sssd-client-1.16.5-10.el7_9.11> H HtxHFa> ?*}}c˜8CKR"ƫ*RF 5Peo849ad7052f5631353f587b784f2d457d53f291d1DVHӽ!{X@CFa> ?*}}w`ށYmsL|rr+9n\ʜv>>0?0d ! G $*/4   H    x ' `' '( 8 E9 E:E>#?#@#G$H$\I$X$Y$\%]%t^'b(ad)^e)cf)fl)ht)u)v*8 w.x/(y/M0Csssd-client1.16.510.el7_9.11SSSD Client libraries for NSS and PAMProvides the libraries needed by the PAM and NSS stacks to connect to the SSSD service.asl7.fnal.govi'Scientific LinuxScientific LinuxLGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxi686/sbin/ldconfig /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin /usr/lib/cifs-utils/cifs_idmap_sss.so 20if [ $1 -eq 0 ] ; then /usr/sbin/alternatives --remove cifs-idmap-plugin /usr/lib/cifs-utils/cifs_idmap_sss.so fi)K9l4+K u ^  Y - AAAAA큤aaaaaaaaaaaa^p0^p0aaaaaaaaa9cf01d9e833ca258154039692fe1c63a5ec04b8c90b3ce5d75c2b0ddcb7b6a34bd0afb825490cdbc3389d8be20394b41991acbc9c119a8a3587e7f1275ee0313e16b9cf934e7c9088281cfd0f3d7213e6b6826d6168e5a9f8f69f730540c77b4b520eb575292cf55c9ef6a83f3838b6e715daff40e99f90ffd7a5250caa26d78cfab9b7b7f9a7d871b4f3045926165b2215f924787bd58b85d75d680e80d02fe5ad0eebc33ed8bb69ac5bd58b2d733ff7443bc072c557ec7673da3f02a0a02d08ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b9036c57f43c939054fd4b831f271a14c97a488c38f98cdda5e887c5d396e3b3bc586abd9034f4f9e39a048ad6c2e4cfd179b63110218cd690e14b4a695236ce5d79c0b461739e561e7961325d7378595be0c2e39cc3df7fc3a930c9d5322d81639c612bdf36f166af1db406d8fab83fdc8ff1133ce44a4d66521d750e1867eaaf7fd376f7f6594fc4e42ef6da8e2d948446aa5d82749fd35877ec9428c06dcf852002629de70c10ef0ab1f40cac1623bc6a40af3272577a8542b6b29c7632ae6bbb7b9ae0c323aab9b998518c4c4b614488bc389da35d3b8d850d841ed0f91e1f0be873ffeddc0fbb6632c4d6e02600ca968b2285311285ab14af60be83eabdce98a805717f97a2c21d0666c63057a8fb853ff47bdb19b7a054329b312e6e34aff7d4608a51707fa874215347b3e4b7a5e3a321aa9ed2e0d4bf7a1d1a4ee8093f53@rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootro
otrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.5-10.el7_9.11.src.rpmlibnss_sss.so.2libnss_sss.so.2(EXPORTED)sssd-clientsssd-client(x86-32) @@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfig/usr/sbin/alternatives/usr/sbin/alternativeslibc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.2)libc.so.6(GLIBC_2.3)libc.so.6(GLIBC_2.3.4)libc.so.6(GLIBC_2.4)libc.so.6(GLIBC_2.7)libc.so.6(GLIBC_2.8)libcom_err.so.2libdl.so.2libk5crypto.so.3libkrb5.so.3libkrb5.so.3(krb5_3_MIT)libpam.so.0libpam.so.0(LIBPAM_1.0)libpam.so.0(LIBPAM_EXTENSION_1.0)libpam.so.0(LIBPAM_MODUTIL_1.0)libpthread.so.0libsss_idmaplibsss_idmap.so.0libsss_idmap.so.0(SSS_IDMAP_0.4)libsss_nss_idmaplibsss_nss_idmap.so.0libsss_nss_idmap.so.0(SSS_NSS_IDMAP_0.0.1)libsss_nss_idmap.so.0(SSS_NSS_IDMAP_0.5.0)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)rpmlib(PayloadIsXz)1.16.5-10.el7_9.111.16.5-10.el7_9.113.0.4-14.6.0-14.0-15.2-14.11.3a(@aa`@_ _G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S 
@SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.11Alexey Tikhonov 1.16.5-10.10Alexey Tikhonov 1.16.5-10.9Alexey Tikhonov 1.16.5-10.8Alexey Tikhonov 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 
1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub 
Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 
1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 
1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 
1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen 
Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen 
Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. - Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#1984591 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains)- Resolves: rhbz#1973796 - SSSD is NOT able to contact the Global Catalog when local site is down- Resolves: rhbz#1988463 - Missing search index for `originalADgidNumber` [rhel-7.9.z] - Resolves: rhbz#1968330 - id lookup is failing intermittently - Resolves: rhbz#1964415 - Memory leak in the simple access provider - Resolves: rhbz#1985457 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-7.9.z]- Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z] - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. 
[rhel-7.9.z] - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z) - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z] - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with 
sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. 
It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. 
Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known 
domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. 
- Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross 
realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? 
- Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses min_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. 
sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. 
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. 
- Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and 
auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views 
for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's 
promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- 
Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME 
etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo 
user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. 
Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains 
provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. 
- fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators 
from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. 
- Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user 
even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page 
or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on 
individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with 
--login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? 
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 
upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in 
function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views 
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove 
password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: 
rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - 
Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. 
- Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. 
- Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with 
multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA 
password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: 
Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath instead of mcachepath macro to be consistent with upstream spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on - Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server.
- Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. 
The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - 
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the 
IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for creating the Credential Caches to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for
https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on 
commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - 
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predictable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. 
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. 
- Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. 
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system 
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that 
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/sbin/ldconfig caesessvsvukuk1.16.5-10.el7_9.111.16.5-10.el7_9.11 cifs-utilsidmap-plugincifs-utilscifs_idmap_sss.sosssd_pac_plugin.sosssd_krb5_locator_plugin.solibnss_sss.so.2pam_sss.sosssdmodulessssd_krb5_localauth_plugin.sosssd-client-1.16.5COPYINGCOPYING.LESSERpam_sss.8.gzpam_sss.8.gzsssd_krb5_locator_plugin.8.gzpam_sss.8.gzsssd_krb5_locator_plugin.8.gzpam_sss.8.gzsssd_krb5_locator_plugin.8.gzpam_sss.8.gzsssd_krb5_locator_plugin.8.gz/etc//etc/cifs-utils//usr/lib//usr/lib/cifs-utils//usr/lib/krb5/plugins/authdata//usr/lib/krb5/plugins/libkrb5//usr/lib/security//usr/lib/sssd//usr/lib/sssd/modules//usr/share/licenses//usr/share/licenses/sssd-client-1.16.5//usr/share/man/ca/man8//usr/share/man/es/man8//usr/share/man/man8//usr/share/man/sv/man8//usr/share/man/uk/man8/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m32 -march=x86-64 -mtune=generic -mfpmath=sse -fasynchronous-unwind-tablescpioxz9i686-redhat-linux-gnu directorycannot open (No such file or directory)ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=dbf10cfeb733724b305a073a17949ef5e7a8619a, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=882dfa63c75b1eb22ed115dd0e6767877ea2acb9, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=5cca965d3f2a63c0360f38955fbc762fe83a095c, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=1b7798c4760591c2fa568a070d869632b88f97d4, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=d17f0650a312361fe1a680f927490e62d62301d4, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=0b668f596b663c1b094e8678b3046910477f3f76, strippedASCII texttroff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression) #0> RRR RRR!R RRRRRR%RR R RRRRRRRR%R RR R RR RR RRR%PPR RR R RRR RRRR%RRRRR R RR R RRRRR%RR RR R RRR RRRRRRR%? 
