sssd-common-pac-1.16.5-10.el7_9.14> H HtxHFc& ?*}},pq!WLįpoC*k!r~d >gTe95d94d62c2a74f824305ae37e77485b314c4f22i<\iv!-/ Fc& ?*}}e.~M$&/㕣: P]Jct>9'4?'$d % W *GMT` f l x   *LX=t= =( )8 0H9PH:HG#H#I#X#Y#\#]#^$ b$`d%%e%*f%-l%/t%Hu%Tv%`w&,x&8y&D7' Csssd-common-pac1.16.510.el7_9.14Common files needed for supporting PAC processingProvides common files needed by SSSD providers such as IPA and Active Directory for handling Kerberos PACs.cFsl7.fnal.gov+Scientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64]KA큤c1cC^p0ecda3c74b7b3d8caa675db551947c43cd741c3a453c8c713f39237489f77e2918ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903rootrootrootrootrootrootsssd-1.16.5-10.el7_9.14.src.rpmsssd-common-pacsssd-common-pac(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ libbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcrypto.so.10()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.0()(64bit)libndr.so.0(NDR_0.0.1)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmaplibsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDM
AP_0.4)(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)1.16.5-10.el7_9.143.0.4-14.6.0-14.0-11.16.5-10.el7_9.145.2-14.11.3cs@b2@a@a(@aa`@_ _G@_H_H_=@_;_;^3^@^V@^m@^^@^>@^@^@^t@^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj 1.16.5-10.14Alexey Tikhonov 1.16.5-10.13Alexey Tikhonov 1.16.5-10.12Alexey Tikhonov 1.16.5-10.11Alexey Tikhonov 1.16.5-10.10Alexey Tikhonov 1.16.5-10.9Alexey Tikhonov 1.16.5-10.8Alexey Tikhonov 1.16.5-10.7Alexey Tikhonov 1.16.5-10.6Alexey Tikhonov 1.16.5-10.5Alexey Tikhonov 1.16.5-10.4Alexey Tikhonov 1.16.5-10.3Alexey Tikhonov 1.16.5-10.2Alexey Tikhonov 1.16.5-10.1Alexey Tikhonov 1.16.5-10Alexey Tikhonov 1.16.5-9Alexey Tikhonov 1.16.5-8Alexey Tikhonov 1.16.5-7Alexey Tikhonov 1.16.5-6Alexey Tikhonov 
1.16.5-5Alexey Tikhonov 1.16.5-4Alexey Tikhonov 1.16.5-3Alexey Tikhonov 1.16.5-2Alexey Tikhonov 1.16.5-1Michal Židek - 1.16.4-38Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano 
Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub 
Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 
1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 
1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub 
Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen 
Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 
0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#2097014 - SSSD -> sssd_be and sssd_ifp coredump [rhel-7.9.z] - Resolves: rhbz#2107380 - sssd timezone issues sudonotafter [rhel-7.9.z] - Resolves: rhbz#2116207 - SSSD starting offline after reboot [rhel-7.9.z]- Resolves: rhbz#2079441 - SSSD update prompts for smartcard pin twice - After update to 7.9 [rhel-7.9.z] - Resolves: rhbz#2073352 - Use right sdap_domain in ad_domain_info_send [rhel-7.9.z]- Resolves: rhbz#2006382 - IPA Intermittence fetching groups - Resolves: rhbz#2006866 - sssd_be segfault due to empty forest root name - Resolves: rhbz#2031729 - IPA clients fail to resolve override group names. - Resolves: rhbz#2032867 - AD Domain in the AD Forest Missing after sssd latest update- Resolves: rhbz#1968316 - SSSD: User authentication failing after server reboot. - Resolves: rhbz#2000238 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#1984591 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains)- Resolves: rhbz#1973796 - SSSD is NOT able to contact the Global Catalog when local site is down- Resolves: rhbz#1988463 - Missing search index for `originalADgidNumber` [rhel-7.9.z] - Resolves: rhbz#1968330 - id lookup is failing intermittently - Resolves: rhbz#1964415 - Memory leak in the simple access provider - Resolves: rhbz#1985457 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-7.9.z]- Resolves: rhbz#1910131 - sssd throwing error " Unable to parse name test' [1432158283]: The internal name format cannot be parsed" at debug_level 2 [rhel-7.9.z] - Resolves: rhbz#1922244 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. 
[rhel-7.9.z] - Resolves: rhbz#1935685 - SSSD not detecting subdomain from AD forest (7.9z) - Resolves: rhbz#1945552 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 [rhel-7.9.z] - Resolves: rhbz#1839972 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR [rhel-7.9.z]- Resolves: rhbz#1875514 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [rhel-7.9.z] - Resolves: rhbz#1772513 - SSSD is generating lot of LDAP queries in a very large environment [rhel-7.9.z] - Resolves: rhbz#1736845 - [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z]- Resolves: rhbz#1899593 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() [rhel-7.9.z] - Resolves: rhbz#1888409 - sssd component logging is now too generic in syslog/journal [rhel-7.9.z] - Resolves: rhbz#1852659 - sssd service is starting even though it is disabled state [rhel-7.9.z] - Resolves: rhbz#1893443 - User lookups over the InfoPipe responder fail intermittently [rhel-7.9.z] - Resolves: rhbz#1871288 - krb5_child denies ssh users when pki device detected [rhel-7.9.z] - Resolves: rhbz#1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] - Resolves: rhbz#1756240 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains [rhel-7.9.z] - Resolves: rhbz#1851112 - LDAP bind can fail due to unconfigurable DNS server timeouts that inhibit SSSD failover [rhel-7.9.z]- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again)) - just bumping the version to build for proper target- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with 
sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete (again))- Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] (Previous attempt to fix this issue was incomplete)- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] - just bumping the version to build for proper target- Resolves: rhbz#1854317 - sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1 with servers configured with multiple domains [rhel-7.9.z] - Resolves: rhbz#1859554 - Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z]- Resolves: rhbz#1804005 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1773409 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1551077 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1507683 - GDM password prompt when cert mapped to multiple users and promptusername is False- Resolves: rhbz#1796873 - [sssd] RHEL 7.9 Tier 0 Localization- Resolves: rhbz#1553784 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1836910 - Rhel7.7 server have an issue regarding dyndns update for PTR-records which is done by sssd on active directory DNS servers. 
It is done in two steps (two different nsupdate messages).- Resolves: rhbz#1835813 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing - Resolves: rhbz#1837545 - Users must be informed better when internal WATCHDOG terminates process.- Resolves: rhbz#1819013 - pam_sss reports PAM_CRED_ERR when providing wrong password for an existing IPA user, but this error's description is misleading - Resolves: rhbz#1800571 - Multiples Kerberos ticket on RHEL 7.7 after lock and unlock screen- Resolves: rhbz#1834266 - "off-by-one error" in watchdog implementation- Resolves: rhbz#1829806 - [Bug] Reduce logging about flat names - Resolves: rhbz#1800564 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package- Resolves: rhbz#1683946 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working setup- Resolves: rhbz#1513371 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_be[PROXY] killed by 6 - Resolves: rhbz#1568083 - subdomain lookup fails when certmaprule contains DN - Resolves: rhbz#1781539 - PKINIT with KCM does not work - Resolves: rhbz#1786341 - SSSD doesn't honour the customized ID view created in IPA - Resolves: rhbz#1709818 - override_gid did not work for subdomain. - Resolves: rhbz#1719718 - Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. 
Check for typos - Resolves: rhbz#1787067 - sssd (sssd_be) is consuming 100 CPU, partially due to failing mem-cache - Resolves: rhbz#1822461 - background refresh task does not refresh updated netgroup entries - Added missing 'Requires' to resolves some of rpmdiff tool warnings- Resolves: rhbz#1796352 - Rebase SSSD for RHEL 7.9- Resolves: rhbz#1789349 - id command taking 1+ minute for returning user information - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known 
domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. 
- Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross 
realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? 
- Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. 
sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. 
- Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. 
- Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and 
auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views 
for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix receive incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to other localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information returned by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - filter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's 
promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- 
Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME 
etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo 
user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. 
Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains 
provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. 
- fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators 
from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. 
- Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user 
even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page 
or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on 
individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with 
--login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? 
- Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 
upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in 
function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views 
- Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove 
password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: 
rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - 
Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. 
- Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. 
- Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with 
multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA 
password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: 
Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath instead of mcachepath macro to be consistent with upstream spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. 
- Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. 
The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - 
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the 
IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on 
commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - 
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predictable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. 
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. 
- Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. 
