƣ#KZ7 V'^h% b퀋@Q8 ӟ?)h5cT oR4|9q:ߔdQ%LTehd.M3C/8>6SlnժBXM\2 6+?)XY'i ٙ=e[zz[#mOij> Uq!-;"h3^*iE ibJܔmXWJyc!z뫳\oOfPGbHik>V^CER^10441d=2c[I׌vڜ %v=?D(hWa5D d;ERz%ѣ\Mna`զQ^P4S5i͌-nq@{⎰A4p]g`NN{3hU.nw)po4)d4.*+dG990LȤreh%Lzƽ:PthTʭ!)}o[B5# ~;.߻BE$⹴TTTiUWGeBKo7@W?1:F*vgk3u?.<+S"!eW/&sk>Xx>{,82؍s 2PߍC;ZI7X\Odp|&(da>oU X0"F7W#xS404g\zau6.b2d"}y,*N]I#O.V}t&܁0KU. >z}1K+,Pk=4c!G2޻ϗv*ց@O'͜z]̊ǯ ~5Ϡos@|Ky}r/?X6 ers Щؐ5➰{_h_sCd5B#;DB5IQ=ț9#&Ws~Tu(GlIvZ.vG8-Ȉ ?Hl65Z_/)Jm0UD34GfRԮJj[^)! KLDC7DvfTˣ)p_Í$B8" c ]@eaqKj_I?.Gak2Xe46#oVjrF0|P *l~o dǂjH.u¢$EzT!_{.) ThvѶߟVxM>EUV瑮#|%=a cj Pq F Z}dh MGИ*;q')PYX Qw% S,/@)a%Îʰ@O<H>Pf*Xv&&d# 9e"ʯI5Mq'ۗXG9sgA H29IS%j3g%ITjGoDS^i+ P7]x.ᔛThytMk,V.NB|d>-n)<iBùKY.xatq-0c\i13DaA3Af:@띂>)}͔07_2'J Dtks#(}:β ^ڨso0. А$|:ǻPT 桅y] 4h߄ E ϻ!P 鱍LUgRԥEdۑ #S*J_tPOm'}t1=ߦimwaXK:@#{ls\R8 v[=RќF_F`4w9LlF+<tHa*WbR aۗlP+T+*r+n!Luou5zF 5ώ@#p7xKTy BuQ1 2 C8Cc| h~! |.S3h@lvɻ*d.`r$r7:S{ N2vkԊAˋ7\)<~ 8߇LO.mZ7le^ծPy{1Tz.yܞU:sxՋ#BOX_aGh3k0.gm8/P/z蓘[N{6u'f,H358FnP}; E3)͝ONAŅ҃E(v[ocCǑTM*Q_\rU}}5)k~97 ؔ.lK/Dwi;k/ASԒi#Vl>4a7.4 VlU ,X02<{V-nRu@( DFR c\js߉`GT)QЯpQ87>\XX,Qb3~[_G/}˝VHeo``;g\w$E"5 bc[8 Epe1P]a#7Hlp%o%|@bMrUcGurEISVUCV;[p]e{6[>;|_Ld.&M')@~"cI/~kN}=$ls]ruTXxMB9 WRw!^5rz݌¨=ܞH \ԁlv)DAMHwWH&V7Z62_;yL.OAlT]Q݅WKRI G|n&b״L\5ήQSfw/XA3q?ݍK<%g-u0Qoh&vj:2Tn{bv-0ϵv JbF/.{0c>Ƙޜ~RyM33|1@7йJ36/›*y|h\]Wcy:M+1\ŤLNc4DCZ(Úa9l!-H\]P1xd#_99VN z /m띞ӿ+.oWTU-GdvmbjdK@} X1WyV $}J-r\ j}#I@(_ UD[:xѤR+&xbX $5cu-^]kn֮=jR& %@T=D̬O8DЂ)"0&tz7 {Q о{:IE? }H?O f} Kzy/aKtX t/Ghweh͙Ggh"{ȕbipH:(L=˦XdTLfrP9돞,DӑR pi}kƽiڰ9/GPvB0$ |Rz4;PyT@ } 1CSK 5_-]Y`)2Z{ѐ˄S5S X+CZKqFp";= *]HXW+jHw@Hо钪S9#Tjس#G+P-~avFeeYx r+~gw箑\B>ݧ|>UxMaQbssf'}mD/6-[5۳ۺFQU(I#(ְqk_O/X>*#Lqo8 _[/p/wb;s!%5Š,E e{92ڐ[<*նijK .:oDzǙNP\Ù깳SF&gƹbFCoBQ&v`Ɔ5%R@+9}'\XQa,CeE*6D WZP^of[X$ׄiMjrGt"yx  0* xo #PBS`5+ZPOiZQ -TV-> 2M5"Y:EA\;ܥWP -S׎vk*"+oi1)Ê?T+D.gHr@ V}Wy^'ŞyIĺfQl#k!<Eق?`PBo@j<5O`uU-9N",)O#arg9opV0&2avTU R6>d2#^-fCP;-5V'TAoh~lD-Y+&m 0^4#沲##6019` BZ@:{|5AaOhŁp yeh&]%SpMd}*û;Gh_bK* ș,_,Κǧ_׸.̓dfCvBGn1FNuM2n(Yv#dٯa}g`-`H*S{|]z\9X2C=G`Ќ-o ɉ x$!&J>qXeW%Rfod12r>}cYnif`7G,9hfAF_/RWuI>& yGdɜMzW !@p*KP7%IX"v!*E$|*^Ꝼvˉ5n6żvzu:dta7I45|kG! 좌$.V.pa Ep#OC`\֦7IK_g%t/oyy՝C.!ԟ!jp=1} 6I_37=6`K.Ln6W?/Y3ǣ.:4 Oc("y_Ȗ^>`dR~dU~.2 ?R\ԟE?)x k-♺LJٍ궡e_)8U"9~#<"F/"Eo-m1JMZ W#7 P"T5$Sރ^+N]ˋg1LT{j}: i*siصw܆<^VaKy6M#OI,X6[$ Nџ/ :

8)")Nz9DA#z0 Z-n})5x޿`L с/ZqmkB>n߼CԸ?!w1nPLL6QO<ƥLdd{gI5p 1Hws:VGh>k_Cf=qzKPx&|ձүoeM|#VL[ƘϋE-XDqsӐG;&qmb0/aTzV{^' ˠJ嫷/Pv,ф WGRRi $%DS+Am8btr]&YU*HYkTF,< óa?Eٕa..^( dv䙋nC6Tt"p0cmez-4dKYwי6}Rm@jfh?\mag| {X@GDa}=+sIC4+%資OlnˠsaI²OތeR0kF i),U[Zc|WvE -ǜZD)O9Y/u6bD0ڱ zU«C32GB`Fԋ1^F2 nmמ|n9fĽ0tW;kBXÍ2r蕗w1\ 7rӁQ*n9ğ%ʐyKh1uА0DzXH=[!m:`[.ߨsWP]8w%LS7Џ/ È@S>/M)R$5u\ȃS]ޡ"~H(␜q%7- AY#k"Y@7ƟXZ lm~V ɄS Ժ9QL_"L8ʝ;~uX 0!@ysI]`Z#''C!UpS0}s3\?< cR7ĉc f3<ۼP4 $íkhL]d FTى ]>6W3gM&xJ]]L= O$nM.o"Qnv.DZ,kq@;*d#/@Mx;|R!uN脧Ć4 zL'eWHH>agBz)jF-Y5؛QD&aV_wuc8P?]LC/y;x׌_8hli[qь9>R9,)i`ϊk̂k(-4-\'dyU=ȠKr Ogo e~rcTao $-ˉ4R#4X ".<Eէ?&H@,SFeLBcER~Q4g=u-$'p=o[̡aURS&'KQ4σ4+T.6,Y X" R4\Tl 53I*V0o?WZj-L.S*9rVdϥH?