7zXZ !X] crt:bLL*I@)+ Lg D$c<|7( X^>kփsM@GU7Lo)qYuAB*9r'o0$Đp7 wQdW3n„Z'Ae|9q~.¹}7bz…5c`Xs^$Ir #a g9ueP°XO !U p`B' ٕvt+zAnG=#E>h9G$)tCTkbWOPLM=δ[{  > CQ Nj}@Rhtቧx*ЯoHń#=0cqT' !?>iO]Y B">O)8*hhvl wYty]t)a#A~hzَ-VTq+#m)i.Wj)ȕc'M3;ve+Qp_x  >n?R1@x1 3LohaaT)f0WM o#`W!@E>cِOFaŃyhŎ_ U+{@cԕR Feh҈]Ƀ衔~ UUP.quRəy 4%}*9P\o`O HfF3~9VX*?3&sAm7ݦ%a kK!\ 9n;{T@SP0< غ,2Ez]4udd40s0 N'^ RGL4jέȺSVGE%Ǯ![b(W?)=V2 z_ EgJI0'!`5gzG~yMUa!,OM9Ƚ #F)yX>FtFkA^0+:/iHt2wwG+\cnm6$N2CITm+k 'Nq|{c` | 4-abRKO8>+J+A<$NϕXlj_>] j&Tgd6εȡ,2M;3R67՟R;`!e6NY{nOϓbHVȲgR?"q׻stOv}Q 3v#OՅL[LŽZyե`+ =0DD>O\# Y&ۮ>HhZu Tu+-yǫ`jApWLb;ʰ7IqrܿvQ~X˃C<;1/cP)!߅GbWϨ'MG7Q#bR ݲ.%(ԏ}DҝSm6}Sm:(R5{tν{JQrPpDBɿo&:b[Z8/2 I^:@ *ޏAPߠ.!hv'n@tY)Er>MΆ_NY>+/,vMC.;ov`C!w2G܎F(}D5p<%ŧ<٫؃2=[}](H*.!"j yW49No[D-W*(':6w(جiA\v沙9^ƎkuZ#8\߫fY0?HVitoET|rIG#2J0&0҆rWP!,#2I쀇;ȎikzN#ƥ0(ͯ۱9DdȕDiܲD"&59Wf )x5Om #- H/ -ፐEyUJ|'c¨cy-1W %qPgUpVJg*3to W2~ri!QZ;ܱj/.^f>Fh"I¹Tmr`ID_H4PaV[ƧLҿlNw˕PulG1DT6.YJ#p n͍˘Հײ:aՓQҔhB+o(JrM e3 gEN[ţ4d^)ג^{n_J`6vܸS3M91t2ڊh51^ZxX*%OW:&S +mp) o  Nz y(H)H73P$ M4F^ LU>{fXRÂI@P#i’%X@0*2Q)*dnh͞Ԛ|hJ/&TJ_B:J[0Mo!o Úr ).niT$ٻ-/= fp4`ϳca."#:ĵƹ1H:8`ۤRRZ0h7W+5½Yl#v}Ӧ@q)FO)Cwat4;֭;#E4kO#GߡLQ?jDf3ٰIaY3HG<紱b`+y@Fɀ!HDHE  a8>dM᨟Z8e2Q2ߟ݉ߑ&Yz8e Gڅ|-rஎɆ U6Z{Ula]SL>sɏ%{_%۞ l&s{C;/Q zyW 4WTIbD#R]]|w7Kd2 c=JN4MSC%6sWLJž0REV\HU&d) )NuS_D1moVȀw}ګvd9{ @v'* a%na#ׄ{FL;N2^=C]?W@,c =ǏqRl Q5S"&͉q*KD]#yH|y1FpV݈GWYԈ9]79pS"Aެ\ļPK[6cwf‰<x9ֶ"PYQ sJ?'Mp~SzWkWΎ@!mVV\/m;sBxU^ $8iI ?ZỸ ?©t:6w͏QԭwYs<\yWJk| iR-rn. vG}-MJl =1C tG{)f)K[SoC.36sjk0KO/b=kgRBzkO-nxE8';ڪ]kK|Z#"0'5r 53O O7R<7HubΟ !ֳGJ&:ٸ Tl\!ow Fhґtc#()ä"#R!0A GP:鰋VS&z 0am!֬mT*pa,L&8vq4 pXMV-"fϦG/yz"`QBWL`$ۤnF6&@6s=6. ?GQ=|mK$hҎ L5f})|'EfúnSyue_-W׮i!*3cᤱўZ"q*ZේQO& aULZ:W8Ix/k7tK죱QcuGMm4" 71sl`fHtB ĽՍ?oT=jX Rs9d1,:ٙW 9gs(`(FI `?4qI҉ V7C|U=*̍XEYc!HX[CAVQ-: T#- >(gCMLEQoVBz;ksLfJHvwCδw c(pAJJ5mIw|<5sLv1lSP겸sdz>u>R Ls *! 06Ձ ڄ<_R,D5k}F qu SY:'T3sN+(77+W88AbuFSga'ӘKqz]Anxڲm a}fF3_2SB,F$r|WzK,AE()_b|UN%ػâgqD2;ѯ",qwІG ;_RfE!VgNqV/趶c.B(8{'|"$C;bIMGp+s4TGagn`zR }yg"0;{\fM'NTָ Fsbkػex$ڣl9wsNm! 
vXlw`$ćijłzhxj8vWˆdUVXk|W^J#<<>o?kĭtI醧Qj KjQˡv+y K/%D' iw#7|zsR|o\2;iwǏRD gBtC D4tEا,yՎvg&TImh~C1[jM]z]de)]vrWRǜ"j=HZ؀{`ͽmc>2LOU?\~1v#T~D{_tE^י|]OOYbn,Bz8(d)Lǧ/'T^(QSwVȠ(J,{w9 PG[g^O0!%s!ǖj:P(S=/j9iry _tE{|R> ĻSCs<@s6@@]aNXRXP?,uLGIƳJs,|'٘F+TSsg@r'Ђ)eA',aìqYu-XOy9$2*l(.6*_T |j&`%-wثCa#<O lczs&E-.|?KT$6`/J&4t=l⪐- /vıꙌ#E^bb]W~#qMX-ɯpX|<0rj:k,SF(Mdmemj䙷(#cΫxL!8@+Gj6=l$c>:Hz_=#<ITҵeMS8=~l 8G]\iugq2M*p}vmo9ʇ= B!UvQǓN\ 0>Vz* 7 T|註Ɖ NܓrQW3"_l83K;㑙—5_нs"Sq%^ZRE#|ɡ Q 2I^ >LҌ_MaV^AWȿCL]Ib³cڶapS/ *Df7_|ҿXk {/>*7u).,ٚgC[HN_j%\Ybv5>tb6-jwy*KuH> s3Y}Yx#6sDaGYEzCo@Ҷ!\GhmB ;DE"ғ#w$œ#蟧c z*da1$yC!Hhs̘"΋7t찣|/mzl_l5Η7sQC M9<)~Px>(|%SM.ӯ1Q$T 7}rSg(VU^_鱨x7Azk| j7yΗ"k7ul"Np~7u-4:\pl/:Ɔ/uFLe`s`I؁0l8>-$ji D,񸿍yhLǠB1ro{"@\ |~blGBw"W@! G9 9@jΈpVU HƐ0.iQ%9VB.rWQo1.! 6id`Rh~3'4AVwwn1˗i=u(=Q$0=ns!b5mVcB 9={%J$@f-JJ{#'*D]TJZΏ; Q\ւ'x Cӛ Q(3g}ľ[)aqV`=(bqc "YC,5b r"3;d F5[}Em(1)@ܸgT9VH%Sav܉-EGOVdU2(_N\ZЉKZcNE, ׽⛆{zG@{B yƫK?W{qu"zOZLlϸ΁H+3Ҁde̴~g'k?d.X\}Fڜ7OU]$|YӇ-v 4DYJ$FFYIngK>pu<.渻&[<{!{M3\Ӧ,qi"6BT_YuXTr3Mr|N[Οay^y/&BS& $Ї-ꍵ5HҮp!{*B!e`=g"?^Cq TJ)$^ p.d<ݼn#+t ^gv@/Ipd>lR>{1Ѕ_#IVyV5!ev 7~zlWPgӷ9ibo׭(|6l}@17a&%>WqnQ6U ܈|: m;&Q;z)9#\EsJc/+)۲pƥL l=?TQΣ鹃Vε1_%$:io+J3 .^LI]eMa=g"J/Kd~WU&l,(I;Сc/39rBKd6o:2pgaeNHTuJm?6QXF:AаS'7nv=MxuzrSǢw1ir ͖r?IH#YO^',btp, n V}27#v4%%1"n\1 hZK O)\Z!<\<40-S!?`  uq / /4ov|1a?r<66عA<'kwv^ri>Ō8EuhrXoLX` 0H pԨ`dX#Pq_WOa>Oꦲ&R&8Q-Cb5ug"{.CS[35bXEWOeI pın`zWF'>J)jj'|6b[NX|(n"ūcla:O"FXM6dJ}G3صSǾW#K-ْ=|z nseHR_d) >׻ lP`vɡ*? k[)(p+ۻَ,7ʪth!l?较-{R\*4PpwW1.M׉R5ɉ)ȗ>En[+ ^(8pپc\E+lڅ|2$hO+}Oל^~g-EF=fiNKČ훼9@Ht5b2Mm@GyGyz$=.V*Zx܍ U:sX-of|Lq@`_,nSxM z+¢vuoR@)6rz9:v(LP,&)?e߰blg՚1< :kK 7ze_9lB`-) r`N|Hr?g&wfNۯ{Cw2AӷQ[gW9~u h4!r 񳪣D#LЧ;3W_N[\FT6%MhONr4t] d 1b:i@G! ވ]-|±] ʊaR?':`Ss 7XPDoQx:2b& ъ ,])8#籏Iv{KW|lpc1" ѬWL&VĘ,5u Қx@ jx&&nXƀԅnV#A׃qFJ>'4SK_W?ftX 4Y/zq/S,D͹/. 