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system 
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that 
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)1.16.5-10.el7_9.141.16.5-10.el7_9.14sssd_pacsssd-common-pac-1.16.5COPYING/usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-common-pac-1.16.5/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=ca5e2153abcb7254b0250ee995d40a6d277aa972, strippeddirectoryASCII text7R4R0R RRRRRR6RRRR-R R2RRRRR"R,R.R!RRRR#R3R RRRR RR&R)R(R'R%R$RRRRRRRR*R5R1R R/R RR:?p7zXZ !X] crv9wiIs9O׶sZ}Vo zNJ[@ɢP+&yiB% ɊKvb} l;2I\+TlS\g_=x"YD밁B1!m+AD qd8OT6пP[`Ԍ~7.mnQFҙ͒d*xM蕸YoOxskO,_4W_{Q$=P:wt&8ux_Sj9C󓂔f<0crZ;in$ &N(-7sW?||X8n "0;Ik^M侣 1pW MU+Eҳې _Y1;;*'\2\otunb`u_|~+eY -鳁s\z2]\Ue !9rG&0T'I2V?bb/~N1j Ui2uBó9b^Fڋ)J2zRofmӮ9O< [7> MSlN䟑`NB$4#=Ed\z=$ 
]Ck9٥xR7`lz׌m4b/&țHI͞QR<֑A!  hkmR2|M޽Ui>q|Fх2W?l@nFOJ"qf2(cFTq'%Q3 ~K=B$Gf\l@ʝ?[MF1݁P/xF,?pRUbV4ťakfit HXVsSŸ𫏄h$JQw̛тc:vQjsZJ 4ypܸ[Xڧ ڂUOY}#p<B )w᧮$==B3le@KT!> [tE"ҷ⠺^TLJ_[zc̖-tmQ)mWplfk牋a,'Swl62 rf9La9`_Iڼ2K` =3p?MҢE(g887UHٮLCjT؄idnʒ6I'ۭySP:9D#eQGx1IWy Ryr=.)!XRV`!XaFC[(3CA{WHS|N] L:=:AQKߣ'Rl[${~M6z^[З^m}sx;lUmLAQ 2JJC' !KL ӷy4&V%,BVHv`+^}5R+nNL+Er2Xpm*)h!kޭ-zfʭ6Fq-koMvfH*eYNy+|bEG B$;xrd%b4*v[: 1%_ f)^ yp"I e% TP<_He:6#v|5[}H FVL:KrTiwC 5`0[GhOՋDD}ًgíiѦzn6*_VFBÆ;v>"1Pτ~0zM#^e)5h<*z"-|Sx " n. bgW:}Fj@]Af=ެЕ䑅̵9}%I'`"WwXHda=K=ߢJh2r$]7LK=_ZĴJ$zKTv03v}"F=z9Zt60.߬QD{*՝T"fյ} rE)y(4βEɢWr@.1ĜQӹ)XEj*@GK|P? mOp41}HGi̶ ۹3s;DWQ0Xf 0$gpJ$L2f`S,-$Uw90:KZt B , ?]rw4 Z怋u5\QƢ qE58ÑIFUIţ>.i(],ݐ&5"E?6&/vr SteU@øFpdg@RDzn B⽏x@#ɗ 1@eQ xBEJ/SH3 "dƋ`{cl1sY<89c,w}U\Gڀ8l&Z9j2[&wjR Nt$RSh輼 Uv䴥T}rBsr|}σ cLXr'muHEq0o;Z 3`jd㭉}| KKEatQӝ E٘71e7VM%X=;mQu <ݶ;{q6ڶ_Ut&n$PbG|™Φ0n!/߫t扺tw ! W٠Þrdnư~$8銌a$e$Xy'ĸ9.(p] /65r"xtR}h(7 "x33Q1~e63 ^t]SZ(EZ*􄫁s4tYq]!5#1JciyTK<yz۪Iπ8Ƞjײ458v^e5L`hܫs F*%0(ATE7hZRryB."{N=uy$/9$/ZE 8-qъJzxv-" 㮲pLVNƭ47fK QlŒAZ‡p w{fiG3S`kI[D{+x|%OOvGaZ;h%}V#N֞FUr@-= yό;*Og";J16GOPc^bs/#JQ5)Et.7X  ƅ4#uyꑘR-!Hzp %~z?P5?Ʒ;MzY++ed>F<-iᓩE33Η03f}f:uFPF5P!v"Xo,^}ĜvNJdp:uc«Դh ɣYtw.s *9ˡ+܂ P'D$1WXrr/u>=\~~,0TGiE0mm4D6}Ż+Ww9/*5Պ%(NiUlV4Ӕg Xy5. ^KoɲJr,H;OuQW:Ă@8YJC  0`< YnP$N:c.rn)qXu\@6 Mr>[t_xZI?M<9d^`4AeRb*Ɇ&9+ |fjkSnFG\8V3LM,n/ea?U5a۹{3,25aDQ۫$ "|eP8`,bjuFT8%< 5W9={3_9؂"_%x7,)uIm:xp5K QH#-edYL -5]4rL,Ȼd,9勒G< BK5 q[#r*cd׼en+8 E;dv*$ynFEpdO`΋CF+ɣ0>gbjaWŞ7OD?x g8_$H^llElI*S[fAvM6& BʡrK9GVZ`}\yb1CB8cʻS.(Ӱ{Nr>戜U>_tv3?i4` &1_$;Tb>ME=);=b}X`Fxϸ;D^M<39qT}&fP(1 􋇢`! }ק裟vcDxy?HJ/1(!l$#$ljcZ S]G•>La7]pR,QSCBC MxaQ ]qm gEPm"w@gc[@ypPe&k7| [ryhU&e=J.,FsHوkut_{Hqfau37gcn1&cjPSѼŎ91#&SVLJt…@=F_^ˬb@ =#単LAw'eHQ<'ZqK ~\\TTwvlٗ kKDD zֿv.~H_/kCK{`\9׺*ruX%eaYfH/w 9Pe'N]xõL-txDխ2HL؎҇!p7οoN.D|;M.w'FWri yOj[˜5Hx%hr"߂AI:NwCpyOÈyBxfRhhVT@#tC ve>̡zگ < ԏAPsi#`0!0=t*ea2jǰ}c1,~H$dz(7]p'sFeފP$\8.N5|q/ Ip<^vtUu?E@濔e) Te;# ISLBi><74c [ˇ-[{ٜS<ӹ`va3|TMqQ_'-)~F,;]5耨7 vd32y?K晄U{l,Vo.A! 
|;KM顅,)-QVf3!cJɧZ}×lqRt۔|=q Tof78 NJ+1Yu\вf1DI6]S/fU8g?+G!**tqǭ_7,r]Rws@z ےa8Qh)_x!ě*rGS za]_ % a O=($@C2 $]+;xE񔘅AHT33_L?Tԕ!k٬ >D୕7-lt{h9*PQRTeb " ^uKԏ)XُUQw>~\مwЯ* ޹_FÏqq,muE淅t:喤I1'p";.(^0rPnA [ԂtMѸv^AV) h33K1o]@5מՎt+kRI1!3TSifwΡ=Ni; BKΏauľeVᢪc>ﻐs3&b]cT=u>ꚞf=2ȤIºR_FyWCNl*z|nb6tC'N?WnNL; MɟʿE z[ю}80g0'㲫<(!Zg?B /Yf,#ITqZ#u;8Ȯap7%&lsAA^r)[RgZm o1pbuzPs _ZM&@u 3˴(VNTyz]wp0k7»m & OZa:c~,VGpæ #3_M-hk'4R?.l#^Za ݒݬcPK6kWE͸=vOmbj~qT{Ftţ|<0 B*Pi!Z_Mp&3f㶺JGgby*>eSX=B6YT d7 /w9iFf$~ 2 aQ;CqKC `2Z&$9 I!Hk^ɝ2@rYA(Mr*" FjU3ӷx\ܰK΃YյJ /ĦJY{X{ftd6 QƝoAȮ_A# YjJܛE38jM3z̢ J4}RK`7|_駥%C>?'xب\\B%= 50S|Mrz.mQv˱S| J`iڥbV:Y+ACm.c踄r!Z0R͉G)hTiwyji .(nwaG7o?w70 [_tNvSGLs B7y :ɀ\oi7Cΐrb w4 ?^m>qyw^<p b!x:%TxrOb ct>(S^>.(W\f&Ke-4%gyud 3|!wbAx񼞔Q|swJx3hJMe m? _ ZyiW\׸C.jUm8vIoqc!A O J ~QؾZ^ᙅ(k1?~RâLrϲ 0b ]"/ Iܚa .!ksXH$X_(7,˅Fjήpے t27{xD BP'͠K$"}FݴǣFÉduZdNMIKgNF WS(ްkXz*y>QNр{>3 UF‘t^rr6XAb  ]!uK'\{e ZxUީ!Nyt9x,'D0C%)#I yāp{Z¿e9phJd9~$2PJɼ5j̇T)Y1/vw'l׆/)&nጕ2߷Bw-"ꩿ<:^K R9Kf#!b䓥ٟ{f5?4nٮ4ô 1+3Ez>f 8a3sxW:dHXP}??yĻ)ޔ׏Z!jRZuua: TnT/BX 8!x<]JVqӔS:L'fPD@\`/JӢ]U:8WKWIźV8 ȔZbuZ[%kA6 P3}̗F p1' բY݈cMD!B.5GB$VbY:})Zф%ndʔS1]+»LS{%K7YlB@L.X1i1ɠP=J] L&sbfT/"0Uxu5VZ67[J8]F)|úf9qxiӟ˭|alհ̴|3`63y =MiÝQ{Y $fnhS|@0/~;3t3W0w;W3mݛL:< A>ܲHKp:'R2N2HAVH܎ɔQ̌}:0_x/sb_v Q[W)m&-9Iηu7'*v}V+_̢i8'Jv1]LTC<:ƾg;9p t]WdjWƑ"*ej6W"v j%=KJ–&\k1KSc+׮//>9Ht[,F:<+B6n+KĚm|})wH!xik}_2K6ڮ^6/&NϿI!n!0"~.