sssd-client-1.16.5-10.el7_9.12

Name: sssd-client
Version: 1.16.5
Release: 10.el7_9.12
Summary: SSSD Client libraries for NSS and PAM
Description: Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD service.
Build host: sl7.fnal.gov
Distribution: Scientific Linux
Vendor: Scientific Linux
License: LGPLv3+
Packager: Scientific Linux
Group: Applications/System
URL: https://pagure.io/SSSD/sssd/
OS: linux
Architecture: x86_64

Scriptlets:
/sbin/ldconfig
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin /usr/lib64/cifs-utils/cifs_idmap_sss.so 20
if [ $1 -eq 0 ] ; then
    /usr/sbin/alternatives --remove cifs-idmap-plugin /usr/lib64/cifs-utils/cifs_idmap_sss.so
fi

Changelog authors and versions:
1.16.5-10.12Alexey Tikhonov 1.16.5-10.11Alexey Tikhonov 1.16.5-10.10Alexey Tikhonov 1.16.5-10.9Alexey Tikhonov 1.16.5-10.8Alexey Tikhonov 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 
1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 
1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 
1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 
1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 
1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 
1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen 
Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 
0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#2006382 - IPA Intermittence fetching groups - Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name - Resolves: rhbz#2031729 - IPA clients fail to resolve override group names. - Resolves: rhbz#2032867 - AD Domain in the AD Forest Missing after sssd latest update- Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. - Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#1984591 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains)- Resolves: rhbz#1973796 - SSSD is NOT able to contact the Global Catalog when local site is down- Resolves: rhbz#1988463 - Missing search index for `originalADgidNumber` [rhel-7.9.z] - Resolves: rhbz#1968330 - id lookup is failing intermittently - Resolves: rhbz#1964415 - Memory leak in the simple access provider - Resolves: rhbz#1985457 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-7.9.z]- Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z] - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. 
[rhel-7.9.z] - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z) - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z] - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with 
sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. 
It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. 
Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known 
domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. 
- Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross 
realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? 
- Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used
- Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses min_id/max_id
- Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal
- Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users
- Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set
- Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map
- Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.

- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process

- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION

- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION

- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed
- Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True'
- Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated)
- Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option
- Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing
- Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set
- Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]

- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache

- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash

- Related: rhbz#1544943 - sssd goes offline when renewing expired ticket

- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems.
- Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket

- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server

- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set
- Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]

- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust
- Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc..
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]
- Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0
- Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache
- Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads

- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert

- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card

- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend

- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card
- Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user
- Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads

- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests

- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps
- Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view

- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log

- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation)
- Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc..
- Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time.
- Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls
- Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release

- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different
- Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system
- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available

- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
- Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5]
- Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem
- Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout

- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different
- Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.

- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads

- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache
- Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]
- Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault in sssd_nss
- Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs
- Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules
- Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search
- Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different
- Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.

- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+
- Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server
- Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable
- Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default
- Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline
- Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser
- Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError
- Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets'
- Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder
- Resolves: rhbz#1464049 - Idle nss file descriptors should be closed
- Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh
- Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline
- Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4
- Resolves: rhbz#1479983 - id root triggers an LDAP lookup
- Resolves: rhbz#1489895 - Issues with certificate mapping rules
- Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section
- Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only
- Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5]
- Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache
- Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server
- Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied
- Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter.
- Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis
- Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30)
- Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder
- Resolves: rhbz#1489666 - Combination sssd-ad and postfix receive incorrect mail with asterisks or spaces
- Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to other localname rules

- Require the 7.5 libldb version which broke ABI
- Related: rhbz#1469791 - Rebase SSSD to version 1.16+

- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain

- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled

- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information returned by the KDC during PKINIT/Smartcard authentication

- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in

- Resolves: rhbz#1455254 - Make domain available as user attribute

- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password

- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomain in /etc/sssd/sssd.conf

- Resolves: rhbz#1440132 - filter_users and filter_groups stop working properly in v 1.15

- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD

- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option

- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer
- Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections

- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.

- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail
- Fix Coverity issues in patches for rhbz#1445445

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests

- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail

- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code

- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option

- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains
- Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate
- Additional patch for rhbz#1440132

- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient
- Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4
- Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3

- Resolves: rhbz#1440132 - filter_users and filter_groups stop working properly in v 1.15
- Also apply an additional patch for rhbz#1441545

- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user

- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter

- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package

- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches

- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides

- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains

- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.