j Y܈uUCodUm ބx 6Ͼ^/N 0gR޾P 2$lhI,`aa\ |X%B ϸID^|W(]Y^1>_L^|]H< SJ*W"^zWXSlx[,']|#.~!1Kê9Y74BR$\Ⱥa<)k9Qʼn]HLUu(h QG3IBZ A^j\3Gfly#w-KoSIRhMuQ=ǶV&_P"#鵺e"վ敐M֮ZRs8F }˻{s} ǧݬ1o<[#ҹSOdw;kc[s@[, w'ja fI r# Qƨ G\ D?8#ԣh$&~%&n!i&nWFV)KؽM \7p ]wz^8 }5U >LDFP.<դ|ǐn]eIǸ V?Kcuwb.E!\bb䆤8ʊ*RJzܾhr҄Nb ‹ [Z<'󻵓SU-B.#IF)yY| =5;}L +iVH3F <ƣohO-= uH2tSXT3⭇ۯ_h>. 2#=ܢ1ۯBJe`^/zQfDhTozB) V/:Xe^e% ܚb0dROGඳOjT cZ׈Tz;:{hOl']We?i 9pZ) ?3X;4O[⧓ DvQ7NfpFӕ|pm3@&ܽ;6UH&>5{ݢ>(`AKp#r]Y|^ )i)Dv4Fo`,ls+C\q۞ZOJc[; N )8ڍv28ƁVZϧ/9p2<$,}򏐏 DX뤊|L%^Pfޘ3i#{țj [o.Ov{̽ Ԝ7jg[R8~遅6>]6Y~J>4i2H>k-V]sKeRIWJY*Fg%ˊM<2e lF׃J!7QnZ1968evFa4KU@vqΜ{/WV08jas^ԬVgn!R?$}wÕ)''dS{/-Jd,#yFLc VޱcݮLsDF("k)hVK~6ؿD'Џ[h~#L-4C*\_"*S_/Zv#?I|7km<&Y!, Gv5 X 6,@23@9WKq a2@K=-_4j}ThP;J󟔜6xzu(Uf/0۲L?S:)Z-נSk$:Ppk4 Lq(~yGHg@*3FS_x#$fܞu^{eZ|C9UDBY4 _G/_Á?.S$q5ҭ!b)[xv򱝞?~N\*#/G"c =G]KkaBnW9IvKXM34f(˅B xǴ,P/&O$oCÚ,(*w4šCQ)gm:]dq]ss?ȉkg6nk=!se԰Pv*Łdϕ%I ;G7,eof."7 w“nK h”]Vᮈ;fsk\6{eer{- ;Łն1fjnTER2Q[@Qq( XXb@GdÚN.GbPPkZ-`=$rD*J2*LAʥJH5"`>`Bʏ^mG'Zs4 I屰W?Ji[Sz:ޞxi7A u+u{!T#JcutȻu[B. iΖ_QIYTatg )kna%ɽN ̜NbnGNRh8lW|;xdox(A*4<6<#KKK:$tdh7PJ_Un&+GWKH\ӽ*wYk3`@0ֱ vv+C|jVٝfv}?Uw7/gP!>!#҂ܽ|65:SLNtfya_̋Tq۽ |5`;/)ܔ rtȝ%'ݪ\ㄉsxmġ oF-n{![\oE_x~N6dn]Kf'.Alqkd6á*k-5ұ¸ZV? 8o'$h:hE]Z_e&o SH-d|LX@֍m":&NTW#u&sS,V_pu5%0)&@Mm})ڃzpP_;Be$(9}*S ۰ {UX]/d0#X,8uNlo~'Nղdjr ;wg\;OScϫV;R9]{X,5/Q+=7 w$6ٿ [96zRlE%2Mvǔag8ʸc B8p7{;U+ nnڃ$M#VFnjyÏIŵp#á͟^ZrRO~| qXz3h0}WY]Am 9udÇ(WUJNhKֱk}=8ٌ]<;w6竀b,SE% Z7xiJ=ƾ4.]*C{W[PZXl&vɞ]@é "\)9>uJ8'?XS $ٌGh!u0E#҈O"K-mE p-z^"~X`v-N?&SCZ N綔ٴPYr7tɯrľz$RB&ヅF`HHV@_Ogh7MjG8BVOw*8{ ;\s:ʶ@+(ZABg#&&ABE/yu52UIO6Ί鱲@$'OwL<:?L=)ǥZ_@(H9@DpʏWcy.k"K'Zi_e!ol["D#M꧇<>ũ7u~K6u4UiL޹},k`v1bXʼn. 
O(l/(Z-cDCr=N0T˙gA'YŒkYby!goΤKkd%lQ H$ EaJ(v8 4P`JfW$AG9rN\kR*ʰw v:YF Lˈ6S(P,(sHviDpJ&c \sʮiG ]|׷}J?Rgh}a P;P4- }T(fH\ąuhD_5|ץaj"[cov@2<)Q]b *3t9nlYY"Djԅ2cV}*5iV |3=1C%H /g-_y5q"D׆x2nm&Wu@OgGw32aiYLd \; 1D`i:9F?`-z,5A%I<9$h;y0GWPϥh_|s=}d?*(C{@`gIKƳh2?;FQ!?A) tcrKPVny5?%Z,a$,{8cjd>Mؖf1`\ [a\:02jubs1!ulMm31 g?7|CT @ |փqeN.xiǸ)_HmAED"D+qg>|@E.wMAXվ `$Y~R\IbRF@:7~Z6*hW>{fȥ^vʫ5CcDhwrئ 騋iDK90JUBR{9߂sL2lLg-o7f*7߆ވ}`nA5@ˋ*[ \?[aY~ĕoS8J$?$4gq')k3Q/GN3rc0a'>k+^!{3·sf=4Tr;JcsC&;6Bp[Qe,=:BS#xA8˺?o6g KuS+V -|mp;oGKwRtVY0,l4(JNZuO)jšr0,ydgv]f 081g*b2X!Bep>@ }ªX '<?uWDn֨AD9h=bB0VD`BU) eAH:)QWxmFZ}}~G?V{OXrH6 B]DGDIw|,'}q3ugpٝG<=Q)|d%mo| ΑT+:Jo5BrN?Q_FD1X"O xœlmS.յh9X1B4ec{"Yc+`9BC ~0e·ĿF8ۼLhnvYR䅋zM~XA RJG.-Kݿ;G|0O2 ;Qձ(aH*' Ji͓y*ZsF:Ts*Ϫ@@|9n6FeG4%l "?1vJQEBcUa0+GR1`U/D\rdx"Xm*V|4&':w(w؅ TCʴGn 3°5UxFsB_ ؚZ8s#+KJkDMZ^Z{wbA1F,rJE8<5? 1i IJ@` +{t%B}Tx ɼtܱ,%S;dT^{4#:bՠkX+jh~^g"ȍBUՆ=.dGȝG~+1g6d+z'tښvݦ@>WIx"Q]cE{s S74(@W hi#5"Lrh "e[^aMٚ(ʩp)y{&xR{y*@biK"$hb-ȅ xT!Ua,֣{U1~|KA<͛5{1A{i Q dX1^ W7A:b b|#Y!Yn$yf_- G" Z h6ZqY0*[˯m(v`^ S-'!W9$.BԶ̑W\Q4$ J_Ϗ%>=a_ 8fw5 6LB4BgF3-WЂi\:%U{獱ᶌКE|e7>R76mUoc:}%u07.N[x^V Q:* Y"HTz3(-_ۡ~+_zV7euixwLcJmKF1+8򃳫`iʮkrSs']e=%\@Rf|8qzY&mEUƖ9 3T>۟pR !'(nLY2. Z>CDzq/4>/p[]WLg;PLZ5`isi"@^QgUy$֠*#?22Kr׶zF^ X`)W NJ4tX{OyO\❆A7ERei0F,ܗ{hWXIO2l v.Uo9lY81ewwRΗ;yv* [yf ;.y)x1}] RaYQWDb&G1@\jSҮX3p &i7fcf̏v-K&+#MzsOyHR5W Z ՜)Eƀ/aQdeRJ(N9]ڨKǕG[@> I)\2⻿r*koȪ F Q A|c`1SRIWO;B LO43u9@{auNn0mys Ѝe?a(Ոꂼ. ?|zb8%_ʥbKrGa8e[j01;?T ;Kt)_l!|gQ1xbr%?I*« 谓 c3g_l6HL0_bU g^XNQ+xG=xH]f]y~BXl6ҠV92@p"`. 
