sssd-kcm-1.16.0-19.el7_5.8> H HtxHF[A ?*}}7HIм&tifW?'P{髬gC{(G88af1c0f24ec30130bf080005d73173fdfa6582ffW& r,CF[A ?*}}xlp g0KR gm3Y1G<767糩Sָ>?܄?td   H &CIP, : H d  3VxAAA(k8t9`:t>?@ GH0ILXXY`\ׄ]נ^b|dAeFfIlKtduـvٜwTxpyی9pCsssd-kcm1.16.019.el7_5.8An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.[sl7.fnal.gov0Scientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fi 큤A큤[[[[t[t[[57379ce106ff8d34616b86ad46e92db25ce1ecdbfaf855342b3e39d2ccd8e254d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba10bfcd0a8dd9ac82245ce49a396c2b3f5d3da49c8be36fb21d8b756dc151c54189c02431dac859466d4ae5e4d7005f27cf6a3693c79c2fe6af381958c0d38a01cc6848ef1145db1077c809c5df603a26bc7e66dc2d0c19d5e820d4b5867e1bd50691b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.0-19.el7_5.8.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)liblber-2.4.so.2()(64bit)libldap-2.4.so.2()(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.0-19.el7_5.85.2-14.11.3[Y[W[Q[[Z@Z@ZZ_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.0-19.8Jakub Hrozek - 1.16.0-19.7Jakub Hrozek - 1.16.0-19.6Fabiano Fidêncio - 1.16.0-19.5Fabiano Fidêncio - 1.16.0-19.4Fabiano Fidêncio - 1.16.0-19.3Fabiano Fidêncio - 1.16.0-19.2Fabiano Fidêncio - 1.16.0-19.1Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1601360 - SSSD bails out saving desktop profiles in case an invalid profile is found [rhel-7.5.z]- Resolves: rhbz#1596292 - home dir disappear in sssd cache on the IPA master for AD users [rhel-7.5.z]- Resolves: rhbz#1594178 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 [rhel-7.5.z]- Resolves: rhbz#1583746 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process [rhel-7.5.z]- Resolves: rhbz#1580281 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION [rhel-7.5.z]- Resolves: rhbz#1579780 - After updating to RHEL 7.5 failing to clear the sssd cache [rhel-7.5.z]- Resolves: rhbz#1579703 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000] [rhel-7.5.z]- Resolves: rhbz#1570527 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash [rhel-7.5.z]- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.0-19.el7_5.81.16.0-19.el7_5.8sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=f5ef1f51954a22497ce73274f47978653c110e25, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory9R6R2R:R#RRR8RR RRRRRR4R%RRR R RR9R0R'R"RR RRRR&R RRR(R5RR-R+R.R,R*R)RRR!R RR$R/R7R3RR1RRR>?7zXZ !X⦡] crv(vX0|΋ f=y7 vZPi sj.3N۟prX@)Vg%,VhgBT_7qޟ-ʿ.$rVnMKiSF5b|K; J=6#ȵXo%`ߧ < CP==>ʏ"<д7Qo"‘כ2ZDثboD)pQ][ELE۶rx=o ws$} #AEfmd*0ol,8á0Y]@U 4Si1TMq" dfmAɇ\" %_j>ѯKTgvNr]p&Qk V!vx MLxA3s_ lTDQK5^K s1@j1AY@?[k .8q`& Bs1;]w6^;c$:]U(2\5DWuXÕ[{d2_K3{9}/Mb.ZJFK/\,ڙxG/ƭ t!"KnxqՏ\QѪ״.ׄM<ۀ@ Pcw RѢ6Y6fۆZ$ns!J^ U &։qd ulŖ >#u(/#Tb#^ 6~ FY!H7 ή<΁2#'Kߠ >)L~+|tю>&y\Gz0uI T -BumB{~Uam7k1z…kt}ח =/ \=3-zl & aP 'j"QU@C6B;|7if'B38<5n3ʡKTӹ,f0qˠ,)*^Syngh X C?|/hx?yqJačL*XǙN]q!er!LEeu07u0y9 Sѝ-ڥ] "…})+R:H˥:7 +8-I<.RvF#l3^-5=KTNtba MHĶJک=52-cPr-XfS>lє\ۇoDs?ao^!/[cZ)C)qĎy82)*섞  0DYr~ I8\8-9@RםI=\"dfpH1Y0pP!W<-AW=!74Z_QDcyanvuXs؅Nؕ< A`EY[gX]sk/;b]198ӿ^MH*c)v>iz$P#Nv=oDjUaA#zUDaIaL(b=NToKwp-LV{w,Ǵb(&;ȁ PUƈKQW\I HS|+^4b1C?xO-aI.6 !1z6YV@ g>gv~S%,>;; & *Q;敧:B,]1UG4<! V|Fi7v4=O WJg${`~;ƺc>HTo{M>GZj7 dr {0L&Lr [ o‰%dQg "zWZMzE|՟F&$9:\R.$5dZ1=-5d#NhIpEӏ”0k1]'m$ʂy$d6evJ]/hrFi!9Yx oqa;憹-YmؒIhP5ٯËйX #ꔝg>>}QFq:a)6ed":F?ͤN׍@Yp% X2J {Wd=MۿQ}N'Nle%%h @+B!ao!W?ΓwjN[{O7~I&qԋ;s,?~2vaa$K|%.zb&Sz%9V 砪,H=OUÏP:nmnz4=M ycmb_pgV ˮeωO(Gd/VFp,ٓISz '!$:IkOM- MB3:B6"DOi&mw!TH@Kƒ6ǾsFUi4 {Ɏ֪]0;G.CR!+x\wN9% dgbv[kޢ`<(KQ>#\ jYG@ǧ##Շ%!Jߚ?kfy5[EW#͔Ib/ w6T琛 QwoF&Lf5*#6h9GH@j_9 `b6T Пr_m{XNi~W"$BҊ:6bBuYMS.1oux8hdke"ns >8R5,)HaFuG  *ɜQ];C.|8~kXEh6a2`Z3[oC8L)0ho:Q ݇TWNv jCm0C u26+^<-^̳0V<̳C@x1-GT@q%ח8~@ ?Z{P7ۗae O@9-X 1"pS¥F.ـ_o0fo|F{Pi-e2ڃwoxs鵔g*5T@Q~ߗ| g ۋg_Jah_7Z54nδlzn7aEw3Ngb[XF)T2̛cug8݇OU,Q/e?=J\gB 70Z[24 zOOG=*%!s|Yvx&םX {daMy)oO,H é\:- J_J4}Sc/J]&r7DypZx)i$jW\l}hK`=0D=Y#8=D{bʽ hYF7A]@ZUϨu?7HK3kdK%Fl4Q3BN9$HAgGNg_O4a~j\GqyXhcw%;yؔۺ"F8GX"Ylc"g@qm$؏H+=|.UczL&;tEUG0S#!PS:=xb)'`{h+cC@( '$ɐaVMLPkDQw& pܡXLũ"#m$Xf4*dH 89u%&L7٤o8t`w[1Ik4}7? B, },r Al@>`se{:htjGqlYxt@xQ.؝E:Xoɸ +wEk5lK 5Zif>=w ;EZ{[b^v]gaØ[&; ײ?=LW?>{0@dhy&pKhc0MIn[5}[Ϳw k1NQNqr/$:(ޞ{Wun;G wǺ Jڎ c &M\T ^FjhP/b+u6~K#a,@3 j˙$ԭ1:*Vw {wƒ zc 4/jURE%#_w[f>PSrgQ<`ۈ}~ice,ٷ+\4v<[k4,"=~QX1{%cPh*Ӣ-qrE 3vru9+s"&_|,-L&AEmW2JŚ6M݂#~ER4&پƘcWA=Re( \]%t@}a7oߩ?/YM]RDӱ^xS-zN{wK>B-!B[%VW[*gc!$:8dyHO,6ߩ. VL9jfhQ7vOV '; ?!lɐ)ޏ Sq*YL&<׉M;/KMs#`z~rN8ھ G16ڊ:Όy̶G&K)k&Ў4:(v4nmYuoՆ,"\,Z4N|fbeHzpb Ja]]>ݓ/ J?tc+Ԝ BsCIwc妯jM Rqc,DeEބx&J"d>Uo 21q-aoH'u;V3a e4V6a?0T-e`-C'W[#{>Zf8I1xn{p!ʦQ7FI:ϷvEV,fI.JNz w@U7bu\%x·+,댫T!?a [cM|pԢ븓0, d8>1ӊnhɬ(Z,!Sof`VyTQ BcgQ6cX bx[0!E=M@#tO@nd(܏MkJ򔒍IuqW Eq)EuGTQNw󺊡ϑ.M!Or+/b, CTv?wPƛ0ԌT_3TQv{՜ó bLu'2|"UBr)rkV?L=skhMB?NBvig b~DI +发2/AUQpe:]v5"H'|G\iN81A1pA?