- Remove an unused variable from the sssd-secrets responder
- Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http
- Improve two DEBUG messages in the client trust code to aid troubleshooting
- Fix standalone application domains
- Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces

- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes
- Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users

- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users

- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name

- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used

- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6

- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present

- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11

- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps

- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc

- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http

- Fix off-by-one error in the KCM responder
- Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces

- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh responder

- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users
- Also backport some buildtime fixes for the KCM responder
- Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD

- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts

- Update to upstream 1.15.2
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html
- Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries
- Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure
- Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode

- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser

- Update to upstream 1.15.1
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html
- Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack
- Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases
- Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider
- Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page
- Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app
- Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user
- Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in

- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink

- Update to upstream 1.15.0
- Resolves: rhbz#1393824 - Rebase SSSD to version 1.15
- Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL
- Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory
- Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time
- Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0
- Resolves: rhbz#1392444 - sssd_be keeps crashing
- Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3
- Resolves: rhbz#1382602 - autofs map resolution doesn't work offline
- Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains
- Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page
- Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error
- Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database"
- Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config

- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check

- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain

- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains

- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo

- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled

- Resolves: rhbz#1373420 - sss_override fails to export

- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"

- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded

- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf

- Resolves: rhbz#1373444 - unable to create group in sssd cache
- Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd

- Resolves: rhbz#1369118 - Don't enable the default shadowutils domain in RHEL

- Fix permissions for the private pipe directory
- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user

- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14

- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias

- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side

- Apply forgotten patch
- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias
- Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache
- Fix deleting non-existent secret
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user

- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias

- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot

- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail

- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs

- Fix RPM scriptlet plumbing for the sssd-secrets responder
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Add socket-activation plumbing for the sssd-secrets responder
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Own the secrets directory
- Related: rhbz#1311056 - Add a Secrets as a Service component

- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider

- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)

- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information

- Add several small fixes related to the config API
- Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created

- Fix regressions in the simple access provider
- Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider
- Apply a number of specfile patches to better match the upstream specfile
- Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3

- Cherry-pick patches from upstream that fix several regressions
- Avoid checking local users in all cases
- Resolves: rhbz#1353951 - sssd_pam leaks file descriptors

- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11
- Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode

- Resolves: rhbz#1309745 - Support multiple principals for IPA users

- Resolves: rhbz#1304992 - Handle overridden name of members in the memberUid attribute

- handle unresolvable sites more gracefully
- Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain.
- fix compilation warnings in unit tests

- fix capaths output
- Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust
- also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache

- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information

- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*

- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains

- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV

- Resolves: rhbz#1349882 - sssd does not work under non-root user
- Also cherry-pick a few patches from upstream to fix config schema
- Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- Sync a few minor patches from upstream
- Fix sssctl manpage
- Fix nss-tests unit test on big-endian machines
- Fix several issues in the config schema
- Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- Bundle http-parser
- Resolves: rhbz#1311056 - Add a Secrets as a Service component

- Sync a few minor patches from upstream
- Fix a failover issue
- Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out

- Explicitly BuildRequire newer ding-libs
- Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)

- New upstream release 1.14.0
- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3
- Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload
- Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)
- Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults
- Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name
- Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix
- Resolves: rhbz#1312275 - Support authentication indicators from IPA

- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3
- Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf
- Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups
- Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview
- Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with
- Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments
- Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding
- Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid
- Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database
- Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists
- Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resolvable
- Resolves: rhbz#1269018 - Too much logging from sssd_be
- Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains
- Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user
- Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo
- Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory
- Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]

- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3
- The rebase includes fixes for the following bugzillas:
- Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema
- Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain
- Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option.
- Resolves: rhbz#1238144 - Need better libhbac debugging added to sssd
- Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands
- Resolves: rhbz#1269512 - sss_override: memory violation
- Resolves: rhbz#1278566 - crash in sssd when non-English locale is used and pam_strerror prints non-ASCII characters
- Resolves: rhbz#1283686 - groups get deleted from the cache
- Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View
- Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members
- Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record
- Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries
- Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore
- Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13
- Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root
- Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs
- Resolves: rhbz#1313014 - sssd is not closing sockets properly
- Resolves: rhbz#1318996 - SSSD does not fail over to next GC
- Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names
- Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors

- Build the PAC plugin with krb5-1.14
- Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup

- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup

- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.

- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups

- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.

- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested

- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin
- More patches from upstream related to the memory leak

- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin

- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid

- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17

- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id

- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step

- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.