ƛh!fCm` gI;$*zsNg(I:%IᔋQ&i- 13uVB[L EtjgTkqW5oW 2R_ߨOUo=UnzF\"ÁՍl-$~'x;x0]3*hym,p]=g!bqieF{o^d+0fX\K\XVjK&}&exD%ugmaOʾjZ "=?ۗ`86%y7& eT0Z렕$S3ΊuPҏ _&vAnZ; ^ {R^(-}V[QU7'~p;iO.PſQ=-AhS=-íJnI@.JRwkpIYkdIP^tc8%o8{+a(80a' _?6Ȱk 0sI{DzP۩py=8htڹ@h W0ӃHmќEScAޣIWꌯ#$q$ N{N` SE5@R0w2貝=C hdׯu@ߴ;յ4l0`k @,B,dBNooa^LG1ujNɋӦ?67@[dp pGc<83 <@oL"ۜ( Įچ|j$tmϙ]Wѐ[sͪ*l̩H'lQD2 XB{p:.{xdoWZx!FȘ>yQ[b=)*{-Zi~8A 7zHDӇidцiRKK+_K6vхPm3:X\g bRj=,Ki8 y$hIbEYvKu׫*1I<`z:cD ,(/+F4ƭ}hzmP `6HQ~ k?w Fnx):z]z[@|F$rhh>^켎KDs&;Ox5/u~=h^Ӵ|-T R؃r+#@tdԝh ل;֞E"<$kF1N@}## 3 ?FA 5^0TߚE- (tgax^.CўTI<|~v$stޜ%y qQPJڼLn3m؇OgGt0D_6K+m1?QZ]D;^#Y2`Kcz6cj\V# '(TzI M-)S>y^~κȌ-R+DaNIvOj+R:|B1j f @4c0g-qgC%qt.7ps`Q:v|_ǒV>KYa(lmX8{ @jlj "A"Y |0+#*yF Ui2_CA@rW/Tz]z 龉g)V -HGD,Qж ~T"|ρ1\FXl_̔> >|=°1'çy!P5t h7v*1# 9!k:C?_ae)fli-о RsQe"{%<:VCJܩA+IeQ=i$<+`zdh2,.f*8fҮWoFH7I%e GJ7AO5q"P||mw@yyf@_ AKVW֩~"Uz0v<7RU E90h]d}P&p?i,r,tn_K_XJ6`-g bWZ2*iE4K >97!u wxy6Q$|Oح }B@WG6tYq:h:quXVj߂@| 1B#)6ۑ!v)=+\TJ:v}ovh:!">:;wEG+3ozj$Ո#{ /.ĥq@_؄$"bVMf.z%#}f ;"hv5^{+]e0WR",+vc:t?<sOթվ 1^7NWhg?۱ Y?54uYNl`i"B#LX)>. 1Zs1=(PU7AMpLlvq+Hq(ňL¼N|X]-h5B'/7.gl%K/:2^@v8v24'i! +čt آw{Bm#;5 t ^Aa]ċ5!|bi&w7&ƌVQRV=]`-o_֪´{ex&*eԧAxiՙZnTgbRZglcl)F،m5~?*R1T%2/RDh?D 2CL(y6RKlaNʊO"t`oO2@Nf]yGuiBL${Lc0rHP%4R)q]{,)" az8g0l:WgرU(qig/Vb&AJE,z&,YvgoځL4^!F=%3p!l_5M=֩jI;^c1_MS)SHdɵ{w)Ŏ/1o|ЪM c5ϵzvz'Aww1\^pgSCi٫Cxo{ih$X!K `7)P}K2 {Bd8^[a4\x؞&̫!xJj%{w:O4Xg!X䔘{;9q#TV1JivGB=O_?Ns̭ l_B>TIG`rUVh}K|cXNvj/i`DݹrFCvNۓS MMo4W:,82KQ";(8Bx4Yl~ {@RAJ|4z?fe^b6`9R]DaCf0 W]̻7U/|? 
zQaf ӺnBYvCƁϸ s ?yXP[z>'`MDwֲy >!_Ȁ]^ 'Fmgj:3-ݏZX];P^G̠Y1@{OUt_m :##*:D+[cq-=ѿ͝a=hR+F;f8v\7ocֵrsg nH/;EPI8ks=D0AȮSf7S!5 Zn(9^n'DZRWI/BB}'Ѡdcb0~MRwTSj!A<"?]$;w|m5\(&r^d'G0E491H>{~SKDpĻA;65)2?Q9vl[>~|Ya-Jqcpb$klU'Z~g;CH1!s^*04,>fYDrGLREu eat'ޓKvU~dp:5'x\c4O^nhꜻYȩ1<UPʥCRvETBCE K1>7)(#d|ʩb'o(ڥ퀠Diϸzth7JѐoC S߸{n_ϊViXR :7\N|?M,HulR?,xrRҡJ *z[MێvmZ5E'UMoP8"gɷݳsr%yLEMDؐfZϙOxvkY"ieC ^ϔLlB 1oG4R1*$_<!:t,}!E2+BC4Dm~/>L-+5r<1*"Mj9 .[\laty0[f.kE3CH]m$6(ߓ)Y1WxoY] x8̟ ѝX|Kcr؀t,Ku"V=n~s)Y$ ^L;)?%8(@ÕjR .;?M?6ɺ5oY)Q؂0=1TA@ ܓ(#S6n`G>tDk=\f5,VPhl🳙i +h~La]fm-Cn;JX[7GD&VS^jnZ7NB#.)c+s -ڢevhŢ!U51x~E=t܂]0˘2ZdYUͲqlb@}9H9w̔ *$>nĪ$h[&U%$1dp]!$vf=Ć s]n!Ӹ3ء37Äݲ(^RE;MZVB_4WK4U,@tw+`M>DRsy[5;nG7" {oq փ9Ak-NsF0̕0`RMQ63a3^THY;0m5=aCD%Cǣt}x ^[ʼM"!?zgpl'4bީiQO`"k╻h$RS?Qi%GU7rOGiBX]fqǘnt} 9<~qdvŸQLcن8ch:i+tB-1կPiR=y֞č&+VKn﴾PsHEF ?]sφCg ypoLD wBuC0g:?~BнEo4d^OqcgvpM)da9-uQ*_ Q+)s@hWIjK=|f`q&eͿh3@`헅P7 8F92Q\lW#"7*^y8RlXtNZds B8t<Ma}ޑ-&Lcnx NFSBԠbCg}JkI({1lTB7^G-i}Di*φ.cr#Kt-|\,-z6&cIsqR5q:uk:[P.#% Bwyu-X|e:R"*@,@`a3|uKUA@:H EUYAiݙKhYV>* $jbxpd[;g;AU8/cNmM`>Q٧D'-.Ϳ3Oc=M7?FC"X̌Q;5S..$CwN|A25aW}$SʛG6@E iOB B$v-OT (>X]jk /Rp"Z݇Z8O|,E$) =S/7KXk]Oe =vf͖m]:|#l|`}<'AIXc RC= Lu uكDAZNxZqʃJxB';|፥%<.Pm/WqR!D?L=HMzy#c&ReVsa? &f69Eh/j]fio{tyXcs*8`u}yCX);7nGR޼^DEox8nJ}o/AUM՘ B8G,Pfb#4}D{ Vv:XKu(c+:"֦7k+<~``M`{:oȆ5-< KM GZ x(Ϋuֶ*QgHh4Gh.RI639Azk+r[fI@whDv0JL89i&MM~;~Z@ R)Lno:;@I&z'q9Ek\D&BSgٙ$0T[".j@Ƭ, Fy:05[OcAh-ofzQ`KȇdoWS'bYPln#csZʸ#ؙu>EL-b3rv510ݝ=1%N ai 5Ko-aRG`r{nMսNdkEYb95p):\?@aL HS6İ+`Ou@ز/L}w[^ 6 E{$)AӉܫi@*hW)IBhl(=k oAPv 3Y KHbl(5D9Fq\,9+R.2V vZZg =F'\tRMsسK{b =Xi0H@8PA 8z -ь:- Z)JfxF9]!؆EqUr7Nv?/g"s[C?ȻD l Vy *j2bzWjЁFb4N? 8STLB=%݃HV:?g IxQ߄=CI(,}~pN4C|I$ni W$ \pTtV`*: %[p5Z5$gڻzү3})#ibJ:d5h;oT= ɫ7>gCAlpwݕ2f' a<)viZQbsv:_qĻ~qC>׌M?N{Ĭ7LJ1ؾglW[K>ݤO1w U{NJ+DSѼ;;f$ƥVO%h%/ ei(RHEnC:>L fgL E7v{$E@JkyJTq<^2`u%23r8` ^jݤDJ`g.Z?w.HUw >W2hU,7a,.` WB/}EdU:βeߘɾ4Ĕ02 ϜdFt$q+I{my㙑>3GfLގe\z~jѼk $"Pd5jr$CKBi^2(LRD/bOcKG~) i2(9R3hI7;RL42()37{fNMGѩ\q,4KHBmgIBG'SJ{@7. 