(봎Iek?>\5?;C(iMHRĦ_ofaghh yІvԯV;Y:#G 9@.J1D^mՐ??ĽA&_ڵ75{݇0gn7afD,9μYz10kUT&dq }ᆱ)TC#|6YfkRv TnOpUn:ڨgn(w`CQdnlfdnOMV9$U{ r'/PwH[xnsTZ)=eU|+W ѤxK}OegnxJ lP;cu.*PjұOgLx*c~؇yvF~OfaR#Dws](X =!K<x9,K )ܱFK @^ZxxIJ[<}r mFw}uOaI_~ݿ??{gp8RnHZ\Oq-{zO*rq`^xK.+P-}k,2t AmϰJe[xc&DB^Ν0*oLn®Aߵ:€ 2LBޫW_Ѳ+GO;;&>/3F׋=>o>pob)fQq 2gcP ^[(;QGwǶ`z8o RP!1/TF}r@{!+6q6%fJI (Zsĝd dr̞M'ATaTƨ .9\_TȳwQmӍЖH:DY~g^!V!wKtXm&ΐaG\w {n4h/d2^_ 9hTk7KA 6<6=5gSxf8p[]L X#9!n~јiT C&AEq3/,rr5ko!N[hvJ%Kݑnuc()TEw{ӒnUx nފBbm@ğkD,a1?3*2$si㹗 r87]+b]K e<+m!$}$,xHi6;T\gRvʇu=p:;/Z 6流4\6x"'뺻$2,5bs ̔@<y"9Pf |5.0AψbK"Ձ8pt0 ykW6 1EdTZP{O0npq8 W0lF߮3BʕY9S:t!4zt(Jbiz5_kHDlx6cyEK25ߘM76 7I05g.R"' D(24J|A:*+B#D9U&wwCg(gչ[y9de6. jpv$^;ƍ-p[f=o|0Wxd1zO}'žp_+U?/Jby\F2u:JLlQS6|ږ2]VFA,ot"s`- ߤeEȟ=3$N*OJj?&<ʭx]SaQT/&f(1d&VF:iګC0>;?]l5ǡawMw@Oe;X@ ' ͨx:8>RøD0m c>P$K>kTeFdgqdmVgT9pd!$T8`N1rQoڊ o =Xb9t.ā:e+EFaH\d*-s :3yeF]g!I ~Vqˢ[FY4@M x@~.(Bz{ЛFhj@@|4ij8ڽvœ#0w6ZyF9lPD{;~qQcͶN.mRLn_^KS͉݀B GDwwT̾C L`^z:pqK g.D+m:ZBJY L:SPE"g 9܍1.-InfM#xk ǶP4x*4F%xfPs\3Ҧcqʭp7V.(~w?6Y#6tD(㱿v^&2˅HnU7 G %6bU2qZ`%z-V0Cg8L.r,ĉݪIcWSƬ6Q?ZahFrӓnhB={$.ĤiTK=XLv_ekX}Zc؏F#$tTÎqXog^šAsEb_Ar"]ޅE^`96zN,4IkeF(PHM;x ?6>XLU_qwdKx{B5}Tf ҵѤI; ^a gW$uJކ03ŅUu'^TDB dA.n"`됉Mn'' iVfDN<˱s4/5>_;ڕ !CQ+3xOuq0\|>҆qֺB,'.3&>h2/7(DGzPg}Vހ4,$g{暞˓ 6%SVc9>࿱S3EI-LW׊gvDq(LE^C8XF㸺{v#ou&.Srzy[26K@{R'4}grTR5D.=IA%80e&M{k.Yb:YhH!oY܆džV,HEhwHFI%Vh%_nmPxۅX XGZW--ɈqKuj#RePÈ(|VK샼xP%|EȬ}V> A_]У㗺*ޫ"uOuW"T[{"kQ PxjG+zCҴ*=tAV5S6%#b[yI]Zx2 /o*$swb!訧|ua8h`K褗#E'~`eƦ^8%_`mxEt"}wy)K$;[A"xTWUMVhRX޾ ԫmw"ħ!:fr]hD=J_N}D x+ۏV6SL~kTH  iw4癘o\qކq鐸 srvO . <@N?¾7[,E-{VlyWj踤5䔽Tiܚw[ 4r2A//@~0| -$ hf]ipv-xOH{'|Shg:HC6 Uf?ҸGD] PXr} ٜ̕Dܽ4.%x5@[~IJ(l5=@KWGb7m7Nxt Ol M^?X:7X6]FuKW3IZ$o[#\myH6At#]JOW?ԍ dzZĝ[R\oa#~~jⲊ%{:;6A*ȵ`>MkwCG{ЕԞlN1cI*⚄whB,i|A8njC|"8E8.mys5zLU'}/$L q .'O.= G89] 'VjHERD|)eM'UnP/sVTVɟU?j(t4mdeka퀍 MXp7 مA a%> ik}-L fHK̝p*!PL 1 $*rљ&z%uj:Ss(G+yb>hL q\NZ|K)Rt(+EK󈋅xaq*] Ww3jI>͡1q+\BGC0kcY*<1!{y4p)Ej;;()ZʹxSA 3Jwbqa MҢ?Y{I ;5>0׵[`-bV`l"Kȶ똮{/&P Ãqa+D!<ß]jdZg:~%řg{X|`Zzrph@Da{7wrK(>wv)Zk>3\9Ǝ7bf9I=\Uy!sJ S@wh"Tl)u-:bVG3̓,s ŠLACA7ҚsޥMbfFE9+IUa$(4hQ K|`JEt3!|k٬>̊q; f˾e3؝ŬUПbɷ@:$T|{MA4,HReM'zTraQCӯsd~x )0 * o|aKB+tS7% Db!} sd#s0%Hi{$ghEf  f2&Y"J(oE)DB軇{r'ѣÊ{p:@t?0`tPy)JݐJ{m]2r)r0Yt,HZ&s8g.ʂS+.ef$}zl[sMdn-+CxpcpMs(ޤϔ'R? R#0k/ ⼀$ӎV-͎s] FؒEEHI.SC wiqC:|aj5)w%lcg1x3 #-/䅭MJ `n]^o`ĩ6U΃X|ܸ?d ]T} 7|0{gIEhm͵tNn^%\!5r&D8p-wncU۰r"+gM̱e N'sSH0̓/>C{P2ׇ(?G '\m}D| ~U.COCʛnaTɨx_FV^onp)KLq}Ѧ?><;w#tJ(H̶j*q O}@`?;frOwX/vg(Rm&:ܿ;]f x ., cglB8' F!9 ⼿$R7;qb稦:6Wa] B+0+pFKA(ksE(Us ';#r /g3TVca<ľع;u ٵ/'܂v,;1Ydo(l4I?E%͌ɺ)9K_|NA!}].g<rgDjgnQyi)yvAjsX@E}WHq 9 }[3#2fxUuPIdX@y6T*:Aj a^w3/I ea;d>g!%i (c n-FR/~S7 5GJ{'-9x @]ԪXz3ER*&Ax`sqױqq= OtZ!/9[R;1;2Pa \lZH?ohD!70֜@;4vL"3)z&^യs `_nG;B93-Ѳr,,aμ<4 Nb|ʑXd 3E!oPi2bEY^pt機G4D0/o rLm+vP%A)8V<^uy *Mg-Z*@%jchl/O<ke7X=oa+S,'qjr i 'YABˊ{bck^7-YF%ZРsyS@ {,旽a/_ ,tyunQ<Gz:^z&pP>RFD>D:[ZĞXfAq;$N93=++,j~!*Ce0o[ 5 DA*<A9l+TxeGGn Rhϐes`%;k;5xZPBC*(Oȱ _cKjN. 3b7D(Mx zj>t|9j'ge!x,q{񪉏e{[n9C8mm[F`% tlft@Z<)R ˸LPZ:.)Kѡrd_5Մ^V$ɼ~iח#k QA8=Թ.X.