- Resolves: rhbz#1267836 - PAM responder crashed if user was not set

- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value

- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code

- Fix a Coverity warning in dyndns code
- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands

- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands

- Resolves: rhbz#1263735 - Could not resolve AD user from root domain

- Remove -d from sss_override manpage
- Related: rhbz#1259512 - sss_override : The local override user is not found

- Patches required for better handling of failover with one-way trusts
- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code

- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users

- Resolves: rhbz#1259512 - sss_override : The local override user is not found

- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code

- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider

- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help

- Resolves: rhbz#1254518 - Fix crash in nss responder

- Support import/export for local overrides
- Support FQDNs for local overrides
- Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'

- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes

- Resolves: rhbz#1250415 - sssd: p11_child hardening

- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code

- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates

- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected

- Fix wildcard_limit=0
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface

- Fix race condition in invalidating the memory cache
- Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups

- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled

- Bump release number
- Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"

- Fix missing dependency of sssd-tools
- Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"

- More memory cache related fixes
- Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups

- Remove binary blob from SC patches as patch(1) can't handle those
- Related: rhbz#854396 - [RFE] Support for smart cards

- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*

- Fix memory cache integration tests
- Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
- Resolves: rhbz#854396 - [RFE] Support for smart cards

- Remove OTP from PAM stack correctly
- Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA
- Handle sssd-owned keytabs when sssd runs as root
- Related: rhbz#1205144 - RFE: Support one-way trusts for IPA

- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients

- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support
- Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistent v6 in ipa domain

- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes

- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2

- Add support for InfoPipe wildcard requests
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface

- Also package the initgr memcache
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x

- Rebase to 1.13.0 upstream
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
- Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD
- Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups

- Don't default to SSSD user
- Related: rhbz#1205554 - Rebase SSSD to 1.13.x

- Related: rhbz#1205554 - Rebase SSSD to 1.13.x
- GPO default should be permissive

- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x
- Relax the libldb requirement
- Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21
- Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs
- Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
- Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers
- Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains
- Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups
- Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set
- Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides
- Resolves: rhbz#1214718 - Override with --login fails trusted adusers group membership resolution
- Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work
- Resolves: rhbz#1214337 - Overrides with --login work in second attempt
- Resolves: rhbz#1212489 - Disable the cleanup task by default
- Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf
- Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one
- Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected
- Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all
- Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters
- Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
- Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain
- Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys
- Resolves: rhbz#1204203 - sssd crashes intermittently
- Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default
- Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only
- Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries
- Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything
- Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA
- Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query
- Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects
- Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name?
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 
upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in 
function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views 
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove 
password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: 
rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - 
Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. 
- Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. 
- Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with 
multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA 
password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: 
Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. 
- Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. 
The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - 
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the 
IPA AutoFS provider
- Fixed several memory-corruption bugs
- Fixed a regression in group enumeration since 1.7.0
- Fixed a regression in the proxy provider
- Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD
- Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login
- Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV)
- Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc

- Change default kerberos credential cache location to /run/user/

- New upstream release 1.8.0 beta 3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3
- Fixed a regression in group enumeration since 1.7.0
- Fixed several memory-corruption bugs
- Finalized the ABI for the autofs support
- Fixed a regression in the proxy provider

- Rebuild against PCRE 8.30

- New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2
- Fix two minor manpage bugs
- Include the IPA AutoFS provider

- New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)

- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- fix netgroups and sudo as well

- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.

- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

- New upstream release 1.7.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0
- Support for case-insensitive domains
- Support for multiple search bases in the LDAP provider
- Support for the native FreeIPA netgroup implementation
- Reliability improvements to the process monitor
- New DEBUG facility with more consistent log levels
- New tool to change debug log levels without restarting SSSD
- SSSD will now disconnect from LDAP server when idle
- FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains
- Assorted performance improvements in the LDAP provider

- New upstream release 1.6.4
- Rolls up previous patches applied to the 1.6.3 tarball
- Fixes a rare issue causing crashes in the failover logic
- Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.

- Rebuild against libldb 1.1.4

- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam()
- Resolves: rhbz#758425 - LDAP failover not working if server refuses connections

- Rebuild for libldb 1.1.3

- Resolves: rhbz#752495 - Crash when apply settings

- New upstream release 1.6.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3
- Fixes a major cache performance issue introduced in 1.6.2
- Fixes a potential infinite-loop with certain LDAP layouts

- Rebuilt for glibc bug#747377

- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.

- Add explicit requirement on selinux-policy version to address new SBUS symlinks.

- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.