$Αo+ʮbԵφ9BZj5IdJAHkP3”2| H#& _d) ]|pTaE0?ȲJy+tG٭} ʼn(A_)s{x X>$<ul_oz3+^5 B"^cZ;1-ValCJmU`mB|鿋$8/c~[4\~-ӆH*"Ch^>d7?Ѥ7q 'Ţd]6ր}9T/n Xc/3b~9G>CD{aUT2g%@[ufJTʧ '.=3-Db8"rfPuH{Ûݴ(z:_b&v`'0ͬoQ3N|>ĨpS}c,(\(8 luTJk0K\F7ڜ,s|Z-JAWm0aʻK PHHߪ>G.ݘNK}s%Ų.1=/ș~`O(7ex>ڒ& Iř+6Tiiҿ1N(hhU_NYc~v",ҥBschnDY+쐿L8댐k^xAgƌ7 8g<o{p"Ȯ\֟߳aT- UE-0}&4)C;20jSpUd7A(jc^%7 f>EMqgi^HLFi;AO-w7K^:Pusľt6ҥR/q u[5ȢbJ?!Z}uc0' E;WΙNI KUwm)yӔW#M1roH-ުQV@YOo%,,(B}kK;Ku~}?ߟڱ" +l `$^u'gVa'2sR7=g:mJG)#?ҏu9 zQr #JM]}b"9r Fy!oG^h>ˇ.G4: >PЩpOMh{eUbP/f ;_5r|S102o ؼO$Si@-aѴ0tz.[xm.cN[j#\V:-Gc"(պCC/.={,;` !+TsZqVۓ|0O}"{MK.eagZ6_+l&0 (z5ɯan)Y;_ja Ĵ:\8 4aeIRJqwLTơ8KnmۛLGTFtPz\J62ideh<=i PC4%Y*$rH&I4cD}2>q*z; Gww긣S'=,H66yߝވ SD( I: n ֪i®Qr/g?hjp'apPG"N{L1.6hdf-*dں$z\86d]Oc̏۶*gU,+Xjk sFg94a&יN8KHƩԽŠ̒4fGm?Nc'Y=2TꕞfO&]]eԴ_s: <=lc6s+#4 TgAwbc`D n7 H,ZJt"Hœ N4qe^ɝ4P7MayW?U ,p*%\h?4f$!r$:+Ic),-Q^xL&og @T,%)Ly 9X_v { oJUTާ$#82So &KlC_'nxH)2'ye_-οy_y٧eu8Rm%bQu hh_[̃[,;馾MY+Kyq{aϠ*GOmjjR/} N&} mcS^D{J:Q8mJ`׭Jd]) c C#cdEb+W3v6n$}m%'å:IBclYi/8FXԧl"$ߘOD=Dy??Dv gNN̥g7%mbg=ΌZ\H ^ijlP  )1~C!(DN8K һ 9TJ< P{[Ǎ:kXC1 {S6¡Ez^8.kM6e6ZqA( aax4)/LޝMd3qě'KځTḫ J)^X=̋}r?[$ɭ11]0K?pHɻVYkq>kwCJZ-V2V(g}evOESW}3t*{v I<뤵 zdBPγyVh`z@t%_15un2CBtKO?9F>8pu}mmAeS70ӟ:D@Pi<}Q@sծd"0В,2[x+ͰchbnP캛.\~dak/);B7nOdafQ/}"B 9,Xtg=bOIl޲KhܯI%{a}YS(17@tJXqM-YM~hvuFQ!쇜%1,MqU|v-S5b7Իx[03X$Vqhm$>,ai1M@}ES;`| 94Nz!@b#pRJ+ :~=1DFK00 @o= j^2 5LbgQF"N9?5o|>ZsIV@sVO3Ph7&s)J~'$F#Dܺ8zjp%Cr"yweI>w엝< ߿۽6ͳf쨑$k4js|6s(#ȼ!`5Q{lJ{PKF h,?(,Aˏ#5_aY6+/e֭4wAsT,6zپZhj16}~'r'Yqp|B@ qFop}'Cx̤ ջ=س(-.Rˬqʐ`:UFs,dG뵒&VLMYJ`{ԔЏBAίQ7R,Ѱ-ۃG?йݛozIäAj*QΖ a+15W|];es-It0thhgΥXNOv.A( | lƨ%%^~rğ=ʇR=}b݂yFƑQU׌N16L)Ǿ&bt|ך0["Yi3^yZ3%bzj}p3GJ q]/j1qCgC6$%.mak>DlLVįף6:wR=e(- Ʌms>6j7!KNYT)w-Ve9fS!6v9,#jJ>W'$ ~]M|IP?!O2p΃)8c>+3uXԉo:ܯZ=9>l\ۯL^s<+mBF@O𡡘?e0rԔ@eg%X8x 64l#KW'缈i1k摝ϙ!k(2 {ۓ;wl=edE[4i4fT2tC(GDLtA5RgYY]EebBMX m-QA,o✜m†keH;ߦ|ꭊHH&VBG5o5Eɩ0q&%ȘYv×K"xn )nqQ&)+d- yl%hDkwh;q$lU2XT >{bEᆽ Qԇ(]-U M4?x2]CYOH.bGꛈ*6= {X@oLmeǂ\a5ܮ7"Qh*SHw+@pXsv瀶67}iH ;džE|8fI{P;U)];y.^3H}jhNJ %yRb4W7-(yL9G 
U8W֋͖HIVI|O|86_}jcC-7)CA۸_xs<Ա:lCnO\ŀxl 31N\k 6C[K?_4!c$wz%.ړ͠囉/C~ j^P~ @ '] D) 1bH)XX30_$Ѹ)kĵ4?|89aǦ`7 k]VZGe=;ax%p4r3ݎlFkFJ"9u~gKiA"HP3b8JPbWQPLi`Gù-U"9(Iy:Fh._KJCE?rLX gP0^dF|B~J)%@k?gV>ztmKq+jv噭 t w(y9MOR>ޚ>fLJwQA" 뭮A4ujR.g"F-{|-V@lSմ 0rIyR)%h &wMhJ6Iݸp xl[;(cvSG{%]0)_ѧk#hg~OkSZW#W{ӌ堻{ӛ/<9\H7RQ6?xEC6$ 0:+}3 8ubc M5jv3ux`^Zkrv1SAʅ&VtHtsKR,35'dH͸3Lk< x.&'%<DGz弔E"<<+*8D{~& ygGf]zAVQH)wܢ}5|np-i Ҷx6?$bo 4I+ AПgINk$0yi>m̕eT7zs7 YL`/=8;?*yi 3|+AW,$|#TGmjk?Jv4ncoI=xK S!}!-mi~벽1~`& hߎXlzۖbDeKŠ3ܒ 4@{&̹N6'<G{ېX<:sj;$@X u01)dbVMڭ1ɷ^g~E,@tٛ=ӏؼ *q]BJb h9Fk?38$Bĸ!k}$pȜܭŎojN(_;lta*.XDκ)nׅ8!:y]rƒl ?.[. 3 oSՈ BMaa(l_ A|uMqa{R\2J0V]AdXؕG$!E%Y>-HWyƖfRWo܈y=ݤy}"p.RVN(co5K:]_7E= Ÿ,yy^cJehYkSKP)Z"r]G3=^+:v,˅ΥHI* A~",NVI?MK(ԏJZZ1u-DyE@T$)t i% ͭ98c~F%|eq2O%DM^2Bb8ɟ\1q Lc&_p&icݸW,"/;6#F|2gGc&^ђmζK*53xC+q 6$/=c jV:?1 e;_QRJ۸,2G\ } Nł>]9]W-Pbwʊ,3\dz\05B'|TO+蠬V#7Pu8hϓu=Ȟʼn+dT~G@UQZc%9zn55m@K D1__<&̣pu6wS/yezy x\׎'HNI xG9UL.]K ѓlnZER;I| H7KjǝcU_QB@zaWrpVeʺT ֪p6Pkbs&r= @ 8@7sCcB3 tҭmQ(]$B?r!$> (p@?Yo!C6ѱ_MXYjڄvS2Wo4-֏*N΢Ԡ9ch)c^k~VЖ{;|@Yj*'pD݁b% ֑u[dRĚ|nCSmaGJ媯A: ,qIe}i<wa7n'% ɫIO1ҕVIaMxPjSV>ޑz{ƫcSXhdE0Z,T%+"-^J#3AZ )2;4uT ,)Tv26II š d-HKF}77YMLX a"/Q"%Nb#fp_F}+?`h߇`8໙IAg9KB@Ÿ6zqJrWOeyfTkFcY~N`P}4ƚ9.ZvtM.O# y@;*=d`sgS;n @C\9nr 3hOĎgɥ-N1;\4^߁(]|5f#?ab {\a˙q/yyY~ƭd~v\)(1=M|+hZl㝚KAHJmZx/eL萌ЈI FHڵe))ʫWz@^\N t lT˻ -j(,NoZݮ"{#zz[ 1=X Y8><Ӽ`u{-_տ0xal~WNd6}#ͦtGJlJO@+(C̥eN%Rd:eW[pӳ1pR[ab+jA $PrmY+feLV-hlğ>5_*[ X"Z鑄8|xuq `]*w9AuCܨ#BЊ͠'?{6NS n{mbc,kRz F@A*@vKLZܕ]顇,uY#;t1FDpF-a~DԎɟ=YPbm7 e?