sssd-kcm-1.16.4-37.el7_8.3> H HtxHF^6 ?*}}|=|ݞEjAa#ʅ3"qJcA0e51708b1531c570ac7239e09c9593b4e15274d6h\Qҝm-F^6 ?*}}W 0p5"Scs̗ J8bQt5Lp1>?<?,d   H &CIP, : H d  3VxAAA(o8x29@2:q2>?@GHI X Y \ <] X^ b 4d e f l t u 8v Tw x (y D9(Csssd-kcm1.16.437.el7_8.3An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.^sl7.fnal.gov-Scientific LinuxScientific LinuxGPLv3+Scientific LinuxApplications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fiP 3 큤A큤^^^^^^^04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba10a2897f9d6ca18a39162dc4809be26add9851600810b622382c5a635f4ec6d57c65a600468e980e4aae90c79398496a4bf6fb0325211c8b97064a0c0aeed6b1d220cce63319800d5a896b4071f8324183eb1d8fe4300bdc6d7309515f16262ed091b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.4-37.el7_8.3.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcrypto.so.10()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.4-37.el7_8.35.2-14.11.3^}^x^r @^^@]]*]@]]]@]@]m]m]p]p]p]p]S\Q\Q\"\"\"\\\r@\r@\r@\\\\\\\\\\\|\+@[@[_[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.4-37.3Alexey Tikhonov - 1.16.4-37.2Michal Židek - 1.16.4-37.1Michal Židek - 1.16.4-37Michal Židek - 1.16.4-36Michal Židek - 1.16.4-35Michal Židek - 1.16.4-34Michal Židek - 1.16.4-33Michal Židek - 1.16.4-32Michal Židek - 1.16.4-31Michal Židek - 1.16.4-30Michal Židek - 1.16.4-29Michal Židek - 1.16.4-28Michal Židek - 1.16.4-27Michal Židek - 1.16.4-26Michal Židek - 1.16.4-25Michal Židek - 1.16.4-24Michal Židek - 1.16.4-23Michal Židek - 1.16.4-22Michal Židek - 1.16.4-21Michal Židek - 1.16.4-20Jakub Hrozek - 1.16.4-19Jakub Hrozek - 1.16.4-18Jakub Hrozek - 1.16.4-17Michal Židek - 1.16.4-16Jakub Hrozek - 1.16.4-15Michal Židek - 1.16.4-14Michal Židek - 1.16.4-12Michal Židek - 1.16.4-12Michal Židek - 1.16.4-11Michal Židek - 1.16.4-10Michal Židek - 1.16.4-9Michal Židek - 1.16.4-8Michal Židek - 1.16.4-7Michal Židek - 1.16.4-6Michal Židek - 1.16.4-5Michal Židek - 1.16.4-4Michal Židek - 1.16.4-3Michal Židek - 1.16.4-2Michal Židek - 1.16.4-1Jakub Hrozek - 1.16.2-17Michal Židek - 1.16.2-16Michal Židek - 1.16.2-15Michal Židek - 1.16.2-14Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1817380 - Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.8.z]- Resolves: rhbz#1816031 - SSSD is crashing: dbus_watch_handle() is invoked with corrupted 'watch' value [rhel-7.8.z]- Resolves: rhbz#1801208 - id command taking 1+ minute for returning user information [rhel-7.8.z] - Also updates spec file to not replace /pam.d/sssd-shadowutils on update- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider - just bumping the version to fix generated dates in man pages- Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider- Resolves: rhbz#1769755 - sssd failover leads to delayed and failed logins- Resolves: rhbz#1768404 - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'- Resolves: rhbz#1734056 - [sssd] RHEL 7.8 Tier 0 Localization- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1746878 - Let IPA client read IPA objects via LDAP and not a extdom plugin when resolving trusted users and groups- Resolves: rhbz#1530741 - Trusted domain user logins succeed after using ipa trustdomain-disable- Resolves: rhbz#1713352 - Implicit files domain gets activated when no sssd.conf present and sssd is started- Resolves: rhbz#1206221 - sssd should not always read entire autofs map from ldap- Resolves: rhbz#1657978 - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust- Resolves: rhbz#1541172 - ad_enabled_domains does not disable old subdomain after a restart until a timer removes it- Resolves: rhbz#1738674 - Paging not enabled when fetching external groups, limits the number of external groups to 2000- Resolves: rhbz#1650018 - SSSD doesn't clear cache entries for IDs below min_id- Resolves: rhbz#1724088 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1422618 - sssd does not failover to another IPA server if just the KDC service fails - Just bumping the version to work around "build already exists"- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization - Rebuild japanese gmo file explicitly- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization- Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO- Resolves: rhbz#1710286 - The server error message is not returned if password change fails- Resolves: rhbz#1711832 - The files provider does not handle resetOffline properly- Resolves: rhbz#1707759 - Error accessing files on samba share randomly- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains /trusts- Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled and fails otherwise- Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue - This was partially fixed by the rebase, but one spec file change was missing.- Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)- Resolves: rhbz#1350012 - kinit / sssd kerberos fail over - Resolves: rhbz#720688 - [RFE] return multiple server addresses to the Kerberos locator plugin- Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable- Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the filter_users/groups lists on startup, this can block the startup- Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup which might cause the registration to time out- Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover subdomains / trusts- Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so- Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider- Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD. - Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions [rhel-7]- Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while getting default ccache- Resolves: rhbz#1406678 - sssd service is starting before network service - Resolves: rhbz#1616853 - SSSD always boots in Offline mode- Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x- Resolves: rhbz#1603311 - Enable generating user private groups only for users with uid == gid where gid does not correspond to a real LDAP group- Resolves: rhbz#1602172 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.4-37.el7_8.31.16.4-37.el7_8.3sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz9x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=d51399428596664000ccdbc2a2af615c2c9965bb, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory9R6R2R:RR#RRRR RRRRRR4R%R8RRR R RR9R0R'R"RRR(R5RRRRR&R R+R.R-R,R*R)RRR!R RR$R R/R7R3RR1RRR>?7zXZ !X] crv(vX0dܜO߱GK]&2%:0YakT#7fcҺ"YO+{NK7뚠siˆau|{[,"\W酣]ۿ ?K$vlgK2J/dx'oYx O">/? ς[B2[@U@Q{n*c?`<*Yrl_ͽg$Qz@YѱK VWÍ" Pת*Ē[0slC{-Y]? Sjqk.t˖dݽc%x=ql?,MI.Lu~\pQ3nSx(U07we] R̓#FߖaQ7kD vV$M>,xʤ`9zxҲ@f^>#-!x/,Phf#6c*T7-@xM20ݽrQ|\/Υ{Y .cMe MNuH(K Z8p(%?_PVއS-_4  ՠci;J8 E v"kiiW35Ip*Uݞ͋XVËi[9jiQE }>8-ňm&.ۧȟS<ۭGߊ+.ȷ`GKIB2#$Z$`}cHK&ҭn=cp 7as>ou,!2DehMVu,f^>:$Y[`[˺^=kv[.]toɪskZtu?G4 8tm.1rf5ݨi5+lp;`ke%6iu$aḞ>f>Ǭew$Eɞ) g͙/(b( @d}A|h'(Gѡ! cdfZ`np`J-Pk#"uZS-< KkZb܀CpR~p3j8m]x  n @Vw'oKqutU،_UY4L%B7NVz0V\d9ܭqʫǎr[ D5/$WqeKSXO4PMBݯ; *P#_s;QɖդB#l5*~bˑ . ~yoY (g.ʖ$0-S;yUOk*Z&8`< N}HW 4Ҩ_<#RTc n{(4b4 䗲| f:0R40ΏkEޘh8bԛ/Y+\&c+묡Q_A;?,Pi8ۿ*÷oRP꘳8U ~,RKٷƼ> <4'rp~̿ttf0| ^HȚRU* 22WwWr"UQoܷA9nrŪܘ03wSehú{%ee/1310ԘPd7YVr?våY%_uy|0"7l罊`4ObF_0tJsЁWEQ#Ʊg㛦1+y,;7/tft"G(g 65!e;+GT=  OwaEvi_NA@dh6tLuHme(GkWw @Xz_ z!",m {*S@ͨr ]1~DD"&@<UX,q$%q\Ԏb1r&Obµ=hhjpMSM:3MhNV] r1FNJ1왦[qIh?0~oPݦk+JI eո w3Wu@l;mDpnэ >^:. Чy>ӱ:}']+wa'Ha|f,d-iz\|R^Fn*2Ӟ)cmS{V?у5S}ʛj&e[x__|>j=Tc\9^dHy7"(J%Wӳe5O1/ a:rYT1# RS %#0v! Txzx<olh.dDd&8S+pFM4޶4T8#H/{ ^ǯ j3҆2gd6q 9@`HFݦ.6]|l!P|D$Nhj\n8_pcCSŚV(av'3ylP=JrRYh l!ŋh6O-}r79+]g7}U|/!"J5 bΝ]BFGov]_<݉0f F)ˌW@pRuX89vX-_J*=J#.8ngؾCcd_mQHkm;ePى H̑Cv6laQWI)jOT+ּ|HI6wSojetuKO>{W-&d<.0 ר#݅a;OOVsa ԭɄې~6R* [3Fk%۹S?qb6e7ڙ *MqNLsIJO?P0,5bjGYmJBe^>hmtʮBE QKwGuҠr~٢@)/1hGtS!6}qy% E& х1#LO>pQ(,aCd6?@@C&QE[ӺM:/ӕvTf^ILߟYr:<^ZՇ%;%kJc# S+N}*W0 TW{ӱ"6|dGFrV1 \s8.&"V{Y6B9*Q)U4o+\7Sldf09T:LX?UxX RUIkxZ<d+~uҢ6>;y,Ý!i \ї=r\^c: :pUC{C%0oxDAJ8|=|HvuSyt&B!u=4*_"<-6iak}˩BE@ ɬGDνoըwfYmJz8TOP;QP`oH֤!VgBݴƩ k|dk9jqdUyvi^cq5Pgf)vKv;52ja:R&=< ,KE~2xs[VoqkM)V:AGŸE'9`3 LebfTMwz=+B6خnhûm8 5|YO$9хaҁXAQڮc̻΃A]Ev&ߵxI~m5t_?VwdXߏ@O;z!yrˮ0mCMp4Tc|jt.G z\S'2\6{gK.xT[ZiAZ4ku[_G-;@8Rj <+$Zj_VAJlX S)qizDk:13uj.yZ؟W,J!-Ys!d'*%̤~ yfpr1T٦m(59f!t/I2T*<)> ^t߀)s 5dGk aS4Fny{AY`$0 = 5=FRӈ_: .\ (eWkdVlp| qgh0Q/3%`Uy]x |c`7+8n)NDϴC.Uc@tO< QlH*oUZa05ҒOH1-3n`SG 쁝J6C4x",?7(_a4 6 $3x(}bLb_'1R4<5 W/$Ɛ(($`>+`=PV~ lG #?;XcCLK*jE܄: Pg8,Yp`ȥ)#9_c oqVP-:\@AEA1y DZNs;3*#ކ뚎dE#vQ㮠n#=sGG8<<:<-H&a)M)p`sqhRcꛎ*%Ce ;fzo=b% rF |+rTpz-_wI|G_ KY:kc0ީﳷ-"ެ}1kM=ǝjq4BΖgо& ();$M𓿃P ՚ciZXQЇP+å>3[0pb/ѯM`>5·/@c%d IJ׏*lhlt%VMLf sٽGˈ,ec؋[]D0TOK/6AmR燧N$tYȜf UdO3P@ >ЉwewxbrN|ǦN%Nu.ܒkㅙk_ֳMԋC%W[PR G|=V a1TYS/.>j4U1MؑrIe V\FNsZI}nuo%ңvYD4utńk1 >XEN1} #%w,tf/+fz'p^]sKFZ_Dzo>x)8qGArtAu((F4E?j[M"O"Wml.ugr#ɻ'=6HaeN.:9R/,lw[dq5'0@ Hڽ6/}sbyQ49Zx(;A OϿv.jo!.toGO1NJLo!{rB3Wz( L)N`K<%hsV;La&;} ag}gB: /kZNmjӄfX r?ݖaV~IR ^y=\a6\04j#!co&OG# v23XBPp.pB -c.T.CC.Dݥ"Tqѹ$cXE`LҰܼD֚S$6iQy#&BގZX͌!5eԀ`]j\r4f>=@RxxL}-TIT_ڵ0e]Y`V/mC`as[I y_nMeanoC]!|69䃷 4A%8Q7EvQXk"K1K>hgJEæ{aB|ڷ~c2er]Qu*'KVn@-6Zx#ތ~? H3A!XjqUɲ0>Uz`Ek,^0!i1; zĐ{1J!PdDf&1d]Јᮐ߼EiVGi-SAϝ/*2%aaٸ]-VY/rD@D"6W,YXw>紕V0˽ofcx;r򔧗[v$ OU_OpFQ=?zO#@hF4rp*7`MϔL^xվ[=x)_>?:HѭkB0IDQ5r[ *- ^ \߾2F[Wܽs"TL"R?( X孇,a96@N:ے(!ĀK9DSSf1u5y>0Kq좣}3q\et~Vla.B4!>a~!&uƃ;3pOxZg5 fd7&O1g `F )2r Yw*O-FcARJbXzXcn5OYu #5B@vYhU%-DLɵ XP8FPyUPX1M>{O/Fr)UE{i%O!C{}sv{0 iqė)?-W#j2끧O|%!&}l{q(SqE`A:b͹⽃m|XR[E=(c^+st}@({Ϩ'*/wTx[G}Rd'f)fTm? :K@X.6DebP4b_ 3a2x쮉8LŠtX=rK˄Ph]: ; lXۢ(Ww PF G ]ڠ۵67 mĠV mI\cçxd,xb8IVקȁKrt4 !ĥGL 7Ngߔ5t& "ʉڻ_rU&\4J+S㜧j~ 9osoPX0*ļ(ו#4FriR$(B&_8Ӓ4(ym_iM ȧ4ڸ>lmH s%=5U1d#0rwAҘ `Z{L'4{j_\WwnޘvX_t}lr藘DOG"G/tS "^&mO1"ǐAwuO.3ZqI?0D6S"\e{k!g_# aA!