- Improved handling of users and groups with multi-valued name attributes (aliases)
- Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing
- Improved process-hang detection and restarting
- Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
- Cleaned up the example configuration
- New tool to change debug level on the fly

- New upstream release 1.6.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1
- Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep)
- SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined
- The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided.
- Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory)
- Three HBAC regressions have been fixed.
- Fix for an infinite loop in the deref code

- Build with _hardened_build macro

- New upstream release 1.6.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0
- Add host access control support for LDAP (similar to pam_host_attr)
- Finer-grained control on principals used with Kerberos (such as for FAST or validation)
- Added a new tool sss_cache to allow selective expiring of cached entries
- Added support for LDAP DEREF and ASQ controls
- Added access control features for Novell Directory Server
- FreeIPA dynamic DNS update now checks first to see if an update is needed
- Complete rewrite of the HBAC library
- New libraries: libipa_hbac and libipa_hbac-python

- New upstream release 1.5.11
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
- Fix a serious regression that prevented SSSD from working with ldaps:// URIs
- IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 address being saved to the AAAA record

- New upstream release 1.5.10
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10
- Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP

- New upstream release 1.5.9
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9
- Support for overriding home directory, shell and primary GID locally
- Properly honor TTL values from SRV record lookups
- Support non-POSIX groups in nested group chains (for RFC2307bis LDAP servers)
- Properly escape IPv6 addresses in the failover code
- Do not crash if inotify fails (e.g. resource exhaustion)
- Don't add multiple TGT renewal callbacks (too many log messages)

- New upstream release 1.5.8
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8
- Support for the LDAP paging control
- Support for multiple DNS servers for name resolution
- Fixes for several group membership bugs
- Fixes for rare crash bugs

- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d
- Make sure to properly convert to systemd if upgrading from newer updates for Fedora 14

- Fix segfault in TGT renewal

- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with predictable filename

- Re-add manpage translations

- New upstream release 1.5.6
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6
- Fixed a serious memory leak in the memberOf plugin
- Fixed a regression with the negative cache that caused it to be essentially nonfunctional
- Fixed an issue where the user's full name would sometimes be removed from the cache
- Fixed an issue with password changes in the kerberos provider not working with kpasswd

- Resolves: rhbz#697057 - kpasswd fails when using sssd and kadmin server != kdc server
- Upgrades from SysV should now maintain enabled/disabled status

- Fix %postun

- Fix systemd conversion. Upgrades from SysV to systemd weren't properly enabling the systemd service.
- Fix a serious memory leak in the memberOf plugin
- Fix an issue where the user's full name would sometimes be removed from the cache

- Install systemd unit file instead of sysv init script

- New upstream release 1.5.5
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5
- Fixes for several crash bugs
- LDAP group lookups will no longer abort if there is a zero-length member attribute
- Add automatic fallback to 'cn' if the 'gecos' attribute does not exist

- New upstream release 1.5.4
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
- Fixes for Active Directory when not all users and groups have POSIX attributes
- Fixes for handling users and groups that have name aliases (aliases are ignored)
- Fix group memberships after initgroups in the IPA provider

- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication

- New upstream release 1.5.3
- Support for libldb >= 1.0.0

- New upstream release 1.5.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2
- Fixes for support of FreeIPA v2
- Fixes for failover if DNS entries change
- Improved sss_obfuscate tool with better interactive mode
- Fix several crash bugs
- Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this
- Delete users from the local cache if initgroups calls return 'no such user' (previously only worked for getpwnam/getpwuid)
- Use new Transifex.net translations
- Better support for automatic TGT renewal (now survives restart)
- Netgroup fixes

- Rebuild sssd against libldb 1.0.2 so the memberof module loads again.
- Related: rhbz#677425

- Resolves: rhbz#677768 - name service caches names, so id command shows recently deleted users

- Ensure that SSSD builds against libldb-1.0.0 on F15 and later
- Remove .la for memberOf

- Fix memberOf install path

- Add support for libldb 1.0.0

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

- Fix nested group member filter sanitization for RFC2307bis
- Put translated tool manpages into the sssd-tools subpackage

- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during rpmbuild

- New upstream release 1.5.1
- Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- Vast performance improvements when enumerate = true
- All PAM actions will now perform a forced initgroups lookup instead of just a user information lookup
  - This guarantees that all group information is available to other providers, such as the simple provider.
- For backwards-compatibility, DNS lookups will also fall back to trying the SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP
  - 389 Directory Server
  - FreeIPA
  - ActiveDirectory
- Support for ldap_tls_{cert,key,cipher_suite} config options
- Assorted bugfixes

- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins

- New upstream release 1.5.0
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
  - Provides the kerberos ticket for long-lived processes or cron jobs even when the user logs out
- Added several new features to the LDAP access provider
  - Support for 'shadow' access control
  - Support for authorizedService access control
  - Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those platforms where LDAP referrals are not supported
- Added support for manpage translations

- Solve a shutdown race-condition that sometimes left processes running
- Resolves: rhbz#606887 - SSSD stops on upgrade