&x+r=mRFV 1L8 oj!tds p8@8S,KIC` d0˻MLC ׊_m1}W{{F܌[^HlR"Nteq%1Pg*W354>FlquEWO`BOt H~sy?LpDPE]#Z 73ǿI"|\3=ٗ:S(DDkb=9 X\0*SzN|zF+}ݩs_Ay\lw VѦҩ.!Ӌ WӦ\WL(1ՄvWȐdwhDF"YP#)ɓZMhcɩ[a3G+AD{Nxz$fd^p}e=@!ҥ(%]W?!}O"Sp%%;rP=~2l˖iUn,FAI{[ڡ/nDw"qMFi\BD3J*Fk&5n*=lJ,?l4@>w.'E5^g@NOjm/\ݰ0!569bzP|j) "{kTީ+{K3w>L$3^\Gew}ATJk B=Y0~/kkI7Qn _TRO!#jFD_J;nt}l{3`te:(oIH=[ * 7?^;I_v1 ^.{Tĩ7kI!s An iUEoOE:;hӅG7j]El7B âPurTicG.-&~MMf* ~_4JE/pR5b{OzpsU4.&1ӜcugEEYG"[ N͇~GQz侗-לP}]m;pQX2Sg_ڝ/ͿQj9̶'̸Mt4ވ%ͦ^^3zٲU}%&Lqd̸'X6U1~\][4zop߿Z[/m.6#GދG13:XOGxul7b%|՚{y'VtՈ8:$WLuCpw~?;#9{R>wI.7vgW}v#ƫIE,:"|O4H*rj5I'xǟ30.m]$or]&LN ָxUs$RsM.zh|TzcS2`cȮYI i0v~U&9)ƪM$ƃ '_Ԕ# 
{#ՓF:sSq!N_pWEb(['BJZTJ}߼GMߓ#b"!2uBrWFx/] m&J C*m\׵?;/TzRWRK ?Fk0ʏk0 O:ΎIj,f ?Pړ;JjذN] ]X^G1}Pn]Ai  ̞' H;9ɚR<+0Ǚ0&} rX}u"mL41 lMXОPAMU6ɒ'qs|B9D81BAD^p16_C/ }A ~ UY㧎>G3SegrV *-' ??;NIY'Ԛ!-<&NXmr cPiЄ 1T}-)s@*TKgGST%ҴF "@UMU*XU% fߒmlunCeL`WL?GLniEe,rzQKzGt&tM?D#+^4}ŞJGpgJugF!U2iޙ=>Ça]\jy&۳Q4s#eȶ,|'e-;$[3[ә7꛿I;1sݐ$6HArI,Of EygdZ=ɈvzQ>g5_wp28+QxJ^$ha}^C_ۖpK \*دGj[V[v"0ƁHozio3$"Fe9DhLc_rkCӇw7c֝9Dv6^ҷL/mxwV]:Y"l *?sL! oj҂j./_ȷ}5v~y3_(9nų Zq] f֖CGl (qUB+'>tEh'YH~sdƈ Zק4iS ӵLE Ď<U|ܴ@C H'Ÿ^3{WKcK`( 7-Ib7QaZJ/&",|i tl>\ 4?(hGكLJvȨ-^(}ZLdJ߫Vhl5牚phI.ii%W Ϫߡ-P:m D16GC?^sN:aږ&cJ_+IYos" p4Eϊ !+ Ns1lP]1XɁ)Di*([P"qt^^rχB@O^ҟi7s1k&a V [;<`uXXOvJ"ӈE"A+2l_Z1D^OJ=>"FFdTҼi6m-W x3]Ō3':6V naj}Ro)9}<1߽W LqљKʳu o=@ W5+jROD>682&|jQj$Vv|ڷڶm⴯}xGk;)! C68)2sXP0МS5gMTb7oSI$$R`KpR&2i0~j*ۉ_߽MJF U9&>pTT]􄟵ٯdGYл -Lm14>tZ c9oyzu?)eϤvK-ilSmz%EZeȩ ԓ+\<J!55a/3R*gE ] {|qIZ YvVt̊8I-`y ?4?~oN^\z m܃st7&d2Ӡg(P?i0%TftjzPn`Kj]nRZ빵UnMa@/obF+_)jtQF|#d??ܱӞxKW `qzǷ_mb09kn&CcOO*4sI0 .=Tkښ]VY JGwh v9]a9ucRi["-~Dpn=9;$9]AډdDȊuZc&;gezvԺODCdy-i2 [sFeY:؅"!!5U5QUP.48L{ O@y3> upF{VuKqNmsDb1FСuL댁&N=of/i2Nձ y5ċ7ie[9^'3f5BQ_o%Hk(P~H3i$RR9+7bRG"%Jd| 2z{FPh;lYep;b ~ (>{Dž-N:*ЁoV&%ۓMQnFjB>?donroFe Zʻ> Giۦx6u7BpaxsCmPuϔ ~Aҹr S,eMࣇA5B+/'Y B=<;09lgQ&@΅uo>6eB\vJ|aӈhAP6ơ$Hw%qx dґOScqlPȖVOuN7Z{8*ݤe)QUYLYÑ1:4^-M_)ћ+]C}ξƵQ(lOMQj-|y*& !$h";upCB@~l5 5eJA:e:`Bu eJ85kaYE*BZѷR!^YIDy-p=@)Y!&nBc;,ohm (ijqY~ ҹd4jlD)b nre͕6!we872̓_7h_4#(QH_\r IQEN+$J~G_^h3a9얮 2|#^l Ay2C|T({Oo/\*u gt$(Н>ܰVߐLw˽x; fG5\!¢E BMAsʙ H~6!2p5;\{9oon6ǮR bmhmjيz5lD!F14)''Ӭ_E4ĝUt]CcA@ǁS(xXygE s +I;cR?L&P{+V1բ*\l/_s1_p(yow%,-qT}sn4~K )^\؋nYc(*:8s]shdP⺑[fh!n:81~gubJ~2_q0]@#;}1""r%17Tv~~Suc>{Rn,47eGsik#تa /u[:j"i|.qMW-!uZbw`BNNP8>wx3 h*,K+1:fWC eٯ5Ҹ冑gez6}o(e\K:5;.TB~yJ XG, (Pbgy.ƤpDvL:_fWt/J5bF'ke]:Qeze;sUeɁar%CMQM%PNdn'ST I+91R;`Aț=ׄ$ֵх·5O_}mV0e З$~5!i"w)ΩϤiO`QTA5N%)k e {e꫙n)/we&s=F%~Ĥ^avl'Qc2&$Ar N\ܻ%2C}u߀SLi0D=q[iXT>#"B6KJ<}^Bd+ +BV/v+C3ɗj)Yg/Oߝ5d9} |;q!˙*?Jm Yf1AՈ|bղRRF($75e,yp =gCp/aNU΅H~Hƺ) $Z6jzܗS`lRkEbny8#bvOmn]7PLFrYc}G|3 bbl՞SHd:KR0Ԩ_=[!Wu2PZ1bi;}ϗpW"tV.܏~/`KZfe"i 
˺5$rג" ?ԟ`x.I˱ 622Ī~*'̫4Pi&?Rc>%n%S}z|$jty)f'(8iAvv>T?>w#\6XGҬ~T`oy#aګ*|Aio^8~,}J~DfhnV{NEMefgrsM-q(4ưyR%k- N1'<܇O ?΂ vcq~gHۂΫ n]N7:1ywVN*s)VWNshB~3I|@L ݙtɣ3׃T }J?+la@'EWdi ICA󾐼-0|:0Dizz=sS5X1B7~HⓡۓԽ" ^w#q[ٻvM9 ~U )*[qOS $Fr2< dhEwcHQY;)=<7asGNQƶ(R62G3tđ eVvi Kq+AyeaL|%ș>߭@kQ w3JBck|6`є?,l܎ ,dagPTln+p̡D,G$N|ܹur>W!" "V1RKBϥ.ȁOӐϰ-F5L{edgL'/cd%]_Mm`.Nj>wlIS&l A&6̖T'E3(YI&؛q8P Er5Y&T ;;,)0i"טɮEVgqSV)3M\%o`t-"$ . K(hYIU0Eb63KD>ƯiI%k^k%})y2r"`>iS.W;]TK5KHEMrΤcYX#XȢPts?'t%rAnAfuK0lɜPx8GLg})uOw.3QUu:Y{#$6p-0'N[V:7#Uyui$t6mT=^먄zQ cV-gUp"/ã֏JkDbR3(LI?Vvog(d^_ײOs$ON>YNRћ>IAF׼U|LmbFp7N{c=`t tv,q9W2j)]w7b;!qOjiA,nb~*hV) HEwόfKUsnk[[i0h?WfzaJF`B1!k35 Ƨ>LXH,Fl <{qnr+h7t-[|+Vay%+?jzy9t e?_ςZjs04Sq=g -A*#&q6tcL5t{0g?0ttsQtf)YPu:S@HDQ6@':g8Xyz|~XzG!>!}YQ/;:6f*G&[wX?uhu}-O' hSdw"LUScmE^}|p|՛Ft) EXz3ĭw4.'}@^G"|uW.E9t;o0Ç2PMGԟ;<]w.싸2 rF#Щۍ[JU+}*"AK6a<5;N*诼h7fSxrkveXyTuuzCV?.IOTL@Ն9&wp6̥ Q93Q\V!m@1ty(#; |R9T-n3Ay/C@e9␔!Zr-ojhxĻaJ,bI_!TCq[֚{,{GpqJjyEɓϸ켔S7+nAEe2ɥ"[V52T?1LAb;U9|.^:MP=bU&Fw\i43 N0*o},04MykzNǙB({U_,wuxWa(O*;ްПRykMlSG e%ɸ &;PS^g3Cb.Z:a |mK.V*Дc""G*qkdO`+уD{X\?wb)c T-O,S^ѥ毷u2+m򮻃x?d&BbrG #!έn f .n *\2z\H?[fMAQ ~B-ń b&TRˉ~Խ0@.rk`w57AtdX hM 7ln7X('UՃ v:V")OAOBϱ$q1s#WU"G^TUkH*ZE0 Ym3.g~_Ir:Ё*䆙{aGbjA4HЛ(^%#5W/2EI)(A{.eq>BaK!y ~]~s -z!5{+ꁻcʿEݘfBi2ڬ/]RZ qX CF[2l)}nV[i-bŒ0;m)K .pH`: j` gCڋAB~nXJnwDoNm=/T÷Etp|]'M  فGS%n}L(0.&ςu3 OJ\y!;x"0דz8'`1:z B c?t;:nֲM]Gk0d50!)|/H[iXPdsFɲyrzK. C懝|~x >(rVU! ĩ1,P˶rk+hhe[ZmBXii MBi-ZT6}|IA5¨}7eNoƿr:Q-s[.oO80"w]G`=taLDŽn:gph,:jAV܏rSp &a0ЋBmJ";[۴M'c 8. 