\R9o7 }x.NPmF&'xjPV^jz+XPRnu-D!(KyZ-otjA i̓KhUBfo$NrOtƂQN&r.m1EhJo\-^-1@M[H#h&0ЈB2/I)$ͷHLM rO=m=F[QG F*h;`Kmk9<׼ԵPH^vH>b79i5&j,+fH yW\=W#eOD#MLjLSʄ5Ez)b/ Ym:e5btݓ!ZbNRkN -^Ki 1l~ќaq5 0X3-iY>@~1FF֕\RYl90B2H%=.$M/`,g"2UM%2cu9 j1ݔhڂ~q=a 48+^~ܳFO/FNhɓMhh fK9j+1xqPi$_?R>~zcX2C~MqA62CcR'&LI{Qg0mzQ7V$I["JD-Zd| R&J Cbx-~uҤj3|@el.p0?;F項r:,|) 9US{MH%N)U#?wq,.n>Ua^ۑit^޻*;Z6~Fq"0ny Ҷ;Tg 3M۰tPU#dDH$:flG] ,)nG0  BKEfJG?Y 7)@Eqjs\u.@q ^CYRkQOoUփz4)B\n&s)͇c`;"ҋ{79nEefs_t?6%kר:zR*++ݪζ(Iw<QQ%0JU(wN&.fHM ]ᆳd.o 9d neО w.Sb;(AӾrGRx-q}츪ӲhЃ$_&DUTmK,̳ydKySŋd6uLl^W'bdfEҲQIi~p)t P5l0о~يxy:j; l? %k{:D\ pR9kbʺd\{G>fA-3RHoyhYb{jzV#8|PPpVW0Ueȷ M\X?3AP,@.]Ճ]Xt 0iv]}ϞUɠKեm3X1ʛ9@5"˾Ug0U8f$Qta8v&GZMBz<4١p-HvG aW b>}G[yYFf,T{,/N6v?^wފaa,ί[([-&'T-W7NzcgW(z8glWpdo +D *QG38vt `HJ & ĤRwV7Ao̖HJ8}UDՁ`ь!4>QDI66 =w@4 ۧ>>/N*e^nnj@hM2 +wzb$Y#鄕ȳE:QXSP0L-V b0]wgqlҏ:""Ӆw`9݅| RU%Zy]N|wNo7"$#t0c JWSSteJVWf$x\@TiK=h _К A"}~n/#s×1b>.-+NItp<c9zX.Ca:pEqYںꭙpTN L6 ~"|F0/j|}cE"TX-^:9\Aԯkd.)'68h!eiBP_AhjF_Z33TߒsZ!5bdL0 IP?;OXu`E&zQW%3oV_ȔUSo9EX3{R,&œ1* Oo P㫌r&Eˎ)El~}I;lB+"w2a:|2#RY%kvO/쒼۫^ ^X197{l21,w'J˧2^,6{cIyLA1)brO!@}C@``,^Z .zRD09D)Pp7*_mH Nm-o]u/}+7f9+3|G3!-Z=hJ' b&8&߂0vV55δՈ̼JJYD0$v|ص+3 @*r\yD.nnfruFh*u$ - З''tB_g̺٭X +JHXٖXUk+-7rRQ2X| EDFJGAOo)@B,P8 JnCp+#Ev\sr1h`UwofAWqfaf!@{4<+ЮQ[ҦΑv7%XLŢCdv\ %*O}=B&{|=-azi0kk~)R>tFNٺļ䜵)v/&>봖G=_>M[xAIŀ0,}_y\״Ggӫԅ. xܺ5wQ00h7Y BTZpOBdVТp-0$~ kH26ӀUq~xn@sQH*Zt4@XYhZneGo٩.|kJ!XSrs[{d,R,UgģT/ &Bz^ K`~D廧?=c\NmENhD m:0Xqt#񚁻۬82FjTL;Uc+r 4jcpm5pf9{U2$˜dsۨeo-9mV}N?>ߡ;Gex^QPMH@Ӥ^b1)$Jwe4 CEcgq"LL{AEʰ3i*,iW$:[ˈ?әTZW嬄ډe~@F6qmwJC[55ڦ~XnwSFMض%1&[D} 'eFtɯ!p6Y犏Qv,ߌKտ߮Mv.[0 Q fd{vfdZUmuu0ZLM'C YMh#u[ȭ @ܷIX:G@|"A׋H?Т s#j%fjAG``U,]"acJc05}w )0?-ؓ`aw2B5ܾ밦4#*/ 񗞹N-J u(7B-q"kWo)EuC_р!0>C*/a f}Y#2~ǽF S9S)Ռge5N2Z}o=I|פ`!F8AMT^"׆Ҏ%~Y8o g$._\Wx֨e*=ϟeyӸ0 Sg dP|=ҙ4ؐ80z<ק Gwzf(Z^)GrK{FZ@H : kcN7c/zߐ.I,9"YDB[.VZ^--8j4;N5Aa` ]*rl*Ntk *wZ_ oA܎ۭ]&Q[|U-jahYv39u7]}HF=rnT]J;"B5wԙ3%&;3ʜI湑^`Î5 #) o^-D` %q٦TECŸ'I5N%a1IQ?xb*Wd 1Ċ lt|7֯"^rnKX9l* N]ѸY:wKLAPEk*0 XIdqTv6, ^Bv(WY)rg !/M5L\qe(uT2|7?Wơ d [cHUmKHL! l(X#8e+^F9lU5ڞhQNԄb1GjO-QO5He깼=Q3E0@FY< u>e2p꿞] cTd_:;r8X>]aHե9YBv! PțW l*E9O}f%U4eۍd`”5Ѝ宨e!pݽ2/P:aPuꡂs+{NJx (BS?qh&6b绪1xNa:*?&fSgeѲdofxF6+78'ON62 g9k3 hKç}ҫ^^N|!W@NG;QuJLaT_ SNK6L;::om XkeZ v0=>2cD6 (Ḳ‰)oƽ9Hɱ>3Am|l8n`N,lŲ%Ȏ!a)LܢCS塰\# %ף\LBTw_q McB[Q:[ 6)$*  @LchA ~8̧YoVVe/4dyep*忯k 錸u q.\ư.5vvpeP%x`$~gM5I{OӦR݉=e=ֵTKD1ogݛ#DӲO:A6Tǹ_EzK{`]m@igf{UqQyپB5`i,XBG_ rևmeA=mB-g tPKE <.ك5/@{ݴyx.7;t"%G*OxNV9/%ӏ߭iZ`Pi1tp/hm!rJdVS<٘hp؇$߱w6 I@30Lt!:{/ܸlHX֕G%&.M}R@p,5G/ u cB~)i&2˃%؉Rw{kNqYLb۹c' b3Zn"C:Ak%nu?D~= 5/xwچy?Q$`byQ40lO5&xm5jJh&ރo=b>9w(ԇ,>CzJ٭=݆{C)St (N>'j83{~A`-dh {91W`rڶ\ì NϬvjŏ@ 1'tc-m"Qv!)W H߾}V3K,?vH3E[KIGxi!9|'C?h*E.ޝ"evۢmo9v}X>1r]_špRDhF*HRʏ;cFlb{ǽ&)9 M+ b1etthL=Y!<3[p>C=qBpz]BiO46k:bݝ:<^7U4?=I^KsQ,_ٲne(>qog/+1g7Kz֑CDeO HPNp$EoL7rbqy]W=_MfthO0YE^+ķ.ЗXy_@󪃀Ie(g#.JaOa<ύh7?V Z-Us;O*ʮ ~lК]ۛ=+ڛ陼U4lwBt6dZDRg3LK{ {7m9z@}rٕ0+H"E/*]nRW|(xaa/Y(a?C!H:3|_ wZķRF" NWjL(Z93:-jL%HV0wiC ҥV)Gy%.q7HSY-UD 0%ab>׹f<$"|})ss`.r6 D:),[Ĵ1jZt;cm1^Ԛ4bjFp.C$@_BQW ~@} M]Ƌ@!9 M9*ZO^Vbl"Kw}Yv/92Nr//Y_Ua=o1jm>eIxް+C{lɮ7f`V_ݖqǃD& j4V8T L)j4d*]v'ٺLUq0@^Vq~ v M=%IpHk`p% i>Zbx:znjG@\Cj,3 |ѵi!~.`9龖x/P `"5mtsh]wp?Oձzi>6bҗ W03+}|b@nֲ_%pmȎ gZoҭ~aU|9y'Û17}fCT!h8t{ 2Ys4hq-<{q_WQa-*/{ƞ# ?7T,1wQ í<9 2vDcuX\`9$T vYuG#Q,G]PIm4i$ Ÿ{cǣޟpЬ*6rT;IF ~:Rg-n GQOnC?й"_albjj1"7smPVk DB[/u,eRk{.!J^Jje`'C+E8ۉ:> 2k(㿈 C^i':\ׁm"i~@ݜR!]pfp > .ip􍗇PW2T7F~bXubv:v;r9|(c4 qI|+BVx219̌cx% `aArƓ H[&S'>ǯ kmݩΉxrεk&$v|"vyx3KUZF+`g$K jӽ`I"z*ZHˤ单}J̟> NIhgy/Pi%1U4Lv{ {nx S DԀV~e$%@q+UVcbq-xuxg1)M@䐗O`Ènާ#4-ew(6VȄv䩸Aa@ v>khė p9BfQ2d'Tb#0"?(h˳Utz}#Aᶠs .NI@SE^@5? ')IyλsL@YKd{ F'k֋,4b3!R\ZHdG֩g첎#u t8L>tBi|7aX}OE1F,Hzs8/V +}s (E3EdJ!aQ$, #|[.

6AW+3NB>luԛm әT},TJd/N\6owxKwTl[G-1sx]uNgef9y8<-iZ>}ۉH8sr?*>_./,x1[U7UہꅎѥbD˛ѓ8 tkwOn~ aZ/;`ct#XuPj4o-8=:"a0oMGn얺>y:zފ-;?&vozng?w (ɍDyrm}}e88ElbXe+lv%'&ljQ+=e(WNX *l =,iDAW=ZۖUI&m#^ĭĖ? ͓E7P;9I-h(rao D翍]-o{1&R mcD/ONn@ӎU?! ah B'$y01Ww7n 1iDN./f ?=F^Α5LȱwxIX-49MR~륭;z<ﴏ83f- @`ߛʋX}`fB!yge(RF[+ {%ZxL`ݗ, v =lyL>6OI P96,J$Jq3{-5K8liM8-i$`: Q;rɀȥx0<@̀j7)wQu#xX:Dywql6}ҁÄwEL4B$(pg@1] uw |̈́E\<[-nq7ZtV12Kɞjq]K 1k&=i=% [p(/;leqA>+Ó?KDW[XgR┷}bGmǘ.}׌+Q :dU?有;ox2@!*؎4g($]8v<dz c9U}HA=|ə,Io)<{#[/Z{nF;wlj6j?!IMK=`Poۡ- *Hmm>v+8ֳWr 8ϵkxzMgr N<7i_P~=d QJ7ՉVgK?W Մ(9ٮ 3E5y_H'ߎ;1O;,PmTމ4odtБQ*XʑrwfjSr,ńGOR %Z'?ZAC޹%6@Xc=ɞMAFjWF U@@hb|tdT ;T0Yt"0Al;;lƿ]gsv2 9> EAG. rkBk]E 5ܫ:{'v 0[Hp*)|ƎXPǖ%ru mm,ѣ |l8I6^H %-^9ԇX\ -ꚕ‚63 YfN$@LDYa|o z͵Ŋ\PSpf"HrFe7c4Y97<TRlc-e/p A!8m 3V$+oeڋ o~LڶnepBNud.F/no(?Xb,6UKYLZYϕ`. } +L3A sT?BejÕw3dpJEX$c#I+:Wk y sX$^ͤWqKQ@iױ Zĩuxr7VàZc;r LIA Q3ILi9ys4]Oe<.\ |]<[Yaj;V6-~ӥw8Mnig *Ǒ|ɎIS p;-*xmT@~y63êyz'w0 !kj}Eg/78L%n]G`uP"RiS'Z}ȳ ?zv<7\uVz0]to%B;W(_N%H{[}F#@wҒ2AU q]{azk̋^Th x7Y)GZI܉(8[Xe 1UYq s.kG{f5H|ަO>Yߛ굨CsMob;@iCVkR,iD3xإB&&PKB%e*&>:V'O,3Bڊ,kV+Ec.HZ"CT|ӧ3M:O :odUnKiptd+ǞXT#-?d #ϛ璌e "p7E8?IL9Uypc`C&H?X6+HN%2\ngvkdAF44OcDa ?nBG:ĢhbrD&8~QTIIɳ,jJ6%68;gMK7C>KiW|}oNJ;p :+fb~JlM{c|u\87 LWCUb[BW7 '(+ сsv_tݬ"i$Y.