- Log startup errors to the syslog
- Allow cache cleanup to be disabled in sssd.conf

- New upstream release 1.4.1
- Add support for netgroups to the proxy provider
- Fixes a minor bug with UIDs/GIDs >= 2^31
- Fixes a segfault in the kerberos provider
- Fixes a segfault in the NSS responder if a data provider crashes
- Correctly use sdap_netgroup_search_base

- Fix incorrect tarball URL

- New upstream release 1.4.0
- Added support for netgroups to the LDAP provider
- Performance improvements made to group processing of RFC2307 LDAP servers
- Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin
- Build-system improvements to support Gentoo
- Split out several libraries into the ding-libs tarball
- Manpage reviewed and updated

- Fix pre and post script requirements

- Resolves: rhbz#606887 - sssd stops on upgrade

- Resolves: rhbz#626205 - Unable to unlock screen

- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but doesn't require it

- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib

- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate against LDAP

- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild

- New upstream version 1.2.91 (1.3.0rc1)
- Improved LDAP failover
- Synchronous sysdb API (provides performance enhancements)
- Better online reconnection detection

- New stable upstream version 1.2.1
- Resolves: rhbz#595529 - spec file should eschew %define in favor of %global
- Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service to fail while restart.
- Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel keyring
- Resolves: rhbz#599724 - sssd is broken on Rawhide

- New stable upstream version 1.2.0
- Support ServiceGroups for FreeIPA v2 HBAC rules
- Fix long-standing issue with auth_provider = proxy
- Better logging for TLS issues in LDAP

- New LDAP access provider allows for filtering user access by LDAP attribute
- Reduced default timeout for detecting offline status with LDAP
- GSSAPI ticket lifetime made configurable
- Better offline->online transition support in Kerberos

- Release new upstream version 1.1.91
- Enhancements when using SSSD with FreeIPA v2
- Support for deferred kinit
- Support for DNS SRV records for failover

- Bump up release number to avoid library sub-packages version issues with previous releases.

- New upstream release 1.1.1
- Fixed the IPA provider (which was segfaulting at start)
- Fixed a bug in the SSSDConfig API causing some options to revert to their defaults
  - This impacted the Authconfig UI
- Ensure that SASL binds to LDAP auto-retry when interrupted by a signal

- Release SSSD 1.1.0 final
- Fix two potential segfaults
- Fix memory leak in monitor
- Better error message for unusable confdb

- Release candidate for SSSD 1.1
- Add simple access provider
- Create subpackages for libcollection, libini_config, libdhash and librefarray
- Support IPv6
- Support LDAP referrals
- Fix cache issues
- Better feedback from PAM when offline

- Rebuild against new libtevent

- Fix licenses in sources and on RPMs

- Fix regression on 64-bit platforms

- Fixes link error on platforms that do not do implicit linking
- Fixes double-free segfault in PAM
- Fixes double-free error in async resolver
- Fixes support for TCP-based DNS lookups in async resolver
- Fixes memory alignment issues on ARM processors
- Manpage fixes

- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online
- Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests
- Several segfault bugfixes

- Fix CVE-2010-0014

- Patch SSSDConfig API to address https://bugzilla.redhat.com/show_bug.cgi?id=549482

- New upstream stable release 1.0.0

- New upstream bugfix release 0.99.1

- New upstream release 0.99.0

- Fix segfault in sssd_pam when cache_credentials was enabled
- Update the sample configuration
- Fix upgrade issues caused by data provider service removal

- Fix upgrade issues from old (pre-0.5.0) releases of SSSD

- New upstream release 0.7.0

- Fix missing file permissions for sssd-clients

- Add SSSDConfig API
- Update polish translation for 0.6.0
- Fix long timeout on ldap operation
- Make dp requests more robust

- Ensure that the configuration upgrade script always writes the config file with 0600 permissions
- Eliminate an infinite loop in group enumerations

- New upstream release 0.6.0

- New upstream release 0.5.0

- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)

- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

- Fix a couple of segfaults that may happen on reload

- add missing configure check that broke stopping the daemon
- also fix default config to add a missing required option

- latest upstream release.
- also add a patch that fixes debugging output (potential segfault)

- release out of the official 0.3.2 tarball

- bugfix release 0.3.2
- includes previous release patches
- change permissions of the /etc/sssd/sssd.conf to 0600

- Add last minute bug fixes, found in testing the package

- Version 0.3.1
- includes previous release patches

- Try to fix build adding automake as an explicit BuildRequire
- Add also a couple of last minute patches from upstream