Ä.Hҋſw4`M+hlyA`^UQ/t`E|+TwᶲgKaS,>]Oxb 1 ;WAqO!QR0+rWr\X[}=YxuxGmZq3n*1F C\ ,h!4M|,\LS{[9뱶m]$=h!ǭ) F0wo4y,{vӂYїqS/d˸jP#6NpLPJgH1]( >= M#g I L%1R ۝ߣuoQMOVx| g `hXcMvFL FtGwC"+Uy!Qߣ&V{Pi/HՎz4[? n:.3 RLU0Q 8۔7䢝oLlؓΧ;ݜ>=S2O' WaO7:k.}3^H}?OVA _-*dɝXwG. EZد&cת!as>~ʘ>gM:ڸWv/i~`27ܹڍ3dwFTU&.+hQ-([۳e%7>u*.m Wm}Q$5 \9l"dvØz u 0PQpj ZF~8!@ć66-G4Yc83a⿙U3֘Q#OMm`b艍j~#+8r;9hqɗڇ=_VnD ̴y^ө+q"g7.쩤S1.ݒ\|m Hg`TpU+k&684RzF|>wyсa_*@(o>0dXv{j'[W oI1g ʎ ԑkBLձx/E; `Ôڎ-ΚFS/MԆAjq * (0Yb'. պfXi^ DjW`c>RuQf~yVB*XL$@nT\UA>_=ڲ= X u9 \{gc-Y=cyEu&Ò@  X0)X@(4HLJP)<7T}Lk-+Ej_4MQ2 *L{ gҥw?5  zuyjYqL(Τx+̫z+ !r?SN.ML97=.WGNMN Vۛ=*~>ئ]smyF<;?r+aS.Do9P(q+Wzj4 Us"BG῰|5(W׃5߹iTI%Kr=`Ezh/tv? \΅k߮Uq鯫ems'|MZG~)g 0l~1E͓&'9R]g.8j*$P!uOV ;]^˴PDi&ARbP?7n'Vԅf?D+ 9ʋ,XaUu/78gijM/ oŷ+qHvXH"*M{E:/TJ-wp˼yISgS2_ =uȰ3'-2rmW Ke4yjېԬƆ$NnW`UNmOEIϧ >1r}<;tQ7dVIʠWQќګߙVU9:u_9m#A峳uEL` (y7]nP|T[1J5sܤ'~L3ol WYqTty!"7+TpAt*E1ښbS]!GukLq<>hqFNIO_:{趓)7JFۃA9+I}s،K_WNj5Ri4`FnZ-g=~"Nv.Z,XMfWM(nvrbQ}/%v8hQ(X䪗$Sď׳puӻ.B;CE%DcJ3> xuBN͒{('mJy`ѱ3s@tc61@ڿCMaX-5547酚s0@Dn3Ԟ4ƛ/(HqOЪύBȇ D+l#n*+:#)r]}~gUeH1""i3#OV-EߪW{'r.ay{Ԫo' *`ExizY+7^|tXيH[Ty>!o)U>3C'w~؈aMN6`=J9R/Aslb!B1ι|ʒdž 6M)q#2ͨn>qѲzEw;(j2b锯pKc{΋}ԍ1ǨG ӐbHUSlpzw֦Q1UsCɽaRkj _N4,IY4mUM&XQD.u0dƒ vhf%Eusm3NOV)9wz.H֐ M^;Z$20+ )J^ i;6BXqD~@_if :OɓپI?κN^IGm !n^|%GPrvy 3' J`!:N%qC~ۨeϜUG!|8R*~¨&3$|(V+&1%)<;|XuX&M24_L%@AUͫ9%]Kb i?JsߥfK,H,qiQ+;h. ѐB7&ӌ}]OkZ_$Ma/a*]rrKNY(_ќ:v筽0(C?b1ݦ 3DI/Lk4Hq*1sHoyct. NVP848Zr|hmy QG?bzLW3?8⑙s?\EO`<]9UJ1WZƤDU닯5[e}ϙ8ʽz8-+ \`B)PI<2vٿM]Y:nɪ 5" ǻq D зNWYDY-reD1_([^!qAvˍ1'Pp[`{C&ķgN/ΧɐL)ԯؑ5Za׀4R_P8y!u6@3ræz,٥`0P֒ "J/1+xGOW]&j%?`Sc]Kei/fGcjx@C ʕHt)d%Ka N\_I+;{T~ t eKZi^5e8oiwu7"/ՏX_;B4'՚LF(97T_qL9"i-ju}@,wE¤B~/ 7A[|E0w]L}MTf LK`z Gp=u tMjcd {˝_ܳwIc8d#U y;9!J1 Jx <ʖ(\*歓\47t9Sd?^37# %!<Ǫh-PW40dF?U1NZh3V2ۍT[q)cGM "prQC{O]|p}ʓZ]L(_/"ax>k}GO=]ez|$X=Um;&b%\YuZ|֔ZOWŅ%Σ܍ +U2lڥu~>7qφYA&Sr^މux #a~Tt.;OJ}ru F5cJ0Ȍ|V=W;y dY-DԦJď`; \ n:*~>TE폸{X]Xm"4D4Q/ ?vA7?%,`05 쏏;Aɝyλh|{L 5 7NZv=cF6C&iYR~ʺrr"ll7n%y5(~C-5L]8i؅鿥Hd|L(5Y~pIZ||R=0ђt䱋 ,6%pd63ն1٤ߢذ]\'(Lw@`8 •shDי2eM7 LMIX$-CInm{[|PHL2OVN6K6_"a`~Jeg[aQAn0 9!~[֕(@flþ/ XF-6Y t3DZ`#q nT22!l~8Üf=; ?2fD{ki,3Kn %JK68SUJ;xdR{|qS"ڙhsL"]/10ciS+MM$x9#(X"%(u5uDJP_?)nyQ ΁ mӔi##_: X$+h|\}Һq{P=Fyjo)!AIZLIZNF?ߒ9kj,܉wM,ǩ> U }u? ?h巬ܭd\`OEJ+H2H^zv\|vJJ(A t($ZEy.+Hщtl $T~?Y|q=Utc~Put8['}Q!&֬y_(g%y`0z2ו|NѨ5cF|v ZcK w`G2U{QgB~VBٵ2B`_ JYMdʈ%g C_xH ; =Y$ {D&G*N*j]&Bo.Ks+;I#R. \dTe,G;ı 3BaKȋYzRRnq !A涄Ve56[dV6ۙ!''ڬM4w~Z2OJu=ssq^f80UǁzyNF3{0k6 ;^x⇗ᖢd%ZrÚB_D:rxҚU'Ԃ7^Op֩OQ'^(fh6C*K['s 08oi!eJ|D1}pzw21tp*dn ND` ďOi&kj"D35ytOre.Ql7ƃRæ37uNFr SI9mp. 9u9pZPE6):us]%p:=OX|]^g1"EF)RZ6]|65TuIO~@ g!\ZF8ih u܍$<ɼٝ+~ m JR;u⌨"j/2dJ? Cz.\Ejav` 쁗TްH(SlhSxD˄@L5cе%y.8wȼ)\Z=6;iNhה-`*l aL74ռk3MV :9=lMĀIq ;2@^->n'1 ^~"O:`xɅWjtj#cC-w.GMbLelGt|KFvCiiKҟ(b7l6, :9fV#mrW*)PIɷE@Ys{<7rCS%2P< ڤЩV%JuI5F_F,g_掫0GxF\=+of{FόeFW 4ĈūÚ?iX9 n"5Dw+s äQxp!j?T]+`]:T0oVӲc{=C)ta4wl{PSB%À.F̗nvS?qbEN#9.>R3(};BqᣁC'E Ax4iQCU;tk~?ɑXuiSMk[g3/?c% }j>( 7S)g>L^"6a?