[RMAKKS,{=jBlcG*Bh;+8:ڍ[Y@5=SwHd_P1&?T }?1f3-Lx5$ im pU{'OycP7>4kHf?5#ic1@N)DH(7"MIB"&]Uf^슎3U)%1EGP( ۘ>2qa幐[zV#c:~zj8}6q _Axʐ_v_uĝ $ VQ)FE\vf51u)\s6uyD=WzpqM(.v nj'gi*)|sǭ)u9YM]Mۃ*}.Mjf!2٠V޶`$Etodž[c7(%ɞ=i|?DO80Bw3F.ԟ2Zb*l쮕m ^ 0o]h[y+Bӈ\z=&0GzE*eISMTfsHkjzם;K1șGH3ZӇ#g9JnVi&J fa-nsZ_E 'zhI ܣ=kJ;$85]ERnoRK P?E~O}eb/X"/;caOFIL3as̨vripߚ#b1Wog5T9Œ2AWt ꙼|Uo:v"1[OLDíLf ZDXMA%JYćF;N3mᧅ!zPG8 ߄Q0TU@UhmRq\tfc4i'+M ~fL:˫; _s7,*+#CRkz4i cH& =|sVpKPMǟ/&ΐCz;tLCװS%w:+)prr ʆg[þ~HHP[M@,Y<0N ih5ZV %>`bhR>.ԓ gNfEX;o^{z> BulQ5H[I|_=L)=H%O.<]c$o IUde?e ` z&uKqVrq&z%f«V۫A7l SZRL#$& hkD_-OPcZMde9߇ʨ"uLVH3FKhZ 죥qaՔJ%qof" 2 G0Mԧ[jr2䱝ϯ/eя#b 'ʽDxq Oܼ;hPfMet' Ү8K'񿴷p|qF/O]bB͔`:V ͂KfåZ;$~yOUBLmJS#LUxg&E0'`}BD"%H3s#{c̖9Tun%}cx 4 ;62T{EoP$&XN .^*0{sM>v(|k̸ (=!o cmHYɤx뉒DN>8-$}rlob4 \cOyYZL Ѡq:Š>LbAeA>__X׫&i0|<3kx}gzj)86`ev 3yWد 1^ $/=G秡0~^.U<C&VL:U2sb?RYK!& o,?}\+֧nN6DM$nX*%Ś͍~|bizx ~F,ۈ[f/(ß;(l;+c"$g2ݾnzL!MONK &toװ4*d /]la9h9I䊞a#Q+ao!G?ޱiszV$[z̑+V&Edu?٢SwrRLk>>IyB\iL?s G8r#SP<{4?\C[ `1Sv--c)rpda!NVg2G˨F5veZCŞq^΍thY,D,ief]Cи5Ϡ/_ fP&.xA^TVx7( m7֍[,{* 8VT!X<ѡ)E;j.4j@wv.ڦ(ɽ20eC_~{A> >gOZ,6 cvٮxkGFuRX>AXXq5_KpHfTPOx⣒DuLtgһq9wtLCȤ rd)Z*һ/4[h ?HR)~UgÕ%XݶHLT>x@E{)1P/.@ mⴷ{5zX0B9L]::&rJ* f1dCEhxTтnQ{CZJ+,x2ƁTHc5e47Pui jguB"a+xvZN,rћWh)hxF_Xd"\=wqE/ HŪo_/B\zji0儫$GA^T̸pٛ1$ȝZ!cKP#1?fxjPzS@خ߬kF#ƹ;(k{RL.x> QWwC%QTboO $^hÏo` rt-n$vh5*~2"|&Y}JLm*i ȹC_yK¤e=$Zڡ:'O5 Eup|b'h.{ECqgpvF|?hFSy1'&g۹_ל5L]DB.xid^Ou 0Μl.FCmZ}Ki P#U<ON:`LB̿K5=`lMPy0Svy7x4' =.:e$3UjHW6­"LdBkgY& Ϊ@}$׆BN mT],YtMx nw5nVSj |o ?Cw RhKRR8}ؿ$.u.s6Dڬ)Bʝ,I(AOx8,J3-cǜr|=zn>hxB݋.{+WN¥mFHAC 6uNrm_7\-KdŮ~icw]7+_gUw-d…g]h_i%W9+cOT Ly!%S,1 2Ѵ-͂ =Ö^46v(L:Ԉ[!m6vB .sAtbgSt'b:IXݲcVPcm?9/`kZyYgAT;ɦopYptMbF*xv,IE%FHY|[F;A%ҖiZ\޶7D]9%wpA Ֆcau_k!dN3<@m4g # <17;XƬ8N0ZQ;9jt!aZѿ\ow^*2f~Q'T(.<JKbٵU༽{?z$AP% Ṭi~m- >GD>uXP;o%Eh֟2kٵd  ɡdbv:L8JYQ_ l0H(϶qRs80_3%N6IVNuxЌ(FgQ>J .]w|6K|?z6 fZW6kļ5H8ZcƛA{ N8pmϳ!g߰qnY!ALWDSTah9+ߕ(mmÜQA/hT nŏMp"#NV_776WBZT)_ͣ o1i%0 ٩Xs ^bNJɴ߀cc}idoWv2d[,[Unc)\&:Oݦ ~hy4am? 5| RMʯmNJוamiW *u3O2xF3E?x#7D})UE%>uќgV5W9 eR77͹ Tɿ CN;@V1$f|a-Y ]+ vd%Ymt3s$p, l,3$! Khϭ"b:ܛΤv` bF!)toDA+~QաqZI9w>U4 vgu" 4Vd6 |3:beìQAƫn@CLop #εH|EI.& ''|{v'ijohS)K7 !gaoZѢnFh Qm'Nnh: :(ƅ3"QC6j5^]fh6d֨JURrMFBoVʽu=CƳGl a E}gfިQM[J+_ӭBlc8G.Ј?}HSNHa͉okpr$}v\EgA|2j?)~b)txNu5OUDC$" շ(,y%^FGŽYgLjѬd^ο(+~±*cxVF'ŵu\PJfy}xR۠),OD2=1آVl^u M\<~:̵XtwD&Z]̼ p7u#!>ܷ~ѠfvvPIMsrl~:G&+xЅ[V8 p3eQ\^ =5eEr8>_MǼ![3Zr"oƴv7O}'#Ll5Te'V*םuQli?@(G &ҴkL=.t$'.-]mڄX470$|c>ZIPԍUMṥveka8vf=UonLv(h2F9ILsѢmdXmQ/ΆZ%HɣZXc*qۋMÚe})zcᘃ=ferkm닝-S>8؂y!紶ZzKQ"T8*݈#k~JuE/rdD$܃*մA&oj:(^ukë!ie Uwq*MKOn1[k'(G `ٝyD2e~"kvqhc =-\=*ȹKԭWBQ@F~,h*Vy&_(O.aE c6Hr EOt@?5Ac:_sUvVs(ǞPػe XL{AʩG9!"_Y8r\Sd:~rKƤx.{g">ɱT`6ncMJӣMgh"xIݫ??6rUkEl}GNyquLP/{4;}z>ѳ/vO=U(5yԞ]hXvPYb, zFץTºakBb % i)Wrnz<C3.-kYoXa9X90"S~x1_)Q7} A*]V0~9RDd&M6|C&/*y-V2WVNWo0Z0$J$wnLaeJt ?(瞧@M_i#X( [AD_X?TϐbpzNkT$nʄw~K b88=S>괠]t<)"Y0&@6ahCH e5鉊eq,|%Bj뗌C04;ln&Tq'k} WWL1CI'/[}<9^(oً+ !!MDY928VbWϑGψ}LA$\%~,^gM,8!vU;y|̀f[QpBAR}~@4XY- 9 XEYq](Lsx sg|{[U*hrmn33)q]yNK< p{r?7z94K2CbݬɐKgfкjM§esOE뫍動(t_zTXN|QC ' (*\6[ +\L$&f < L!i*ty 2/Z $dNp o"~mY$\+ӹn@ P7ӛ*ឍruh:NGw>q$)ħK/Ld1 S[Ȣ2T}WlD""/mB̑sv?¶γ荤90ң/ su`P`9 8b:E)LC!H*"ַRW؀i/HFOnuqМryeҊK؄r@$Y] qruc8s+lHmw,1zsD&/`b-PϋZλ| =mO*_*fC5"rh8b:8Au5%þce!H|:]?.SF|ߓHDHk?h V}F7zPIOwmrEL ,48H˗Y:^/׏VheX-V[HN_'Y^ȭeq'T[̻%2CUX5)ovr@Ry܋GKMJ(*i6sn2 Loᶖ`גU>~w~ޫ&s|yk?+)P|h r@NDn63鱄ݺ|lvO}68qW{z $o6 u|׆t|E"51E1w{fj`sK=Qr(4[Sg-Ϭ3aAlY{ -0[6B2s^.@o4ڐ0B`gȷyN3))x2QPe $#tF:FY#=lj3%5[+9rC޲O\+Ab0R"OAooN|:&JOcODI422n ZϭP}UppV( wG}Za8 Je[`ռJ!5shۺavPo+YVFddQIS+D)4є[-'M]΀ƺ[[JFv + DQ~0)dn\<GΙE7 o,13 $^HbHai4d V?Rt4904>h.?\ZL ñr_ Xs s$#eqj'Y9'Y3g̰ '0e.TyWQ~=cLAӓTh(dIY+<';SRrtZcy%45bK|y\X,W4Pp\t/U8Z tC=mqI qv+"XJM'?rAioK_8n,;)Âr%7.Dvs}VDL\[+,K~'i &60i\نzVKLyY~済—|cs@w?`j?}%-~x7MuPZu)!W.y~ǹ(px%{ưeTôxkikwf52ב[]HU^cWMbEj9> DaB οyD ໶s1a L! *C,!-u,[hIqA1_hGqm3>y C0bx;b۵+Ǣd(*H?qe8l?F'.@$2t3T@0I弼3NsR5. QMOq;BYmMMK͟#,L}^ksBR6i7Ȋہ~smE7c,͘4ݖpnQ 6ia L++fƭ*x26C2GTa|g#a`8,2a$; 9`I#=R݈㷡KI jvpQ"0`qg7]V3ERK-y1hx BrkP!={xZ+Cs##SY䢆]i<*HQ2كR*|gdޥI Bt:eggԦޔ#_znF0L^ ?^ ʤ b6Z,܆N`K ˱gM'Id_U |ë(s36ILUc];X@2}>v3]xp7۰WJNc\ȥLg?+ ϴ:@^( 4R u:SټE:R0'+yN{!P~jm/+ slak8v}9қ"<_ 6?(et|ܧA19J?UG%W ϋ}aduzF,uD 7$)g'TR$\k20nr:Ǧ:zSj pdѩ. 2$`#wԮQE*zl}V1~aD/MTu<ǿ"=N\r02 Lm/-BaDvT·G?l;:Nʁ:!l nqu ;z ɕլnP9y/dž^ɧ2Sܩؾ艩^Ğ`a.[ѭŅ F x#%\k`H$ r K\jVdt1@'B/>|{(hkà2\ 1`dc\,R#,ށ8 ޝ0SHhTF\!EbZ W3c/tD?9~.G\eQuMx^fqtx65"kV Dh?}D:WyF6`ddp`:ᆲn):CSVu<$'v Xݹj c徧k/di1;ZlTzZ_P6fݰ:Iؓy Ts@EVZ9a  4VWAE`)6TɮZچ(F9<a%#84B,j+8qZ8&T3),8ʹm*J˲:8.<: SDjyTu[Qm|ˁ% ®gV6N߻NZq{Noř`piEWD=0pKr-gfK)@ >!7"n.HK1k,u%C$Ao'!i[R)oؕ'/X}K!)YHf-2ަ,vc@Ҙydu#(Y|\~+@f3@Le[wѤ!0m ! jucP QR˛)`GcȽ8G~=Ocd$ʇ'S<@:%LĤ)]U]V׸.I"*):.[X^w.H RRݼH+ %("7x0oWo'2ʌ]?lxE rt}D])d/F"(M#t5PǑsO@p:NvЧRiW&?%?{G!4鮍.Sp3m;C13dOC]& [EfJwFlS Vk.tS! лY>)LbĶF.~L=;}ǽà~> OAե1ϚVle5ҳx2B:`Û[49ěAHz"K-vFo i'!1o\JMQᝑM/Y&%^PAQ3`aNxX1݆xxD뾃siG1"RCWv ̇k)m8Oee&" (ɑ$h7u9mq55~K$chPam!S#~5] !ymuB*f3Jr=H̉?'】g %xЅ9f^L;Yxpp&Z}n=UjTAY (!(CĴ70,mM,bf+]=_0؃HrSlg)7A4((ҠW;S#RIm t!Cׯ*$Fz"#I{0ήzkyJTZR!:`9&3@<㩦odeC\ gzy|J>0*BCݦi@Nuq'te!BI,\%I1q=dtu_NﱇR $!Z 1Z\Ar\Gr.aCQro YUpDOEl$W~擝|6ԐC6J.c<]"#PYR{ oѣû~q4#T" ` TG8eʻ/amF(Xjet_g>ցfGuNtg۽U2&n6挱p̎!