-t/nR]0~lN` ;sP8 [oUKQ*}o3\G/jvZUSpJI mByB<YBQ# V2X_f':)8lp8!WRJ V g1mtT!4qBE\=P7~ȸڧr *OR1@" -Hug%x2sϯnVHd]7enkyD 3Wd v@/c 3ug=`:,\;%&r;JmFCW\ru秌 dAX&ar8.Fd}lPYc%x@ŝΚ}eundxX%|ofQHʼ@< 6=w܁^1(WF4>܏ !M }JIE;}mHNM_ m狵DD8[)F*Q r&>a-Le!y%=S:\'ܨ'a A+9l4mwN< tKj_{0L\]7J7H@b/RdSjzel  RRC'&"#Wo6Z(u3isT_(szMACDټ CBCv2\,Ozql6cJ{  !|L{TQy(*/fؑ껙5^;®˰l0菺u4}·1Y{1+I^^ Yr j$djN&qElFY;Ytn#K>1~;0vea1F5F8pC"4~pz,z\xS_iso\ mq@!V#e C5Ծ*T Y{\۞1D?T9C^yФ`x&t;+{n?!2 jh‹3p!`%X 1^ϋJq==7/ &;)^YF|3NR6 (kva`/\2Qs$G" ~g~ ؆z5P2?t6^6d{ Jgо؄m"D**A>ט*Ǧ3DdyIA|5CH.p5SlqBGC#.!'7*/yjT':i7rB9P{.bv! ~P7Q(&V(lckpv2-b`I%k{̞Gc$U ]kL ,z^!͑1nPN`3 #?UBPEM}UwX,6 (DG0+m`I_QB4<|'5bٹ"1# tpiܬ|aasu?>+3: Qm{ }l~pS?X8wZʱŅVTon?XHDKŪ0"Y*9ۖ~yuR.Q eZon@I <8}Ra1q` \ߒQJNXOwI.IJzh$Ԭ&qPTPI#"K`6@+۶-ѱZqa l/,.ncL n #4~l`6EMD7P 67IloMI1"3XC1I>Z4ܔ;Y!B᭑*{Քi}QEjNsx[.3e PF{mk=##a ۧ;t_I$?``ɑta~)r+a6\qDG p"

]@ibVނH;@mrkqp 0J睞R[ .,g5"A൳OZ̪) @1.< qb IyLVd~ĕ"K2_ǧF$kqp=JJ!a\ZrSpA4r`¯>ʭMGSIdVq3)\m.6SyQP7λ@*&\/ѮA۲!dc%w^SJq6Aj?gj>]] (f>o3go6M+]?N<~ӓ!X~HlۏvAʬ_+fmPlS'ZDj[nvƒKJ.h* or o)Hwpkr٦RcU\(1n y0N y^tv:-I/g~qO.OX?tG-V)4R ź'LXNj;ۢۯ.Z8qW;B _Qio3 x8~& v?gb궦>6I28S^5h@VMjlMSE ;4疻T7yNmۊȸ!+&A5w/D7''U Y^@ X+MvHF@YwOGڟz\Wr v}.[ES?5<)@$(+TZP& 7K}L(MAS"JzWNe iaN^܋ U.Qqg…31]4.ͽɠگ13\/Ǭubܨy,g֖ϥ 㡭GX.D5n}\2k3&lrK -def I ԸanݶZwbˌǖTofdЏSEAN1_s|o=_xdת:R5q"a6 CmhwƟ(A=9+EUxJf"NKuCasM|#-Y#8@mqa|8$T 5&RoݜȒҢS{ë"' E`[!g-n;yv4l"Ju[vdLRg8a8*cw 2bC:);iQ4tY\D_!ޤ7P!\%ٓ;3ܙC/lbXN=x6H;GfȬMn,;gw '|q@i/)d}>fm -,DGK}%Əx8k0dL!A[& O߫ 9)m`ݲ)m R@ zY|9Rsj;l.0S/5gg!?Vq97"-aC@p ?Iuuw,d\{9v$uh9w);d ժrX6*Lj>{(J=z,ZYOo2W}J\*#YL:9AssHTW`S1!-_ElP޷/0N˃8I:},h3g 2%p&┕ s7tətRJ tx٨ xQW(V>^TYCS&T)u[u.iIp29nѼHSgH@ mo@.8DL&)}qĚ@j#.8Deˠܻ+SUhb R[ڔjXSiܞgX'8v}`6% ٯ>ĐET^ ^؈* 8O YmX;YyؖfXۺrA`o 8o( ~DwlH=c.25Dw+`Kzz\X>P[4 XkJU`?aT9|+KQKƅ^3J=#gISaGq8PW$6WrHU*mv'\ c<Y)5 0oU[kSqODNhFk5e }?L\iXC'iL̅rWןKVfqgΤajZJg*7qET&0H.b㹳 ?xoK\5,9t[35'ۗ FV0sGg+}j^]Vz) !1%2\}3|C@ͽ8* 2LQH yoOyƝSYqug::2ܳ:d>MZǞ14\EW+ Z8Qm6(䠋`;1K =+o-ϗ~[ˤMz=V:'nt,n 6/Aplހw,fd5tWC5R:.ؑF۟} ^5IH)['?iҏ4,upvg=rBo&*`bo#l{JI)[n{ԕ5:#zb&uGuOoֵ!g1OA#\N r:Ӂ،j9c"7j-a"yZ]nm)8'~ ,m߯<-VoWVf|\_0ߗxfͫEr9 >z} .4; `06XF"f j-~58:VJDžr#E.hbpv|4em:)ȦkLyzQ[?SK܍hv;  ?:n8ZL}CoC5~G^Nä[pZ:sGت{mpwKzuuiAQ<o`+l6==ȧ0Lx~l'|v)4֍a$Z,hEW _]Wn_̜`NH٪cGQBPeHUW2=j]ӉpyWf{rGXLk9$ȼ#j@`$++6J3%_Zc/HءВ~ĩ69!"( "]aB:u}ȧJD=~m <[2 İbUBJzKH_CGXocݱхzP kԠ?r+R QX&lolhHBN jkU>@0ׄQ܂lKO$C4{~y g'6F@vQ1enՃˮu)T}ãZP~,Mk&J/k&Ly UtKc`UN>DQ4pT2wN= -$3#ҽOeDӛf {2S' %"7a0}(FKJX_zm˞0zcU'áqae _8JL]Hj}>K| 7@G6A2@ Յa~ &Z󇬪ƄMY~ݣ~7,-Ss'> ! gL鍛Kɜ/aϕf\2#PK}_0pDR>5%\S$Xk9$d`׬dKQ]/KG-[^U]MIr,:lXLjO^/MԬQ]`#^KV1[WV IsJpn k^-T& Wm4 @ZxE! o`7%@BPq+V&'70X }b f|w: h%#g^5&ܽl5vސ'r/W-r^ّd~<.\G:i)+nSn%3wh| 5d`թXc nl.7tPg$Ұqjh~ͮ{sTJ< п\ׅlJE\eo\n9u-!ӌ\h5ibq=ҍK"!28aO(oCr1z]4Tm#@̯>7CtH|dy"B_y8ZPDfGlvEچ)sB3a @xu3|?>_QXs\p:,_A"*lYLUeL/!_v#`Qxm~G17ղHZr"#ҖcONXV-U;IDJ6` DxAlwXr0z-D c?>\c4`P,IWgN)Lqʹd,v^R'VֻO4YN@o蒖"E)P0ξ<yN7Ml x+;o J%Pctf!r]Ẽ׻?) P0!aF?' c O1-<$Ya0roc]1Ɛt?)~@<*^ڵ?Kp82+_=!KțT'%ü, aLdSiJ8*/G3듩SR{y݈+]ݺ\FG![J P䇅;/x0aHMq5FQXhSsU;Za~h:6b<24c"8B-MD$&^WRBr`-'ω<_\|&aW% @Ą oUf5>[$" ]! *|Dqڔ4SID)[gMG$P8HX!yly{ǜþR/4W;Q/Տ<"9?O\Bu8 XӨ˜'MiYWM̺;x%Codg*\ԇOi&ELR"U;,Kxqbtկb}*-fq$xQLgYTzXI\nRuC*d}~G']yH+ˮ?\{Q8edl xˠ}TK,}Ԕu$sMO{6BeP^~x(0Q8BX t *E!eK.!a,;tu~2.VwCO΢ Rhk4L(ӢH >v6ٜ&ƴhPQSrOkDv]5ӱ[)yiYҮeq!iL9*eXAX&=PއFP¶Ԋ틂¨eH]u(\- (,F7*eU- ]%&=C"6[s8HM`~<$gע9Gcj娤 2v*C~oؘ l4';ן2ᐎW>23[_uމ/JݣퟖDϢJ%PZW|th>t"9I( 6Uw1zA4#S|8 ̎,}{3OPQaiB"V3!ZJqF]R.#ϲ};+ ؁~19O4:Oo"WS}3Vj`ﬥe@pdQ/ *Y.:l3U|zIy+ʷegST -01yKNQ(Jϲ7:z&P,+g3Vna9ax=J5W]|N,~$/3Jz&tv.۱Knv?5=4-(">P/:OF&O"/-uߌpgQ9*u{nQ vLttXp&]*j: mSvmS{Og2o1,n d%7bZ&q Fx t~[^D6'.ʾ?Į*^NkҶJ%Y)Wd2lL4Sҷ#_\Z%OVQ?qɅOL/7A0@( yxKn\L-fPUъI(HKÊ W\Nw:oN\/'ͅ ۧs`!3w* (UId°cHl^Eƃ!]E"aF4,:Beڱ8{~QLbfLRfQipƗhؿ5O'0lm& iCPfb %L[; F|,!"͕{TarAyq.z'<Ji6]bZw؝U*03Ie s(kNπh6-_` Yyف.qtЖWD&8 u ,QDg1QHiF<O:BP˽൫豹5 0N̈́؉:Xlr `kŁW: h B 5R/Cdڬ1"nk+ iwɯ8O6sΜ>Al^_d)gS5,"S;̉s#J_"2~ 慼wWDFG!>7ɢ; I@C8 h5)1q#BХo6.p6fͿq52t6U"uX‡xziLM&P83o1EA,-e%ᒧh-զήA!ft3e:8[ҞJ=_m}NڜIJ\ Q;'tߕ2k#Eh3'oM@B@ 6z XW;%iy)y9GLŽd- 9vx_jay$[ ޔ{HCMOv|0o FݧrS,FRjÑ,ȃo($n0c!V АC;'JM HD*H9Lj4,n"&NVH= ukrxdxP$*;t~|G -x97aK]&"'w6PwVb&E',ilb|̀yjf;`rq}V]>rFNTRD(h\dFˊ?b鮺:9>=֩K~H,wnV@ +> =$"xa\G [P ib`u{cȧC }\G. |L6^'qi`/+kvTNXG,i^󥥻+D[vr:nMB Cw~aŨ53Cy] "^4Ͱ ϓ\ /!L*Q>Eq!{tg#{!7 Q_-.G J&!IA9I~Aw 6TG'n$i7烸x!>pU/ԅpPvH8 cA}LwsmJ䝵 65s JGGN  ş99瀤dpf$ ;g~p9/uzO]Ig_̈;MU!iJryIp']@Lau*Db?˂q8LZb2DWR;Ooh!1f .6"_e?Z0 A[.oźQ_gyJ;3)Vbѩ'`;<8S Xnӿx.%9=ϹXl 9KKg4NP%5س69a.:rv ߆-8|5' s[R$%h\,i4MvFkC!62dŪ,z?MJQٯ>]&BʇnG]0un|yu魟:6j G آ> sKH6^Oژכ0-X|_\,7;P)^x>\p`\tZx]"84>o*?e(2ⵊܨ@tf:*n"s0(I_qՂ6sj?S{n>y.@2NkD hfQ-B~b:ۊRUxwb~y-sIuUβjnmKZC{YϪR 2|nn-:n4$k^)b o)=`c<ޛdx) i|R_^*+uj&c#q=klģ33:aHe]nAmrIC?%JϏY$ y3A=:$mKߗyE!