Y [,gOF;Һ=^ҟݽ@³9sw)XMiJF5cP1>iA3&(n VpXޑDcEd-L^@q)= FiCQ[;8s*㹺*'u鼷jZ'/0~G 3G 5RoYL#TUU-|#30ܞ„OVzw v,jƃAZF(`nzO'_8>>ޒID+E-u0 hdBbnlR{;5bȶ[w_(EzӀ:Zǯk1StO_ PgHY/4͓ԦM u 8ɜAs9Ց D$Ԏ B=msAI(>#]A'c+g)ӢrӮ)@aC~.2?jʾi{2jABrFL?YߠjeR{[/%0uGag4La?^mFOfrmFzf4'+@QӉjQJ*^3q65Yә@k% /,DެyTH3.pSR\ =RJ m؏xM%SӊsdJ@mL \رc al*]&`hZys?=g 9eC ܙ;Q>Ƚ?\L¯싟~_MC|VRTMͽC*_m,y4p*1cg̡`+5㟢ەZ!=.*uD0h*{=|!A|65QmbD6*/EM1bȒr)E̶ 3s@&Wܩx(Rɿt@b;M\3F{z27CmJX%֠|o5Sh$/YDרs!81N.d%@PP`P).JOV`RvxR&vO}f$ĖR?Q2)eg0ga,- 7p%I] ~wiXZteCn{s&w߆} Not:$y,N$^k_?JYA;Q-;MQk 9QRm2 0oz(-t^*f?I㪟 ]ny!NۛB.U{b5A0OTӚu, >ht`V˚(Dvn rHt9%NC/"K?"S 8s+Ml<(fc< 7g6,2ksRKKϙBDT!3_RÉN9PGL{b-N5 y',H;rxt%Up;ȅ9'!xj5H"-?RM{d|`,_uMQ.v1ބ)9@> T+J9 vOL-Cë@8EkZ $k8KC>snjPi$eNyf6p.kF<Ŷ!s jPi1fx[owT,9ٿwz5mÜSYОD7=@oo8m`+H!;E}YRL "Chox?{4쟅J Iw5C_2h]c z:ʋaikj摧P'z/ N8ú#KCq N,5{g? ]yksƓ(2ڬ`CR?\k $>uqWIuW8:C,_:D"҇"8d1B^x' ,VȮ1qnb76wJjU;'98pmE+o>;X}vRS]WxnV=rzw<퐊lW%+T &;lzr-\>yb(;N")D~K~GOJKN# ME,}=2tptfΝ!/apMr_PprBT'y$ےH8xTwZ\Rvrk/+r4_N(Jjk٤K߱WF ֮nZ>:qR5JS _&SCc>-D^x EMNԐGCToMS9qH?Kioۜ%"<2Y@Gx,m/~iINu"4Z4NݠtR|#kĐ_?+*{zs<}rtT#>2oI=& pr O㋞t9rKO')]]ƖzXf$+ w"WAGjȖ6 O@z;=_`~?(6`ŪLttvC֙-eO+ê%sX▮1w.bҫH3y'A^&+?|T+Kh+}{;Xbw\,|mx&n~`]Uq.!'7\_L mQ5PR# ,[b"R^Fe_mw'gx^[:6vq6DaZ͘މ j)V70͗PKNM[|GYF)3Jgr̠>E~5_ &&s /F1r;~^opM}$sv=B*BM@dzGTy1p<)z?Ƥ -edu", 0ϼC*HLtDS[/"q' :Y!դU Vt2OH"&9z^ˀabC#Z"?O᣺n~|G!Ng"dwl TќX~Z |(;}Up~JU樕g#u,~X-1.;t"N8AIKd2D_BRy 4ˁMNU- |Փ(m)|5t7̞uR;f]Gtf;D. r eRa : jօyVa`g1>kȽL1HمYa;F|GH 6KnaʌۼgS0#E*r&O`r4RUh(7#ߒ0-—ϘdO`]W4+d&tZ,|B ^4HUQ/nG~(l,:ځ:AF77gBӲ I+mIj̄us{S'Om@\jN`uRgh<0may4+% ;/c,m6|C(F%UgA]^.竸t#S8ϝR;E1|eqU)d7ު;Yg& NDK8ou xx ;g6(2jӿ:z箉~݇ E> 忤E=CRY7&O/w[0@2u ,;Bܗy;{WČ$-6TVk#ffSsf؁E ]BF#vo2YXgh~hdM坲87Q )55C#:v+rq7"vՇ1;#5m7_˵,rm.EC#jA7Ы}U޶4#:$cW$J`B{‘^j=mF@"gBd[|H o 7^l){󙙤0Pqʲn{sK;łX? dH+@GM֍9&l،tEw 鿙F3oɾӞ9fAhLi(2ć1QUsHU-Z;X#vg(3TWC WpOI*c %z:XW$MGHu{z*=mM~aP> fTu䩑?jl8{7FzS8i8]qM@'~ O | 7p@*I?`}f͋SgڴPu9BCMs_s? }v$S_+e# !01! 