&Ab"(Q(V=Zz%>R:= Ep@N]_ZeЧHN2 iۦV* -dLIH`|-J:TZP .5J"IPnE](3P! [y{^")/j2kk i8 @ b~mLWp yw5$ 'SU)iX!v8-716@׋䅀IEw͘31a ˣt|9ʏ@J5azft$<.-p%BF@F`Ԣ~X%^nTY'.<-P(>% h$6K%{I!PmJœ4eC_^zץ/É ֽ*?H1$ ӊf vN&kNCz<(/fd.o&9 'L̦!.2Q*H-˳;Bˈ,jMv4)-WsmOHT:a}ËL>n16L(c0'Yv zm|pbհƪV> ʍ#Rt|H*ƣO1?oJnMi0{vҫ<}b1˪֏J (Y]YyCCat˘#O`{ 6Vֲ|)nu\J>f. -(.2$l"ۍq:W̺؂+y!`ĉ+qhI{A'ϔvCBL  ^Y9@~v|) ʦQި7])bٗ&Eb@Wk@Qp8:ZgqD"eO&Sʣ0{|Bv%P?jEQR[ٽYJoX7tc0> z÷|i|9Ք >INO4Lٜgp׭!&N/, *}_M =]ކ5gSZm1d 76ڰB%?vX <2qHEݩ~Z,b;Y+@,4?4,O)Ȓ@F4SJkd@u۸΄9H\|? F ؓGK=:q[ن&qoOG]ٖ|4t;ߍ^E^ ΁rM3wH^@eZ\uܕsjȮ$nn2#x}֗/&1r3.|}nrMBͿ-6&\Hjߗ>G } < p 4w`>-}גϢVWOVu /\~CdÅFpiO_#O-=2@8ZQ0 #)+)%*J Kpz?HoIGH)r:!m6McP@M]O 6~c]σps0@&_.8MLZRURz`1Y~d][UZ5NYBj ]I:`wzgFם"ܢ9 No#gW7]Ĉnkϟ9J$:UvH Um!3ztEĥ${/hOFN^x;f.Ic)!0;GLfHm@ zE퐎iEį-b`|ThjՔݙ{$W% )d.ZrR~f.\a6Y2ϸ[}O>T(0Y e2N93uڿ q)HeyCfT=HI`!kN[~f-ԶJOmΫ(#(%mr dx ?RvlS2bb }u-Vgί^e$'G VQq"XnGxѼ% 1zKE:c:vxpў[ r~ quM}D= QB9jB w 6Z]jT? lFUJ XV] Ey '--F@q[W4  )٫Y4.P6fyV >&rܼ[93" {O9BE5;X=*m@%ۀcG>}륖n.rAیB :.Gr{ӎ%c=9Bi1JV6g@$e Vdc]9 %͹2bd~Lm!O vnaŴlhuZJ h>XhD7$vsf%Q̰Fy Ī'Dh$1,>vF (L-Ԅ~䟂 Yﺸ}"dNv xV|k/zٌ]!U_b8<ZSV!$9zHaH0jn_D _ɥQ#ؘ m? u6""_Zjs):s'׷pY=0Vf7Lp4Ϥ"q ˚9#SpϢȈYIpIR zq-or\S_A"sa1@JYGP̀ZJ|!Ih[>IR >-);$NCR+fzp؄)-~LC*YTXIdN5ڒiMBi <20PmĒQܙځ1p))H&Ld+@e&Fo%i#[hW} TP=X0&XDOF#xi`MO]H+KX8R9tiD&ueiZnpж2ѝ E[ v`!K "dbwj^ 0X龖|O=)XY 2Lj{126Xߝ $oPN؊`~gKDp,{jDnՖ/1rVCG PODN^4 D vD3UÍm">wRD_90E%XUP ZV}c,T%(&<}~ !y8wYϾ ؝1Yz2g92!}WA^'VyQfhZ/> bHY:ChDc%d{0||'뮄"b(#amCmәA>GT+mFeVA5o gAz U c6U'dlqmMd$M$ )FV!Эqʵ{/EgC!9U 36І_mQ4r=("KcudRˢjРNb Z.ǀ-K*z0{,,/06<6ŒUbгKPq ;9U!űϙ[߾Thu)̑늪Hm<&%9V֔) ?,CDϨzefԂSEswg;0["+Ub 5.jMǖ ,Yѓ=!j(L,4gs3vǡhn?M`o/H,DpeA!$?' u:ڵٶUfD;g%fT##85g4QWu@Aߺ"YWkt5751 v^^fKϵG<6'<&YCyi!ӈF) l`oD8O߽:emj1k*sc!okHفMI>cHsݞׂw[SP /7Wn !̌lxCہe4,H~q%Ǵ 0Q{1[b @?fYGND4]['/umTv(x`;[ ѻ)qT~!H갻|"/PVBt|-x4)+,}/"/Y 8JMƯ~ƫi]g:'j*Jyh USխa3g%m.~P Ծrz[47B,qt܂3:j:mֶ-^` R 'oٽJn6"("H!#P2Fa\8{ %sK֒ir}7@/'= )i(ISFyy% f휊Q9+*vz*_SdcO ܔtіO`8 WcyCg#dZy pxG^|r ~ [3O8$_mϫ` 4&Pb9G5Q~DKX?FPغݔ<`u sjd-J@@m0R,yhJKc9 ;5B J:˴[Z̃P&bkT̛c0wwd3qp/I=ܭp:N`'# +]38V()R22bjeQu޸h;}[Xu~&7ČFCQ[ZW1 ##i| _G'f!OgQ z] @e tIƭT<gKL:+F9QnR5PoCv|doR%GoS*T6`ipMLa#YSw G=gᏉ!SaPuc DգgN|ϧCZE]3~ [3B\oc+0~sC\Iy4O fPL`<H)D OkTcz:bi1nݮ.kox ԖHBbR%U "8ۗV̛4Ky/tCӒl3wj#fNph(;r)_CL{Rus3 y+^sG? ȋ|ru}B,j o$#asdۈ8Gx #Y*#xh}l<6e; //;Pe ,N+; qoT[:pٺdoXGrlzJTfkgةj@9 dg =^=XNNYY m/|/3'aGUyt0"rS+g +}Y!ѭ* 7? (C0@RN Ra/3յ:GęI'1.Ѹcp Q^4Scw^ҩ)G%i=rzɣI ^eYe9;p]^܀A6S vLҲ)%u&> ,-kjKhj僰R/ى]̾+hX/M}oO'\юT4$iXͽ+մor"e"V&n; ^u4o_m:>|~=2)W}݂jtHWH -˜OX&+EH~-ߊ5@L_*Yő Τ, t=)?ʀLY,&yCYr  PA# *&$O޷RI G03gmk< ߷hFT*rkv2-mc@lS[pnXf'E{Zf.o /Nd0ەPYUH S(<7^:ELK*52Ƙ$W5n4jPK`V W NmɍGP&@e.:Xef$az&iy:l"ڈXSӮ (Z{E0é ֲҮD@Y[/ ${ xk;iZ] .221n<9MdcT>6}ˎrry2ъ$MԁAסZgΨ,W-*Q_r4KyyBbǠT#3%ٞuW* l[yFe; f.cshΥ@7HCd켧 "-%٘|pt4F#țخR Rv}c&E] %2iy_(uQZ-#'ևMUdTnAN, KEMQ^Kw3Jnoy(FLDW¦/ȻL%, U}5m3ݤm×BZ CB޻d]š)IBKeV0RɑEr՚5+u3*Qeɪ+Y~lxujjҭiFAŮ3`d㩑wj{\޵J2EH,`z!ֻ"}dц>|@V ~l=)wrD LQ@.ФK9+'ʌSC$¬mX` G5n8P#q JWM( 5ә a뤿ٯ3_dDR FڿM'o'dzK|q+T/91g4vtʥiitC$Xbt*yǃ%mb?7!8N÷3F^K+ifSN+njGU{`D>"\bַJѐ?