(Zvm4c,Dʰ#$ r)"!l.M81G>P-퇣|gϚN>"HPB3pJnLO=!O1coKgJ`- / $ѻo7VnP -c4;N|>a\cF'>!16u7'-tp=_ӆc wud.N(+Ud40܆jRkc>u7A5VYbQ21n C=g+m UA so=&y X?)$voo P'%գnXiإ~;f=g1Xcerm֎L7&pd$e2^(R`3џl q\iEԝR5ĥ0sB$v$O8;esȣ>OgE}gvyAW$ )MqXC?3|&뇟? kQGbw9~%ziz=뵺T |&2y t(f;r-jGQNPJ `'TZ o˨ Fzt0rXzMms?NYGT@IF1~CjPYެPq҈}~EN ק #ed0Xw=vTFbsɉKcq}nn[\h_kRhJeL&N00P ==S7 T!L Y>߹~*;Ir&%;zWPL 'wQ[m_CJ={*bCfM2`X woLZ2}=e- fK$N]VbbR[qȧ=](Z`XD(2C,r;Ф ƾA1W͔A9&ts('),~.u7z y56n[z ߱6HnҸ4_Js7nGkjD$Fp=/KE4o,qH[Yk5Tj_*UiIN{~pq;T3ң.{A:U|]v\v_T dH-f"tÖ7P8xl  D3+ u, |@JiELp] oK@?Ŭ 2y* SqkE> 6 iU]J*L%֐,ډ8Y/zXv.Q2Sv2 ^^^[V7qf򚿹QO! c߭A7k)P=4`ZJ ytwʅ}_񞡍_[Ki>oskzdD6G6ݭl}PYNsnj΋ e|zi.2妰pdǹl1:WV9YJVC6p?ै(¸,Xhô"$d\ԁƑXYe(׽Ңc"s5#RW{i5b=beʝ,kpUV ]>AX>Cl9 D-" p:W6řZ`I/"<ř-1~As ~}|\92rU\bvm8Ǯd\PeE2e<;#G_3DYp5o洨$_(J[٩((w )99A:"J{FkGj\ 1ٯJkvr}ljqׄ鬷gISQtB~$ND#%Q|Ys(msg˽ᢿA>!+qs"{݂EzAY,Q87⻥x8+l=< /,@.m !eNPxܸT8Ir 2>s)ZY&$M~ZxPCx/=j1uT~\"ڢHC΋;1qDKb#U7Pߣ=·J Q{c ޫ LD9 yT㝠k]D@/8S Z;!_ t2 S2To+}ƞg )^*N$Z]x\~]fN' [iU֪o _Fs'& ȿHO DgZlkc<}qp rItO8~P~%k4d$Il9eH(\<)R}gNYpE2'Q g2I0T5 u7CU+rH5j`}$!QX"XtK*ᑔ+ z̺rB]Dr{m@DP}JuWysU]KO >83|yōȪh4nEZf}}Ie&cD)zwkz$B*kE…d}Zp3}pF7uՃ%YϢd|һ33.J/݊gY9 d|JpU+\ep]Xrg w&<(v('^\qXF;}XU6Baj4ߝ),^J1}/# n׭ELmoȀK&xKev#L,mVvRjVm~v eAoϲeR^K'sv%L**GmQ-APmMSY4:/X oyB4l^;hëk7-NJb咆D:X܋Rv;XmvRUG²!:Տt%ϾP)TQ)^*GxYyUrW94WeJ Lrݷ4W@aΫqK{_+'\Ƭ0Tg6V/ (蛥F@ڇݫ+)@CQG$"ɀ|GeLdblL~g{PFvwԿٟDIQh_9 St~-nB\kl?=(e_ !9]ꄻHgTzy7-Gyvp볖c͇ŀu[Z5h#$Oa٬);?w(tUBwYq;bU1J20՝v涻#`#e>*?nW.dYZ ug ]Hl2E.Z{:ײʓҀ#Dj3ΆJjOSW|d;}**@w ϱ~FuľS1Suc D7c BV_;!+|YV;f6֘ʚԇ"?{M% 8E]C)uB-ȍbbXK|2\'ޣEݑ0Ng̿\!] iR~&|H(dM=Z]M5rܘV]=0S&)ɫxr V7~g)t03ZFCNpE7Pr"Mr/3l,y,B)tw:qz,}Θe`u{6ξ[|uL(Wm iĨ`dEM~v]:KURxxH P>Od.{n +GAf XX{K X5v+2ؐ3$<=M5r0.\Ѥh*̈́c65k @K>7~ۚq(Gpz֧cƶ*B1uhXSCz&/V=U,"MНnp5}{<ܐw{ ` OeQ&VIJ7w昡9"V@l9΍մ&eo9"254KEkHqI[l:qW`8+Ì(*ݼ3ġw+QQH#nhdÐ*F$:MWOna)u6Ne{M#mHu7_|gq'Ey[({2>=#tګCmŽ Ht=gIZbOy 8B Z] pJ<t97Vƍ!Ќ_|cI9Iɍ=ѿMF1vդ9wn|qjr*^FMN5B (n \}ʠYM# AMM,/~g|Z[ݕj0Lro6D Re,@_OƢXJ{b w*7=~d7̈́]Uck>͍Ɠ6+vT)x$36_-(P@n^,["ғz{@3ImASj㛦 L]g~0ٴ _uiH7aSc0M38D4y vдE3CXzGEϱ{7ij",|ڝع9~5էH^!I /Vvՙێ#kC-Y/ZWxBmRC*m\{޽_ش/ˋ7%FN ~/dXI8Pa~K3S1%T?* g 4u~ U,GMhv2{-!35ߠJ g&!&O;MZCv⊚ R(?Is |'ϔzg#Y~nG@2F,.=ٔn?A+TPݬF(̡XݣyIQ% f `d3sO_\%A6NR36]gZ*=~f8mNP.ӥܠU.iOx!tD4`Uh&um@iwE*݋]3ɡS=Y>r0]Ωd*sK۹i;fY rI:m A \2 pdlّ)#^Ɩ'@BNQ5+.5/fH`+WiGމg# VEΦ(y4@$<`-|]_ܥuJ;n\Y&A-8A2Y}dsS-O9;i3W];{l6`i"- /1z*J,Y^Э/H>|7|"̒Y\.C?E`LIީb˾o,2gWӆˢl {Ʈ1pރp,ڢ/clH0uǬY=}윉)]Rʞv3mz;.`,x 3PDͿ@x׮se jY- *zX3JWg\UJ8Q[+ KWOY-tsϔzpJR+ `& ٚiɷ:E' N. +o(vdX  mJ?e/ YGVe4J'?7YxNB߀!Ӿ~wWFm^X܉~Kui!~'1_U<]'B|vD9Byz2.t~lݗRSOƣ8zSځB%5qw0D}ڬ 3U#RH-~w 9&*x–ܰmd<;.8hi~J σRn2cxwN[T0k1l5[Lך([ Y^zpm᠘NלrWnfɲQ~E"*5P`NiÛOVjĽ-MWnjrQ+qN28@3aq]\ DN^C awof>-D"L+}j^Ʉ ohҹ;zlO V_eU&#6E^ɦGZ-W3[, GibhQb9`~*th'g5-Ui.OZ1e[ǹ'x.=~Рqd ~;o,,5 At:Wo)d\@|rEحw}#ڮӔ})TI@.hG>iZ W<>4ycS$)ݾ\u Pz'4tNi7+}<-.>0<Ff{G,4bbβxZĀ;/Y}1ͥ>C̥7rRjs^lقSA\u>2SGI-pZ9gCdw|"'5ʪg4eo8o,d2aEP ġ]ȍ{ bdX>x;<(:MfP?wd -s{f1VrOG$YY&dHg&W]L襃Jo͑uEGL Q0㖩6oPȫ"9΅) E>ȦD?svƴjZK{ ]5Aۂe6:az屓9͍An,34XJX\L/! 5{Od,G|H >tşkCugLQUc2I^,w`Ϸ4 @51l^ \jUENbqp榮CFPY?8K*thhBWHg0 aaHP`ܞ\nG&fJDLliޝDMFN=H;iN#3J<͹V/o#Pt"R pNem4Ac~А'lA~DU9Gp))¼2ZQ *S%!I7 )fT KID'ECi< %Ñy Qۏ3pKkf]SArVK}'WAs`fa|KM 2'so=M!7Ti{DHUڹi;#cg01Ȇޣf@(!=\O r RVHQnva!j˧㠏?9ۘYc -(@"ˣ P=QEzarvHSoxnfY>-9ޗolͲ7iPb1Q4ywI8]U g `4x߄"Xn݇!@>$I[e"IÛKmwzx2GJbor|V=LPW%?u >iݒnOd,5)#ī;c[8[&[oco$ޖZ_EEM+J*ɋ*uW uCe[9DfL c(Gi'U/DXx"U홒bs 픃A2b;@ä?3x?\:w/+>ۿ洚3DDUTZ!i<|RY^WU5;#:`Ba7>)J]R XǣNJcTKxW{EU&rWOrs|NB+ݹ¢gIu\\fZYvՔƞ5zRqz@1v u`iP!hcN9yLrG "n6ψHV#R<?db &UWj'3QMyʛor$}v™o x,$ji¾l$Xk  V]aOFi%]xۈcpAlv y-u9bʶJjl~im2ID0>7.5TL-(b)vΈSWJn)T`A iE:]&r%Xr*IcX y,Da (591|ۆ?j"cSN,aOmtgfIY-M 2(=4(w ː&7 B鴂nݝ$rVC_!_x V#x/+GHЪ;#oUmٲ R|.kn+KD'G=?>RnIJ,3~1aE7+JwJM{$/ Qc7reT䠾{_F ~dԣlq=wicҭIbC:zrM̽@8<Q"Єl;'^XOxL]wg'yy7_VhmYUDĸUÏ 'Z۹y&,5y6[o;Jab__K#;t^FG:]excKa!u 9bpsIz_J92FJ4O#y 08uMs nѮKV~Up#"gmᾹBZo8gIfӾC@9H*'pw/|Y+^}Mx)IďKΞlke\U \;ZտP*8Ƿ8|P:sqf 4 f1xK}mD0EIM̳K;WX\P ;(H+IU?IjtMUS${>9ؙ~:2測CM{& 䚚9R3]PIS#l5 pVP=6NPF4"Bc̤Dڵʨ][ئ[@ii|3dD )H>b&,q緕7xLf'e8Dy-J_NV< "Qna,maF4:Vidv4?2<ϝī"D?C kCDO/x̳ E x3M9T̘xDD\5LQeqLvNw"&ewgˋ s: ȍbmv+*jlSeC/dv5؂8Lne5lTGmAG>,CA7Ar-Kq<^5 8 KOWPjRbHr31r0ˎR ͵kUt~|.]UsO\.PUyJb ,Y'Nj]wRr~υF*ocmDwokNVCgL!w7D#NH W6ܲ\\}ll 1پ$^w{Kxfxmg9ui<#^ig&`jxiM8F~c)E m.}VkLnG#کpGc׽y#a|v2! xQ 9*sDq`_oK,]'^_NR%uNs{!*,ykxU I?hsW09eΰ@#±~4HVɶ۹/4@[euۜ## ]&tSu`]YЛ^^ I2WH76K͓%=(+l`, z{yܢ{h[tz~0 ܡ)dXI +`EaxnʼnI$G$i `$SNKi~^0r=6 ɵˏHh"OV4;/uM@N%qk[vY (I/[kvހQr=z,Oz7J7Պ o?IΜC_U Mn2:h[d'tr-(16Ӕ,9 ݹ ]yFԛf8V{Q ~,Uch>]Pd{k1!X#ImsUkUdf{Y梿X<_-]dzF!JUxb*7 -όНk+k(nkI|9`&W\^&Pf`c|JTC>cGF :e$eP_3فmqpd+* '2wD #SڼAgưF^F2W2Zkh[cX|Jh\A{371 yf8j/8`uyLm ݉WhުXq{ޣwދZD״4`-fEf waEkubiLyh>;Jd~1G,q{G6Ee+dF6'^wNSZy+rG5s2%OvycAfJG| dݫ|phK%N8 u=&vK0v!t0ymCκB2W8l@H:ȧLyy3mƑ kZV4(q\7_UW``<3H!s%ʱ@^;נ7F9(`,4Ñw[i/(%vIFEk;1 N`K 0'l$Wi|SʟܝPl.2-uu0;5%M􄴗wo [}ڪ]؂s$ _}%vUO/3.