́aM3:V2kў#?B{E^6QȂNvUse W1>=cOd-~AZ~\Cuʹ'E:N) Vރ s5_l.XOv%^̧J,U=*гOX\O?7 r꿸,>˶r oq҂L8u;vS0.k:hlsc4Xi_&R 1VHn|zZn&\W!WƚmV ݂ tYwbl) 5ŀ1 s6m\fHʚ>0NqMMLmj*,X.PE8Wpmc\Gga!{4 DBX#'L+{ޝρhY8NX\ic/M@#^`T?qHdw]/ YPЀNгtdlJ&j%߅vKк"Ea i;B|&kUo=[lRLwrRy>BY|G ]8"%{֬!t@5DBI?aF/c c $sA~KH%F~ڑZonḊ U2@|Uc ذZN?2/ٚ7#P$A|,[?fca_ǙSCw,%ѪM8}L"70/>]}{IC uѧI6TR*rfײ4ܦZB ด0\_Hl(g`CNs1pi+-VHq<-W <{##dm2)nK]tr.il۲PҐB@1TXPZDL%_#**0(c_9CͭU ̡͖/X|Zx ( ,=F̮w2@]ߘ)s?Y3q"|Ptfi:² 5eFsJldqYuڍl͜j^k[ױ$uKro(a|b,U-:.{c(uF sbCLuhqBčrieqS;ceT9-p95]+ "(k0Z/U=+CK %p7iHR@.T?y+@Vş}F=|I x^{Ģ,Q~kHsro)`Ghb7oOp9[$/Fn\bb0y@"&) *\KpiNGSeh8{'ޏ2t<^yE18F3=nj1;Lq/;Fo˱ԭf,'Տ!GRHʫc[E~V{N2J=U/Ulw:IIpo0Wki*'z-Hb0wFFd{ݗGU>1P$4 )u ^"jIa$ tqu/ 5HK8PI9nU.}ħCLfK'`hF`\0wgX}X/im̐fJA7n%hln[.:˗bd'SEbSqHUe-&FQxwyth\kv7$ Qs8 2ʫJHW}؄%oj- ʯ`Q0)|!uY& 4pfLjԐ(%G;޷!EMzqx  BB$1"q.sI7D@g>1+6!{wL2vJqD#k, 7||trxCj4lBzdh~Uբs¾R:o4LYS`Jt1jk!4oM:hތg?lgtO`Diboy׊ eV !ZZzET?}[>=w8@v;ecP&疣 "IZqݵG$x(0(w!lH_,ܴnafˆ+64tF˃czT"Z֐H2.)aq X'Fpu"WA3F)$ƌR:lnA豚 }.? kce sp< 05jÂ#ᦉ*O.@bg ' #=7un4\ZSg? ʄ^0$^6tJz'U^v {>[Pt"A}D4:;DK\ {ݜ&8BxMƐ;^aT GNcR(SRSF/Cv42͢4mb-G$:fQH 1.27{n3 6cM% 婜&Lp].| 8*փLLC?>%uHde"~Nr )G4ܛMh1a@O=_$ҾڴJ!y&|+14o ka8^.ŸVkzr0\|c&O%- >?+S$[',ShU#"n4Y%+C1m H [% l~ x6,#e^('SjlPeYInρr83,|A GnԘ:ZF\.3YIF%M9@"/:ďn.r) no@֋=0+oTn]ܘષHAl'a@7ՙJP4}`0:+PҴ}@F&CZ#\lo){(\RWZPa`^'EgvEOWj_ I6Jt} {\wN){b}s s`gMt \yi ܺ 4DN@&&T,*V?$ga ca1u;#q샑cIJ'Fe^ypeUS}.?H_'z6WWLvƥ:M|NYEk]H%l].4V$!w0 xMˆgֵV|GŦ7TP,tĊ( nADRX D*1z`?(h =B /%fX_s{]]2JzW@_y[?0"O°L {eb=xp$'`flhN ąPLOT^ %.`mIˑ](0Mt8%@#[p)]KB<>?Y32 { ݙݺ9:&aL!Ƅs \ӛ}emnv !M d`O"tO c{&,9a7f%Z\ 0pbϾ3 #h* .*ڍ TNF(W/XQM&z*wa`XH@h4&%^Z%&ixl{aeIVF<C@k%rz7wة:+Y+ҭ2=:^&/ sh[P'`P5f㪩'p#Kt)"}唵:;AaV̌c'ȸ{ü1Q19,7`la^T+472Z8gEr%gs8;*gBU=k^Nw[z6BC%?fYʍC GEs*Ns^j`7v`+ʌbo¨s_!t=gKG9]c(6[Q(.0qc{r+U)'8fL]8w(H2Ҿ>xI(|` Mq mN}43+pxP5AniRgY7@<~ K+zIx&L+\+98f-8P0mxI \U\n[&́bcVK(]Wf39 4$LN+pW>>oMeJ稃hcBT'G;/үէX)9 mZ"a!sT FZҜ6ɟ*(M>z~) pP *x@էɝ hwxZa{HZ9p`VQibm`KTT{x{='c8OsA^Dbo Nb0 2+[jaFU6)wp 9g(2a KnxzDwlmq+[TI`kRS%u}-.)NQb.hԌP,Ru^g&LD)rZr\RnEаxE*'Mإ* 7,ӉR=;%qG{eDAB6FX19YgM Bb#Л!6=TIr0sSr=P Ө?a9U 06k+2q|i'T=#z+}2RawVzmIyZD`ȩ՗K_~oO#EnPFSK$jAl7G4g~(IR<jK": d`h.* X6d7jV$ O 6Ji0=tA%%C"? L `-(%Yg;ճ6ӝ0kd wMDۈ{d6nJcȕՉ4b- t8. u#r*bY̹B0Bu z tߞ[%Gƫyy%0hbk "R c߹WdYD'|V Bǔn~?_j2`jQԥSiG[ͰUّԎqʝt\V M/6w 撅B^{Sᜰ^% ׇG1 ɸiǽ"$0zz ؃,Kx:`$Y1~,}#ĹU߄\z}Ž2H w}/ge[k|mySٽLoծMh .v`4OL_H<ͅvȝj1Ic=?8 `O[25oV刬_{ZM_sfŒ FhmLa]>8UPq)߅BQmw:K^A.{[CɞMViN-" 4nגa Ԥ$uSJ@>" <E B֑:ea_>ZMB3JA-2^il/":¯`NʝVº;=W3A@%P)}pDF\u,Y:XJQi:`XάPҧ8e|ĞGԩ[ǝa}Uk87۰Hgdp{xdZ k^ς˅wj݂B:xN])MNE ;MmK59,*۪Ǖ{Bݧy]-\ydo/Ks𐒂S?"F+'UğVVk*%"qD;$~#i)u=\γtF^-d_sY={A{U)'ųYF4,; P.*?qV&r1rvQѻP=2QUrܦG]Uλn e~k5hwS80^bl:rXLɓw*6lDG tZX۪f3%ɭP'VrlR0kjJ:0 @ZJkY†?0b]?*KkO]qwo&7uw؎q(_&Òm))ZB!E;en\⯡( he{oBNNoS|\eX6 }]Tr_\ ꧀&Nf}uPvRGeiga9-31'kg$.WW "aq:5'957sۺ>޻~#&x/.*,ԿyHHW;aoܽ~ԸFZc]-Bgk=[n2VKq.w [ViVgש:qѦcSUzH̪DBZPWm<3U ]LL z.BbIhÐbQ0b;QY4eQQt&7ĕxIG,EZ[$&"lvb,4zw ubQZ06h$bl|2qV$ɗÿ3ː*jpwNj=}iLR{UNON9\֧/ûl~_34f%5K`ZJ5/kٓc Epj;̦*o?; GmS^)HVOI؏&!3u" \3פ2Ga-yˆQK kiHIH5':v?l5⌬NuD*uohxk w['T &2L.>8Nء kaa%L!ʡƺ7$_yI8/If/kn}k\8+RG PP\":lfv ̄=^Nwը#]GT/XrJn248 1rBvoγU6NhsK)5Km M`ÒZ}2rFOi':[| `|ͥwOKzޛx-®XZHv3?ʉɡ cZ˿z ʛabWnL iBJ+MP5;fFEac]OQ0"oմO*+1&|__ɮɈ7_"tًIz1(%qDxx񻓣-+ u⚏!8}[4=auw$xؽL 1EnGP2"k+`?&&f-E嬿)IIy:r\'U[REO65ŗ 1,25~L ;6c$S֝@bQGRV3܊ã_IfKk);y>BPc2(DeB[a1UYsvpLB'Dl'uUBrjq9GQ`YQB>s<'a gNV'9~:,83nFVAbE/a)I"E0Qj8Db|/QA7t`dE&Jْ@tKPj^5\lHaazpcKG\S5׀-%iMoxUVPT)MQggθ. v.62)^b&is9 ZaEcη ְ^zm58[^[kbj=B3ٙ.Am[k+Vb2ۉ) {8ϧ 9T73Xii: IAR`pJ9aA:Eb&ss_UCF?\{34^tƷ ,M=#$zV[IlR;Kc^+7QlG?j3  0 k<7%İXn 8զtڮR`%4+k9k޷C/z^JM^`4~6rHaP9KArEng%tD>%S插81qUoO=2%u9;!b[?vh~:׬q 5<.?>ݗ:ev~xx]Htm08jO^FʰMoMI-jnu$ 0q]?N&<*^Y ntF[5z5pOV!sѨX./ڇ PfyIlQHgl|h&%eK}>} O0k0j)(u1fRŊІUp:$4tfsA)Xt 7]ۗ?rK]>벜.9#I? ©|t܆L~Z9:x?&4H_}a7Gc8Ee;W(&BH񫜎uT(tx|-PUf,YDsϖ洡'ڇ| 1c=~;9W$k$UA@2y?66 H\HDeS'::l."s!5K1Pdu\-2|Zhc{+]f]^ Zۿ +a* iK|%|,ΒTx-.MtF3(x`Ukyv*n/]Hnov/a鑉PǴ5B rJbYcC;e6Ϻl_Ol) a6Ǫ02oc+#+m YW 9pvɲ qkUc Bzb6VaYss)EcE{=wP_^<%HkgjBhyHLT (rY#%]Z`2'=Ǭr.xI))'N*PJKzXgH{ "mJ^ IV!콬g'5\TQNY^]mpCm'L{D!!Ʉ6g4I_!wcBKp>7cʿ.͍ǯ]pvՀTDӒUҭ!!ViViY)LaA'WlE0 ?gx\8p_?}Pr#n{xC^ڄ8QJbB?hl,e*O=m,+X1,8j: yiX_By|oMھ7RT ju\B{2>|DvV8 0>{iV4hP)/] dOMts96 g+P 2#(V|oF}041(w B-*hD׬gdL5$wՉF7A_Aϓ@%>k&&{[*6dEn7YY"uа&Jw$ 0ZD`dz{VSכ3u;PkgkW=V?-qJx?oE WôZdDVj LjRG*XB-Ybs]-ѷEAf ѓAQl_A40}i¤!<(g=XC_bǬoY^%قI%&?رAsqB6C1+:}̞,< ̣Vsn_ҫ\h.䫝[C àkb{FO.R|(`NH2Rc7E>]zq;b _VoG)wA\W\WFsW؜QT9eҁ]Sewi"̱52);ɬ4^,ZzW%Pih+hɋ6iϠ;OWPvFAM×Ow:)"a{<05'g8Bɵ42YL}i[ua‘Ȼ\"3w+bsV͸4" 0([MJtwN[v !"uX+MUP;*FPĘKh`Xtqa"TN늀j9Y#@YEI FY?(gTV˻H# K3C6 Tl VCF6e~@{7lBCOج7M++ -! ] %+%BbT A~H Nv)K3ڸZ8NmgSιNZ@r"-X[`k9noQXcQſg1qF7khG%-axH3[ kcd7mpS8#@1BV EU9LT N`tHv֐_,FSK] 0 3q'eaJȤ*kĝI>C{:x:-\nw T23$dp*=ǢYOV2ʉH Gǟy: EóRIA4̾@롌.zpO*j'M2₿ܮIƁwO/oY@7Y8Ml@<-B!>q3%Q/v+"fە(!nrQ!7FBƤ:b3Q?mOsږqX#~̃{>6.)