~2-pGCi"v aw î1y(j<&*ՍQ 5M YitS)94Qǒ.һtFF 쩛J"D'kZk]{>PjBg>:F:\{9Q~ҥܗ}l<k[Y'ze}ώl2GakE ҾPbl :~uB) wP.d>=(V. ` SM$Rv^73IVDƓ#/Ox*ʤZO>M1ץ)*-=`o+ rnO03M4gY"& N0ve;H֯Ƶg泺.gk/ݟ:ܪ!K㤟j.ac}0Vː=l0ޭ9Wx {-:MZ  w''SjOq% $6!gn]v#s$K 2N_T*ЙiFJ~x>ֲ̏J^}BJI?U`!x゙3<;S-H [K#;fn7zKS7T/zOBe0.fZ+hVA1dl2C{4` ĮPeR h82(ZP651?nZ b1ò|1hMMR {j>jur\"C)Ī.2L*vh@tRz*wQƛy HDl G,<d¶2QGMotEj1e dEn@:%VO9\kpLSbSG//I} 'ͻEC~S Rhpn$)9T6yࢠUt`Hi*sױa~XU$)3sʽ~e4"Hm3j cg7xΔWOJ&"2rrM9c[*?xrQ+3zӫܲI';ڐ抧˒&!C|F Du3\AfΚ~Y): Vgx5z5?YYaͶ Hh󆽧cf4YK"m됸^]ѣI@$,#]7vR;? xKT`8/1#yn,,0 fzO"qw\8P"mˇZ> =I!Ou >}*BZJ]]WVBXQ rUZ>Xϊ PĶ8(zyڬziyvY??LU!0@_T\6^ T&RzٚA[*J\+V$@it&1JmԳkW y qEO@k}^Հ%2ىG߅I '$s4IH1bLޖQRnRr]9iLDnW?xM9¹vl^|M15JB2V3Ck,kO][-к(51}ռV*2dQIP wQ zb @%15}7yLhWK|QqCyn8Br>G|e{vdlN0j'g9#*wbbn >-2D7 [,Vx:׬cN[ xB^?"8ZMdg^^g!,c{cJmTJӼ ku::Ϟ֨ݹj늸pz1b-x@g\x 䜀MTG8EI`ޣaF~G>`⾃SD%D(=́*MTwG4ǒ=f%9YŵBkta3eb}e3ZybW_BqDPRǫ`]Rmj v̜ڨμHUyEqL7Rav5U$ݓƅuNLSvo6]}oAt ųSq~T\'#NJmr1Iƚ]w^^> 7&.=s&&vߥ[_Ȼz@g-=%C`韷ɈOE0c9 `HG6A?Fl[ˉf6 r\i#첀SDv S{E/W)qb%Oeb55qk8Y:.a`bJ>GqkDkHŷ|88q1-ԩ(V٠)s3\8 ]|pe*B ;Y07ME8C?xd'| (܀]nqJ D/ՌCPe0u>.TvZmE>r݈EҔ0坻r#meəlHixV &;6߮⺱o]uBƕ&AB~aq߳vDѝTFoco[R.51]g|嬿lX T|ցVAJ6fգ)@e|Räu΋ ]{~[.m@8\C/ g+DH1Rbxik'K2vgsu5ǐ1"n)S czdndHʢ;PLE?F$ sv@vMмO9L.=yfպzUmK^#W 7jۜ{ R-< Xz0.s7ip7'CJrNұO)g"0t6 iT`en9d}a[yݘRD`QvHK8S/up= a]ld!k0F_"K+U./eRŲ&2PuzeH '!C׹w*դy azek9>OܙI?@V]8 ,nh ޕ]6>#KC%h qhq ABKl+0'ilB1ihV3NI̅92kk\f-!*xv,=J\S& p㛜/VbXq-~X9Fxfw1D7_"sWJbhn;lYIge҈r?LN6yK!2!"`u$zŚ([\`#8ZLڍ_` nЁf}n 5m\2-gS fJ]kşU0..J|bd.o K3b˫hl*u# 4+g ],,1, { B_Z憰PW1za2MD"VҳtkOUNJ} z-ͻT(a_f`:C߷]*^Ӄh*:Dd nP@ˍ^ʮӅP>kMx%zG)W ~&Gr_[R <mz67 E4ȠLe{T94Mq+@>!7)V NYEAx| z)4qgph!;ijEe^kq4~G6")0N,+ϳMemF5uHB[7 effɕr.>6Z.4Yƴ%M襐}/2a4Rhנ{s,SֺR'i$G~zi?XGfRyIaJhgBKR/?>K7TK05,D}t#C4+7t87՜z0`dM|< 2 Me6ҁtedwVF죦o^W:_&ev晶wiKgx[B&2NWuIb{AYcBk|xV4@ MGUo/AyKJgF9wP0C~if+1ʧFZ0?hÝp51ek HEv{vqt.J' .mV¿5#ȩ\ ٘SE*ߨ\ޙ8) y1)Qw%,w: IϕN(E+)*Yb04sGXz3`mVnnx֥@2QJZ۴vw-%ړl`ikp Y|{QWp;"z\ڲSt96E4Z\􊠷>~rJēLyjIXU[ sfl0D6s$$M?&XLa=:-Jd:u[97Q| \ռ|rhQaGQ%\p fBxUfh,5u.‰BH)$@*Lb+ueyV уhw sν2WXmy&]J`NےUl|pDPƎ--286ےW_ ^BchikPF m'ટT4Y ij5u)H4")m| $ne४V[[0&v<>Je2*JBtT֦a?ab8䧌;-_@nώL._89:[{#늍膀_6JnJ::)2utˢxpHȨ$ go!#|TVg供#srՔh=mjb4ؚ XPDBHBU20`!0( =TU0IT/2"h]%>4jSMֆTh:6܏BL¶hL[eB;ՠY9(zBh+gX2A35*$񄇼v `%6xwYV nr'|蝊7uۋW=Pʇh`<c) r hp^SN#O| d+%GD҄*z]Hx/zsu1 /hٳbI)eA9Q4{z%\z! n_2kSdٛHV6>DGe>7j!D;Uk5)ʲ@]%7iB{hf;#c/$n_{%T?=rbqB֛¤3 $aVf%h &1O_=kM> nt),N.}A^ |K4oMx!a1֏y:5 *L/ԝH:©6!=> e[t{bj_N+ANtD3&ocFDyUO;ޥ`ZHR˺[~~=t ɔX*]ͼj4C'6&bN&d Ua>ϯsK{4<2@} 5]^[T87w:|ԟ.,/. $V19NnW/]ls@A3?,y" k< ;yJ íLY:"r3}a& :8@4 'eW^ľ2eY CG3Gv,?ez2?ui(]|n5ʿ nsTL-d JĝIYxE=‘r0 Y(O(Nȼ>Ps>ЈYeϗ.}O ^Evv.%`~L4 ^&5 SBWt"uiW`0ڰoHqTss{8DY(8o*9Վ|4'f"|1Pʮa] )j ȟbf ZrAD,s勫hV繏ecqE D]&2Wvvc;UUSٚgYyZ*{='qXnh8ϟ&?[x<%S(8 akL=\4@#̐w"~368X՝i(Dz- a]\xu  7qPXM=D$_.)oDkl`DA+-zjh2l _C\K|/ g/"LB2zBԍc?K^(٧2j%|[<|Uq^x[( _[9v?UWV8{ԛ)L{.zT!p:/{]Ydž%*닝 O)QcC}yVD t+͌#Zi+݂{.0?$`Xrv&OWMms +=VJko}TǿV#Geq#Y˒"w C.QegqlbZ$d\ [+&< )70:%(KQOP<&/2k߂.