%ţj=0C^RjZCjƊYS bsjT)5µ_UWTL,_{=Q&1Bo%w{ gFy]D5OZ{Vib(d՛gʠf]1QT}L+iI>IdpY̔z\""$ZrA$gk/.228OE7"/MId(S,+) \Ϊ6G%}i-pM:6)++q0dzb ?|[7q}Xi% q\`9a 1&uXVf ט@q9 .L [G,`&]Cfdn0r"q C2K|y1O_)դ؏ g`/8@tlgv ॠH.J6ˣQ:j͂!UW:^lw.,+FLxd9N CU#p2TCF PU:0|*DŽ9IQĥs`I2>CvL -Sje{#%o;KSf)J&#h;:oDܼsqͻ,@=^;nWni|^ZjUt.xUeɗbfrwyt:9.H_]M4]GY uߏL |#3x*_}6ZmZHkd,elY2 VZy׷Vq%"EmbpJl?@&vǐYqRt F,wP-Zvk:#127zK:J%_+n lEv *PQݏ?<{_x*_,x"|/ -` _!1tF!E%08iT R CIW=a gS {cxv߆:)A$vTJztX/A׍׹Yj_05O\{Qٴ)ŠØw['N͞f0Oy'm4s*Q$uNwki D܌R*PTuc,15glAwK : C7 )sγ)wmBq]"GN-qO!ܿ[m"@`d m'$<ӡݳ{Q˫ }461ϥH% ʜ%FA0Vh &Y={-leߊ `tFtVn*&,G9`׆ := gI1.w06cӬC1Vj(%eYa%"9ߕDD >auc-GM$_h MK$ﻍ*(/-FJVFf -=`ṇ,ZuCf_JqF$nS4]\ZG]=l^PX(' Č 1|? q|L(n$7q* <'0 ?i(E?h Y[S 1R`.j$߳UQg r M#ǮtDOPfTDǣpZ]A6~[Uɗ̋w{r*=5x&g-m4T(>&DNZX0!z E ȏH߸CGIjuYNEq$ٸ<(`f/6&eȰ=9[ԒuY+9k$ޣ{I ͱW"@1 $kle^~g1{ ˆ nZrS_$kٞ(Q i绖vp'~fx`PbiW3s{~WP][vZs{ql.$KXm5 ByB7WRP;=uz,'6ac e I}aQ$2R 9)q=im}$$g7T*eS/M2R1k7Kf;Gmc;cfkM[Y)Rh5,Pp;YYO㭐* \O N966CokP^jNYy 7jӉ>a)wtVͶ UB5Q1#jO;I|pizb~d 7B]@F{488v/ G)*Zp?aíKQ[%Ј$ )fV#C;G L:gʶ:oKť ~ˌxZE*4l/ma hk$7a2'J.0 _ xl{?\GEҮ>:~7T=V5׼mfMOjr{B ,40sγM:K]g`i\! I>(]GZ!P’amDT>Boܕ<࿕X2Uj?'?m t*~P̐b^xn# n:HYe`?S?ÛJ̽9iPm_Z\iF~ᘃFɌ Kʢ|<FPBҕl:2༠c-VߕhFgd{!ZUA)BRt9S}@2ЀُD{5[Ra0hUU_`})q|Vj2`IxmJe μT8MWD|[.}NHh(6T1SzHl@@5}OUԔs<\6ˮmLDKd -k3R~3J]dW^Z|Ixj&(_B]Y(Zce&آ3EuY +$/EW_OQœ=Q 2\jfj}l=C20" CSS))JoMy'6sF "ˑyj`k4F=5YrCوo%WOp'B`(DW? '9nۑ3t{bXv(\_ 9˲+iR5I׳%uoC3-g{Aג- ihuSrhPi;)xciWHϨ^_ %deqf@zrwuB$³RvU;4,p]z p€>݈h1 CVMqP;7/hjx@o>2XNq=f UqZ*PLVJ(3>=^]tN11t@A % NJiJq6v_B`g{bА}0`)P)GUXΦp^ )SU5nb&/I=rl|Uk tkռ2 4L`٥EtZ̪rG=V^T`wu#^? S'[_C8X8g H)ڇt66Y>Jh  &zn&l$on{QI6r=U߃YH;ndP@SjFDCAo%D$Ӏ*CTT[usU)j5ye;5B.#b<  ޼0koJ%bWBpVB98RJҀ8 )hfs.o J<Y?Ұ+ډԌv܎ -y^9U s ?v54`+]2t'=(I }H9=5ry\cN6CJPFIR$).. XSrb-[^tM_1ׯ]+0VR l#kQ˥)@FV.ANmH9]O0DIi:&iN2Q9\&*RԨc#Oj g+c96}+ΒRńRcDf40yB3TT!T}6B5cX|b$&@cH伎IinP?c3/2tb A0mscP4w;yFd"g~f!C%b ?=yj&`DH岅`}Fh7HW[ yTAe^usŒ'22 >],?QCrG"/X-ygΚsV]Exyx};ǢDܓif) Hpo)L=!+TAo.5|pED=E ssKLu>P W-bb8L>icCIw]8b"$ED;;󑩺^̿7 &ذEkB-L9S~?qUܹ *lqL($p{NԎg#A]Ez;e/6 ҟSi/z?l_pf -22SszJioO1q ?Ox^Yt Cn9 }r7* MlIJe2q0G4VY'6ϥ @ U,&J yCSZەI1-Jz ޗd/Wiڦ&lWwr8َ[=_Zn-|?nQL0,fq>*TjOe׷o7-?f}DxiE!;q8)}D1_Zw? Lxl7 0TBZA>We-EjMF[e.o=Bܒ (ީrcԚ DF*XORGir4K–.I*#x}ʶ),R]#0@ 9w9M0d,lX(|N 3S"f=e`lPZ:7@dsDXF1)#DJeY )O\_k.B-sӾ&(,r" buNb 3y=ra!r8vvq.:dC[h?9lλQMU璑8N>`H#H;2:J` cfߴM{lmm;(91{@ KS!?,0Fc{0\[Qzô jM)G%gZ/EB;;O8ۿchbH38w}d Kn|=f%X%rL~O7#Iiw Qϛ|9q?q/FՆU՘»&|bt$_Mpu1KH#3]Y#,i9X)@옩qLJI d8ֵ /Jjh1N3ӷ3rnrP',=*dͻ+ݧvJT"TZz5﯏AW{NJ5er4SCbC23]ũW$/F`F %O 兖sT+Vع-7E4L扩Ku~ Y7=kF@ P9H;-M4A}lt,BFP ȸ]|i_mq0 Oty?_T̚'=bzx8bv9?ՈJW6&; }%V"lyoRXj\z87>D J<[c'C$SVDD0B|1 V3LAs# =RDd*ˤ|-wt:xdeH{cS,2I}߱%ʧ Z"?4f{wV'))0bq[:W8AVBT\xPLQҏ!.A8 һ:xj+ӎoyHC?$QC6#l'YDZ7*!L9%BW]m+RG4Ua``&3nu,Av@;;6ލXD+F*wW`l+RVn˜_iDZS"oWW4Zd}S`7"SAEg $ iAu.m[>.Q/]2C P|t$^ ) ʿ;i;34p~P r8/+Z95G;qĸ8j>8v>L/S^8 ,uiyZxO; Y&|WO0uB-6y7O.\h>ܥ\+CDY.Vr8ND;w ]TQ*S-Y{vf䷖A@ |\~gq,k[I]=j.hr^ R'6 %.%ZEIđ#7ru+{ıOV+re|@c#u~覷dnUR(}Y M6VPVlWՊ 2CԩMi9[q^OiUP?Is[=,0.MTn WBs_a& 0O.vs]!ς9sdl_Mo y6,+r]$[VR]D$,k.O|ɖ52G8ʿ6(~I4O]@S ֜2P^zG<u4_vggbeAN,&uQ(5P0s20~I^>:k}یȭr"Z>ط7D1 G3UM^P2`ΊI5ÆkQm WI~|%<;P |/ɾ&7d/Sao8xNOKT8ZVU3[ :>u{4It |[7}p=t 93ysCUy* # c*Lsiz* x5"4ų6=Pܪ>yAF yT5DIS 9_>)\Qmx|g"JV;odw mL 2ؙ U,KLvϨu%Х-@Gn7/?3_{Yf-ӯ}]q_W8ר׎B3&~9nj85yL'DPUeFQͷ7"i&% xa^&%^&!QxPs.9)6SF+OsKBvCDɎ".1 R _Ҧf xXwgt85E@2YDc&7JmPMyy|MR.ye*f"``{ES0Px[HђB 64ϯX)KM7LjGQu1)W0=H40!$pB)(ӿbcP=>{$F(`HS;04?f흨?O3Jt[>+)7˾&|=Iҵ>?wd8#1>&3ZpB?)ZEBF1Q?n !J*،S`.6E/'kٷS7ȤKG-TJ1TpGUbD۸d_ͬ(rOK?oz]) םiuV9,GA#$tGl.eG>틎 G9-ײ^4@waE*y#eJ!9j |ۙZ\Ιk,i*ޚjg @3k\#n{pN%q&;Ra]ym?`O.Z*sUDaMR"JBy @ܩι$AqDhr!7 f:ܧLk+y"6o@ OíCfiogJx#ϒ07âv_Gc([ },==??J5)K3G-?jJ] O~\T ΜT Q1m<ޅaLwhs6^WYS*C;U] 0XFR=S-p><)U<"ۗ@/jDҡKƱ^eQDs̚H}&wP H01>}zܺ͏?10D8Axj nPh6q'3>_42NVk\Ewo}hId@Ŋ[F)_LlO\wJ2L OJbcJ@Ȗ[ kʼnnA"V1{\LmM.,;`m'q :BXyO'>ȹOXrg_} wȧnji1x/F-3!]YֿEK]$<(cһhLx"Ju(dO^|a%yQj=mh7l3jBc*=4S)2,~Coc{B s=&J4UoKxi>u >œ3"&i~wzN̸̬عWRN : {!]VW<172}44m=RKykzzFlYKV?YźRpsOhMy$$YTR 4 Kry˦tze0".Ȑ4N<Ƒ*z LaoL|8w:,7*9B/g{>J9e⎓Vj,3e`z!n/!_T,)LLtyd_k}]wFcNs54^OAQGRicbn&U ph1zoT*=3}Ywc%]Ka_I/g^J&i(d|5D[M6џL]-yR4^h_raBcEmlWlJ3͞}*\~xD0H)b,pGMùb409[![ 1!!N,5PL;gQqSh?K3Ee;O9Ls^BzAJYNfU=UǢ~I2=?@̱j|+ Ȉn1P哉#!aG! M6d!MvK ՄɚR) ]/PM?2x4Vf\';&3ʡz2jQhX6B7ZRvHHY# #i֠ |$3k8#*H=qk]|#=wkaye^ ;Ri!W cTsu9O7;KRQ˃Xo '&8XK($:c\Xj5/uŗY0gq"euCg1hGԇt(Xnb32e V4׋!&Gǔ§D̠X$ !+CB$#*0]ȺxPy0@rO^9~ːo]^h췘]*b2䭛Y17`ăqVw-Q5zv/ =^MwQwc̉jF/<& 98sXP4osn upMo#ђ75Cb lmM^nlCU,н )~m>>6ҷٸHODGc85p"EDn)qxTs;%m|ya>+U6\>\ƢjyvFy8}]V?OfWpJϊ=U\%],^T,QL< J'''aY @X:fZdt} L2QgA^a!`Ӟa Eb|tړBKsO<2>%|C6/C) >_Z bq2&Pm=z)U9-znv$9wӇQ@ Y~p#9?Mj}]A'%aދCWʛ])TdYжwhKر@omґ- ׹F·憍C928Sˌ M,z$LP. w'4' og3&_aa<tavi A״$MK*te¦vDw{Z+ "_D6h,gbH\\%Fq&@@õ{ԁ1nUW(kkj[ALsKC|&}]m{=|*>X?6QÈ'|RI\X T}Zs0LD63飓HPl!ȝ ^iD@G>制x y/1w} mAʾb;w fs$VY3p Κ4mX̒T. : hG(ަ^%tnd<@Q'!"/=%Dmua§]Ϟ!TD*Y$MP&(;RMH!V mg" &7-A5r9ο˂5fr#7Y78aA8PJ{`4MVNZ=L9[3/뚗;z&;[.2@ᒅ_ivCR*E/:I$Z0eF+B;&ʽ\Mt .t'5<xlW j -6՘=+==wP9Gu, àV"ߢpL"\m'O|xK54sҘ}4feWSIyw pq:^CT%iiJ]Pz(\e֌~l3 ũ}=ճ[*t-ݳ&U_'O\i1?Mb`N,T%GJJ^: Lb]?