%λˬ);Nù:N+!Hr26~ BC"]\Ywʦ(,qN{[2 ϱRLxopћ9.DE~+z:&\eXks qF%ZUfښ>ѩO-Qj!3< zU6*_D@G]F+Oyftݟ"u0bfiK-"}v7W(-qj#*ͧ*7_SNl jtrdI5īA_,Ҋ py&f6d`$ ֌!Wq(wV@~ t1hEMDhy)(M;y-͘ן\yRH{ܩP+uR&aC¬nǡt(7O0xwrny\USLZ 7~4bT1 9COl7(dEY\4%~#),Pϻ"vkѮ}ŲW/ UV?)(,iK6j3 \?B3^ƪkDYBdc=vG*K u8%N c >oz/zD\ؘM/FE(y(" ԋ2H0eU6?-?}YOksȇOL \GޕJ=J]v?(0Cuz?{?ϔ⮥`ق+XA[!xf*IgA&;'7Rڈgx£{nN9l#uZOwn"Q,/$qHd+ "TB'P&i.KI|@dqa}΍ _ o!^C*ي_}3l ß ]ayLs>d؃'l}GI`ʦYSL: H`c}à:ՂE^z7p8_O#aej  n%>;k~ oQ ls,^37nЮ(=Sc&Tg`fg~vx_ D7 2pRzW^\7',Q :fIUE'vO'j> Bo3v q WS^fk{-☰5b{lDX# /fSE~&+Z€n_"[ Bg~r;5JWa:Id#)ӿCXFMNF?ԶEkG*Eی*b}}3LF!⟂Ki/|TaˆG* 'A G:hb&p^P=3۶Jѿ:8`m DhB)}d]p W*" ΕQ9xU5n36g oOJ5\{&bI XRBL.JC hOxS XEʺYw!''Pug \( *9͛z1"tz/,u?i-߿э)Q/0mAEPT1Wo`O'7(:x(@f{V0€}h#BS =U Ʒ! ➈Ɓ(mgTyqO8j0TߏAċSy,od,lbm-߁c$u%<"ܲTz} Ynq'[JwnRrM\Y=Fc.p:sba.ym;B!#3 0YJ|iMgi(h*?>R/XXjȱNK ;i/￙=ӾN7u!#v BX38)FVL%D8x f*,ſe{.P"A*<"Mhn);kI'm-ļw&WW6 Lo 0ʆC;ֵf;,P.% T@uXH.81WǾJ7SårWvs>W}R K: PT ތDzȼ\ip^R_QOZ_mi ϩ$Z`/xvGM /#A$V^n^LN#i_>}l}Pۉ|P8dŎ!Y5nKO'Ǫk XF!m׎9$WF]})M#ӽx^U@W3$0FeűSmtW.:2(m1s. (DcsH LdѮ, d8k{ƠaYBݍJuH5̺ Cѿ@x/ݞI?1Aѹdu Ɛ+߯Է*. һꆲeGҷbvi=|MZG}n/l;A&kZ<Wx,M^w#3@|@51f)E@̂MWA !>+-}5>fGǻD.ԠAfIQX"-gj5xE#ur"sܑsl6whCuDrktO!<~PF3]`Ma? r9Vu';tMbrQaQ$Pdf)`1AP-QE/g`p{G2F6[vB !DEi?B]ӢPѢb_\UcB…=A_qѦl⿡WoUdr{*\T'; _0T&5UVԸnv<n~ 9ʏ$&!yB 8y2BA U W&#w "A'|M!\3Sm*2Q4{> }݉QLΎ~f̑[D:A"ة' ^✆,Cq3=J I 1LamǗ>?*p2'yv1\y![%|(*Ƶ%| zOO| )Xkʌ.Es~= Z~bwRlXu6A5Ha3̭%Ӈw"ѹ7CT ?6ky'WQ#x$ټ^#]>bofi@o8}R4p͢ ĜJeTE$.ϛZ3xI2EcxVޞxܐS3 eDlTLfF;8p֨j,mewßy_MQs"Èss{FctFMr>\4Gޥ$pTŖ[خpjҿJp]\TYN{ 2+Sq)K/fSRRW HU(Q s!^nI腨D(*.{8 5)GkEPaC 5R+F@(vtI%Jmwr6ޅz9B68PO܅yGFBwa?L( Pٲ*BCZBGa%+ کwvܠ_{2]FO R#'\7=\5"O;q2 W]r)0l';Ei\E! WN3Y{ؓgZe y/ʅQ`HlbJ8$5+7v57:; UNՀK T6$f6 ^ HZ'.B%CWu/;Q=/<)9 åDX}II!eOx87zz*T|\&jR_I,BcA,w/kkB 5l2;yj޵4= .,B/<`VV9{ЀΦz+C?d., ~"B]Jz4{ڦRJ$nuXijƴ/mWrW˻oLe6 ?2a)NZ\̄ufqbfఴ]ǦGw*Bvn^ssj >/*yw1Y6#؉F#1}A v횏+p8 $k'Cau{{S SԮ.@彩aS4_|>? !裯!,X}@eWI٢^O)J42ވއ l:|ap@h5H}P=~?5 Y MyѢ|m*/J n1[j3%>5"O !nSݢOdr\s zӮ#MNIexD׉'̭/#>Vp;|9917M^edO \J({~l" ġ=/,sOm_KÉp\x]Sq;H Ш]MR#C1-YI仼|(V֐n ­Etd8rZzw%^?YbjW}i ]],s&Nbc DoDrKQVS=/+ӿ#hMXI)mOa&g- )z1W aԔU5FuI|EygCU]ex($uVWsQк17shk*3(otz/rxa4; Z֌sL>.y!0KJ<жռOrBʜ# ah~ڣ׽ztcW dT'JSw ۸:@x!3WR5q.ݝ'gt<&02aKrʼ =NCѬy/^0) 3H'B%ݭ5g_!U<*EU~f¦@bRy؟Z7ǥ/{Ysoje( U]0PF8mYhyZSSq8 I̜]US}ث%ŰA\zї=^`F H iݤdcY{dA'#g8 cUPJ])">sG"b{FiTh ys,pV|A% noKK{D6Q/Sy){#rͿZiH+ ҒŀwVY8l`z<Zl3hAk _]l|M6t>R.km7V1!SVp_B:h>}dcڍ|%has:PQ(\Җ! +_GOms>圛F4Ldٱ+˘=l9mGBG2/W6DY*ڈpZ. k,˟/1PO$!YCsv^MCGyo.Bh)-l]rx)qٽqQ$uX2p 5E 6(W2Fْ-u' Sӎ*@7Qg.c'+f0c+ שy|=ڻof- \sj\2?rWUYz%z*, fR>)  CݤUj]cYR7{=VXkc.մn-QX7n%Jcy<@ "w3[t{8 "`XTq2mmd ¶C0wY;ۖP*Od*7;$T͒NUE׿ULD3ͨ{VwÌe({FrX4c^&F?2&M`V;0{&};qJh/=}>s7V2"IMdZave!iUN$3$|'#(1u"vv4= WB.? k$TXMd-nѲZ5*P1@_jl r V+ 44hE?r"cٿrFW018 zil;EUM8 IL)OMrĀّ3U Yw_b)Qʢt hq\P) <%b9&\Vy)<+֜@oV7c=9n9EtM&'{weJv:4k<0ms c^RV'A9_$%8nb"襔"p9Zw:'sX^ة̓,Nt6?LM}g<%у\Ƣ Gh( 悺~fmP# +@SGImmD땥nP5_/k[7C䦆R v@8]/+\<aYw5@q\dتT~7G l.::&+zsTJ:7e0m}~FDJoSgӄ̠tBDžnҶt3TpK)lB~W"}f⁚FK%n` j|orNomHu\5&tSyM ԣJ?OŔtݤxc,fI=!>r47p#LkMc Sc*'M,ԌFk!+S@fN%[%NZ2Lo9iFc~sVCDi(D]sO요$dVhV~RAe~6;Bgs'AX*WTTJX}=I>a2qAs.M=Rb¹^=(O"Т/ד~#vA3te`&OyZ^ti}z\,6xq1oɗBSǞHBYڀʣ)4(q8h>|ܐJ.$ #.=p\_7-tWS9܏l_6ln>96|APO)UXQHZ_n Ԡ|:6#[XGEKsM{MN/v2Q}ۚaLú<6k$kZ{ 52HvR[|biROӰ9@ *i \ 04'< 6ʈ}'AhU\ S}=6Ifǟ s30wNõj3K<.aA͓K0\ (&,!a}h9}_بU]ubA-|փ1}#P ]![LP XjVnf]5@Ϯ4ƅ[0=Xh]woDn&X}X0izͅ^wo"կ/KeSQ$3=7$3ѯ*i i933}K["j+lliSE i>AGKxJ0O>(nR[ֵuLy_Ca堑4:jPNAϗ͠crPfo+ ڞLE xUƂ_]=„Tݑh#p fP]`J=^#[^ǭrK0`{CݗI œDud<+{;ڵ<GiRm9JʞWgƴ=fw6䖵zʧ?S *][ OS_ْN{H%PII,Y4ZǷp & y*^dulIu1=zo%W0Wݙ1cxqs|}nbY:䊁ĪpAZXdžk)G?9aI:"M2 2ك053̣{z2-77pPC>GZ3N8Tfl A|K"g2dV<&(oT+Ix(|~)d5X?麬MS*1F=/nYy;ejʲ:/LS<1uA?avͣxd>݋zglYPhTnu1 OxIJa|$YjyWIk[;G#vXQe_&*Hc^^GAUzW@#By0l`3oua܊@l5·Q(kPjL"`k m;mxܻjX-npdϽ=M&A1 I6^Rd+>BF) )AJ+ 6'q#6}˖bmT/ӽ=X跕FEnju2XRέ6tY_Wvkqb}iaAoG5TsD'y bpOtNA" #5}35 ʚY_=Tdk^u Lx2Z02$ꆚmrhNlCdAK@R{ȋl++D#)*PKR?3hXT]\Sga9ezk4tI#чݵ!$q:)ӝQǝInӠCl(r`(3DpXm/+-@5;{ tk*pʦr!Q| Y/KIy@9nS+ψLt=z*'ca˜o౟TyWS\vmf|uj_7x0va| 1Il]" OK~U\TC5*܏ cwk:Srx5eȝ?6%5rGvQk[sTaifp\AUwn,$sKI.`9\*h ŞJ]ۿ6kO$KfGM[ ^d[@_i1 VbGF>erfWiӠ*縔hEb Ф|j17JW8ikWkT:otJ/ 9\ J1H .Ż}X%%mn Wir;⓶Kkv Z8* @Pib4p M Hu#oA~AM&,f7bܡ[2lj䴚a/(1`ȵ]c \ũº,(\q.(n+B՗]RZ:?t̩k+G:>>UQP\H-(0 Du 'Qᶑe00P"<~x<k\Sc-?$A䬉|ψuj*F=wD-4ǔwغKxmn(vh3q JK13xE˧lPAXpı ɭS/_HA#Pm8a whkWߖm[֎QÖ5H5G[)?n/W),Gq WM{?*jQ&{Լ" 4fҽ :?g q0I a };-> r |yK&ySD.GJ^: u+,c<]:aBuJaفy݈bo YUWH7>M"je#+ƣYI"PS  $NwmF\~>A2 ,jkd3W$h~'íἉ4OҦꁳa@7֟jb1(`F,$ @"kvHY6JjZv#gWzȄE:=Ln*vQfV޲'ܟc=S*$ә2WGAlITͳ|T+$c<&(ljK["vի7|:PQƳME+YJխ:%>qrߍD2jʟl9EAB2Θ3nғ?i dv ŨSî (||$B!gKOI7Z 2(;4&_}38m&.Gʔ1viAjj޽ZBFew7^ro\uy+6jFRPQ06G@"n6+7l5fJj[5]" )CLR뎉J1 kC4r2Hb^ѯ܀r?ѫ{3OefqnYE}6e<p6eV0&$*. .DvdfEJN~s"vu/81^_)g4DO/G%x+UVjhzZ0,;?ۿVc^BIت.w,)=Dz*AҔZ,a|Ԏ:&hX[\.xӖ(p;2+V1RE4*@23wz[%!>Wg'fʝbt3}SY!s~өsS엋AWX/6nxf '-jZo 4xEvnf#%Z"m<< ]bo[,sE=8)@T^{fu֋6,68vxIvoi;I1M|T,rGqiF_T_^s>:3Iu5 Uh$):M`5ƷbaT cE.Fu' ~s }u.%̊юM>c]6YR q#K]6Т3'V\ <S .%As L݅À133yJB@:"f$_V!Bzo;+ ݉Dň"b,.