|1ܷnrX Nڒܞ(ew,Fό3,c_neG R\>ZB)]ʧBRhy]MTHRLPKH،(W @G}~GnϽy2/_WO-8d`<6 #[ qQ'{rsۋ/ӝ {ڠ)x\ݯMaAuKu g7_;H̟!g')F 2RT8Kp<$ŚbOzfE |݁bb) eiyl2$cHmLa^;)d/F@;%;e(QΊ=#z=~ɖzJecqͪj;{dA3F5OT5.|W_"o$>WӚ^'\?>B%]h#ըc >4段ٌ`|4ԡ@ 3A U$_7}o+֌0:E`sE+:0u^K6%99?;GhWb p.hd1R?h)eIC?AGIϱ8u&㰝@:9=4 !0$ͭCTm kmW@p]L nta9>%kw>#KזyOM5"}-~Re-׾ ﰓQs]TL!RMy UzYb26rӆ/9Qؾ|d :-k/?kEhg&^XF#M]+/jg +F]As4e_.yK]L8}+1R@6hgUMq C5;Š)x}]7 ~P,t B#w<̽Aa~dx7 .[&䗌N_s`rP(q:  7KZ9$ϧ1 6V 3R{S\[^podK1,Őh`vCN޹=HIb<`tieXs"Ix< 5VLD*-UDX+iPiY!+X ѩQi<.m=wUk.I`ťf@U/i Gy׾ΩHrOw̢ɼZ/ 
0;Ӽq 3r-N@JFL:O%I@gIYs 5.IVؠ_ɥ D*q-sUTZ(4ǂ K?ULWI 7Q%бfJ H̸ 0!8\Qې֟D󩳢=Q6 |ɼ* ]2*O5Ō w2e@g'>5!j K@Bz?RoJWeafS;S.5~%&Vw(g$|u>΢n dCs:CuQ)EV1PK8Yp[b5 WpPROZ䦫i+/Мf+K ^Wk|w8 @#Q5g@Kc3B,o3k~,t+TA㙫a'R*Â$eAomp J6!Iݽ[h9:(: `2dC}߉l eekEQ#DMu3\.E)3}!"L1@% o$VBZ9Aq|~M-MKTJ[`- >ts\p8t;-u fv csRMQ6WNXYayA؜^$YΊ'W~0WRY?r~rg")}S#i=hΧZɏ4Up#Conw<(KOJ[CDJZ)бM_6n_L\R폛2$ PK)3b<At1RPp (Z]:RF^;TΙ+m),#mOgsCv-i^ T.މΜ)?7r}[^&ro08ȓ~Egfɇ#~#U9JճsՊIxWCJC7f#$SᢇLcl:]np<,hTgM$UќSp H[1|떯p.pv ~lqB?WnPTrkwj˳pt>- lpI2oe9P쎼6uًR)ȹASљL,# O, _ҠwW0M'(9ȋ6''g!AmF >=w<12pB:3v cM֗eyEaqa&lZ[=w0 ZF.,ɲ,=/P~KVLѦ]$RX:A2 X"`'yNzB5SQ|^JU*BViW}.͚C-~W hH]0ʽJQt0\H9X gK LK% p|^=űP~6[]+cjdn v~>TzKtk Koe!'834h0(XI)1&-F5w ∶IZ[j0]Xt,~]cX.n'ƹe۩k%ƣ+|lE8iiݳٜ k]zjS3}0?IL_%6hH5em}k]00y%Ԅ, 5mC*3qtϐMzV dnD%HUSN/fmڏq#2zI/ ~^NEkFS 1P(1Z)"7z DwzßaTlW*b } DÂ&Ι"pbK8@$,}iyZTٗ|Q'ǩ-KW-QI`"MfAOՋ F>fݳT[x}͕>r)kA⋃z5CV?k-?>g$ Ya}"?դ+)}@a5t&a sԽuJ1y8ay8HX< L|Ւ_S* i8ZQ5WCJ%B\'!>l,C鄱9 Ew)M0(0}@58yfյl4`h~Q $5zJOjkܞDt:ơ5i|js9Æk ԥNhe X8y:=*N- (HB٧ڇépʎI7y}`X3/-fYE |Q|Plv]sbƍY5RmM)ZYݘIvA8_jAVz]aǢι5)ba ATS H/g5kZʟt-? 
EkWB=E}oF0rw(2%x`_Hm3tb2kazw!Xc( BUM\IWLSĥ'G(tn#pw$x9i/3 Cv4?;IK2M~L_gs JErjQan%DRTBoD찚Bs$b&ۜ k/n.L䄙eMN^Y\e+tiKp9ۏebm{6[.n@^+{2Y璉fXb"P-;]s)_5{+J3]\7VQ.36(W _vAz_Kp7o~t'ܘV,QBc裆ZZiFC$Fm@#qQ{Ϻe,iWcAvp?(;r}'2Z|:eaY!z@6nesv0\!>% ՀEF5<0]t!H`G XGVB}nt}s.@;V6^ QV6U [|E[.5K):5_k | ǁ6imb|u/V[1p-Q{E0STԓ# Zk*zmTlL*zUĂ>Zn]P1J.!9& X]%KXw* pץ27z2y G~uAS)N|j;s fr$4zRǴ:Fj3#NxϞ'K]Gl1O;~IT 5 ÁNۊlµhPHC詅sQehJ;M&:+Pڷh (~>51jՃDM{*|TY)+vb\oݒ*(?sY-N)P }+?ӦJ8`dt5f/d yqE4OSoa\P쁷ܠ!}Ҕ[E|ʋ%>>6rUU;nʰP Ӟm.-C~qS /޽ynuXC2|@MQEkz@LEM:0j?y$6~j#%wJ!wUː^6u+084sDO J/"ՏP 3(|2'S@y8o achfy4v+'BLonߐm#NnԸ9w29!{|[&+6К1&Xs;qhzP|?Pexw^Fr΋l9ƈ^jM-X{PŸq;<{n^X{Сy9pp`@)"^ȫ-Byu7$"}*<0:`l^/3KMx<'t@(0aWKR1acO.]kC @aRc&x*W4gu8^iRh9d:Sl?&鿸QŰPI`mYvD-6>j nFFk>]c.&1`8 2N.4`L8 %As+Z^iQ~DJOByЛ/4h;`Si,lr'}Uռ:]Mkd;0zi*J0l R-Ɉn<%MKOJEMSA0; )gc!z}QԜ,VR V"6 )S !I x 2^d3jʳut-^iBPy“> W|\Wlk/|ˬǘ0TPPoV :bCLjEa܈\}e"_wFsyHx [>%m L'~r]={qiF+k1b[j)E`qL7iT{Fm-^WAvHJbwYeT4:cin#cR@9yǍ'y #4l3s.m^~N{bNcYtE{ORE&J(sⰀ!ƖGe (Rbavϓ޶7Kx +ʲ$4 +CbU)VCY=L#&z|CrMԴh|#ؑ)Fp%0!HH/=3mR!b6[NCyV)>q>;E(a[@DWߨw'AΫ(1{VS\٭I`xHlvy>XMp[szJi mI90b"sYX̖ ᰷e!g> 46 txx#r[uڦr.50Y}mXE)uNJ/%#zc LxĵWrmG+E.`O3Xղf$?B*#; R9^3݁*4 xy1oF8UZӘU.mc".Ir(V˩,^vH=lIݢGb>gk/1VyH +}@4{w^ù;Ye+Ҹ>)3=$hX>H$:mȒ:26IWzlsfU[A;Fܜ2-2fhXy)Ҕ ̅ rH툿:>%E,A!ahQҎQ{ö DY? B&u66Z?s|?<0S)cܗJR}>(=^ 5D}~tXHEX|[O<]v<ɼد5]~wIk΂/)6 KvH]fpzƭi1TClUokYP4AFK5-Jr '2F|M'dB\q) --q+cPy rމ*i8ĭr#\ ˦mG ?BqJ-,N9.R6@Qc2tjyC~G`vBFX_*X,k k { fpWkRIWQ` 6J[=- 'ܩ/iyyl+7nSu mW6t{SǍk6*m’\9!5h~# {~$[ N4-0rkcpHX!|?[+Yv#o /,tPQ(i YH݂b9ݼ?NL*pEȘ JԗZ#j9 ! 5"FKN 8̀89C(DG"q} F\1k!C/ T/OMr*YKrP)>YD^yd ºoj>K䔑x'T52,?([sm2W&gO]S [K+;^¦n.4I x \qoM2Kѧ]˸&Ǐն} f(|L8D*IkW;FS&G [2v W.7-a.pOn@ C& gZ-zp'd +w=8b9mo%UjΗ%bng[tEGy$b1v wMQ[UA Dy\oB vDŽR榪;(pӻO6ͶK0jvx#t6 $8d4)SJx#e %&$ΐɮ[Qv`@4S:Z t@0 b] cYH[]Rea #EvN$-4BQ!yƣi1?,v 'Ï*mGsjNRB~ q4ˮ ?C:wtdHΩeӝL&.(r1ro7WobyM?Ɏ/_ =yxhv[{zӼ:ܾlfGZ5lQ}pm1V<;ӓhrU!%k-? 0>MNJ/fT_C]CGx YW$@ e,EBjja$5\. 