%1/'!gx7O᪂Y=L.HtA"Ƃd)L̩jy|lw0I5A-%k}ŃP,Hc߈x򙻽y?_hshL/y,2#8up^Λ\gb컦h.!YX~Ǔ_d̬=Sc gTf|m +,ՐipPz|4QXH4x1(nXͷq.P)}idM4O,~)-\,ff+/0u ˃dHd>F2G">Kx&T7< ԇV pu N /[QIO=_,Gr5zʢøx'{R" !y.G-I$F8ᑲ*fliU\dc"I5{CKN)ճ$.KV'6EFtAhv=घBzՀ[_n0ݷ>g RF8n"M]O)G̻aZI$0&ݼkPiͮ;jMPL%.Ҭv/KA<$qjCAyk:WÙss(TAC&Mθj]3YH#hrx?|<Ǟ|rpυ͓Ǝ&MS N!z-ρdgwB^ 'V?/bU QyLF@w ;82ZC\X:!J)wDt4~Q&Ra1NKpc&Phl}\>5 hbXRW*~)xpFʔ ]i/rskeЉɍpdrЧy `T&G0 zٕos߁r t:?VDݲp8RoC9ACG~%MmfrX *QkQͩw ˿)mżB,iyni|5or#9۶}5XTD#ЖvkT\@uYKl9$kJ  e4BjqrdXmz3Z6?Fl˕d"C8}QˮGYOt/M{`6sb!#=tQ <ђQ`&\!kW:jz H!DC#ꏭ\M/ĠCu`=Emy6{K6)rao.fFCT3t.ah:%gA5q!5߆`{0fy, e x8#\Nv=*\xvT`&g\Z7^ֆW`,KW~0"aK^;Jbϳ<%LKڕDF]D 'ׅAL#7Bw(Ƌ3@]UBGn7 Eҗvzz ,DvdMG"Z'T\&g; c,6|*&#n4\< pRKJ wYgE=#BOMJ)R8vJcCD}%A j͢TC뱿DsT'tpwh 5_$XPLɇIy4LuT1 xα,T&Υ:i_^lI#})uSfN4d ~ϙ66sOu_aܚ Vp] !&!sRC^`m^Չ {w91Ϛ^gNKjh<8"{Y´_hH,ƈH(R\u<MRmǯÔ|@97esZt<=StTr?߿AxJ=D,N+Q1Gs:iK0l0l3W9gJb0,gHC_z;F}~3{#כrk˥?o(p O0+B< C-D xxzG< 2 ܏M:%9dQlq] 6+N@CXjW\p/F(]|8SK x1bbMrՒ'dt~6AOc]03Fb>,ۏ&KCMdž8<`nɫ2{ru A*HˋB(+:K*f{'6{i7D]EMKÖ)oÝ jVO ޶)!f#akK hܴ:C Ė~7(9!;Na,EzMt͘٧䁈 %Q,x;)&Y'F/sr#MxJ[ʼn KgsޣJH-'ص bv-nn8 ƥIRnEl9;h3ˎOܶբ9uZ̑-oIɧ /G6~/asdYZgrch0}(MWj1 oPkRqYyOD79VGNǔ1#.J5.-*cOs3'S79f14Zʫ#V29a|"\810>g]Uڥ"/_A86GVj9䝜/Z;|nPü'7-MRJ6'hu̺^p>ftU*娊Mh$ ?05RFvĨŚO<: : 4 [|YD"3wvCDti͡)V{Y;D9D/C*0vڗIn.tUեS,E9k=靛g^%-Ӭ}-B.[Aj'/(\K]|)#8#w$ j xD{]Y[=JI_%X$yz2t`&bx^5hDFF;a&[ueƬS=谯oM+QI Ά/ +~Xt^Tz忩b ?#X|`c~+taˠ~cxv]%K](OᏡEmQ@D;!AҶ6jz{iֳ#7qE؄u'@`fD|cU`*œN+K{]I̕؈5߳rd't>th؊Kb5#fe?b)$J_JStM,}+ i4=Tطe?V#tw" "c ё bbt 8w< $jZߞ<5Iް-YRyMe`s ~c&mDٗ^5\_ l魷hQGa) FxYޟa'P}p񐡭%1 J;oW.t FeE3j8zpwYegn]n ^1d4=HFCM(@qN,~ @}`^79!C,Fmϰ W KsȻ4>.Ozc"n`Gq/#U$& vVIA^08Av74;i\,e>Rg8O'm=%'RɌߧ܇XK K!Ji0v%'Nf=~P$SoWzxrh_mpGImJz^Db&ޖ'`'Qp9у8 ^oEs=v}7e=Xiۊ c\fB+i"KsGӮc7V`E>7p6۸LOGXAɲ/)٬]JOj#LPgMOssNJvd ^zHX=qZ\4i"eZb)u(F}zˎny^趘 Gheuv^OER/d/ҚL "*5?/ڼI^|js  e7V䳢 ;8m:6 fT#6)I4ﻴT "~z9-ϕ!dAe0imNui8m΍řnv(U8b9Dˠ]K`q0p ֚"GsC[qѪ S$[>g$N AsiƧ/;qIãRCQtMo\jκM5u_ƗHI<œ@!|a}f?.ůY⡏}Esy&>+_\ew{ʏne7jw;IXc T*>B7U y7j}0G94܂0P L3ga)F%ѥe>s61qк<Uw$\PAYۦHUF6{x NS{AvJk{ŃȂ\_ʓ ٝ=Uqmcɿޠc Pͳ) Յ[IUŶ% @EIi(ᨶwUsMLx7{0W,ztչ21a@!z`ojQnBwa+. mpn'$n^>$S|M8fH):xZV\|ݿMmإl3W^S0Kh Da=2KG6P0Xx:Ru_n>n$I8d|>Nۢ>jx3:Q%fRfԚPxҵ+Y0g^ml$g5bۚ DUNs}k{59)%A)H"b?#яcg&Ef^y@T[Df!{Sg%XV{7%c(P.[#8'CG9\X52Zt1p/*9o#(]Z_`>jX)GVֲvX) v*j xY'@ANcjM;CA|F8h sGAѲ# [K9#ki-BNu RD[?` lUA ig4N e"z+*AMjJ_2z 葴az0jUeNՓ*qO|PG`r @J~8^,S=3y1yQ^@a 'R~TaK.j )e9æ6,rR\T,XdFdĹ(-dĵ\gA'4bjoLxDhf#AQvE HM/Tּ.m鮑IE$F  oQ4e̱ '/9d9 ]Ʉ'd4:ĆFJiDjG5:k"/S 9o.B3TQ,'վQ(n?Rtd Ppa-14L&hKxXi0e~6J+-g̕Zc"@bΖ#P,cIRnPwv")ξ t>]jOb#GBzq%A>#Q.3?ܸQ <dnJUWd}gxx0ׇ=ŴeG5M2GbY'ŀa)Md@ \<8)D0PcvAA Peܑa7IVAZzh%/AGoë_K}б,v-,Kh 23?zX?Q'h}Ȋ*b]@8V`V zcxieHouGBVW!]fB7W \UKmM&z:X$Nfc*MIhwCƞ}l^":ƕmYYL s!V\Mnuc>6R,ۿEr(4HS^fZ|m)TFAA[Vs\}* n/>ي \zꗕKŜ=k鿟u;.ɹ%E[G%t:3C{!@T0H?z +RhPA~ɒۄebQMIg #\a㼴.Fr~umWסzbV^S?N#F\N_+GΟn I F1&J! V] `a֣Թ}/x '@D C`/oo]Ӊ[F< mLtx]\ -iT(.q!P@ 7zKO C![C'P{GaqЊx[S%k X?Qsx~ l3H\(˰9J9b ӼWڥ <;8i:D7-JZ\Z2#kxSd` sykr\[-Z^kRF0@7 c0`p|+fykoYcsd({PO=i1/)>^`϶Ku~:Hpfy4e8H7'AU- aHur7tQQyB~u,3Y964qY%u@ ˫R&A:U$Z-FjZ4trQygy }8 UQ[>[2bYtezsMa j2q*Z:U~ZI+`,0E|J"/l+5czMq+6%u0Pǭg: 0H}pBT~##cm3bw ȇ! S\dhTd*^ءeX^¶$&euz"e}.cQEET*ʼ't6bL`ĶYv ߬x2jIDc:Kd׺qJY ?88ȶᚷ^$ʧ0t侼WT`hKf* ڱA8.K-Ei37)0>-DI4%ټ*-9*yW*>MJ)6s.Kprq(Ba5\ p,V&V܄zr1B!mU~z&j\$wkwǬ܀45NA[8Ɛh;-}d>Km&yeRtYg0txQX ^-{ZbD޼5F`Ȟs;皂_gJB~EҘVUFu~#pU_3ʍYb1rd=CdcgQzbۆ wpφoEWz{[(Ddl*qԧ`ޯd_uzӇ.xřV|D^TCg .4Pz%A +:0g#)1@] t̫ONwWP곳ȳ#K?6tAa'txHorlNJR`j% r :ۈcKV_b'Id{ ԅ-:MKt";A>tmSO,wTF=ڣ3 }[\z%E4n<|@V|fKOͧyT P1)D&BLPJqŬsUt`x (Ƶ82n'72 ya6 װδoaH<#EwQ=*2`}t}>^8-ַ{j/Ӭ)5ٿy6 PHW]L}}a/l=m[2[.tz0 B ᎿP uV{Y6${h%Sșæ/QL%=G)Jr#`;{Kx~bZ+ ܤ 7-ȭ3y{EG<N^!=<+ ,#vndnoa7h3a.86G;W8nv#g N@tG5BBP.;J]x(ԍ\{̱Jk @a٣3y-F  nYbiF{U)QWyB(,:bC%_ro+{ մKQo{ʮa &9< =ywbWpepjB-Liӭ%ƀ,NΒ2y qnpX,-}xi4vEETup5lmqswIn{C|ⴊ#a7^lJcZϙ@HuPԜX[Q..UX؞mtb%:P~X(;74; Z7{P05?^Z.F)UDp^Xm/C&(:k6rd8"9@ց =TxN7 _M?IkyRI[.SK:뎍>`Rb G lJ;Z'l__4DN|JV[yze,8u_oHnB {Z4ܵ2WAt\~FW/Z)p5TūAY.d> rOg.\@ӛֺdjK$5mJwўI!+hf7`dO<]aX !ȣi#fOd=A-"+TJ"IhwnIr:֒zt] jwb֑kkiqI/@A}hI$ 5Rlhlym Q!UVzX5-tKJ..rc!S,h0U|MPbi \Z0*nBڱ'mZJNԽHl*~I-HϊU ?%źm;No"+Pi2n .C(:&Gpb"TZ6,`L_;7#x"!o1uطkHad5y=D͈:>njM\P^ƃLҩީc|FX^kr^ʤʜ(q:7L! |rp"?9v~/zpv'YW țGYy ?cayJxQ=۴O:`H>_%k7徿+! h5etm~9`#|Mƾ3u!88EWGcG6d7x9lr_| r@uq#@ZQ]r&ܯP-ؠP$Q1x¨qENGM#ސ$=` )B ـ'3U1vh$͏ a{5\@[+ @i:+!r㼅sř!+sc]}oE}үvw:S/7cيؚБƺj8==y^a'IpDwPIȘZXtÛ{6sz%=kGm@`&=|=:,3Zv^/R|>K KvpI>pBD[)%ok4S+^4ݫ{@^Ļ}LA Uiyӷs[^=VpUc%xyD+G!Q=hoɠO+x` ڦ)7.S%JY Y}"1fGHCʹ`G`Jwˌ:YX)GOIk`4M?ٺ8[Fb{vo<1+p[ "w"Q ,Onlp2]-eDҗ^DY3A /`ߜaO/Xf?JӆW|]SG ;)rzje)LN#Qa7zTLV7U'"Jv8TE_ yMUV)р-mIՇԦީ]Ei# uKr%{ajE$*B:6BF(Qۑ\-j9=r1 ӎՊ3-nS~YEw4F#m!K?ճK\Fg]%@(I r$u5#XMǵ&$ ^B {OT.Mxv](yRgg 1ǩ9K;;9dr9`UО*: ܿ b[́ț6^NXqkw3M++ S08ƘkLjw0Kg.<"A](#B%z~WR+=T7y_#Hͺe4 S52Hϫ9?0rͪ w7( T[`*1 %؛$lwd9y78+My>CUrbeu]@ʻ{!g%i`I7㸼y,@j[`qq4G0qu>S:@d"t#? W|R>AUR. `t@ExfG0QblJ3q"wwG[v |))DhP+yA14r2" ~1 #0W5C: ̓!