ܳzI"*@xăZ- (P%!.Zx΃yݰUpaqekqyݨ}֌vc"`iDvtk6%zo%9܃'ߑ{ah*''@ 1ovgkKEg,i8I"ErG# 3S2>9];`s5'7"[ 5h Ez#rp ՞^XFd,1}׆ }"ROh8p Gy˞씜q˱ p~FBzGzY,-=6R7炲fT=QUKQBH0rxj(PH! nUdHݣ]m 1IN(盯m pAw`ψ%"=$j<WBjX*KG7Wy?k LϲU3mh^[N.vdnQsUQQ\ %qMu1 V@YBtdfrf*R2)3IvceS{SKYyf(n!?-ln? ,W^)k>/In}r)`yNSps̨ . X M^/u=#@ }\@foУoj$v{\%vNm1G0?XV e@p'}%:']LʃCO$!xߪ\+<:H"1)x YSO'>7IB$-lo}#g.:*mג[{+agFHyt{̊&&}>ʖGa K-QAsOb%(6sʥK 7KRi^Louw]v&>319=tpNQutwoK/եsdpzlP׌V_ch . *b7}i`Y`rmtͦjU^8Q U3> aswU{`3b[ٸ}V}-&9 !'&hRI_nƼJbz] wsBe/6 K[vo|ڻ3QbieDBmX|A PibLu6{N^,ڙsAQG^KC-cr,anNS,QxCC @Q=˳ CY@Ot̟ʢj72DGwK*L: {b\ _Y"*ݫ>FT.WJ5Y"HQo'3C=WPU1PեvM-Bg0O&JLiA2<. 0yφSR0ٗ ˑ2jP٫-47_w.!-Ul x O1-)2#> B\9 arU0o¯cD/N >ScCvܖ]fƎzg wOisq:j'E޾ ' ͉fny5Ʌa"RoG|i{sGF|L9g43K,έ׊yY398o`(BhQdj YCZ/(W Gl#|"d.m kO.1N`魏t;D*IU.<~{(}M?|)x|TEu ULهab*.wn⡊8{T3x A̵LXr`^-fr>ѳAncǦrKĽ+~)ԺnǴ>ZK.m>:c|huѥjHطZ}>VBԭہ⿥N?W2~E!'| =&NR:QN6&2X#ӸgN pu l8cɖ`CO,a{IՉȇWu):"19&mE|X@ 9M}w8>2d/nC]d$$YhNM!zy)F!IJe@&r#Ӷ j̼Gw{#BEeӠT\S8FqTG0lO ;"MDdۥh3rQlgc@*{r\z tnk*'@pX虾ƒocg̕/: nýdctff$F?@RQϰ2J)gL*mg{7nGcc^ov%[:$ܘHZ4dM4#_%S(̚h٩ۢ%jp}.{AU) Ctan9+Dס<]{/f:J;Zڒ>祣7aoci$56NɄ;Qp]Lg;VJڂ |9;a2e(Go(gØoJ2ΰaI f޺DŽ3+ =r6Ŗӿg9T}}xKn EYޚg55/a *6<*vqgmٓ|N gKҺӾjN$tuD xa}"V& > J_M[IlFXw\A}q: d,rch!m|7"Pϒwh@n%kȌ2r%0o#oI#Tٰw;=,N#@2KE47)Utz +0=DA"Η:'m|.~j% f[8TdP_}]õ& 32ݦsf0kS,uF0o˾e|V7u`ˤ jfl3C_ SQqCEMBKmݝWDۛN~V .1I2u\x*_x}ve;*pq7~pXJr}]4t%Rk_;C Wr"LpQHiaIL큉$9W$%Ԭ0ږo %1P13+!Du@&Kz%z`4ldR`feU<^\8`<1<>M|ai;Ã*TΟ-|mZ1wQU1I7,yTCB3~X$MtXH\4%Z[/idN+/B[^J闤IP#R"9MHa U":X jcqyH^=mݼN9IDsT{~]eI!e )p í5=ѩFeQ>7:6<#%4߯ ' +Sw1-Z9K-sB4c/ϵ=g뜞Cew42]-%On%uq&=]^]SفBt #(m[Bh"cO'-OeG\-k6$hF餤ϖ:LG@nzztfOdܹd{l Hd:Uc';mNgL}AďF3Oa/sMȅ]ZcC55fK5qL}Jc+ư2(a?T B!M4@o}[]!&{p[.tr 7a ##h)\ nB NO4oc!-d5|}|w(zbPFYSf\m!۳q)1lAk);k"M{Z?7/o T`tj&V'niaТ钠дR y<,CQH帪'y2vUq)aoؐAsl)iNҎYq`CMF,b3qlR- 3W$>-ŗސ/0>vQ=^/Ί{k&rKdA⤲ZٟK]?ZSʷ6MmtyT}s}1M:ht6{ f-mE؜AڌQ8 kl1b5#DW s~y,0uL8! z٧^)/2p՟c7[Vι1?t2iA~JK-. 
]06x{(XIK9ƁWn8-xQbM'w+ӝYbI7LZs8Ocl ;4{7KWlXm'c@+5leAꉲՐTfLФ8~.I]e.mOi@%OxO6mm Ev[ 07&-i6VJ#:B^YjDI&"n}N />kM:@Ӏ;pDè5-ㅹG* N} p`D>D*m$B0` U6onM61L:`}[|kaxH&F+XX; PfN&m&yVϟ`{ E @E4|~?k.ibp U9yݫ5_XZky<3p}ZϝW=J-{ 9J&Qho 6Qcj6\uqbrKR\yۢYE#:NA78 9Dqhy_<>M\08"miթΫh?+Wca;cĜcL\Ә&U?Nra0j 㾼&m9ħ9'(U*zƹEaE6#O/l4^W[S[z)7)E$OVQϨEFw}7nmMxGwԄd`VX)澶NϻtsAO"B1<%pK`DY-? z,5Ebh0Ps)5X$v7"JvӚ < R'S2[{~K^viC0͡/q;e0NORY(ie\ǔ(~JDrk0̰9vM`i\p(C|u 06Ѕ`L'$$-)m>A栟-| ʎyqmKߺK54׍ 3s2*8BS8%;bq iEo$ &AbNMOL'-+8 A_}u ,jJI?dbn3MȌb"[ 3It^|o$VpW( |4leے{`B+RB>y싩,UwNcXNESP\uqrUeSCZ!5xp^چz{5#%KC N 7/եm@RUtLv@~hǤsĹ:槗|)rsP/2f#h6ߟ c(}AԮ~.6}|hEK5]s]CTB&boIa!~;Y%qLv{(]dDpn̺LjJ8h~u~יEXI`S+!:03uYjsDL;W5|p6{ItM#Zߝ eyjӮP!t ҄VD{ZbR .IvgXhdy-)T8!kЕ'w rGٯ4;5@'C5d,7Z'1P$C:tхѥ2 | %l%@8ZztG<&w]g$Q 94sv;ls(Tt16{y9fE))+^k7T1$_wv-cl ڌ!w)QUUn> 0a@@, QYY k"ְ4gIJ^L &8t,eƴ6z Gm}c8OgܓpKDg7B0\y[ޏ]~e $ie? 3*zN8J Ӷ8<ˍ!+8Ɖmk >.7)a8@c)"0+{F+>~L d`(IB샳 U@eTI| [wj<=*j۳>K)UKn+V֫=hw2uZQj"#JbQ3*r*ryp޵;"KJFTޫ1G E58OUF.?ĸk ,'?| A8Er2.DA}9۾-J%H*.Y\:^0V3ɹ*Qn x6rE՞o fX-vC6,W(9FKm@nM`|ko h]ԝ=QL7=Q T7ݜ/|71G axm_N3O}NwrcΎʃ})="'}(a^BfgH[?;.a73/R֘$l/&yey犔Nv9U +} }'>$kR dB.PZPAM;l\R)",#yo]l:+]'SjϩK؝=lR%OE:Fu|2j#պS[;Q9d,<]Q+4 ܅cs/:QƂ9Z݃U- J\Q1O˖,\0ETgdṿl$Q ˛YaoI\F]' e&_(!n܏e"{)v b9݅S ş1V.pMx_{N(o Etv9U% @U ?BVS> Vey.>Ogr;sgVgu|ư40^=QC̏j{hu .ĸ}vZ5\nt8Zgn.rt!c#p.>NN [6ns$[bALN.3ci4%D~͸*ޱiBbE\ T fjcY*uP9 19jsX$v%AYT?!+u(b#A~$ͮrEi9) 3l;c@^JSZcC_ћ$[9PH0|d"b7^\Q:0[1Ǎ6"F&Fd$ĎїqvW'~E?'y%-PV]f$Q)7~a4$ āe'^vAأ4{k[J&w7t[CLJ]9SW_:B2y rEF:`o:vJif'h:oP=VƼ'(~X_~ɒnK`6.}:gT259daArqwMTb#߉oWi) 0"~dPx}SWiP<ņ љ7a}]d.0XZᤣU]N uDCCOT fWp'~+9 p=ZyE=QP"`my\I _` V :wP;Mn+#˻9@"p\-̭uv&#݅O3x[sPK=H ;ГEs>~Un sV7GHjz.oԇZmr9cM-NcJnţjK]3>3(4o17Gw*dם/v~ob 9‰8k$ԗ'e<)Mn{µ"AZʾO3X>QhFfBd;3 "/ ;rJ5%QHU8d[cbH<5z"u( ැ0|нrۓQ&׉èI?Hr~) C}}X;N15dA$yh|𫶇rD`K7n[驠{reW^pL K(vAdBG[,Ҷ)6 3پ!4v>_L^#g3Jpoqh+_%"Sݱՙd ݩ$wO [-@х!K(ʑZ ic3_#,& $Z_V/$wxR=rmp$h"$P3 nWR3DŠrTT+Xν(e9[helݪSSRB??7~ܟE}:R_ٗd^{q YͪŻUyPqĎ:-#%;U=9Ʒ!l"]f^]vc\ >5?/rEbp1?Wż͐4_=;IPH% @`2c%ufܺVN38hϛ6yuۭ{6aG/*pnn^g?Q> "'GkRR2&{cwƶt=ObSYٔ@6xXjKz/ 
YcCÜLkZj~4rU)72>gy!ϼSbn܊<y[ɲekL\2L|R7y&ΊyI7XN@7W;]'dyh5ԼtX'mh!A}2)cq[D3XWI[Za導Q @ԟ-=hfi[<L3$X{X4"j"S3 ÖOKz}*Ɯד̫k͟|3Eu5{T )qUcg䷲/ B׎T'NU+X`(3L9lB(e9@mu'=P+AF@͔-.,MPa[#pOPw\p8Nd4=E3s5Ҧfq Xn[k/?si'VA닖*ata"\{0iTZhMq fp`\xi,AU` ]:J7d @_͸r*1AaK\:F")PͰSP1H>ZCx"rCBi И{‰JTB1rKCkɚ.g#VM+7'CN\tGAXv֘}jwYDDe7YS ) d V`g7l쳵41\5&'TЃFvXdT\dᶷU?AUjzœEJ68dN*-uɱ/h+FLWB;-pg.^sٺ'  d&>gERsuH sl&j0 ,uވtBC@J_n#noӲ"  U%m褣:djpS{.ь+UGRR3}? _1S)>JVfSscbuܯ*3DY`6v_FW@'@q"}${M;KrdK[vũ!3 •G`\Y^Bi ^7"8?١ƴGGDcNuyt  +#*qq7k2qSKpnw5ؖk^`,,G5le/ނɋ.%$C&v69#a4]&i׾#BJÀ*zbLvr6BZBJqb"+wQCK>k],jz@~_M+79\⟂( \zn*ژ^`އ&iE)U-= #3e'_zkZڈxe60X4C S4.?Fhݺ&AU"VYv'IHp~GL h~~LΏW:NXč KľH ^xmr "d{tBso#G@5CgQH䴊qe9}ए*6M+s]o|H4tjuҪ^jn 0La,tC#PݯH."좀4hѦdt`egqrb%hR7;Ri fAv-0Ks^:Y>+E Sڠzj8n\zQ}W ko鿴GCz[Xf2bmhM7U9zIJ?`7D zmP*WIQpH~ZL9[Kf oI )Fa@LEA6}ʤᘒ)a qҾ T&W:qQh6$iVm˥C/}~by+[lwVӭ:L6 W7q2"+69"k8MC}7hM@,bׯ`ȂJܒ9]3!k_t3pIM?fNeȹhx#ep]G27YѵiDr*2&mQV)bÚt:*8V҂FG9V"{5l9ę3F,a6h3'.;HW^ENll7 4Oj Վԟ0+ktP,݇\T ^_A}tٮȮhZB~ IV&:iS %Ulx]f3۬Ya %ra.3Mzf$ueaT˞5Bm[+B-d'?%ŮDv1X芜h Vi*0UC«YWTjquS`ط,祱55 h7%,V~K Ăv ڠG6#1xa5WJkuo퍞lzdKfMN<ꯜ=ܡ(^qq"g[nGTwFsL ׀ g| b 64.9 B,+Zn"9$gT/}RX)`q F s43yEk؋OmzM;e8ZvĕSO$H߾s;] [ DDRJI:7=vDIfMݜdt0 i. EP E;l=a'-J>{-]< #])e])]d,~-܀CDPaI>u7ma5qʹ P' G8gɪ{$016;8&6Lyi4T%A:K 3~M:굟1v%oX`$d4~x1Ju":qpD3}*[_xD. _O˱b 9| ƴD@ 6b&+ܕ9`ulh=(*ppX/`^ߠ+uQHd (Ũgz,P6X\ĹԘ75qЊ,! 