7uѼf%tRrh(w%դ(usmh~YH `j<@ڠLf"`Z.!2Z^]8.T j4 =AQd5S%mf»g.$]- ":3<_ugq+a 헓ZM_KݗrqDUGV ~F,H@7 ƫĊ1 i g?B(< 40g/Ds8HSR(K]Ķew{ qAݏҘvߠ_0IQ;5Rõun/KBebՀyD-^8NH`Sp7g&L07p<AI)FfG(` \Ż0-4JtAݪ6e=Jk[b b1O,KH3 y 9@?یmѐzo5XSH{ Vem#nZWFn2(-(lżj8"`$I-] bn$8ӇŹX&<< SfB>2,)GWܫ 8g;OaYsh DuJ{HR`ˢWY|}ѫ,r")$^!X\ ޑ==˾l!ӆ3@7z6Nt;SheI^xuegSwB|0L 1`4h~&ZR_\)[+=5 - DC,$m^r6^2M^>f^g] ȪO@ %q TEP]î9[M2"_e?*t(%V#WLIJ qe;sX CbnSXӁ մIm>Q(>|KhEc`ER#A]563q?k˽>LɍKa:`iH0ˮW=s\9ÂGj 'ZðqR |j9}f`xfH! S"]Ba鶹aKbuUșכlX if]z*Ag3s;^Mȋ-l;t*;$l^>M~ PeL] Q#I]c\0`gp'a_gc pc 8=dAa?[$SmsfТFHAy4F&Λ4^ģ~X=^M-2=MFu3͖}%/X4?ТsòA:bjTЖZzHMCtVF/.[Qk qP򅥐<1WyD) 94^W}!S(b4u0K*5 oyCSՃPXP Ѧ}$-h;٥")/EnGA).ԜV-K`21w/ v7A6Xq9:yA}W܊yCll?UjN/FcvD2Q8^B*1š"';md›Cb[>'ѱbGDu)ҷY| *%0c" [3S] ~ڍ27bS7+42)F#0"۲,L#Dذ;%Ѯvg-NMI1x)Џsu#n7ƃijcOsVy Ots^ٖOyե@T* !kE~uEO ;֔i^o!M7"Q;G>y&l{j:D͗#|GO3qJxMo^.vt\氓ÑsX~8 1 ?K/oşWyo0ຳgb/X'xA )4׫^(3;V?)jO V{rZHR;<]J ;v,(UPNu<=f>vxY8%u.؟ q|ǡBHWRS H)^bj3,]MP'955.PêYRlLR.r#JvW8.L٭-ylS]ڄ_uطVcd?<%E|rtmdH|)ͤFe?._kZ1TZ ^q8.}=}Fу! /n4˺GiMajOߘeŃt%4<ƅ_lq(|ruVvpm3<},d?UBT;e )pf.Z(6[{D&4Yi![nNM4)w`s'ﳓ ~d\NpoܔZdg@dJ}r_gƭ+%V֢xgK{WA^QVne4 >cV"2x MXF[q9Tt9 垍HM{*WTmӅB33+`g΃2p´B*X5Jt@>0~pfDhF1e)I/#gM^J]j.]tMX[D4JݑiSr.$r*qsݹ4:zw 5[|4S&9Ui%x[*: s R;e㙂Jj'[.hDRPNĠ WքP4vv`p%%{ic^Ǎ߈DMW`J~ (ChYTWe;66.&$Sd ؅ fr{n2;aW$O5+/|f6u!nn ֦.MMʿlQ0RJY}` w ˮr-Bd/:eYux[{D *hk`J%tfZ 4l h@M!XQag^UDzE٪G)GS} oajرm6s!p/hG!Z:sɛO4cKk4tx%ZQL ył ~8t> ߳)4,f`'.&7ڽR-{\pGnx܅`h D$Plp:m.k~(ksYC֤j>x]8(@zm!W#B?!`;V ȰQ!5&wcA$w=8Ş .z&U{W"VTjّ =JLߡ\az¦ N RcST4#pM앩Y@؀ZH l Xy;XυN687)? 
іL.LL4^xS ]Z)5UP7=_]TT^n,ku w=r̚p"٬܁AP^#f46$]50 7m12v@ (L74-4oi5_X Xr $>\V>Lx ON[Kp# ˴a~M`>Ӡ;d+ƻf\KDY8+(õ-1$E-t4uc-Q|[ DyB+־՘,8n-Yv(E_9ڝ< '960$[X6\v(jt'F] d@[FxeXeuĦ2)Wѳ{d1+BVNc 6GgDvSv]w7)kM~b*OGkﮫ,D5.b~Iah5|a ɽ ܄c'!U:'Y0YR|niBwt ~glAy8d=?U 9&9pp+/ /\TA$7iSHjb}j^n*ض%;-MR:'FzEp4E@/p.ި\kBkjmOb3'#2N`2 R\(tq-cX5nhH}JhK j +|(_#zN2v;Co+%yˠv# %Xo6)Xdo8 53XS`)&gkL\Iy8hɅFϟۤS9߲-uu/ YJƾCB0ǎ}ѡxBm?#w,h(˰?uONN, ǻ 3=3v:NFAm#+L(<X>g(2(g2؊sX/\)9Kٻt7=NX"P_9 Fxǭ#HʳBls|v \ .lP~Q_ ̮yXh{[ju1\9˥V;0$囏/ y[ (SJ>yj2< dS2aN!.o&fG!_`B-b3$X(WES}OU]?jrr`\8zO$<LRl`+pⶮ|E=`/i8].%^."/&xG8u8ګ9rF9]Y0?7[K"%jl22N\ƂӢWXoٰrPXB iqOH#``:WwH?nFXૢ߹[\9f6JUMKGm3V6]``Jd#-H1=7&T'y:fHu?e?)ς4Z kMYkq'zDt~͋1}chCQE )K%_ʊX7H \j6{Y; =F5k-  [of-AU]ښ4HeѨ_ϱ[; p۳EҒ&cgVŹL-*p,;'qs`^0&wX!岏eNcxF m{a:aJXQ{ ԣ%C#uguΤmf7۬ΐĉxgJ=/jtLWu5 lϿeϏ=!Ƀ3#ʜb:?nJ%$zO5Q{ПouLtO=U U; %͢x52QV!L; CA67)z4Ѓy0O4(/tUu=@E59S*!e-B (l8<ϡZ>:SӖ!=_`|%OǡX%%?z߷E)ζ_2b .UٴuL|nYd(wXlK!/#3%?ٟߍGMvwOۑvZԳd&[16 K)zg;y#jwz:WT yk4{N>K?C}H`/0>&z૞Dư4ǧ{S(Ol4sa@gRspBQ QG_EFV!cԡZQ`vÍ#*q&֍[_9\ߕJ!X,?n4 K˻v <'}/:?#jWRC' ޛdp=Ifl| O P Qz3R|KUZW[YɯLBk濬-N1P]N"[ q}q2vEXSgx}l"us;6oB=fst: Aȷ /jEf<"v_ JQ!ކǬc/]p},V>AG`T:OB>f,Dù 4 3fCZ&]%#V UW^A8_{?n$oJ7HV9hĒ)`-,EfSI*)u(b r|׃Y3/F .orhYh댼pm92鈰8E"ަXx ď9fقtr~O$ J&v\XqHipE^|K`0NYTJll!Q[cRTWN˹¯%تZj@1 +bhIpiպG,*Z[ y)WHK+šĝӕ b|P4$<^#ަgd:!|JA)itJX^{g&kTbҶ<6]&a6|[2>\?>L_)e5 i%"6~1ͬ=$V#i.V;eE  %CuA' 5stA3ʍ nj*ڵNqd -ڏѻzo!cv@dI1s˷To{`pC{[+XL1ˠ5pid]q_VҊCgNWwF y+:hZKVF3DbzC1ƒ. SQ4-(䋢RnNi,B,|6m5?("}wfe1|\<.*GwAHc8^qV;Uּ" /(g"W۝=GGyJ?MVXZjx=}rqM} ^ BRhF Vf 1-Eg̴`Q'N( "0^49dtϘhWv?B8}VكԁC3s}%iO5t#b_DKIƣn}4(*L?L lul|g1Np [ը.f[ڹwQ 1g沗f  X6I/oEbr#{K ɔ;w̷5$ ;TZJ2vlBUt p -~Kv6划'pFg E4IYp0q[Y mcgSxC>>j(#}{G|?sL!]-RGiξࠨd/2Eril7ZZ c5lAaӌT dr埭V8~֍9[qvfi!Ga`5- _;X'uid½ %F]apU_j'fQCr XLvT1܏u>mp`:Z~h6ߎZ?q y~r=b, m_N[ɠ4YfVy_}q@ܧ,|"d/,FU@!r8 ڡ=n)Dc7ڴ9Vǥ_<,a;/ LLkpVGڷL/JJ!;&:Q} =kU[)d_KPC<,\Cxk&(_uW<=Z u>^ͥOh9/,]HY>x5C=N-$pèӣO)=MA3H,RSFwx}B׎ܐHD*i0 ؝Ppr? 