/n",VN+ĎCGTM{mBtEE"y@^רFy\$Xe&iڷs 6μϊʁP UɵF[3̻h5/}2r`rU]BZp)H>-ydžoLQy(5Bl9pP9c5ANZdO0HTfԧC0fͻ b"y]74 s5{)ü !Pet81Uc*oD,# V! QXI\jz!qokکTGtHz|6zyKI]S%L`CڷpLbzkF[7F8ějd2:5.chxo~[6ڝ/;]k zfWRYԿ27|6t)5(J&yY`"=b}ar]aN7,F,,b{^nm2_E]i ipl+᠎&937pG$@ǵ^<vFQjzOS2j@úce||tDaz _CF xDKTWǘ'E|GJ 9sXc IBQ!lXVmV&}0ԋ)mW3(_寊Fi.> Q7sT`&W"#/n5WU{{2ՁA qSGF=^-uHnI v% yؘEHE@fS VϘ_KXcH*(Xv2 4r Nr ƅ>po=t=x.G#=9 OømH@Cu(l#[eBrX# Ju: ϫCDr#BusGy ˤE΁aQy:AR2'9ޟ)5sy:̡ 5q膻G][pbD8C -lv_* HYb %A \C 0L!~Ǩ6b ɝǭ;dN|WQUsTpb0Iϼ[ 'd-M5hĩ5ӳ_>#e" ST'*XgJ$O$gvLgA|Nq֋BGgjO@B#m;KJ~zI]A'""qs\, LC筚vKM3+hf3BDv BBZ˻NۭKK2 "M\}-)\VEMOkp)L[qeMg#J҅C7Yk*y 732E}R?f(=΍ :OB;>єT+|O#qu,9QQ? ~:laê,GX/œWW&=%U=WCj_UiւcVyY\(2II>%' ( B(҆J^!t!שĮnsJLȩ2q>?8@ƒc-&2[b3V :As:G P#)%Eh4j{`&mF yLD`,f?tn8c>Lnnٰ]M%IsJ sJc)}mE LRіp/oba6fq0ݣ#8l%!7s^ "986]X*J݇{yNUjUAk `Q(`kaK Fa7xY̭ngt~M%c1gA(p2sqD̃$2+r;G ۭGN%/doH19]:$MjK0ͺSyؼ vǪ,$ @{qکat-mj ̭2Je-?Jg )w:IӖ]?ɐt1cSrd:ک_;wJ)Zb w `NfuQXs O*5c]_QZͳAqq `!6;`JXxO#Pn#-0%mQKyHջ=ՆY,pkNH7:17]B=vGq*^Bm!]7 gB !E-ȠZ6z$OTD!Ʉ9URK ԍpMa>MaYnr#, #/ϒi]DQ!R|-N]Ƹ q}`=>v Ep)Qb(V,#iF ҂4Lh:x}u3a4#ˀE'9& {}\cT [ E>#Q$}z֯`c8 >)68 =†4bQ9.r( 5tNisԌ';ƘP3=I~+3"zFZx=>'WC5ϡO~ictK{rFC ׿oڙ*%ѠO~qXroF#~ ζ!"/m FN/ohp;I"qdFw4T/bg hP~Yė?:#y0R&$bb4J7Cp~m."@ 9(L,|=7Cտ~sk=9Ep;r0R.Ic(bSD$Ɋ)vq|c!*O~̕$ ȪJp$[0MkضyFYjw)95ڛ+}vNRGUG:57 |]oÕlA1h(t"zKܗ\tBX~Nxxi@M>Gm:T{W=fmkKw?0i%3wfPqNG*ƣ02@|ȼ9KC44>i7Yk5 HKie[y66>3v>R2czhbPA%536, "ѹ +|ZLᏕ.N_\!2Ÿ8T=ԳF* a5t:C 2cSWA=Lk20I ց.^vA WqZLb4$_5XJJǢ`1"\$zq+n=~-%lf#= 6k}1|PpD2/@g m/4 l!Cl5}6؀̚e"W3%Z}١Hw#=~GCpANkl3gAv[Yppڏg܃*5a5xM\f[Egx#^wLQB}x⠜;t6ٞzQ$wڼSc,(\]Qf7is,$vqJEگս0"TzV˛[gk5X4=aq,b^&C.AhTs0KI$EpEE{ rw[tnN#lHF"lb<ׁʬ}d z̺=!Vg`5<8q||g>WuN!叐S VUm8 @e*'R֗S;@@5] oheiY/3ڷxߣ;>'!XJ,΁aeEksDtf)PY,nk֎*<*׹MbI׽>ј4B!ؽxf? <7.eHxUkٵQ6xvBx5'R4mg.{Al4@15T|@C՘Bv.^ieVRρ k]ӽ5" uDB~*(;Ô?L2q_`׍ |n[gHU Q2oQ2dYi_Ɇ.Ιg#y膚 뫉b/604+e`6|[zJW:ݣ 2F$Ϧi%^?S `M"ZJ PjB r|E=Ţ& [F8\J7y:X6)&pr{sy (!Ij 7ZUd/䣳W4̡UBp@J?_=51eiKt< ܗ[RI.d. ߖfc1ظ5xmNkc)P*]D/y)y믏D}:H!Cc|[ဟo x{%|@cU*IݏĶP{@!K(v_WW{̬85~DR׀Oݘ6I#F Nvn .cN|::nbF hv[EPX(iSBRSޑ8?%(譩oqL~9}pKC"ӈ ӭ7SePqOmWf`cc#-NtL\he$)ka@SSP| +ꑢ*PǦ)N(/?p@kЃ7ؤb/R2ؽRp5lBҀt82oN]"dxB8$ڜ?FtRqmc.c WNG$CF\b{Bgr቎(p=]Ҳ6eP ĠKB[%]eXdAx&~⭅;LvǀHլɖwݚUl)П+2ꢟeD@6.o01HDIJg/h-V?ˎJCಽsi7OM1 ;~06?de1ZVyx[h$3m_b]zSB#?4m@A|d7 RL,D>j v@0CJ{!ƌQz. ]+_I {F!6CUu?Ά2rQ®l#*rp4\{`Ɛ{Z9w,qCޫ? ͂[՛y8\X|R .\p ``?wPU"l ,ҹuIVr9dc{Ю E10A3Bl(m3W٩ehnW՗T>at<-blov&83= $J=dJDa)Ss^`F6!l!`,`1E#u3l+CY$hW=w=4imݬpM q3QzqbpQ3%w0׺Sa"xpf~jٗp4mg%L24DnZhI{Om{HZ+w#R6j;t& )} |^1qIijqY6氥P4TvIK 09a=VMv *]~x!4 FCԢmF 2ɕx)Pb̦x Fl˞xPBE< jN;jhyWrRq-"ѼҾ>Vk>e/9dq-U^lTmQe%.&GёE"gu`|5P%٭J&#P.[TQXA*U[n9s_#_SA%r(M[WdԠNa_9s_SυlϚ{JJƫ ^mB/:4n5/.%oެJ'Nn%^Mk>9h`ig@5TcڑjwЧz, 9KS5܊nnRD6d!yk«!)!p~`5lmXq/~/$yr  ie)۵pլ쌸cfE%G@e{Q>Klۃ@ .Cab[TB,t-a9 Hr@]s7Mֱ0'pCvc"%"Ƥ`])~ziaMJ8w^]#^-KqĢ'ro V`kS_oUmͬK)8Hemx{xS [f^>M0uLÅ7> mV\No^_z/mh34.:Z_^MfP'+h.!p\};d*0E*iZTɖ1ܘwۇC#9Z=ThSKnJq)cƑe=iXZ4㸂ӹgraܛۢ57 J}~w0j|ն8!6 srL>-ڳ6=-ĿͼJ*-{G8?;!f8mg/ x{[z8G^bW*n?D ZRiZT_cY[a} Mq+AS eұr0DL)WpA~>٦:WE蘞5}d8)y'}\{«*w[<5g4 l  ʜ ٯO(6˘sqj`;aydNׅh+lmz~Y}fЍj%OAk0Ƃ;0lY*8&TJ?VZ78Q2lOq]׽B { Dk{l[?8, oiFǬj%8㺿adτXF; /C褝AOx/ܥ[Jm< WtW)2qwփpB&vAu&If dKu1;KկޅY0%#慄!h1ޞGY16 ؎աLaJ\F[) .%)~1C'up~bֻm $lxM hؑxvC6xVٍ1kxQJ=O|y gϓ(ju +HPau:$*=j;LIF.qzԍczUPLr6! ҮM/sS>4-%CX)9^%$fVO9=-J)*|=8:HvD z4H(wQrNfW2(i,6NJSٍW#I GM@q2H;>JCҹizڙ> r(4twWWó0԰c.WIk,7>tނ'ZPǖ,l*B"|tJʔL_ÄiL48G+뜇J E8

Zdtߴ2H+HF(y6iZha5l>|* w/@po%!p/4}b`%ZxnBR:xD@CP :brdFXYm[pYq7:L l6R6<_Q 8#$̍;ܡ}>M>'b!tz <(t#QCr=G2^?&TlϕS!O(7 ]5 b 2 B6G0rY!iY׀ ~up7kI\.6Y!ިi^&ce* Ljz#7Ț @ ({-ipf}%uOj̟il\| P%]Zv  o=9Ȁ}Ӳr@ 4>H^a Aǜ)(O:4GDġK=W*ؿmEx yGiLzY;x |?z,a$;`z[,΀1(wρ{ r<l Z~x t<_!]Mw1([oD#2E"QP`S0I LSUlhNB2HY\-Zn/{D16 {uxnJf73o)%1!) DiP$l?$\@d=ƽ'}:3FN!s%i4h]qXѨ0xW0Sth.il9xӪ2/Os2HB)PdeKʙo2~o(q[@'dRr]V$2Y&pZ^~{kwX}6Eu 5& 7z4hmF"Nh^/Sϸ.|!cT@% $QDJAđVR-%]0fJ. 6(3fF >Uwt7` E0}C5*/ֲQA:EP @e?cvK#1HPgۣ@'fDLCD䵋 v4A7bKmIT ϊm|wv] @sg'NbmND"HE:@pY!fy!5y. $aVLCJAq[Q`J>U /|Ύ.qJXTA8pdxV bLXB6 lP)ݪJP G0m$b˦pz"XNH-`'_geEu|>.A) sPc_br#:&1iŧlЪ;஠S0Tf\efJpdP)@#]gԻ3w0.X,cnyaM{r-lZg;` q'r3@@eF,xs('cӻNZ{8\g=wKµ7[7ݦiӸ;fFl[$ucEV'G}CpUeV!/O6}Rot*+wa qoS5;帧_Q2KU=/KoK[Ӿf@ke`,),S)^@_聍4Dp;8ÒqyBI"I_fEu њ J[Ӷ A [}>’yŚSe"GivuX_3},v!:`3k{Purز &EM7תA3Xw[~qW 'P' gUoL#QA{; %a t?v jg?F\T_bT lSFt^\sr1Hnv@+H[Tcx*F̮@~,r5@KlHDi:kRi]Φ6ј> +6H >!<_aiTxBvu>ݢ[ﬓTĐhOGrd)XOV R;485d"_p)Ct%$,?;GAō.tؔh=-=(s,jnrVo-U|wܒaYfL><ߡ+1>>Ar XmBRꅬߑnESmqF_6YgzDC{YnyぴʻqTUؠ<1)pZNʴc"]XX7J>钐k)_pfF1F:'ssi )7hewKs]%b?8L_P#)QsĨZg+\;CsI/nʝn/_O2Ed WY XsX`9))y&Iۦ.HB|5 w"\~o6Fr|]s,Q&^It<,8F*lXG>HqFכFS7SxFvnXn[ ٣?b){WԺȲX .R/6*N7;M>e_ݮZϸN&W֨jt@]T꣣z^W`X/U@o[5d ImpolA4~*{~CL'ӂӏTMxSy".cɧ@ {(rޕ@Ζ3b$9Rm.:TF{9r/hE.qhp P0<TÄmXłP"N#}-4T#*bCCj 6!iC'=P,-ZYj,4 -tqQ X+:y(oG]Ĺ,-0R jUߑSU=Mط_G7\M!Y弊D?MBbF]YZ1gu=P D9x}DCD}:uV48&^K8) >XGd;~;Q- % M[)D}Ȥ+ g۾ŏ C<>j=qq{D+ĎZ\¾d |:l O=GS0(ҩEA[:s h0OӔ 郫FeN+K(&c}si_j5f+q&v]B % r7sr2vtC3bHg\rY|(Bokbb+Ze4C{04sZz=5έH=F1SRޮa-~af'(EI()~vN&S׮{-8],[wV1g,IV\/2UN&D)-K:c/+@x1ړ}d,`$35F{mYw43VJ7ht3D'P RLGq za,PoIwUO4 7N`\pr 5'1o!Y0[oCOi#V₉5s"&|I>adp3y|U<I%][%6]k)~5p-ӣ(g !s[s*y6MUdN &_4aA.