\%-FO\oLI&)}`J&iiu鿜ye{o[yHŮ?v<Ƹk2IEL(0qAXX؛,~PEUlIWez5S܇oՖcqLx._?(c;jUBiij9ju"ncK0|Oٔү ^A܇ n@,kZwzLؕ!E.: uMBwXdY#Ajyo hu|yApmTaR%g/B s/@"5De5~{`| L͞&h,}zKaawu6{鈑ܮߕAytKz1Үa4D4me1tb& B Ah|(4GVJ S%VGlzT1Gsƴe _r®q kQ؋ƥF?'DmVcz2q[W4|ҿwOYsZA MfEJGhJB.)+r 歿q_ewRNv[X6GX > ^i!YȾ_8 Qҹ61evW/~TC2MqJ뙈dP/i3\]_ߞ,~m{@ {+_?ӂ:JQ PjVzX#i"黛|6QmK֙c7VLXh5  UA^ Ū;4h-8xF&I}ql~@aZ7Kq)+X$h w X;7S+&,v%y^!X!^Ěov] u:968n֛nU;u_N%IA@kN0 tхh@&@H\l:+gƖBO։PW [k- i=+VagV;J9f.8>/권FV.V:}C n^ qWLynkT +E85ec}FDXI3~׫xW-B/%RgsՅ連鬾[f%ޘ<4]iD,E[2[c 6kN`..d bq=vuZKbΈSh ntحΊ8s,>"LOE_H%7h SgHw3?|^K$FQ*6KIwf6\ʼn tܠ^9x /vKngMN>"+@QHB*Ah$tXt1U '1S@&d<xTr%Xeoq*`ωZ*\:vn4.mqqȇduQB`۷$îʄ%7/OSL hy+`!OD;y{ 2xb{tH@ vBBn;bARr[C\pdo9T)P 5SŔ*}MApQ2 U*i^rΐΚM7_!Qld<9mEA p).õ8^K[ Oؙ͐M^niI( jk7KwQsF+8CoٙFԤ%#KCĠTO?HD ) TugUzJF-pik;4T&wQrIU_Ue`<,Wvf/nv:vo4+zG!*y&န_*ɏ w 0w&fEv#MnDa" G8X؇k+(M*+Ї &]8񨢜[AƏ.ȹvBY#voۤO"US^`#uhTx# JR H@댚5da+4z64H?ĉt ~Q$+{C= %0B8Ra)sM'YfUry(nʈ =2'+bV{Tۋ͘A7B"\֡q{eW0Ķ@>$?3_딧aua#&FnsM&(+YsH0?u?f] ]n:'cPSZFV-BG2L@~,!tDŽ?x^#2 Yb}7A+.c䗙>[PX_enPEXzbTbѯqbYK9j63SH#EEF=Vz' MC( q%f}s#^y-mmp^P5&KMYTO^_tRȫV}']gslB@;p$eߙ,Q8xBb*}OS|5Sy:MJn߱0N6/O?Ġ5ffpb[k.*mz&ڣ\0%ZplzFb!+H{(V53g )ɌKjR󗙴Tg; !tGΘ\^ X̀f1B%Ru,T?le} A> wH*=^oOGSjÿ[bFjr1)XA>#Fq4ޱWJ<1$/6Dd8OX5l(؇g 8DRmJg bVX{i 8[,3ɫĮ+3Ek]cPQ̯L޸or Thb@yV*XQw6ԯZ.o{@Λ٦o;+p<5Re4(\3-w1yk3\bO!dGpPvMy))JYr>/G;ƉTy^Us\=~:`ROM*uT,YVNY伕kdytI$v3@ͭE}) r{9dO?>C,[3QMthuQrID!&HsCjA yAO . G\ۓ24{]SE'hi7jl,P:\o w1k*Յ?T.DڴÌi9"_ ~vb h[?. VDu՚$fOUs|P>Z/0^`OK奋`5`كզQL9s9$ʓPa{FD1ͅiL4fKydl?u؀HȈH+c~_ψD@W9rV -*48,fCe&3e3,Q)p J\kZؓ+79;z?Eۏ`!{SuAhGͬSK9܉,n{R'Fx(:|K_wnB{PhJFye9>W3 @11 i-,ۡ%-G:>ﻏ|I*,䢋4F|fişՐW U+XNy] jCևGJhH_LM&Rd& -"d:DO8_ډ^ (]=ҡ &IpfA pq3Y|MF*q!u6sV`WΜ gT^_ u:SV5ڔ%dJCj{?mq{O%[ 8w9zZ PoVˏ&qX ܃Ic[e ¢W^^ )Hٝ{8! yHtN[&S2ExIYn[0V޽oO6ͱTzBIODDwvlUfB3X4H%9|do?"wùqg%ƺ@E)+H{9;z wjF!W+Gef/kOښ/єtHDy>ztWiW2>Nm9E"/@1`ޚSbbh] ² pv+0Gk r].G6vDATV7kYyw}raX7+q&6/m6ڪe]NgF(\x|Gz//2 ]VMM~Gnڝ4yUexwP+B핌1zr'MMD40€;OYtb a%@E?~Re0-\Ʈޮp_((J;NKaڈe]O"R lff4!_ ֢ZwMO}Ch\q(@ 1@=_ί+G,Qtִj8.X#-L$۞BoOObj "<@qLzoc[ -S{i9N~<|}YUѠ_{O^j F39θ9Y8~At M8x"PrT¿%Fc"vI􊳾$h"bL꘽.,Tm1ⅾͨ bӂ*ůN-؃OJ#Fe5HmR^{ioJ<(QaXOƕv<$މRPyƾmWo)tÏ\"ܰ'=nO֮[f 6gd7~KToۖb|wv%rkdx.NFʘfFZ}M Cl=Fz7M:?jAMg/c+];c*q҂!$j#Ǎ4V[1)^ ڬYNi +fwhSwm2sG"|)@++dHӻ ,jĈv>]0:qc$3[k;PXo3C9b9qxȃWFrtov`sZ,.$^ڄlAmCXN~(7#W+-|ȣV31(ko[%H 'J&XQTB#5w*EGY^rB"e,SPʖ6CLTo'GIkm"sˆ ~|fl̹[AY*=U*ߢ|LVY۲%W;ڮſhK#Q g 濹]Z7*uS$ nĽjc PxRry%!r{e;nۆ>J`AХ0E'zbC] Dgaio8??Zzd݋[ˉ~nY/icJlr{#3&S[Ln3kz3ȓ]H̤ZL NkQŌioBg{tHv#NZP>7 XOJa>֞p5(Q_fLVOa/ jse~K"[BW3ӍaADzhV,=qzB w9YKT=օ5c=zv0#xz)-x;w9^Z&Tt l%g9T4kMf&>BLgpkOJ³CAz!*2 G-ZnsfW.=Gp0>vvpyr>pK,%WȰFR ~@+7[4ZM'1i)NB6y*5tw p6"|\Zzf=.bޏds霣FzR []\D PTUېk䵉Iڳ>;md:CJOh_e%e sߧ?WF›n>}G$1q[OIF>r5ܤ@tw#.{%/39Tv(׏nv.0՞Oբ%dU9{1#yW9ͻnĚ72h|Y aC']IEP+B1?ne^rѥVx{/]<}Lā亾>h2hR=D ~5`Ĭt>\¥KYQ [p4%Շ&p]k 1> |wiGFUEBͱ|[{$vCZ\;WG#@Gk^RR|tM ;[yvTm8Jh_iM"*%1EN xVYp1Úi/~HXX>Bw;cRz2ӟ(Wx=_0BKcL,3Du ]ܶ#&^ۂX (yb,T%35{{U Е d°E[WU ΋Lx'&؂(1ӽM-`5Z>q˕y1?_TxEbV\ס zD>Jd78t;.%&wh y9^id)!SOt֝O83,ɾdzۅq]d\B.4IPEɐA6ݱy{穁V-Sb2 $U|71Uh8V0gOxuqP?dc̦qԃ< @( غ)W`v Rv ӑ :hAizZMbQMS)~IoOBzOdTdQ_J{9-`A8nVSZF p}#CnQVK  ܧӣr8?0,'{+o1B;sE-Itȫ y\ܨ{!ǖw1f 3`6\U3b Ⱥ!+=ӷ޹,oyOH.wSW'Kwa.{Ts|;7͂6nH E'Bo|Yeee@z`H]+;a7{;ߜV$6]$=-ڧ2i͕8jA]tPۓzKqρ!߮Av覣I"vrA@R\[3EWZO7DQGvv P #Gz.⢉;s|}(ˠtj@6xBQ* -LkN! _K`5#jk>2zqR=c#-n\7tLn |N= 6l:Xv܃l7A˙ HTEM"9Td]@'&23B: vvf@QAzPrPDؗ43 !?0#9U-O=e ;;!-H: B<+G2OW`%iN /;v~>H?a}i-6g]Z5;XR\DWώlWR+JA#Li/2L u^#ʚ%Г}vf #]m6&zFB&hWts1Cd_ E[٨R]xBNJT^\梌o_,b ٗ0 XUB+-B-; k45:B$U[<uF ׺]zp-< mCl=%.z7Y%HsA5`w:י}̖G"j_4#o=k+|R!9onO69} Y_yDZ*#lۺ{N0X۹6.U2Ro!',XRt60l=\NⲯLf!rٹ$kIX؂pՋ('Ut /sJCkràq支;-&q hp7W{+Np.M?.Ln^x-륑?t~ԻpUKܾih _*C«x)p;@0PwF~J T͘u8dHG?{LOZ`\3e5&_\ }km:䂉e\ to~UF@${j]0\5 d3?̐WxH`s5Cn8Џx嚧cc"uKv%`k| M/^xN?%F'}&)v|+֢{rK.І!MA}#~cMoxG7궤۽)M|Q*T /2uu&z+dWnHfU&t`hLLh+ucJo .2E1j||d|{5f~8f$tiim~R~2|z/@O)j#Mo= ^#}ڴ@'a3<l)f90uiZsȵz#(YDmf2(yȩ ʮiN4(-* Xė{rf-uM>l]S"`3 ~B my?%* V4󾾹⹄y{l>ͪ60AbBXafc4"S\yQSj e3XPJ~{0U'/CGZC:q7'PKP~dٙ2DWNo"gw&l_@/ki!c(qxez QeH 䶒G`/Qʣ3{Qla]i/g?@,Q6nH#dڱٟ7|iyH~\Gz/] 5z T{=dks稈1R~4vN^+ƞgpzn,/lÎ3c FY`UQ ȕx9^s kۙe t"k^3XC۬a>>։$Ax@ g9~IO'a6@@ ;D7EO1~sDur+#X |OLDQ:[. tW#涷Yxx% ol5xiU %Ta >}p&{wi(1YFj+hrzL\ )T@IkY_{RȒZ>bat'(>SK-71Qny\nNȍFK8(@fSeN)~֝&\_lxXf =; @L \p;+XY$&mݜLjq1.؅ M\`0DG{|y AO 9X,4]Piq_g"F)nn($ڛhlCd&\aCcEi{zZ۬0ߩ+`mD9teT5ױqPůL0=H`uJMN2ިEMfFاR7(gz^eq 8ϳ9C6bjIQ}Q78X 0qvc+7vLVXvAmk=X4и=`rD|kg֪HDڗ_[XZO QW͕RYyQB`"aXֹ»癱nKNŮ(0-mޖehL>so(lNOv]cp fgЬL)7NÃfFW}'k>wEȏ$ZcLP=myZ?Om;QoXZwWkV@N6Nlww& ZSyU..;Ln;`5;!ΜzaWa[r\P(LޖL`*8Vآڦ˚^0>=. [,=#El9jʉrSH*Yf(Q&C3K|ɲ;K#sۓ`WX%1 ތR{rOM~բߊF /a ¾_bXyWuWPFKxn|θ^\J| ZF L22+yżAC]R @|,okn8ZF*3 F+4G{YCë  xJ~5%W>pɎo؇o@d\ƈ7 %7V9'M%B'+Œ'`Bgzz_]2YxmJs#I_.=讳} toc4d&Z-\eYx ZBD$9CWA!ҿ9,O`c2kLyH*)% *4]8WՍy*t%ޤmLpGk2?pUx'*>GTN EW|ϺS2:hȥX >|GxOmI$yd\+;+jYwaj]B1'< rE0̙(^kAԦWe,j-\] K迂UMjl 2Lj69kG'Ky0+ _Zq9oÑ5B@;Gm%NtB7L59n̑"l^qv 0qP2OcEBACϭkhgҰ*\Be׆Nd;AfY8n0A+i&Um V<{&ZM\Pbe-8N(AA˙&=-22xBZ:*{5L)t/>7=Q<1"wiIASks:m GNcZ=%RɻOec3.nI)dI~ ;cl"-c'[u_wTow/Z8rA $<"]na}-LW?