$ (&$>kJ|_` gm 1:yJeF/^w\u lFl'k5W@_4 1(&T싹©/S$xQ#cbͻs?#^Nӭ4{{YבV \!CJLɥ""d1FI.amEA=3P[!9>@ކp'(v{AV).Ej?fg|$2XnH+ E'ӗZS+^iPJpg@q=eL6 jt;MJ.Wq[ȴc|#Ie "HYm( e]B`ӭ#/= 8T $[ޘ(wwģ\%qWf'y9rj{5bECdutW`\F һ"VxfPv \3A2D#O6,u~U$$JurS~:Ng G42;aE*wi~bV+QiHGI ]U7'0MOFn}5<?xh+!kw=O6* U-Y? wUIqJa~>*'~V9ǜ W͠^N`gF |3I(\Vl >i#2e1[RS~Pє;DF Yy$>_ֻ;Ր2[>}YXѺ<9ύIW9%( W:3q+*,_.5~~*)R㤄;?Or]p⧪B&52_P~m;q쵳^Li4]Co/I A0eqUUHûUQ+w3nv #NNQS}K[(b&{fU Þf#͞+V;3|R^Ao-a6Lmaq~:(6?ʼnԲӠIv{#!1X Ԩ~!lBYәҕ0$ $ ǎh_ZiR}>^fd;Yx?&;Mҵ`ܴfH#`AƮi\Р3-76JeN wn2Z*aC6pAyjo^όi h, YL_JO!I;|܏wG\(ALe&'{~\?&*Xu-=¹&| = )bodDOid&m, J!<=penK'7 g9ty0/ħJ89YS+5tCWfo UiF~F0 F‡Ӡ>xʩ4{q4gbuJHIɣcNn^dSYm)֟#2G=v"2ԀO`\(ua$Od)N.T\y?z#h<3y[/?uc)@G\ǧN6!H>L{6 8ULWQM;&} O:)u.?,ڌjYxA1ՉÚZ0O(jß<{^EUŸW5s|[֢P\5obPS |t]g.(_.5.  >+ pcq~e.ۏzڶ_tGkh0jWxJtbEʾ+yzFNJdMi@ (' #tzN+]\1<#zPT@X5Pw][PqŞ|#h:28:Jj£8eמ|mW!ٟgvbɁ `@1_ÕMdaN;ԍrb#%UI򄧹ĄSsL2!g88+]WU*oT%(GV MCPiՏ|fKBȌt#ōWYUngr0JzChMMgN`G+yGWC̈!wYZ%\& ]S*0";cuYN f 蘮pKG^PX*׹avPF*@ TG/dY!7J2vfL' \錂y=.ֺe6/FPZVM¤x (:Ѱia J9b ;>睢2;:Ə,$+5@ް7>98\- )(rp˛w=nR¢ hH?[dVOxj( {>\>k-ᴄtP9[TnB?% <ͤop`4qFJ;vczbfh *n{,y^1;^1cԺiP|:[*Qv[oFVB7=+Ջpsa+G#^|߲Mc~>Ⱦ |P#>3qƎ_r=k@lIlۄKmk uk𚙋 ޯ `:ǺeV!&]{X<2m4&HKڗԓP>UjAaՐp=7QV o߫jTQB)c[wݕI}&4P]GJtx',oKRjY`OUsvQP^UzQS3(VEעYaTXȔ:&5a$)#M2>Ebe u5J%I VQWeG|e)Ӏn۾IvG=N6mdu7 з M q ؂*.2iwWHsc֔ݨҀ < knܼEٶ96'hq{'yѨz5Av/ ᲫH9O!Pko* k?JzkL4ִ(Bb0"G0ZDŽZ`=IN;. WI0XxxFa!3UֿBښ*M6ﭮVN猩;S\";MƒiF\3ݮ1t M0X.!f h=LWu|jE<%#b=9ވn5N2nwS8)7{JNQvBCmu25T*Lx=Y2LZ8mℊ1. ޽13;!$MފK 3_@<T[}|;es؋Bf g܀o}ç[[Kf|])Lq>7ihh}U[\TR4?KF!s%D|h x 1=#.+[b,SUNb \Nogߞx ׼S#_ ]hCce~q wS:m W'T$<4@Xdv}4ivG`3;8(áuUcUW*x}ϳ:"E6z"ɶ(D pKEId[gɾnK'>on'%uAkpatӁ6\A8x=L8'ZtG7)o+`Nmx ˦mIMsEFVULI>Xm/&^~OHQqHZ  ,hd\MOc^R1mJX]l__R2p[t=п֘,yOwcy/IAM^1Vd"hLEB2|yݒ]^*8 >'H:j$%~yU.zG.#ZZ. yxˠn9HtބP[!\4IO,Bo꒻8w÷_$Iv^UsSs~Mܓ[΍A:(P;Z,r|&Jh2McID3>g$bţmP*ۼ)|4%-rig#<ŨwdgD0D^ްRtNlȬW&f~/^?h mGiMu? v3GOCt %ݏŒsu ch6*Ұ90s0s5yE XZݞ̾Ī'3V)ihgOifW6ac杕`$c34B/rC"./3AǏ bGRFRC"*&%$J=[Fa~xW l\xϴȊJj-|4UAg$D@8=T&Xf5y'uA*rݠR0v\{ei%ˀq߿.Ke0"nZYͯ}-ݓLRQ-7~hsic<ſ_wFṬԂ^+aQL*@1!wj`U)^QN,5ÃjZUNΑ |(#D` 5 `4lz%5( VG\-KCF$Ay1)P$!@G89lhP5WD2DL2SFAJ*R̲Xp^#hoKA*Hf?YC54SAfܦUu|()3DGTy=mXۛf%iX 'Yu.uY; ȵ&౗J1RIv-nR9y1_^5-^w ui#r,lIEUu@]}_[:Ktse^( Y "K3OgmaB|̷8Ƃm:otؗ[ij.+z<~74u0?qڒM$˚PX&łG<}_OpƧ0!X̯L =q tɚh-y.ԫW5i3?9dZ\ g^n7@n WV6~DoBH^BS;wqbWOOR^$5F:V< |x@iq&_[@RsbA_(U?b̼ԧ#yXXkiw)XXz) J,jk̦>JHss_nM^L緬Bj(ɅAbxsG9"Bf`Ւf+[+(;7ғdںɯFTo(xG'(ߟ4m$吂,Z6b-sUm?c|XR}JFdAQ[2E%: م.1Ňݯ>&2@\ᜎ4?%w# DY860tH]K:n]dRePQfQ믋!2 YV32~GB-{}_Ѓd8 '5l"fzGf9]&9Tk/I* *Nૃꁌg4ZMZV\pns şoPLJvHmMrA~:CVޭ-/k;x#Dwх[0@ܯl4 =*h$'Z3Ymrgc-u;<3O(TRP.Q5Je">| WLë?ZNCQa6ݚ#2Cdt٣XL]|]I\x z@:Ĥ/mr$Fzq4Qu5?wEP]C?k3ABvOU 5?(lg3 ӝ Fn]-s3Y!痄9~Y5lXyNleLS\v" ;V/ӎ-:).ؤXQj{011H0 O.]&QgQxsI Mcpiˮ؊I3l>Lj}3t˄ծ 8~[y+D`\YƬbBhWB"VrW92H6H B,85 rW;u}6 I+}dXHrO Hd%UrUI[ _.@OH{KaoR1wC7R C;;ߙ%KSSUv 犘d=<MLx*"3x.e65I?Y"EWKP޲`C$B; g\e P\$`~jmx='LvI+xW "l Pfwk}+*+&8&C~`UuZ iYbq2^G Ϯ{;n ܰ! b^@1-5^8w A8fRzKdPۣQBVcY7'DQrlLLb!5NH^o$Y 4|\<2Ӊ' :p䐏A?o0p_Pj /0e3vOXS 3I:&omϖgoBXkj؜MB NǍ޿G2^žуl7J)Z&r˚]AYQ'iļ\h1w:wĄk˕X'VRoI~]8Q/, 'jѽMK/@ouIߊ|RدjFk[m7HWq*XWƖIJB\O$5'&ńDj%Ge졙[?