$ 7۵{W,.pK7KFd.\UBrW-Ybe(B_[sN}`zX!9HqKn {awաo2&oϜ8!tVMb.6ݵFRjCKN?K4,iX+F[$#[͸z_`qh5sX(3N+l8l`oIN4" 4 A?EͶkf .U ɶ4v}S~<_ DIrY` wX|uA',`ع9) d? opAHp{tIX614Z{/ULOV!XGU Vصs*]vCkD 0mb!V%>^3~b tHH;GBr ڂ=y\ BZ]nɞ'A<}QV癓Gj6 ;8J8^(+BٟoȘ6Iįnb¡ `߀u>=E8E-[:;R QI>YyQ1A܇ jw{4{Yhkǭ"҆i$ObUlU%>Rfvl;,웑 <&FiF濐Ƴ6?d2/{eyŧ,8Lp5k.N)ċq,?U!`΅ɽ(~Y>/M ^_ $g | U`ͩ)ˍ#Sk#Z|p9_oCM6W=Z~ECz{IDoq?e>$*%bH@y#YQ?`MͰ( ayW%"{ida^ߥC~NGh` qgS=5TհXB?6SɥIHeh {zL# ;ɝNwQǗy{NG$ն"#C>[cxP܄{:EI=&jAwu2 27ʍ`k>s6R7i;pUU7=vg<肄 . s6S\b#W-+b+U6- XGy<#Z&TM=uv.Qe(ùii6ĺ*up{^(MK3'9lsc1D D 0rrHy3 "C & ,3-Y>Cp zggGڌ2 NM53\2Yow,zooju3>%_5BR)B,Y% ^tp2D! PkN7>q\eog-'s?x&R;?=4ML] q?հz 2pA*nE$Hz  Z^6FRH+ROYU{>Rrwp"ۂ\[m6;y&.Ջ/kP.W!OϜ+`ȹ H>Vޝ>IZ6"S6XWU۔-̍e7b[8VWyD?t9718u{+..t=97(hc怍TJ<αLEQ())Qk2d8ң .]aƠ>dx~TRpTĮzo̓,^3`&/FS'|qgȶm2Eߕdi=.^k#!bPα!E:JD:qaӈB4@`?++5SImb{d ,ˌݍ3klo}z -}Rha钳_FSμȖNY٘bVz~P>IՒvJ `_~p>jF{wGz;A /uk0[ͧSW[U' [!I, }AJ'pyE[Xυ"P!XEwV=i<Gz_]zrQ/D812?y`xFOctP˖t򢚇z3Z!:hl*@<׭Ns M`//hv ac [ѱ`\X5,w*s.k`m Ȇ%?voUɀ}^uoz(>CCN@) & :D.%哰*LH\>%.M_-Ikӓv]ZGfL{5,}a 6%4r+23e+!m˄:. NNQ1ڊtr݊f@T)6 .'Jz"[!(!>^erK.G/`v1NZ;&W͑ٿAhW6GyyHu) +iǕveE~-H|V^{P:+)5v?rZAhs 2]{KP/M:nC  y,ܟw8Q01C2,mB6k8.ި[ A0?Ůߨy"l,k踪=0[cO+,%J.q)([qR$٥kǾ[B{-B 1{=S&ueaœ| =YN,CV댵;{#f.۾d88]l/V`"<i9!&5t JL\}qJA:e>ov|`91{a<m%&xe-i b..ؿ0r!bS#,{2^Q-7b7X!gJO17ZWomŵ̝* wG4ꑂUBWBMO?bí6Ѭ#Id䟌 k Ly$!\x* nmNTO@j@iJ`DBQ5%וj{i>F3p\QNby}/x^]额\ 7A$uPG0rP֚\s1bSG >@F?)I[1꧅q㘳)USJ?k"jzl<12πFՓ/_#&*9]?zۭUܘҞ<YMo,QQSmjYR^S7ugaM1MKy-GN^COKk; gInW[sTF$EU'=?H %pDN>\ Tm|›у}x̕CE)J%!69 \ BvЛ+/i6\/Kh@;Ǎ$c=!ߎdbsB%q~” hEKXh+P]UͺKdSRݧL9%xc4,HrVcgbCFȯ "tZvF&}4^Qlcq&Ow}otͦ3j!Ju(=c}֐C0):w[STKb[߃Q=Aؕf17UZKbX nZ? 9@5uz;&1J}\}$az Xk3$bqO8Z ڳ`A.ޤ=%1(a1'O6U?ά]r۸L0T$3J%$3[zNatm8p|<U}6ZPe,r XVOH~=5x]8a Mx.e<}?_Q<-qCr0@RûTvtΕDk;gB.nM$8<'f`;?vaAx-'Rҷͦ&-=i)S'%`/C;=A!S`ȁjk9,-ɾ wtvB4PFջ>t%;ld5( gzߑI zh2DAqlBlȗlJ_Cr ]2tGcH6y fzH.gsS>1{gpBc@Tnb¼70Lm 3 G] vD2@{ן(5ȱU2DLɋ~!Uul`P /m˂(Cz^9ٴ 7+C.;nOrפ`/}Z0SOlTp"aDsߟ.2,4?-wn,\Oxlo4t@APZ0v2x`bi&ўKkVFE:=38912^Mr";H6ڸEJwYR}#dģMWGp4TI*DoJɚ*Zk_I +!R m ǓX(}lV' K{'\[]M elVfx?#H$LZezǣіK<K՗4]4)l9ng'D[څwM[k)}I*79ydX_dGs!KQbء;#u|,ٷφD!HeLK#Egrןrje6o @R@7T8UW5BG\4ס1K.Bx6J( d(ʔ[WEi',I{uB>,*06ꑊr<_m='%'s6k]ah6e'CQX-.[zNܙ+"G' s,KYZ7DGӺ4aNe7Exس nX /˚Lg$-k& ű,yy]ckuZtR! $>[[$!P.V@м ?\`9`GWkDoAv(ܥ.*_\Ov.!0"{Zղ/e֑$Fs<5iO 7"^`,b_<VɁ2n$2`%[n 88> W]Esz8)DaL.qRda9zfơ@e׼ٔy_QNwx[vY%a0N|+0֡GNr&( vCqrYG|RhC:"G!PL+բ35cž TꞣՆmQI38jwDCTh^ /q4Bh` $QzhD~pLq{p59dPM!ܝNUܘV$}b)ѣVj-k;e]% >[FM507o%yk; ;6Q^ډP|츆e4$8Zзy s>w fa5G˘GADOdq[?/Aa+IU^Ò&xvAF 8΋2Qx̰ݤmAkq^/oqbj:ĕjs ݤMMţ 1ԟGeqv4ټ[h7>T>Su{N4s4rupH8iIy8АDxLy"F6f&zB3˹XeX\XcgY7QVDns3bus7ag埧NE\LEj-h2Eq8$DQ_fnN=e(qF`FgsX97+B*> zŇTxąI)[°J= qτe.F\!Q~'_p ӂi6me)nՈ_ҖsȤ^Fi|4Qx"Xіȸ$ː'e%F.Isv4o@jlܠq(k•Ykح%g7R=_"s4,!OQǣT$lݭP]_'<.YфIGƺ)Z أ[gLgPh')Xl\Ԏ)żBw{v>pKr4_q"̻B:MxhI:}vb1^kcR4ӣW~ƓxIMfqxG1W&upaKbW_ tgj$:BcԿ-8~'NYb f77ņ nv-%,LPJ#Unv5o_G8Wd  quzdq(Cgjw`:n5/}~ϳRMElGGLh?}k,E6:.Zso*,Wt<2C%]fU9AGnyvh^Lګa%^Mƿ_=+f CοYsu[ȸBXLwHIF{g+x|}Q3 EQX-g'p*F?9~"Ny 5]I* $ J[EY%p $AQĠKQ6t1lcc (lqq^nC-YRq\ٜ7= Dbq1 0:pMU61f:>0)K+_M]^O mķ\iUv ;(CVE9FgWm-H~?3m0ՍLΛb=8K㯵!xNo$VՕX2F51P懗\?us {tPBn>Sc[VUvL5MkFr3ZFDB}#n V"Cҳ'uo:THx]֖-LЌֶi7R}$!$FH+Ę;'%!u,|/iuY%`euDЖ*3C|e\S^88j93?`PnC-OM0E\5@Ґhy<8pwQ mkf-Gzd/;"0AsX THd8$[}3m /,IQGvJxbl^. 3L;f;{ȬgTvPsٌXCfUci: Crf|rva%Z2|(R=9NתoxP%br?}W>SX C F|w%7$W [ %v$'xPre͍U%5?rUd> BTfQfU(㼊.lqЬétbAnݐH R<,^D.OdほD "t\&"z#7+.wn9EPPF>H*r&k:NJ%2/!A;]~`JDŦ2'a2UUf`.YrY(2h̝(}`#^1w w)N薸uwäzsYlbpEQ2SG>jM#,J`:; A>f|gdmX>06  O$]1 qI(Hۻ h gת-6(^dfaog sOGuB`] ^g}daN`ս2ɜ9L|&-``jJ9wu Ѻ 2kf<-R6~oz*>`bV{-"G1{x`aD!:ef+CfXGˍB])M1%~H\ s,Y=ՊD@]7 '-=ɋr+|0 L~ v^(kmp ^!yI 4 Z̽KifLd:4X5`ߠܦHs\ EU[X|f!NpRՂ/myt}/r4^6&[g3j,/O3es7Y jIh"AE%l/|kx'kť`h/ɾ͠k_r4 ̜D9/Bش`]v8z7ӝ 킞;ypXeՈ&-¸6ϔs,]́()7q<.M!?:K ;+Z\/QAt9lI7Bj7 ors1I!/?>P.`XP(,R%47I?!%/`O32ȝ&%ҵYxe`^q*!d% K{+-(d%tsBԸz՘Zsc6;;=֦t sWMSjiv]dSRz?|a. j>u5\`3 u*Vב"Jq7$ i &,C$/@.&DktayCN^xՠ˽"oj "fk~L, . `wUuJ*Mz ҖG̱ȻcQo X5OkWDi˿|cI2r=?b1]xpiBg,?oa?{dSÓux >ɫdiZ]TA3P9* !v#L4%`rCCd5,Fx{@:+ rؽ؀7" t]CؕE?A:@/_>5+Av?H'7'V=?2$.p`DS/ &A=Ϩ-U%;@aZ屙I a]L jF&00"TW3~$>aN-9s_e d@Xl~f XahcW ${d}*oosU}fӵ̸j!:jCZ ZM`}}[A?I*r]5P*-BW g Ft8'Ht4E u B ұ>򌯅ʄ9PYS<[W,?+;tTZY&R7 ׍z9+}\ouO^./kǑ =Zg g+޻؎z9kM2ʭti1g٪ KO4vK1sS`Gʭk :˘ꍍl;yf<!9g9@,%}Q'K/"J?:+4tE'"m+o4ˬו4[>ӾxlH dUہ^\0_[I$Ap1F 8&պB;yc*!G 1pq0A\=e=Eq ZmTU0cr)JbbOP3-UP/BOMeW:EG&OC 0#0H:SSVٚiGMgH'{2Lt}^ϴGQlUjt[웡i !r9BNܔ!}p۱~Uݢk,gH; !" X&} 6zbPCIفaP3^дҔnAg.\)` K)rd>M\0|~vCK!KaG(!d-WJz|D9JR*S!1MIsTͼH̀xrQ ۿ>!VLYK )֠ܣSڱk )A >P2>\eCCvLHpg LllL i8J,N(@fzR6D|:նs"xm4tβ^JZưbA ^>#Jݹ9xlC.& IX='exbAٞi#j>a6u%F)'}]f1Py|cɴ,Ba3@r-mV^Lw#?KܐFݪW !#]"Aъ7iwDF6^*{6D$gR=S:[+\nV?c-Wjmy V62-3P8u7yK DQ[P}:}YjMK;gIT57 5&EJ}nL >Du{^+8/PiB<_Kb~#TY SFA7CF="PnlR3BާG0m" ˳{g\G 5?B'x$dz+#͆2Ǣ 07ŸlFS cO1,֭˥D[yԯdeX| ~8UUhܕw)jI:9hZUQap'"fV&édԟn!U3kvº<=QDGNҊgZ МVٗxeЪ`LL>5ˌW=kv[ ־'0JeTN.T1 4N'\fc#mj8*%2{wXl/'`Љ['8r'*杯O7 ;~)dKN`uϔob; .2#m*S䀊.1&g+;~4?d#EɡE1R'f 2R,ٿh)PD=zRO hi ( u:,^zhky+ obF,ѵt#-vqJ]f55~BI\&br{\u3d(ZMIh-_{2ˊO5.