- Version 0.3.0
- Provides file based configuration and lots of improvements

- Version 0.2.1

- Version 0.2.0

- package git snapshot

- fixed items found during review
- added initscript

- added sss_client

- Small cleanup and fixes in the spec file

- Initial release (based on version 0.1.0 upstream code)

/bin/sh /bin/sh /sbin/ldconfig

ca es es sv sv uk uk

1.16.5-10.el7_9.12 1.16.5-10.el7_9.12

cifs-utils idmap-plugin cifs-utils cifs_idmap_sss.so sssd_pac_plugin.so sssd_krb5_locator_plugin.so libnss_sss.so.2 pam_sss.so sssd modules sssd_krb5_localauth_plugin.so sssd-client-1.16.5 COPYING COPYING.LESSER pam_sss.8.gz pam_sss.8.gz sssd_krb5_locator_plugin.8.gz pam_sss.8.gz sssd_krb5_locator_plugin.8.gz pam_sss.8.gz sssd_krb5_locator_plugin.8.gz pam_sss.8.gz sssd_krb5_locator_plugin.8.gz

/etc/
/etc/cifs-utils/
/usr/lib64/
/usr/lib64/cifs-utils/
/usr/lib64/krb5/plugins/authdata/
/usr/lib64/krb5/plugins/libkrb5/
/usr/lib64/security/
/usr/lib64/sssd/
/usr/lib64/sssd/modules/
/usr/share/licenses/
/usr/share/licenses/sssd-client-1.16.5/
/usr/share/man/ca/man8/
/usr/share/man/es/man8/
/usr/share/man/man8/
/usr/share/man/sv/man8/
/usr/share/man/uk/man8/