@ Y ř@Y,:X>E PF1KuxyuG|E3( zTn&{EsBK7NÚOp3װ`m~S7L&Wq:'uO dB&8STU2ЛF3;9g+刔;!͡x' ?!mVg3̀[yc̾`V$0Po;RO kF:'1x\[7Ī=A>~Q;MP#gbV v<\yǁ]Y]٠3Rjw?!V̬7HIu!R0hE wn72C5+ 21(Hk5 V[yRd٢t qqL>%+fF9Gj7s״!9kB9!4*$([baWx~kq u)i; YM8^Ia` Lˆcu:L׶P^;uoq`eVV3YMHҬt^|R #MHO!nO u,C8_T*mGiz:MשC~-FU>{v"O`YхT15c6v^E<[A-HK{>xI6{ɲCQ6A1}DK9O 93iϛ;̩ 5[ؗZ|| )| PBzGrS^0 9Xoc}*w4F>5yRЦHn\AKWLȘV >*2 d8 6܍LɅ+37BdbPJͨ`}69#Xt$#6IĒ&Xx vo3C_!>dW54ck27f9k$R->W!=S~a+%Ӓ\dzF oC=\%ǣ15T_c,\TyV<]ɘZ 7Ϡ6LCo7>'5KAԯ׺T2WT=MXTފo4;ϤKRw ?kL:%C,$X}WGZy){h >r:q"U$ԦK  uݬEsLk8*}㢜ynk瞀mM̊g;# /h> )İV2r2jmE-ZHxt)[ORl} TRNl_%:#V.`-CzĂ|4-MA&I4 J "r(僅CZjs3:K|3*UcMt>Tt .w SYraOcj+)5L%û[׸ɗ_XX+hHOpN:AMUΟ+jS V),trcP}Ǫ#:r ov2۝p *btjf5^)衆=V=DF3ӄAyɾw&, ^w91}8mm\%*m J`d8Qfz<뚞JTVD IK\e'3$k3ߞACrh^G9> :.Bwtl,YZo2 _(#N@38vmˀuME,!V>$2އr긫%ajDCqnK|εQ/w?TU QClQ =l_is}~Yal-ڪ`,&[j3AzbPz$ABڇtμtJu3PK<`'SN҈$/h8_*$Seu` <$پc2'a5e1t&*az#ۃR9=?vqyT}qbsLyI?q++s~H%F4.{S`j:"`zߥr;?? 8  ;Aψ}( z&/d 4_Kǂ5kGpށ~y &[fNnEGMfz[\k5%ݺ[Ty,DE@(]Q Ł9=NQ*UNl4ۿj~4hg-y->/6l:eƟ&G s50,Lj; 8\Bm5Ki2 .6^Tl6_jqxP(I .jaZs[wͲù(HhZS:o9m ȟ4}jv|60R:G:?k@-rsR.2Do'FK'zQR[ˆ }WUpW! 
,G ,gp6w!?C@|,DBJQ+;,%J›+f82B%,1QݍE):_ױ(L_E6=WƒI!ij醿zkXy_Z1FB*BBlˊ,Ǜub,rޣĉ_zD,aS{o`ws`<={f¤bbS3ˀMEF+aU>9xlٞT|d#AKv~~pD-&5j.۔=fd'ĂYEVo#ٲ|U[Hf fReS(o!x8]q5A|cn2-d-(czZ˾jy~yY`8[!z-2( da ً~#P=<|٨^4'l028RD}UG+|HnU/pX{*)RIX,kv{`mTMP.N7#l)1N&k\\gawbۥ75q@o)Y:s6 >]O.~}}|RlFQࡨ7QX-{Bm/'?ONVAPC~Hjx9"dRbQ\QMg J2J)<3;jO`W#)6Ny-[3qqf1GWj͘YiL4 PXrbդvt3zAL~t,zv(N Ȅ'!Q$hH92[  +mQZ\jޡΤf= *Pj2^['"뗆㋕CnItB(th Z&{rӧZ=G*ެoMlIBXm+ J>XD"PV65B,ZB+=򵡩3)/j+ @tzخT,]8օ5.4yrD:S;khY@7txQsEПUx<'6yPb9o3cncF ,\%hO/Blj> mvjߵZ6 D_K6ϦNbo橒)~\74cMҩ/Л~8 ؍ X?8ZC 0 l)K"y> ]l&'71Y~ _Znu޽ bCyE•ykesbS}t/79 =0&=A!&\.:6yݎÇ{1PɜrQ4[UxYGylGpPE $<( ̤֟u#vQ@LJX'8a߫I:ֲ(HM"c}|[EkpwqftJ?'tu2k{`VEQ &R:5 Tn/ ޫE1-{vVYX$aJp{:ޛC\YB4mcM:ZcOo8eq}I;v5}\& ic5 F}4ݰe'LLjf8y:]~?O}vX0IxS3nܣJS Kݭ'u|\{ס;3~i A&e-CZllCdzHw't}[c.}5*jI)gչִ EbS@C#*J1ӑl³]G2r<QؕσB RoWUD MtbY~uO.x´ݞQ1WA -vsk-;~"YeqMӆ>>|8m 7D>Qdm 7VXB,۵C QHg\ ۶1`Iilq?FЃRIn`*am{3px*[@hR؅X6')p$7%;mT5N :̴`=t<`iRCuw,d-Kyjzkk$ñ:8Yד`$- '4;ȧ+$`S)YZNETg\.KKfҼ1x`H 2ft p+ X)lHҚ4Yv4_ ‰h#N4Dئ 6QAc&|6k~hY$- ^ҝ%#MH46nYԖ$qբ'}Nif~2q(TZ7^wo?RX!2e<~is^#G݅%ω. -%VPO2/~uK؉-4+ߋGTs'd:o1?I.z<Ƈ8M񢱩0uO_ ܏J@jՓ< CjI>Ph]gYi̶zMu۞* t҃\ |K>}%4/?c*TTuN3ޙ-Yf2[(2:xI*̣ yYEW^?x%?u@z͜DXDsc|)J{ori@/8jLDZu&KP(|rMsd#RH~MݶrI | )=iPA-=r㵭ʛ,\W+sa*w2mEѻU>2O'my&\@1OYMe^Ͻi$:;1d:\=a~NA,>Ԋt6X Z<;)H®(Px TSfBvl DԝU%4@xuP| I6&Ix /7?qޭH?Z:?*Dq]1mB|}?]-2|7<4yV5@ 똃2+Z9A!Ae^k{8N޲ WZP5u6-vê.ʲ+#Iȅ?y9sJؖc;ю m*9ΏEHRkTd9|eL8ޣjvxy`哰usYkY88|?0^:crlF@_u5(v! 