*SWX@IpqVT5hWݺ>v h=%DNXTCȗ4pr>'W814mvP% {3g~,7 ihi`AloKrgՅM e|g64Qܵ7 LL!gQtyذR AM]'ԙR7T۫X?~1:c_%(Ƭȋ$+7&vjHa`]A{߹dTȍo<_BjUq)r{aҡ׉3{:=КM mxZvXmYѧ쫦⢈.%yM*{*˚2 T9up>Y&4SeV 1g5gf9=?S{f+E覿Q ;.<;"V(bnl.Qw9DvB=֒oy&8dWy'm$@jv{I'O>Yqq9f}Lx5kh_E%{ˀ> &pKŧdH`R'T;KX&}` ޗ!Tkڢ|ĭQ?TʂH-`|ܘy1r3ze$35z9^y;'=Gi.!;I2 GE Dž]m3D1zW<4`mNX8|aeF}[t.TT"MppjAvGj/?5;.~٣$7a#^?qL,nr: ϶3\lt!N5dG ݂KoM*v!;n ƥwuN 3|01s$^0$"?-w K$s%YB=KgA*] oFaQ(:d1Ml%ON~0yq~SÛ4 8 Sf&p'TwK}`?0uq[6\CG/îKL1~/\<%&xgLiMAVNLFB cAM8g|w|F.M v,xfFf7D~6=va6C3)xp~cQ]QL:$?5:OXEYMӳR+x1,ew?$~9g2}8/p i?}o6PҖ hNA='MhO[hh?,$2uNf>߫z=CGA5/?\]hI%nNgeOm;4W ؕn0:OݕW@L9B3"~iyljC8ebJ?tٮB0+@e1zTzLC o^ogWs[lX16r9aeR2~^&ǖj#puoD7 ?ڨN;`$f#L7:Rm)l@7q*_ſ)S1ƀ%`G#uR^URA~̔)ۃfhA)N:Pt/9KFFe‘_As{LF΂HIi Ou*@/F34ȋѯf1Ip^(Dc3{4 /`Ξ-Ub(+'۰y~Li=>Vץ f,`ceђ Oͮ~&Xѐ f+I/ CV,1j.`qOn$[O%%~ t35k*ʥv@źCW"=X\? C=#04՜g]UB0k&oa%a,CM\Ɔ&eS8UN`}SzTl/uy4س)G~F/fWmy_Iux jɅ<9ds1|Mt$Y[>g8Eqy?{jPT2)])^q 0߈*Oh@pgyӽª)[ DA䨈㯶w =T1$X{hSc/~5"fQWnpgx1w =v\NSFVќݫo3r~DT VaWL4 ea9–e0GYB65@zt@] Z%Y.Ɲ;4vuEm/*|eJgZ 7+V޺dD+߄mh^k_c&O] BS0%',1Na&DB1.*06*2N'?ߛM0߳nňgXLwBV6md+]+eLHx{=5tל^E&u Ԧ 5GX0 /A;@?a"x~|  (TD13u"-y 5MZt[w7\ zw%YHѻ[CT>UOBG–ɢ71pp֮ͅa`螄:{5pBth8CCm2,:kӌ-}ixqB8UȘO|Vt`(PJ[rAn:^Vvu$Db; J۠9& |֓-Iai|lr5ʔԒ],g:;ۚ)TΘD "[ -:R]ƚxӌ j}fnN7X *w:a ˫_EΡg`(}O"f8v^GKkcnёS*$%1}Jk_ѹvF;56e AE3H<8]p` zMj֕5ygpT( ɤ~"R`^ef\ )Xj5Y.] H+#]+Lb%0&#n44OVJ(X\? 3åj*8){zsb`W >%%h/TzcsKKpͫ J*Ek-8p4;:oߐ|M_&j0P껮1u_"doR8KW_ A+UoV@|re[qެZBu@*GN^JEt^!M%عKZN$F L=ZƇC^Kw?7dav#V=YԖ ؜v@zƝQ}x 0bP'kOm޻TA2 ˂&CtF9 .%I&(@ %bW|30v,س7u˓97"gXJNa>oG-r NNSj1 #{!4GSF(OESDvLSxψa-FJ͕(4̧rhX5 A'qJ28L&l:=[WV='c?&+RQv[z<(N" zAK1$(?Ѣ^"7'U%zaW1 zk<\yG_j@8З6{di|Hⱘq S9-+)w0g7 iߞg-7Il2.xdJ]-tWmbΓBa渌b,2061 uR0ɬ)#VGsl| I[KHâ]AQu^R C0ާ~u/Eצǁ;=| 8eMX!P%pĤ<7|b<ܬ <ȭFE WODӄ6I\q춂WJ0&&VF)ȊXҕ<o p[Uy b&vJ;o lf7#wǠM V'ENT3~%ZV!U!3}IՑP2lԶA~̛ݛ3-X fM= yJՈo&FDWe}l,_ j|F3rU_;V(Hrkw*$O@_P));k_.r0D G,9F]+LQhMWb55&h#. McT= BfRW>E%f!u `^29z09/8ˊ.> _X E?ֱQg7MosϏ> އ8-V R_l~g1R6mք)"%>QqI[$^!T0M}ӊo;4~ĺ\?1X86_?BX'BZ Q9%erXoZ'A\8eaeƄpRKe %kg Y+˝EK͡(m`4Z|OB[:͌lm+p*?}D5c`nu Вkc,f̨!9էxFII=V|x"VyQ\ٻ..)GTT piggw Hz챷jgVY: t$fl fNRGhBly7tTuv31ĤƤ#S 4hZ]Jдq9-%!mY? :JC"\H]V㔭݋E@R'XkDž hm*c?S`v X[.L/Mb;i;0SJ~.X[9tNu&Uxg'1}`[Y86kMC.rUҝg^e%g,g8(!Pi@MeиvHpj.kJ 4#\ mY~q uF4d+'- n\rQZ@z,.Th>)%^r즾_ VɃKH-PSg"WU՟TR?+V$݁g>~3i6Շ߭F\7Oxca\s5oҰm ;~\yH.gP1EP5Ydeӝ".O{xp ,^x9hoBvu{49{;<J1{]]3&Es|O8IC9/a]˻@Uyydd֥c'E3 dAs6E#AHR>nQw`I _>WÌ  u%,+H.rN2 ĸnjXO@mzy<]9Tjv4!<: kCGvN(&!~.R;gp?i>#] p#n-:KgC|A|I<ﷱݹ\@1=N{:-,+5˼3auQN!g1m"iBt XI<.geL(6int{ˠ +n3-IdqL\6΋!%Yѷn~Eոr.{9^!v,r͸-׹ͷPTHeL?ҊE=A"!59R84ZkǞ|-l4AIOD9%_~ز֩uF ʌ@.uO07W0^Ev{![ߦ:}PJDiPg×7=GMxF* нnSHg6ᓢޝΪ1Kws:ok!PőPLY\!҂;PHxe?"rY=64bwI>ԙ@6Ҥ7o\kD O"~SJ>ǘݩXW[I*'@)T=[.9G08KK78 4u#'Xl)hwd /EeU]F j<  ǁhRueXD}!!xFQ֨ *oȭ|&ъ2Ϳ29ƀ4]wL%<̯~lo{h3 ܪKNL\dUqyI'p}2Fxj[+f>oゐa9W.B~倠¾b|aan@!jr-#4Uw:cY'u .<(MF.ű_ m:=eC&O*?ig]owŏ`gr^lqU:4;z[λvqNY^nHJj+Dݛ1[oʁK4۹uE-vfIS+eM5bo5XKn_,)270I:9ۍ}&TY_͈hEҠGtr"Y<1 Ui=bQ ?SSIҳ.3Aܕ=@Qq!Q!2߅R Y(g?To).&FNPf3.u߃419=HP2`ЍBۛ)FM,6<zm'z`/0Қo/e)N*! ~Џ"oP UMS!1 'c<ڠ#vNDЀpXU&X)P/<˥SA/{XQx3*$ AXqtQԉM '~3C P!`Vn-&篫 ^- B߼GjF_79moA 0A Sb̻kٙK=CsJ723]?LV68HFѹ1 ]E=voF2k)ݬS0QHNiig)r=3,;gLjd5JP#q\<5_,ڙԧ1`k#[g Osjڕ=/+Tmض7Ή%;>U;xɐ5*`w-Q= )'d~c2+8stI&<SePD\IƢ<ܱpr_0yTq9F &?++yDUJE^I@㈹*z7'!R]sbNaPjg3[ZӛԘiBRBi"U1=7; W_{iƾJH_|3pw8EXtsMPOeCΎald$H]ܹw8&DNƐpAd})zL a BĊ\Ɔz}>87DO[@{gHɠ6peF ()Zk4i O=‹GӤ(x[)HS" gϼzx7NЗy*U]3 ~rd(U7 KIEϋO; 9DlEAׂ4y^=ʻx^Z .[ES=6p2Ș C(e2lLM΋9jnd:.~(^JbdIjv3Uc)d[ +=_Azj6#^z Tk^'ǃ!?)Ԫ% ٴ܎W[ʚ:$-޾0eg sz&Dqekܹ<kOUݸc}z< ׹Ѹ*u+R{ce_<^`hlTX4Cę]R܄xN)]w:V*Os!29Ɩ+Kߪ,c{OLCKvP"Ͷ6C1cə[%LOߤ1(c.޴ .IHV|$Uض=iWϨ7aN}}~ܱT^ހ&Wd@E3(!s(u޿l꫹0.ɚmURgZ)m(sKTcoS B?vUס/bs,s'yB`P'MP4 KuݙW0C8Vib~҃{Y7eV^vC?yY/H+T\oaioO֩@Sim7 ! QId/r9-T0f8*+(.+^2hde$+vHGsM|7Gqm)w&~on1[P IZj> K MPJh+Wv*T$m552iJw Cq+gV0pn[  3J}?t&r)vez oL=gwIawJKˎk.]ޫGO_V<&N_ 3S#J4[DZ Zw ]e3J?R#ީD('MX\/Q!{ VYI6;$/Zo(QV윪K8. uyMV0#ӫa@6f oiAAF9^wFX[#,=]FL_\f"s(e׾)2s)+wރ_pC911':>`JjLtPm~t\9Y`b4@j.G. S%xNjf>0$2R!;PrE-M~4~d r[ ^9Le-^R+ )rt{%d灗]NVbI/#vgn8Z99?ni!9D҅ItT!8F%9ve2TgE[ch6, qvZ>x&xANm8C"V;k􊬬V{AB$^Ad羨/d]buWDigޤ.b6-:;7;\0gk*A``bIT%9C9=$Y&+W%?ƼG?j8BuCjoԝ}*X᡿jFWysBplQ8qd$)3'$Qez9r 1oCB(]46}:,SHkp}[P\zug> EԪy` rivNf'zyyZsPr ־͏ `Y(BV11z f^v5+.I7a5XzZꕍ=)e"b㊖俑숊X>/H{b}38qxIjyb&Ah/Av1]AfHm斵`J-ZW?B#2DѸ 8'bgx~dڈkD wK_B`1 ea㼂ڏg$ţC"8*q/<Esĉ'NH "0} 33Sh`*.num0}SR"sE"G$ǃBåkaI!zM9rj:_\T um&jo˗[fCGb޵I2qQVuJ :BkY*=K=蕄ѻ[V>fnVDT}=􂖅LvPN0XLw^.|(BpTcv^lgꐈ>Ƃ nFewcQ)ҼuϘ7N,&S0'chET e+O{JY]$<,ڃZb*iNLO 9:gcyHrlMט'NoA5AV@m}E,IE[Ʊ?LJDlR6WN]\Md1?^$R ~-֏y?lS9DWXszfK.<1 u[;WLCm,F`T=Xyc.* ]?YCVJSV lFXJǥ8Mt4ۈM? -a)A~!VKC i8ҵ87(>f NAtΒ`1(? ϙ/UTIbvF܍5a5㪾X20@Iղ4HT+bR?!- :4T_LSm5+DY=f,&>B,?uP0B"&RkJ17 `=_=.D[ŀ烸F-KvPV<19\f4H] }ls6Qj)~Xv8%JG8 GQ?kF adJfnMs t^G#X;=cWi)NA +hwZJhYhfNMV1^a[<ɍkIKS,wsz/8j|qu=*8-\ lwc?N۹yek=^(+19_iZC0hC F{cY_-oP!kh/{;^ !n L YZ