'iM  Mt,vnۦڸaJ4 W,6!DɘgSP՝H6 M6A*I{'AAfe3Hr><4kwz5^*#m,lMWoiv}gE?UM m%t %NV>"y>ekbiɗpqm"B:p!@ ;af]tՀ@W;dx˧7dhx=de ͇~THͰsGpxC6moLNéojRS `&Z«@21v>`lXÁKՐxp g>r׹*z$!¬zjlk"ճq9vD\ALVf;o9 ͺ; 7o~Qdr˛2gVVIBzо\[ #Bc8 *Ȫٞ,{WMo1Ĉ_oot7VILF(BHg8*{޼F}'oDB[b@a*yun$#+ikE o&:@ w AwSM)Ѭh=E`xqi~: pf^ZcXpV䓙s2 #iX:|+/`ɢ0Su'#M޳D6NᴿsX" hV/G/GX&3YGYU-ŃxC\O$mF?@"E߫sO_TGߋo0\ˇ^)V-@G*;0I.n0 3iPo 4Ц,},x͘2](EU-VՆZn ƥ 8|Vį0ܬv@U(tw'=IYt{A%J lj>ڵOE0~D\_'ȈԁMRBu;;To#%vt (cRH'e! 1y<~<$A--.Np_nhQ\n{8jc:L%?r}slBqH2r|%)Y_GChoT4cth!o3ZI`ES̹␴cRixD{t|KR.K"Ea@]Uh T󥶫x)'sz6^LJG5wi.LL-OtL·9CEC0 u^5$VjNؿe沢:S h,ZzYrŸF{LHܔrzӆ(XG0L#!=),e2t8?46, _yUלIcgZ:(i&\ދ?vCqya,-u{H%NjŲ Aex[b@mA_JʫF_s*Mnc=ǻ'`bIW?`44iҸxf5~]%LjvV> [FB\-RVk=6n]eV1qfb5Fq1Ɍe O\RÇ"V /(mU=~;>Qd7 =RLSȄpnhYI9h?2%[U7D.kl=OZ>9Zkg$@J)n, r~ƱޓUv 2pxDstĻ ME+m z># PIui6iĬl`ÂLjG\hPT^|Ti P#deȮevtVl1B ㈛߰ׯۯqMςp3*xtdLw4xب6#};dM#h=v@7b]lvFd hB?PqT<-{꬗=`2HrQ$ %PVN6OǨm͌m%,gƕ*?LM˨,wINz !m+܉ܿ|cv79(7#]r i55k޼|mKavNqAO3#0?f}_79*,+W 2sƵ;6hlhy )}~/#Lw"`϶+V\bv^ V ߂B,J͊E_մ,sm>>a/id5Uo!qOYw?50fpF>U4_'=0bÐp!ܚ9r.pHI s|=v @=/z\I{Fq]e6^3j^d/fz5/=F%WnB.[$=ӣ`sKЅ.\٫_h&T)vZp Vա$aݽ)}08S)(ޭk):Qq h6x^[dA⌖sS7sRGvjj2?ǟޅ g= {;SLɍYY:4 hV&&g<IT*wѓPtCP>Cb^b+cO[99jowxJ։)X@ԙ X} ֬!Tэkڱ'T?i^S}keRm|B-ɯ,wa@xvl~G~.y#Z#E.ÚQfkoȊKz֝NZXiŃl]ĦOF4 fyX''f.";EX >aotxʼL{4IeV5!3w|^M'̜F9)JGO!R\ fzlg,ې=T8|L3W->H|Bc-XZ"rzfZST.C}!qAq P9ku/&i|^pG*=+[WezdX~aY =Asc zO#ԏRkWH|3ǻ{27\ t"7\_G\!a$$) Ҿ=4nALT';f<~O.ң1=cC]=RU^}ndƆŊyp@=Zq'GiXj u^ҫ?00E<XD8t; $MX)t58-1xm4T[^<oZ2%3{=^pZ0d7j]G^ˆP$=2\'M_l{>F. BI [)|O.Rf7Fe>۟X! 
̭tL|RM>FTZp^wLKnh\,\~$mt~j7^Պ+PdZ8̉W~ݍ–jN>ry0M*b/AzVIWOė7B@uad/v8&%j+LXU:bذk m`&4*g~RY+)U?^>-{ JȀ^`LuHBPI-,Σƃ!ZkTZQrN,gX4FneIv1mZ,8Rrq gQUv^ ^yVqA.u[XeY8eQNɌA)DGo *xma05 մA$ڗ @?g0gŜ%##gAd;o%ӷJg|HEW0fFw4'<ہ]iS ,SLT-~fzqk1Wױ c[`=˜髨G|t.FzUTZ1"E ٔu4>T  KAMb^K3: GuUm Ca&s⌰b,& ~nɍF` }Ve!7F'Xj]}XB*>9_H\pjf^:Lg[& T]Om ىC,LqiCm1|$$dqg(ݸ/A \U-~(/ 6-3ebDBc+s5ʇg ;2N K.AH{ҪAqjqibۗqcHo=p &8pz|-Kt:ޅom0Q޻!w⡢TvB#'4J;Q\AN^HCj7ظf靰 P ,>FoFrsp>qOoafBܩ@E!7Is8:U %8өgm^YHb(RTT}}wy|&G}kSw9k I7+ܘ]`x?t3]ƞr@dJ6o:wKTClh ٸ\t|L>9Wvk VC9hLҔ{[-H7MY۪#>&~ ):Lo!|ԫ%UXa0q lks1wͨO z׫P9uDQCg#Ag v 59J2a쟹jwfaWJ$$u aki%nv)O>٥ v^'#,)Bxh xWv|" .A# SQ3 5 P.һQoTfj/2r #r/lq\Pa+J! E[6Gފ3YZv ҠWMbZ&$}ԙU5#t:Ws)"W. eVhF/5rsS%Z]mkx M{Z0ታ(ϰi靆ˡpٿX3 RN-֊xc>)YHGHfIrcy M^OeF?'kb/L‹vCpf=Dq1:#O@YU9 ^qyaX?rDLY =swdC~ (dq(U^b5Ў0<`{`ۆ{vOz"jɿ{2>M{f? ߋ#Jߝ xzIP(T6ީ%hɫ#TC4]oAAM/D-̏ز3oߌg7RB#b)[p3XTΖ0F׍?f[)2gG`Ki3!i9e`oQl'j 1lYj‚ТZ򿬡clda ;Ǧuq CV7B4Ӎ%Up<X U6{v MyW*if͞$6> 0D8Zu;ifeX^&.2i'Qv4D l֛&4JHgJOnJs!Y`87"|Ǝ5ZD|,൝‡C6muEGmx, N\{y @aݸSMlȵǖ\se(`v貭݃ fZ\,:t%e//&.8:1}1=E_;+*v?Ǎ7t=@d'ٹ\wX% [!ar#!;9  HV>V*Cyȯ],W4XԄmݟB$>y-; ymLt B8mUvmr|Sdۡӗ>%\q? wF͒n{$s":^,fUBB԰|7}=ZxAZ%ai i)2*  ccW!^}\h$V!ar \Q|H{ئΔa \bꖿoljH sJ[T[,EZC&?&ճ=H4j\X MXpm>B$3R VL !Pz뎕Z*ms"⧎^_V!Wv{@3^$ wojA)kfOoGm7w,ڏ2;fAݦ6sEFᙞ_%A/0kuaH{) eYZKm'B%aMff7+B( Zs礌?KN%0-ٙnL yE˵dZQ xY:6kr+))qqVoYܠҷ!~켇o[,LkQ8x>p09]Zn tqF7+#7OsYVI]VkLCM[{ZvΦi 'wT=\ k`w.Fj:Q~Wm'Φ!/T ]NИX:_Y7u@a0'5wb|C ̉"a2g'CXyV)+vތ|qKZA;@!h=¥j*82vcB$PbG6>QRTL^.-2_+.;?2%9 ,Edc*%.tqm^x솲c G~B>cǘءjXI⋤doLZ5f(Y*Kt 1N{Gx@ ƃ)+.=k#tC'1&LUiθ_x*X X[ #|9767p:fMg've!6q04-'ֱo1P)׋~ӄnwܺ{PYNc382$Ms=Jw +η0G;hpۀlj&}skhtl?L<);E̙1ʙtEjew,`sd^Iızyq D,p0bC o5B&Vt^^E-6;eX5dsz1$%-Y>r9? `nǡ cey\uʈ/ʱ <>,axlj}e܋IqIה ϳdIG]FA}})I~ $|+fK l*gT`_HgZL](<5 +*ZG]z›wyi4 :,gE鯏%|Fu0J>0.RVkq .{{oªgז%ʻ пa[QSG^2Ԫ)=*-%RJAoo?Ѵ?6' |Þ!'=Zw`&T>7 IѦ x3B>PWvYb^jڝ1إb.)cX+:B̨݆ \m̎o^O/z༈ &!̄IF]Cr]fƵn'Ov +t- ܓu^0JYSZM; NVa22;tRWgfGZt5]359;*VqyN=A8 _b8C^}Debw6, ni&Mo ?gu.{ 'Hr,X1mS,u6/Q: ғ2u}TӞ{~i0Cx.D F@x!v'G $;H:fKjgnA#3وXD6n-'~. 
K@kǞŹ ;8i*[U̡q\WɓjWHýlox-bw$WR-(Νb#6@9ɟ `#=Xf>c]5U t@0oWʰi4_r.QʁINW 9PkxQGZ=PV*CZ3u4fb