_jm\R03T8;}^6O%l[0(v\> ؝<XN?e{Pgޑ.S~ݠ2͹͏QKGJp#;EɯBN0EXo`N%ƧTȸO)36`QE 8y )[eP C Y Z|j6Nmʸ  S rUfA6pG:DNjo7sa-Vh1Nްgs@&tN}4r`G7Z.$k,4&mu3Q9kLxl1=e6>ʩN88Bw o^j/#TQ!BM,M-?F!j$A[ t!6Hv6%+q|K]04nU^ÑRVa `aLX(gҒQ3bF(`q1 t8U+u$ezs}ؓ}4rG]2_ U]Ls m.[D {z\}1) f ,#*|PCʦh{B j@ xoK"c @Lf䷴|h(z j6hM=G@H!oܢS c-Q*_kᏭ:qȷ/J⡓.-ƌKhD#$i煱-RS`kR?B&UBdvLB@c:{Q { z=IEo_}m"lIp# r ѓbdz7vGmsV'fL ,fR!ߓl|8'q$5N.#HA ) Td;Tb'ޚ|M[DJÜpѠ1]Pao!{|v#>5J3Fꐬ;I.&pX;OsG$n<<A;9#ߨ ,4~_6AȥuʂڢSi:*ZcbOL©viS9CKE0Dq@i`Rl0ZGR/˵7nȒn) y0/5a»?o^Hz@$F7w_<=d,  `/#/ )C0ϩnfAm4A$y/k\߇%hg}L D}u6,sK%tnxߓ"cKWiԛ/iLndS4ߧbgHiڼo9[H;,UǯNxIV-te覭J,_\2HZ͢.?1-_jrlٖK lD%jD6߱a">l"nڟ5;D H|p1KE^|YQo-C_?~4!IGTOIHS}Y3 ^gq/zxIZd&r<ޑԨW&Z#m<^ٵXǯd^ll,=<Uu[%UkL\ZXAM-huv>*#e`t!KjV˺4nCN"܊ S7ӸWD?:3'V ;O3ޗ$i͘tSAJ׫QOP*fvǽ7Q+Tx/,2}R ,3Jd-t4qm.㧒:<ʜѺˀ5X^S>/Szў)mfY5/ebR%c thկ]:8UIJ 9.G nUD Ūc?f/\wFAlP@h]&ԷnP2-wVROmSޘT%}lAdU*:8@,39 wؚ{,:u^2؈D=TQJBeTd{dR]fZZ陏>O+- CY2Y?B{&Zp'N)' _uXb6\4"]>Hy'(ԋ727zzflP|M#%Ok6:*[+%Q%.&otǾH$}:bݣX%M#aK%f@=:K">CAɂ}pz'BMMGEx '0 e&̧ޥw$nlOiah_H1ּqӢ/gOHHNQozP;k~*gʏ[tM09z/ul᷒ZO5n{a!V*m%hׇo =:O* ּ73)(3,v3شHҚ<zUKtTY3FWF5lHԜٴNׇ="-Ύ@y߸8T^MQ9_*>F1엏OZn1&L&w;/Sc#.W8A#:"űȝi>=2q\ڢ(#p7IjM.w\O',yOЮ3T/g>k@Ł"P _N= 1ۗ!-o@jP2t%XVimro VG J,d@e)|(efi*d"xP=P < `mBjxQ0pOs )I֧vNgz\uM1NQe( ͗ 'RPLEDPіD>8ؤ+ru&P3"I%Bs޹ G3R9A5Y3ケxYɠL/0h&F :!_S֔O$+{|;d/' cθ+Ǘ9bkJJS\$T9Puu;b(Ytv[نŸkkOTٽT֠I&RpyY*f9/.(=-!M<\0_Auz$## ܟQ6L>7?Z)2\`$AoBI7њ4;4'}Z=XD3rY-0sAy]X6^{~z{SK4 "% P\: .KWDMD]Zv#ie&Zv7PZ|B: wKKnI{um?ѷc@Q"A9Qr7{i‡D[vN%JvD\7o+ʭrܞR5_9Aa]QF( ,o{x ]ș.G(GqQ:TMVA]"e[-G *ߴP{3:cog'Di,Mޅw)w(8Re+g,1d^-[OT ٧2* 76 Ah i6kI_g9? 
us]@'2kY ]a!1:Ib>]loZcp45Ӗ 8V57x(\&y\J+QI b1tܐNvm6Q4-avԍ:4z|r:el f DnkLŻm 7y7\Z^$\EapDXKӠ?Jlmm hj(;mE=n$z 8+h$*O0s̟?kLJI3tU:ӤWJA*[yD:1t/ Z/}H<&n@N27/R$/ekyp rsG\p^^UMb`tU5cu=hZZ2n'co2sO1>mO̘_Gh=8>̽ Ucn@&* U1 $Xnqr!< KM]S1b.43eA"}ʓ_i#Wb=r w`XOgv^ eC KH`I*Zp|'t6şŷ\ L hJ)u@k7> +bLh$A g<30?wRM%b,4mYBQ>c)QpϠa ω?TnN:@+c1$[nN1L '-xh!7Xg7jqS;^Z=8 $;iSsRR!aOލpq]+j#?dIkV[9=ej:= [//!&~眱1Ok-<4 g0.ǿ:ӑ_vԖSZ`f[y>a:/u> 1-2sCwH:[lwm{oFéߏ XېU@Ŝ*\Hղ(Zыo}L"E>qecxϏxQ8J {pr{d=]n9ǐLrIxoX ;4SgAҫ{x'~a*w۞=EJb(/xu(yʵ;r1`-1p@Y{[0rAM=lE<?G>"ZWef鬸yP˱[+|$8%_Hϖxckn@N |_ꈜC#@8o"Q>܊%U~w'PArAnrgRWu@Ej\%w4:z7:~4?__covopCaH\b챢'*<")]xLCAddTGu(us޶Ր{yB[aB+P͆C{a3A2Y|C@4C> Egiy@mo.'ZPB*-ƛ2~?я+PT'ae[0sgA4?łooǡyv&S^Xo8͡4\H7N$Tɂ׉UdӨxfwF5ΰ ؈c^tS# Ȇ*5ƥc:ȴGra@.I1N4"e=? c8%^&1H/=߻@@zBwlE l):Un۽DuSy&Wy1)o{-JunS&)^|̽]/hkr^!_ 4=R"~w̫Hu->Z.iDB򯅃hrˤܨ 9Uhv;pͤ}K*fO"|x>g/^梑g^ZUv<YYM#uPU/ 7b_nPTz'o$W$n£HaC VlCTk>,]3"qRڅ- -u{RA"eMkupu4qs_vЈ$T-i /QO{r\CPERLyndX#)g_2jiMԡ8XFf-o?c:CGj `o$F8wqu'ИEgXM;PL87jRmA.Z!Uk JzLQ%H' l/>9 8KI:MF8c 8~E SJ=:<CE"/ުwhP(j ٥/y%a09+{ siPOޒ V&ʭGC4pm0xIWDgr j5ٽźye"C]IˍZh .l4~"4ԑٷ8Wgf/kCcބUk\qi/XI4{ XI\4-/r[폞 nF/n0~jWD_{vߙ> ׆5&ꆗvZ@'ut)+ױcjN]OM?H,6=g@u?Ui0}?Y1n аӋr|t#M/ (O&F'7V~E{MVQ !. S}keG6W?@` w n ۷!CIe%&W[B蠗HQDZFSRBZō {&sV]vX1-4&bZ+:{7zL'ir nN߂1u(yFWEGhGgL+{Y;.zsi0gq?N"44gVSjc&IR4|Q+j74(k \JEaވMyty7T˧kMy.bd %X@Ḛn/mB܁.Wמ]#^#>M9!^;``Ѝ"KM 9v {> G)[%Onf5 ?y\_;xzý#3y0 U&RZ!qwc>ֶF|ɻjyS}3N;Cӗz0$VG`d].O:@Jsp@X1Pa;{' 2'́Vz:dXƕ"h+;k=kAa \zJ\A G$s՛?~Y3HK`qȸт I0e,|?^>U0 ^6&3 Ҷz9AyzkcM1=ij7,9P_EPA;wSy$|dnv]wA#{.ʚ$bWs-\ zԇ+߅@1Eί^~,Y5NZVp݉{"{(ٌC5xu3d7zķVd--v _n a{ו%5R|]{mਜ਼ۅSK&oΑׁ97373x[B}[ 1zt?60bRޅlOFQTO}vlS+[@s ,ս7d~aC2nyX|4Eb_o®i!P#8wQDz+ڶɗ2j"~G X]Laҟiဨ DӜdՠ٦c7c'DՔxU I%<\wi@VoV矗 ^RDha[lRۤP GCOuo +sQٲ@q@G Y :(!{=fgGҊ^li{BEhv!H8y&!zEbnr ,* |REǫE"= w/Wh]z+.! -vp+q7S^꺞X~"m [ѹKÆeAM9´uWq3eYOꐰwm)e< \K9;&ILK4IJcYp.8b7x^B@)`+B#tYY=BVezquɛ(>6q2|GIQy8Tܢ~e Áb]0ex?"ʾ.yY/3;\T*ЯG=awoNW%Gdbה4QX 8)V$` z-W%]bl#[VҊ~zC (gѴH. 