ے[ t 辪}_p]:V24u!;§`Ka ~guú!"n77v j>5c A\Aƺsh_=JtLx5 <(4Jwq4_Edxk|Rqj0AzJ>-oX98 ,}Hl<=@F{l$Tj//hĞ7!g7] dz,{F̗_(y3jfOZQ11#Dv'E!C4.}9>37/vI /[ݯGFg@iG'VlHAs7@R5y/Y*BM4@?2vdK| {|LUEc݆ܳpk( FViJl{0RD;\`!#h w&9\+U #Eg2`XpMt϶hQў.F-`SŢ>K𲃊s舊ȝ=u]uL+ǐēTwUbS=tvao)׬Go3t7qW|ŨO.7E"W9N [x| k#SJІL &|}(1K[݄ٹ4#~VF*ʱ'6$FN./ tK nh*-D>O= z/[N\gr1gLRPs5d:u5؜q'QOt] 4Vzy |.~0@ʁڏnR׫m>Xt'O~]~}@j$_?PHtd+w9_7K,:b \0`JJ.xfOHCCWHiP#UQL4iym+oW}eHt;eydh|JƙzE/EC]\kH׈h)TwN^W@rR-@++dS`4t"I})ׇET#y 8daϫW #2 wGwqVtyhE/ nshyT@b}r'oSB9^zi#m͵3B,Y%_ʷ |}2 pFVXԑTy|̳IN1.sV2kaZ |-voAZ )فtVWiX1'*SOG;.nOacxX8N72\O8LPĴ- d؁t*6i."c~ɩiy/n}lWԡ `K\[;K?gl {hTp3ClkX"tJ? PTwu |R-R?="4߯'`ULt-pҠ WGm5Y@,J:]S?eIY[[y_toO|c5{'ai_ALj3W1  K8niZ7:;ͭyȟS |'|nTi mR@qoYcvޥ @aXїAvRXxxD49o5"S ,G˕-8޼Kb4Ud@d3ʩ$*Tyg{L wB=K#㸩_=]* (ڋ }akatRf_'}$n'[G\2ӂ$YiMSxHhƞk]Je;U6_&`V\ H׵wmPS JlDnӤ.}TLDfH$xs707lk}/30$5: ;,q|qXxkYlu5Ojf!:{\@&˟rǘldޘًµxy#p O,RFPٚIjBHs{5/E=)t`7fPw A7]ۜ9 ېgh%qxŽ}uвwDZM Jx|ԀI@)LLJPe"U}u} J3cڪ٘KQK?sov` LƫvND  k2#Q?td i&`nSDUE͌.j5+n-"(fUXUY(Z?@vIK Ogyت^f%88E޴ VKy3uh2S=;׹Q1qMDpuaH7 ]#c٩0Uhvӱ !ДNTA5kvA3&yp4N6Lʁ՝ )"#SÒB8Lw 3DG.2q&5vl )jOT}9F(ZLNjʤ/o0ryXQG[\}ㆪ9HKϟor^,ꎅPA=;{, 37$ eξ1//A[kM!Di-4.>9sMp4Y"zV8SvŞ&=GF@ijъ4I%h>f|$KL9[ S$H YY7\%Y*e8v8eu=0hwMj8nΒҗ='g'0hJ,Iɘ.x>[';sk}2zKߕFִs͍9|oP;M27[p`E/\ OI)?v ^nxi.`j$j3l{`}0uY܄ PXk UׂTZr#7lЂj[ޡG'͠]h{%M&-'jdݺ1 ͛R"gۇy6+mڌtG ӕ5TOSn2pQ*t1yĈTufETȢ'[fk\~xyxl򐕯c>SVd h[lh&LGC:'yu*ӗ8B+g(`/m(AU`|dyR[!ͤ$$lm 9N*D%CApP;Hn d=ՐHpq?4;DY^  =E0z![u)=|r[cOYsL) yȶkwTpyȽɤ%Q$N7x[DȐ+[5BW!1R>@ޔ#vn [bʕT{h8k3j0H|F!kTw {0lxۀYfh:Oz68xpE g9S8~}l\TCT"`Bep g+?10&fGUlEs@d/ 'MMn ][Q68|Vw,9vUCtQF.Wٜ!M_(KOđp})i+IRW}j;vw&6}lQc>Cݒ50O%% Z]_XDaBqWH~(ey˓Ԅ^!pv!5KTvW̗XJo^ S$1VZ%IK7fVAFjO丵Șf;;]8#NxW,d0(L{Zg'yBeB1@"X?QN#،-˵pYՏ$,{JOG87Y?&rmdHD1Nj Ydo?$CQ2=my7`^])em<.$_-sTRZ̾FyAF /g\ZI@D.-FiJX#l:`PI;f2^Pj헟!'389l+z9._o 0f xHg1_9wraPp+`}x)yyQn~ܷ(J;LX (g_%zl#/W2Sgq/୶W[)Up ̌7LJT|7v Hghm=`Trd>AG܊Em]VO0=&=bD Vw$sX p<4@ F<ڢ$ypC.sfS{|uįc~O-p<dKْ0b?c&"ꭿiti_sn5cjUՑu/lb1'a/޼w}حqsljrXHB}HW8$b_Qws3j#}ևN D{a'CC0o|}`|݆+<{Tet":A:0֕&=P/{ vč$\ҟݖ\Iګ傻qrԓV {"ڢh4*FhLsiad9R: Ѵ&b |-Sɞ; jDK O3Aoɧ2l{0_>B/2!jb D& R^% " ֠B/9>FsզxfУ:íE\G8p'f7LтexwίRrWMP띣ބXxp^S ҡM9C(BMU5j1>yYԭ뀎I~J/oAk#-tް>=O=xPQ|\5, Q.jfac+2=U!5ȳz [ʐ 2/a05u}k# thD_ŤDrN,v=zY9$UyMwޫo@_| s1f$J) $VE! < PS|zDf`6k7+T3ZQZ׫0b9zZ4̘ع?R3[,6ơa {̯ҬY3.ܸ Ii:)}i#SX'& /*ƷQ75ْew.h0^d",yаhT6JS9l\+Ih+?QHUoHEfs E1M3on$9%ud4W.gly Nyw"cޞ *e1zo!9&ȂVJ#TC L4R]DOk5֍%F38/M 7js"߇Ԛ=-`Ju8w+&ZQ; 4=aF%/M+ȃ4:ʕ+䓄+NrC!!{dS W?iͭ-\aژ)v4ytzg?cu_ʇ^>C-AN3^ ߢc@t9ocNŨZE3B9-Fk5tC;4ik }_)k Ji_\d uhB`: -7gA4༸zfcbCD. ~Lv/t<=|U!Č͵u~Tg-^*~{yb ,?VCy4{Dzw "^XT*; Gh@sEh8]AX"6"O6ol>{qJHb!7`}He=ɞ4 qkۿl3ebOTz O&NM^&1|<i]ypx -*pt (\n*WVLu 6h:\"bb'[ "Y0o *=@&~UH$|tU=h~] eDqS'V\{gH[@OP>xU;X&d ha(A%g0X `Do ] y< LlŘ,]ZHB.[p^"sKUwx 8Rwsb^g4P:{])J0D7Jp6A8&lnT$3ZAȌ 'PJbvz,EE7oJ #ΕAqɌ,,%s.VSSmhsnRFie%Lf'l|Z9.Nco.vDM?z8`bl+R}F\]<=xL|ha/ 9s1ӥsC<2ckܥi1J.mm#I`w4$ԚkOC|dC#v^ϰXE=aRuiW2ީT$)fļTJh6}kvaKRŒCNw{Y\vf\e/*] %3n"@#DU6 OPJՍ / 07/;-H"#Ĺ Ӭ=FlVGm2";UYb,Ѐ{|jbUp ȡ5@9rY %kou"\{5Qӆ9)6h }Y S *mɈ\H<*wh]w)U.