-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic

cpio xz 9 x86_64-redhat-linux-gnu

directory
cannot open (No such file or directory)
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0b2e531bab60ed93804e06fd8e89ee9ff07fb51d, stripped
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=65342b7604e87bf90e71ce80d8be542acc306324, stripped
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=66143cfe37f04e1ca9e053c56b52b0d6450d0f5c, stripped
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b32a2ef34aa6d0bc7b9e02214c5efcea97999e3c, stripped
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=03b3abe5b0d2e962b1796dc9149a43bc0e3bf18a, stripped
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=225a401ad1e6270e03de1623745db36629227ab8, stripped
ASCII text
troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)
troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)
?/s+|]l-VKݼyZʽCXe3ȿmpbˆ̗^XSĎ^NuX1g&KfP`=Ge<́&ͳU&(˷X#{wj:]\d'D/.L:CGL‰fY+UHj@ OcHspBRI=8a`ɳ]03nPhӛ] [(܅;q>IAWdV4("O`/޿ F/e9jqÃ4q-ēP{X{mc0zoDeFT u0=3?|Sk#W>)136-X̪81tL5pyNB˟_v_J%P`((hI*_h5K'-UU =B"S<eU=)&~xI25HQK})t3(;FT:_~UY)dm &Θhqlo|?M 檙|˚(a9wO0p} \#}[e_F J6tFX eI2&z蚔BrWZ PTQ5XtjB=M`FK&H.'M~ Y7Tzڀ`kRLۯ":R?.7Y!nvt'Ql)h0$7od-xw <%[yJPi}PC@dzW>{ sÑUd)4A7`KtEJ`ϗDh(ϋet|=D_6*6AG~-jsh AQ?X*Z0mܒW ojC[ K㧹k!qp)K5S΁;l,nu E;o0>gzHD)8x=$aFGa?y{)OD3x.B5hrZ\"WN18i_ \ͬk*s fDTm ÆiF`N1Y'tSGט[MS`jhXghH2m2_ ,)>YX#E ukH?]ݵJhr#uyI緊u[boyC>_t5S6Z3'<]I  șVzKI*QK0I0-R 5bau7#Ts&@ ǫoX|>Rk `ppFɍ`E}((nBGz} cD8gEkƯ)b"?4ѳk OiG> }|[Dʚ2`͍ܵ I3k(*cb(mdDbl;0Ox\;ԫwoJrXӛ*h0i3RPT\p9??ٹPn/@8sM=6]+_;nn46^&? WXawlh:װ+l}[+7}D '1=\0&V(M_9+hk4-gno~Cȃ.c.{oCG}̫4ީᘫ<&G6uD[E%T5\1ў 'VW.g.G*L^.6o]B " sq qŽ\%TP&j;X}yjutfr n kkdbe"^I~kE̝nVB|_ܯi_܆5.rqZk3 &?ˢ9q0/{gWO7#!`=gFy3[56; x;k#71GF7"H^̄g{nmCbu*ZMhYߘql/ s(p"|X/!J_c4.dZk+ >hD K Ȟm"UU*U':=0\Kz[ߤ@==Bv2H{zŻ>Jali;ɽR¾YzgwڥShkRuЇNf;0:XmRx.@ qku gMAz/U%>{% r1ϟb)9g%;} ^ )?#@v/DsFZ;[ݥ1Tp[\̝-+w} j]86\&ZG/`qx =-[S&rS7#RFqwn%Ŏ"+xcƏL]Cu|8 D:jcS5^@WY"?[(džQsU,sIISD\HG:aIڞU <cg^ֺVy# UqDݗ ojN*n^^Nztr(POG =1hENQ˃R<)6r3nA"M&,Vut r=lc}t]0dIMIfMwg|aV&>Ŀh:vu[ :Vy_UBoD)=h,c4; S^w*4 di}"ArĻ뀊8̟r={q]GlQy b} GnUlĢS2o^wDbtxfn~[. gjYI>^LNt}- Hne C0yTE-R{|OL!8 NM-Fpۋj2ɿ,n!xos5%].%l 8kFa?obzaU" jy&eT>Kp#)QBqnKq~? =767!- ؛{v x"" 2 m)/n!ZJ7~wKt@W ZnZf~z n\+Ski$@r;'$P#$Ӛ3MJ<)K6IXh\i*xxo_D ZMhW oǩF'[F*9- w:=5𱲕B38 9,J(qxf]~WZ 6(!2[fG6prO:N@Xat ԡt "]NwKخ Ҩ`t{)J=a5jno NmZWX?pZ*Ȟho[Qa:O'] C}~dTcr@X'٤{әb-U<щQ ÿ'oh]ծiXZ;&)꤮e%C?v_v<Vɣ`Cl>q/} B<:M;SMO6c:PA4i|қ.w!tAd,rH91w>K%9 Y01R]sI:?{M E$m'"p{c<|f44< ٌt66P me-{/"1^ aQ򶆓QmY!L7\rԭ22ǕtLˉ}#utEF]bː6g3-bb tZawhM@h󐏨͉̓d`=UTEU#1\#XL)4k^J1{Q̖f9i;=&TʼH"%KVwq/l5d7D ͵fs; @4T cbI p4` @=̂kGU5K~zp?tQlh*<(-eDo尿FH}жG{ på#'! 