䏊ů\ ·E a WCmeJ zcݐQm}vDܿtQ F&ixe\ 9#k粓*!џ2rf^!׈UKb2i:Uy¦ 빏,Uc (vDClwQc/[Ė4bϫobjo@!Vrmv{1"'P]rH38SQy=a(f/~)4h08gw~:q~_wx0U&A5Dd|V4h[u4vFYhe s"_ö?;u1G8㊰E[q~N|k5UǕ )].s_8<,K=DKX)d/Gi7B'c9XDi)_JPRz<[v & VԠǔDݼLC15TJf.RxY}H#54%!`>[yW24U7b0QиnEYꥪ;f |zG0hk8TmX%? xbyFc7!#ຎ?Q40xW1.?خgJm^H!7f% Rm̾ a9Z6`auY꙼o7!Θw26>32˱"-rJ7<=+C >e &L)~-3KVx+߀H@f 44ߴ?~##k/ 2e)WvႩ mq\Ur|S•5&MIm eq>VC6VDjΧWۛZQqZoҺ!X:=r+?qU?N={x%ͲY_da<-PEzt@YDpos%g%=_"\܁>P-n㼈uМ!yOh"'ml ;z_YJT!?#;F>nX$/G*K) :~Ҭv R3Cj:PT0YeJ_jhd'xCU*"Lز%Y܃) a{F"eOQDiaA[B=p~Hʏ+ufѰN~Kq/dv!Lõlu݈XVd-X嶆]$d^T.aMÝqQB%mӄ$V+Zs$>ΖqRaxObW0"QcEjP;1O8cR"EMO <^l] u@e _&`h IlHEe Jv /2t=8C,>'6blKZ+6U"X o( `vdT6sx|]DEa)G7Rg^Hݕu{I]GT% wu2Gt+'Oؼ  ޲hnl`nY7VbO_򷫜$+QR.s!;xb7| /z}^]2}]j~!t"K"o6~^- S%&l~45gOȟɳ5,6K笷͌g6S~oCh# yrT~yZҠ2k,_zl+V=Xb;1BCy2܍X C',6/r(Y!#udN!zN˖cNu)ڛ>ToE&i CIK$HuQwjKZu@9JI{X5ȲޓTn?zGQTo3*ۚ'P^> TwU}2Snka'YB Jdif+M*sL]~w.㻴 +u֊dS_]*?.$D$%Z 'gZ,ҨuL : ͆p٥)힚*!JcTq=GOu8uLw"mc,F}Y1qn?mzHyyyh~+"eImblCߺ SE_qU7K؉n٩X6γgzg|gUG?XI_ֳA#s(mO@fn&I3O#z@*Pwn/"yvYiɍ0H@߹P3pLZb+'haL :亮1յ-YGZǃKՏZZiK*̒( ÷xm}i rݧ»aw\70IʼnN_rWdi~ ]2UtJ*:2 @M/JL,565i [Ap&*X;E(ۤE04CR'vpuUkN}<؞s&=̢J1DyM SZ4;k T p_+SS$nun@ _4㑦}_2oizě;w&-`USYHކd Kd#}?wс:nH:ZD4cr)s[z`n#z9mŃ &♟Tz dwl6Z3._KC 3572F9&\@KI+L~Iv(R4$GxJDNa,Pt5+h\F6ua?AA7w*2fi("\zfK9Ckh{Zf)ԗW}(fI)n+9wޚ8$N(J\ӄS5c4HgX,c75 w1nHD$Cv"IVZҐͱJ/hch(_[BP9vjcK,I^Hl [ z3̳EV,Ύ2O;\fR|޶ꡈ7q)DG؆N8TI L؅UU*Ӊ^$WejlklR~@o1漰?9t(¦U"V5Nװi֡1j1?/t> ;?c{´y$`p"> t$:3t)FD8?g'rMY XmjFEr\s31f._ eF]zu=&xջ;jD6/kIr)5IƥND Jq$ v~,߾p&yb/!& Rs:4`FI4⊆S,q G_Ct!]@z}]@% }ph=bSzT-Tc#] D BF-^"ljLz]o`LsGjdÇ\6X~K*L{)k! n4.?B[_o [-C}'&H~}4N~ޥ 藄>5#JEe]4"QibY u^(QDp E,) $,}+2uqqv^'}euP v7?EH7>bL^[H<Tl\&9eZSn{Dnll#CȇVJQE dm n~ MCgAqvY[W[Ul@I;̯]>r!8c^vfΑ,i{xa"}Ys`U,[s^ 4 E!rtGj =' BS縃^4ӹwSޜz@Wq5;1ԷVK&,r }P-MWڰYo#TF*Ƀɢpy.!o"38H PȱȞW#o_#,ǧj@s ֆReV_XQ'6RhJ8}o.P@w{ՂĒ%lߺZ-M(*ڜ KV M\0hщ١Q7pSu R\>Ʈ<\q8}Jx6]aB避|CC%Rg3a9*I 1mp L ^M!Jድ&xJQAHLɻ<~Ϲ7",X*Kuau!4H cȷs58[ݓFhnpvt]rB>Vu<BW47{nhmH{M>F/-i*j/U8-FyߒUI1PPKu Vs{xG ዼq'cUsqCCBblǶ tØT&Oʲ-o^v4\UU̖%2_}dɟ.F7r TQ<\ ? 
n3`L ZIM'[ "A]wΠ"X#|mG}k`?;4€Z(̓ѷ/T*:`vkeÈL$8vpI0}ұbRn+}|0 1ovH3c! 0ap}u%B{DgѨԁ:|b}>X*S;@GftP#rFQo9ts&Ek5G7p'Gl8*߁{Q"Vj0QN @i\ b"u7K+۬Nlv߃ $t_)ݙ,1'6 po5S8,@Έ%W45,pzS@ O cQxrȵ=AU7u,)4a ~$Z3*pr%bx5dHYG@]wx#i扸gA`m=[%A~fEPKiF6]j,qn%gTHxk|_4v<%0).9L?E]$Ԥc&^K.CgPG]ƀaxhn %h\v~ ::(IcGlމxTe\2ԟfz4Ac=WWkp3XRz?j@tۺyI7H=jxdWrQ:Ͽx[[+Fx (\\ax~|Fhm՜A΢ *gLYpQ$B5Xn,UMJ[h0M(H-7r$3o-v:5ڂ%F ]4 y*EAkwNrIϴ@:H2BะѼ*G)feBa:4l1Fbڀv.L3 X砩6?{nHףpǙB٠`8(H"U`PE<,Qa8:qQ{Ootmx02y'à[(*YȅL:O~44}-"ec(>jZApGٮK. z%\62c?S,w5M(xvɮЇ-Akx!ռ*e<% @*ÓFHFv R̟o4d4q[_Xb:CaklɺC[-4ށ 4k q車D(T[Ijy@Q)\/veY3i;.^k${#T?8FC* E߽-f %yf8GkN^ԏԉr (?U @r$A%1D9PNޒd,CrfSDTc^#p? ϫ(;JBߝd2PLCYl'2Yams\\TPfܒFDKή2Yݚ دRM}ӺNphkR^AJBhq>lvl;`"pH"0 *HlFtS , 1 &h l#(j~|17%6J(Bϣf;"|nٕ K@vXĉ3}Zi fΑD. B =uXP@=Bú⼤ xC]֛"iΔ'W~ /vٔdof<gT) 0Ksy-1P*җ;)!jT8RIFCPWgPm"  :ӨiyyHʑ;^)J%=.P r{(('8UD~Q>[XmD1UcuoezoNd7VZ}$Z><ȞˍĒ s"? 6&TꖑspbҫO;&(7xL>v|cb IMߝ }$??4k.`خdד?ދP^I"M2;/|(Hzz9։{Xt?<먕fS/r!%'O}R%+|#<Ѡ7lN4(#UR g)գ'M8'eWC{U(4%Ȅ|T i6.޲kI=93fUMO{ PHtSYe<͑EK=[>ϞSP+kK{roke0R դvKvQhbY%+jPFIFˉ1N v W5}>bD߰GonzZoJ4:Y*gL׶BWak;DX,Q\#KX{Jgvɶ;e,AR%JQ\6X8ppL5s'g4B) 7a$nVj=X25}BNkOU_`>7}9,mhDm"TLF&\%9?-fk@xlUaD uڃxO6z>?߻ ]{ci^Z/ufk$\Oy &S%'x F%_0M"Ƭ6iA}zGzI.ߌg,sd¬mM 1>5g|9Dj:sPt;K \\ xKj[ M|$̦D rVS^E ; 4J7h$mHם#z ࡒZ F@#WHkHP>8E" ៳̹4dqK%P*}j~؝ ?H)<^r M` 1MLy)UB‚ɚk̇H4 ̙"AeA;@X~v_Vy XsJ`T.O;kDhXdsQ Wt\u[z E4%"EW[!>9=e^4@%*O6+lcvUBtFC4H>X(]W83*UJD)rEӲfT9%g͝Od"A,?i <vtc,urϓVZ@r|V1N?UQ&lYl>?jݱl yJWnaFĉQ<)0\7:j{UU!W!oTJ#^VMtF⾪} SX"REZ ^lS=xEZM$,_$@-hƇesO[*,y\S7Н5~|.l GPpaP ,3BF{?L!rIus.b:ZXk@#;I"U)8?U眯zALy'KX  1.K_@8/S#jr?)|Q`&v.])sdk=s b$_iWeF G?:ԕ(Bͳ'-0%G**uRBVv|_=="熱i  YZ