&[[㟛d#ǥ3[Kcu7w$ݳ״|9ȕ3̵Q (b|s˔]2}2tn8qI.pXؚoefh!{wkB֊[3Pq%],l20KC mϻscsAXb PA{ ^lޫq|G'] PU0I!YS)yacכ KShTk<8]etpu$|J+$ lĵC?TWSJ]㹵x=64,g^?3xu֝tt[el̐Ⱦ:R!([<+_&];PY rAԆ*=?deݰ (r3ZwRT(KO{ ~; 㗆#Q'!Sၬ*bX8/p|Dهf-IхudV0~KfX|nwaFuNj`u+Ez*S7n&lҼWE10ĝ(0cyS$,\ 3yK^VN8 QKfThY$*F]a o| tZU4Ɩ.4@l |ag *P\`+#._q:c||5&JsvJQ[߭-DPV4Do(8;prSڸi i}̨;rI4YAc_{)0 6yI ;p*npo̢H&g`4`TI?-}x]1:+ EH TҾs=åb8*|? ^Jj|f% w6g3, -2۸1Y&}Ʊ?||rgсrnMp0FۜʣE+Ar]_Sf+ei<ǹ*5U8Q kQ10uWO)OC:lg{?\Ie''"wLNf 0 jw.Q0Ids 8{Im4} sXB4V{33jow/]g. cy3'ccJֹ rCWÕT.ccrqn.v/৯-EFbi㔬5fR *lݤޔQj}#Jb'Řęw5 \z6";) 4s&UF66UXQa\!n3`5iQ]xj>[F?Mϲ q4ྜྷ=DOIej/@qN`R'k v&#!@-hM$:+9 >!ntY *Gaً'Gb$Y$U10+ݭ98L%Z51OmyJE/ƍ'X q3cwO)QݦBwhR??MprzKVG_|jo*%'hшFa'{RȟMqB9q,Od77]'RQ>Vȵ0ADs~& T%0ܷAM|V.;Y :wjcKHe }y#h< ytT\7 Sd"ƋfM4mx_o}_QUlK[M"|jo͐i9ɬP= o[oJ/݉Ox }QESk!Y 7Mk&KP=l! >QЬU AF 14pA_$pvOѧL!>E5493NK90H&,ŴROU=&G`@LB : Xk9US1j͋,G<f雾swZ.~">!|lQfOW7Y9G ٨ڿ-\4"!G) Ƹ}cͪo /vHȗ1 e ]쭨iu)KOzhI/΀k͢Xyk$ ?JV&!6E~I߼ʊmWn~rw5/$͛0I; #6Z8BP}LY1 ]l,)-> 8: ny kMt''BouQ.=6Lh!._sZ*Nh7. Eiּc.D B$FΛ" 38 ܖEMXbJS]ٖ|};׹@F6$8+N~S‡{`NOVq m{S q'$ּ0W05'x]v;B(Wu)HhLvmp4ob"2>O TAyԧ>ŵA2k5$"EWG&GtR?3 p6"!Hɨ)0QQ|fyYAPwGJr[`+Sb,*v,/4<2{wezI >0TƠˁx+5Ge8nɆZ9?],YS?QD0EQPFK{gpY4Tqթvqx+ǂ,إ;) 6^YZI\ޘx3"碐gԄ~²ҔfgH.V2.wLYBkYo'=[i;ڃk1a9tY03#*\k,귛aΫ}dZ?|i8Uw ѣm1nEHٝކm)P iGmL Oۉ#D7z:Rvi,Ek.\~\qL kLc ZؾtrqKP'U_.^Rsg%h82ZճuE'Jܒԍu&N%G΋!~B?<%n~-Ӈ[_(n SpӦvt$JD iilqQ50Br* N-4 5>b%S{)YE1~e7AE%7=9D'z!fLHdbp]e7.o3-hznjO VKhA[$nvz A]==-$LHuQ= إlZY ?zՠ%|y R4>߇!~4]X?Ho JxɎla7(Ly8c|U@͔^%>B?m]aT%^<፽uBCfq@w練a_4ױgIkٷЧQiQN w~dBfqY[i6^lQ%'6kE @5-&9T<=h/O$k:N2w%J)9eQ .b9vʼn&Ս!o3=@Eφ3kng\0m>jסA Czȼ3Zs/JRউk5Y銙zLL}ZWU/{c&!Q&mw<>& {yT6(L^|%m^E5|MALu󘀾p 64pZΕe];إ:FX>ZR'O7?c* H,z`^HTc2 sTalhj66RZȉs׫?9A\qRK1Ѹ8P̴`p9Út?GdջU8M(Nk\Tsۆ랮;UFzFeC47{?DZl,15C,vto.ihL͋AG1D*(CcP+Td̄Q28ܞp+zwťDF8!Yz9Vb1z=2+ewvC<ٺAbWŵ e /3 u4ND;,pg{9ҡ"j%&5ePjbP*`ĊIa޴ɺj(Jz2oFf7>GS^D{,H6;9?7~Cg>N, %nӷM(b6~f=YEڑ3XQcUHS:'Ë<u&IW2U>a_RWۆøO/檄9<7Tؾ O?ظrp#.iz7rS+"ARvƷ褦y VEHaZG7_H8*b8 n2cx,ǁoJaܬqN_BKQ04hQȧ/9 z"=&V 'Y}q˰^fw2䩒Z 6,#yx{M?9rr ;qtVDGP3D ܼ8/)ftξjx]Q}_WݸwbO_ZTKJ;"IǼ埁 %'r땂ߵ0]K!,AX8/'vfcQV$UquqkO{M5 G=>MLKSQ>uŮُV9HM-ZXT||8]2~1zo-0q$% E;d5՗_UnfLiu /kik9L#Tʗ/&6k+h{[~ֿbpn/J84 ԧ@^<.xXt 46rNQ o$cղ‘N=D5Ci\۰* h6Cb8%cNC'T_ r\"klm7:}"K":S}&x94H(1'+ZAAޅ $}T60 F `b1/h>:Xm?( 9>wº}k9RBS.Bq [+B`W+]xI:d|{|‹̡hF#Vi2yqnopXp%ruhQƖ%a@JډRC)H2ssӂ`D:AQ~GSpg8W՗j`$1 7-o0KZ"(kў-76Ѻؔeaψe-y=-(h$&]Ukʣ^E:&xq[iBA Pb*nt' ,/o\`fhSS IÈ~݄hAp77Kݪo h*_!ժÌ[iLӆA'SWzwQ ՠc>>! ^e5Ü.Dوq \ݹYϸraVcBw(1ɰPYFjyC " Z;p,em}[N>LnT F;#opzpN/ Dv6S/UlMQ⪩o @1s!$pI1Cj7,.Xw:U#.ZZD3 +.I;j+9| \^ @%YRP I#sɫyᐌPxAc{+j"OgXWKDd-ײ !S 45YM`\×8WBK%Ôғ2)ز.wL7 S['fs"A*!|eQq=.D2؟eZSCTizha7ɷ_ҤͨUU|M`#b`Rewt]JvNдP An=z>Aɤ~|x ʎF 1$fz z52:y|~-\4qͽ{ 1q{|8_LËcʠ §6ml?LoK9Ox2P!8D%{"PkW[H6Ff M5(L57.jADhfEw,wm{ δPV?bPޤݐ!}凙#I4( > d\[1] g9ΘM5J9Eo95)tT_}]F$mMOea/{ʙSwޟO;"es^JٓR/`6ݫQX(|+N{UMKJvRfR``Įug@ YZ