4[tv3.̞lc0K _0˹Dqsz- %P`94&KXvEsnsYߣ'e;\ݨ:n.%䊯c?&2M|+CpO\Ѕ.r }\$&,V6E+A`gkCr:gM,x?㷐{g0N۠Yt'ܳ!e^ 4EӘqYza<5hJhhvp\w$7^cP҉y[D*]Y6Id$P޴?N8uB^a7}sTgiiቡ;"&hx{iKdBrr+7)S4X¤S3pe1RǯaDh6|\;ḃM*Xȧ)<˺JR΂07|2V"͢%1_Й8tTh^=ݑYXyE5@Ǭ$\~8FAW4%a @䜠v)F-0!2\kRJj:Q+\/UOU{6$w4ɦP\|Zɻ܁:l}Xj:EUj6zEWEN3/n69[ ($W}L2>mG Ymq V-&Kzk0Vۇ4K-b@T WۍY'PnenM=s%JK#/G]Y]ޞڢa9 ^K a:*ĶZRpՂ޸ڠ f>l튕o?6dO|fY3ټ%6=s; f[,choR? [u'yB43Ge;~Ki8A/쩳!1=Z-^[ɢ<JT[iBX9)1ye}}3 qs&.DkYb8 TMԭ> w<TwBd/3<8Y+G+?֑Uy/g`}P*b_lTI#UgY( c-Ίh^fԳ/7~S](?o\٥!Z̏nRi;Wx)6| ꈢ[*-f@Ap1mhM94-CGD +-m7]evx40%r4P)C 3:1x(|">i~n-,co\l~@$xM~x=#brs3}{KW!n\+$'S7#01/vh   y+@Gq߮Ը(|G92v6Ss0۾PGJ f3Gwb"V~tdu '2~ C6 'W2Ɖhe6v!s7f8~l%B0U='$QhSPganC}?r Dy/%F\HgA9,2B5Ovo?|~`I;NqsR.9.X8̬UK2Ewi斕KS_'hjɟ@ss !!Ư;ϫĸsje^GX2Sq.ʓiFa= Z):25Od {#-? {N.WaJu&&m^W mn7Όr|1^iֈ7o׽T:;>$`\ @fwAlbV?Q bLZCwPPxuߊIe'"w .ez@rcB5Sc.2MD]M@()fk̚[k ƲWԺbgGi]2b֯x$zÎ7}}pu=M8jG}K`tiidq )X]>!tۇ] !it8_mw~mצ6hyq5>aW ,jnm7h/am 0X:7єZgD9j$=E!\p&3EtUs.`ɆmɚaVS4yBe/ШYn>@[a|91q?ZPZ=p&C]ex^?Mpe]l {cqj s@],o2~+_qt$] wUT߻bʂSNc毩pݒXIQP fݫ9r[@S]t"(2iM:޽JZRrP/M ;`˛wM Ox""3\\Ś́6(m1Zt15@wOa &X%IfVi&7%ţyFBn7zrz%`yxIf4ﱷ)`i{tMӎTz^.\XNE\|b+505j̟CFS47=qri1f<bcΧև s 07S^V@YÃ5 @f 0B'ߥڊ_ f[-r\5G@Ln; l(q8\OOצjQ\, 8!v1N#yQ]!y)|jq#T1Tc&>mmuʳr&θĶ_ h4hkUc b8SGL5"z8~T2mO<9"84uXLfS .*p9Ԕ鲤T}T+^o4z1AG)~)s^ E­*)N3>#sݪNzUֈ/SV?=դ+hp]N;5۾خf媾5*qC?z/zLawk >ȝ8E8?,-_嚱Tzp|l|DbrƱC}(JҬ݀0ufmIU}gl*nFJ[8iޘS6،_{\!c$6aDz(Xy"n%`0w69`a}'N1+Gz$ds翣{<mjeIOe#ʮD0(QL1Bt tpDW*[4{uM6|Yo |K>S[]Wž+˖X[~ara`*A,V5r!##!he%6(1yL}XBVVx?ݛg:bKXPq)xG|ewӜ  \m- +;$rޖܓԕz O? NTX}1nU(Evmn|yO{-p6XLٞ_ˉgRh`A1 /RIʰ{2&|㭯`dO6&ߪT&cG,j~Y>qWV*ټ4 ReP"ҳĝϵR))V-Wk52#wB*ǴK۠eiWi9 ARwCwğL S4O.CX1:} ! 
9\!L-Ituh[Ze$eol6گ[M/K,ࠓiZGtI;>Z19{}GsZXݹV'ץƎD226 n pưې#Aej}W K"$&TGBQon-UCblѢ,X b?#v۳/ ߘYnhq)kucl8X0VLJ қX.i']G@4:qEX%D8}Yfc( .R09X]ZwP"%|EW`x#r {zםݩb֬Ȣ߆H!>»w~ cz]rk֓(AԪױ%7l.*P[si1Y QӃ..¤~oKC>1wj|`nXF*)Q@{>bэ:v1Cl4x,/!\*O6ٺ.&;KqA!I03R717[ƿ;bgRS,b)Ko./D\ݓ7C܀E4`75ph[+$W'љ2铡DglJ:ɗb@fwH g.}5W/ɲ]ԷΏsc&N# ΩaaNc]=u{禄 \gx ,.`8w^ wUV$yUG._mMPGԽw{z[Wk3b%QΆEzS$l9˳.do[ZlE<| 4rgܗzt' ҡCݘ~:~776`#G|HFgX}n9lbT-5QUVz}W*%ddL M~ ܻ۬tݱcPZAӋ "pjewL01^c%V6RtRnkQN,?Fߙ0t]#L -ڬZ^F26mJ]g.Rs,wĭW֐ ,y}eg3ѓ* Kj8eIV<}xo.MAˆ_@9W\E6@ʕ8}I5"J [z1 .Sr}/n.ˁP08B'^?`tSE|wgbJHg"ȱJU{)rtZf~?Әûdþ/}nq(Ǚ,E)ۺ p5(qkd41`Dyv0?lج ҵ&Yv#As9Iτ2Ɩ#`أ[~5ȓW \7D`^Х{]5<8Hyf\B4%zj%NR g$(*а\ٙonb]^Otջ@?OdS,^ܳo6ek<&|H ^?@صs:'X %qLğ/ף`nwk j :eQ6$+(JKvZdZ x-pcIvi+,v?Ú-B iy0*LjauMzZ -'Fy&TW>i7T,n+|=oPXvx4RT2nט ‡-X'xv_.D8I,kզ(b e t? rv>!WiGYEFNTݖc1ȯ2+MKj;T{WEI/2UpC Fy.ezTM 34⓽d'Ɖ`"?MVl~ď.;̸&H}/[]\Mb-=Y sݎ?"ʵn ?j*Q%)LQaFJw{Y(YИ-c YZ