+.DҦΪai*Ԩ#1S5H PZs3q*B$up{Ɲդ35m[Fwhl;Cƭ Hw_C%6Afn4ƈ2%c&oAD3oР6=AbXH2 H1`<J{g)+ڸx|oNx{/)x"y9_ib\]( >W)=ݖ-Vmx8DokJ uYOTt>'BM uΤ:rku甽Ik~ ~(S$Nǁa͗k!ׁ):ٛ @Y~=Vb pRerՇK>b @НMK6@~<4Upc/|t ~,'&kC/AWǨ7Y=f*`xnہG!ݓ0Ooۈ `kʇb4ꉦE0VUsqZ:]uNCt_qBFNp@BUEPҝ̓ȱ p㆑5"bx T7۰Xy T[y_Y("9M@fjɷ4INׇ5'xF~ 9Wu/utUQ\W2oQ6scYuLF!vqs'8OB҄3MK8Ti\.>@Oaljm|''b$d 0d\^fRZ TvgZPd/J!CgPzB%h/Y B6#^_z]'Bt hR<~<1-߃I*(&CggUJ$nf1~ $4M|mq+p~(> )RzU^%}hU=3DC.4{i*O"Y C#$5AF{.6Ac \McS|↗df{Zte:ٝ/"I/EjH9E Ը`B[RD?zNO` ۖtCo{.KдO!LR&'ӣI )P:r B.&H~ZXqMm#&2uv!N7D]pcbOOfP~^{VJ6xi{ǥ#uPP@\[.<L^cL]ee!2 }R 3QtJ/| g(]<+}lWMqDh-7-<  ,:6ߪF-a%g ~ոZVr:Ùgӿ٘>0hC%<c~@3}>!XCxi7&˔xM 'HpcYAh.InN{,$3%[?0戮of֛UoiG.Kz*jUz+sj PE]7-23_Ӛ0uP~ŋ"']orxy-k@(eޗϿ^/%+)oacX\1?@#4F{\<Y[Bu$FiiJQ GӺ @LD`vu ҙݶtyҜ8_tV9_/JM/Oua XefVq<U##OT dx?lpeqUaHVhLTY }缓}rj>/MHTX"w,jz:y~]P@>xHb!1iH.G -9y4; "T x4{BqmT@%ԉµ`葷̋e,mgCu'HJo9LյAАi3&BuFߑ4`Ē~9U담 5Bʣ>˳ XT9ɻ]4ZtHŋcuw^zE'>_K2Ўm2A1fh,Ք 4VS~x!qa~fy/?pUJڲ>reOM[1>m`+#uu# ݕWLr }? ףe^.Z%(BK\m¸GlWk(_1hB.֚bN!aVk} 2+>XԜC Q'o5"*qic!3K+1U?uޱM& c9߫Āel ʭQ.eOlaԨ@s-'Lt3WZ_" ѧy&rX{݁r z0J6 cAx3svMY$4 1r΅OӔqV1CP?;L uF ZXW@8QAyKzP*jӐnLywwq5$UG{x};!Ďk"AS;m=IDp}RĘLk#te>d?Mc s}="e|gz&zO ؒFIG~_UCXByqf.e.gWՇ{I74^. 0#Ar# 4פ Ƣ+;\⌊qzٸE8br;`z%^hk]Ş)/8=3Rޜ:E˜5I9^2pT  hAݿb76o;s7G(w{aܹ5GRW/Ak걛hM(k ν_ /Rc5kL~H^5l M@"J4Y7(ZӒ](nC|W$8/vcgB ڱ9G^zx!y\t#< 4"hdX8ĺ(!ϛ8iYeٙ@|i7icuhnY PB]'KiCk@7~>?'u{:ap%2I\ġ/O JJ :b'qʙ X GgLY{IK>*-oEΘN@M$UGWr۔, 2[>*;{qʄÆI8}ѥ ]ğ`ⲐE>>PThרo(Ep߽Dİb߰ Mg[|EL Sk-6p`|I]b%Sӄ`j80_-QDO.Xf) dD1IݽW7W RNDCbO0=zX.ҌM*]Lw[R; &V \jcQt"g~}R/O(30NT r6 ߤXm.:rYCwKmB}SnTDCzTSsl$r2}tKq~HmשTK!xtv ΟA h'a,Es"$ uTbP%) (sZd^ac{@;n|hqL/?2Qbf`C;x#9ד\^nnWJ9e3ʢQ8: _Hm"L"a@ r,c _^PM-$y$}T\;0?St.t/cfCc!6S) *_B"o \gwlfbEc\컸F4xRt@`oi4GGr$  0~n#z pqOWsf@[ R!LJ绞L!bq5R'49ސ}_i @ܨ09(X[ޘcPHLU'DLD+^`rYe7m|I)Z<"_M79P`Q HD9?#74>V=;lW#Y`2=jCG(t0)1Tߢ5 8\>+!"چ_} ɮ4V-owWJP?4@"!>&DX9Vk?d]Ѝ)H}\2 t[h*Z# -u"wQ'`Xծ1+K+4ZVF@y|G6)RL^!s,#Ɠi zHK!W4҄MU1nCֵ6z<Un"fIJVAy(IR:ZQsWल.?vAU4a՘ǔNHqysUQ;H li,0^  +|gtQqeF'J2Xbn-\6zL!,MHnU$q.5B!%\J F})&8NG_9*iZ^ܩ-kĄi}> 6V4+));YdPP&>5n@qlRyI lZ.L}$I|LUĜ{,^kfPT Q23f򧋫{4n pAphVsq՗:*`Y$2uh sQ1ޙ{IwuiB2dJ{-zYurDс>SwzF[=^ ƭ)QLr b&+E- 2P;ћ0N8d55+_xGxgiɞO|74K;E2:nh&tMgY*;8`n0S_drO=oHZU'Jsw-:z5~4пPhާ DJ7 Z˨ErR˙6cGQ.<"D9ޕߝl"uU-c tiF'hؠuV=Zw|3j }K{ӄo$3Bw[:ғv,䧂bطH(X0 +#/-IHCoz|AS*9d= qCfѽ_peT\KTxr ȭQs0~N|ȻiYƐi O$,2vY]aL?sx-Zձs*A) kݨȞwJRF y?GeE6M& sTeĵ &cNHIwK Aܾ칯i_>WFù:oӃɞЇܹ;m ϴ\mT \L`n ig->\]GlC4r|&ߘH"SݒY1ˌzL5%ERnWGZ^^hi;B">%yEsQoqu`q/hecRd%FfuZsu͍W]ps.Rj[-A6X[0W5_"C ή|<z]qWi4KΖ*124/#כ,]א"%^,xHxm=ƹPǶ(mh7xpOaVBcѲ?+ݪIaA{Z.epgX#BGO<9Nf&0G0?ƚDѝ2?A:zP=x6vu܁}hJ(X1`B E:B=uˢ @W ;ҧ%E%B ApLq۽ܲx)+㸚( ?FyrgIٱ&p9L4 +A!Ws' șõLV+2aWG)>NVE ]nZ ˍh9 D(= CK:Y;|ˎ~,T)Ҳ^d$wHdOeDe^H]h`yot>ˬ 2nd]n_@UEօh)=fZb"r\`>ħ<Qgm"o"A2O[ aXDC(p C{`~aN+l[=*nȈ:)eɪ {A<s JٍkP_ŷZx5>*{&9![=V#:T^rt륜w i+ %> )IGGnFa@jMJ6ASTz}P|]V]NԖ 0)L~m\γ7Y;g#^)TNJt%d6MCW]$gF{ٯ R 8,^/2S3[7^~7}J)WFv1o% !"G`]JwOF 3N$5]ÈvJ|$& H&q*v#}A,ܘb/HZV ٍJa! n0]9{LA"ɘ19 8*Q6ZA N1ߢ( asĭE0t('G]d9p2"嘑o+ ǝ-E:LdQםcL Wo2D)y4IceIsflA<6=jgb%9/L etHmlԾ-Wp;,s[1'+E*ytiEmUdfY&WMI_#?ɦLPW `J*0]d8AqPtfG&.NұPѾR갟T=W]VfehKHq.ZuGE*jGy$϶M^'PzbfhrYm| #gcVLsakyV2Gwv_CytTc1`8MXE'l*A!M#~z=NU,zhET2xqt)8ǡQw !98(R!8˩WZOt4d;z΍ZdӬ2QahOwZ($ Ph)oj_K=0f.@ bdOv[s$GF(ݴt7SC2&[Y=զe6`rd,E}zߑ dԸict07ܡ hcl斍$Sx  ED!PjԔ ASpCY"j<qVلyAN뜔&}cJ Tuʪ19oW;|΀{=@N^ڂJ IёhoUȐSLth>U.r0#C| f1 =B:h9<ׂ]z\^"c"Q@yxލ|]@Ϫ: f,5j"n(*_aXKͽȠ ĕ$ \VTYG;+wS'ڮqdE7G7<3fשոB:V8MЃٲh>c9Z<֐;OpYd}p>?N 7&մ5Z(gJV\,&퇚ʔZG~-*j3D:ܠw IF.i 'FL״12[bl\zd!Hz7jUr+xlY79fn?F XtEͮ__/nKYKT2 V(/@=B%)\Qj 󐰄 ⫺H#:'Z؏V2b)]PE L.Y]3K'%rmr,8M1Ӽ)!rs.K 7R]BnV{vDA(LyV>?3ʹn ;uӀxys:{rយNVI7;,s<9" FF?o7<M7(>&/pMUb%"2ɯ UެK~--uzJ+C>R R5JaT-"o=Vqԩ<.?,wаw bpIl)P p>(ج"@e@L)S4mںaiP fx}G Ǹo} U/3᪁)ΗxbWI4ϣ_۳0y#-0`C O*W$?ήkMto,@ tL 'ImE-zE(`є@$*%`Bf)!Ns  )edz Fex*l(Hs1`_;&(bWY Xk= Kko2,L 2$k"4!4 s٥ŊoBN78*LAtg=K2UjO!_PJnڒq-N(ԣ XHtjY8fr bvTt _TX#&@#D|N A}N>^}}{Sqg+`P߭ހ۰Uʍ,Kw b*`Y:1]f*1}jFUvnvÑ}r_gW} <(WG$r݃9 3Va_ Ya~7{9E% Y D ̿~ϊuu R,)9I;X ᳧-Xj{dE$CE8eHga )P m3*4g k"d8>P5D<PD=ASc o0qkW>&@8/P1hc&f~ kTv_\4WDe3Qz0XQWY[@+) :'\% &޸IC y Zn_eeQNwI1$fiŅ؊ ׊h pޜ>a}eҒ2ACğs E ϽJ+ >` C-}U^ϽWqۆ92&(3E#-ST?\X2]"ł֟bwDVe'UqqS:.ct1X/{yr.a,{;n4zN9"P5JC̍٣Ew[g=X}4 }8Qed#Iw jrf:r,M&7JPoj$'WoPOX {9{cEϧC o܅7HA<.׫@Ѿ3:9.;2M HW}Htc}S ow$" 6\r LE "$$ }[R5`!H$7 s>rn~T"xvDTՄKkxc؞葤۷'mAJ7@3o8aJuݼ^n CLɔVL` #(Zر(7tLk2j^p&XA!¼d X.y ;c>+F[?]C>)B Ȏc}Ƨy M%-؜>`o;]5gĩi r6Kz nꘗBf>'f{r֬mS ?b"DbX]1q9s[@uZlms9% M>w/(#Mwco$vN# (˺0ADmHl|$915@Eׁ}P[vjq@|YpUpge~@^j^;.D1}Qehk?כ`~[YOH[SK*5s[m|CoZk2"`o/Z.)zbedZ< J(!TiLdFuwԙgڱd,)'Pi؁:WDЍ򄿊VF_<STC$=]N\,~(Y=>(V:3L$LkUߢ_yFήu}.؃Ehb2K7] X_a 2 W*AW;3]O%V؈ՙj#lli2MIФXK55Azy #!-s-rϲ"Lm24,6,T -¯t|"WtHʿ?#Y^b(nDFVSX&%`jP̂6\JvGfvÅcO"B߫{X<~cdXyV8DHl"+f/Ggjjy-- Iz=n2O~o[$2jr'uCŠ<8\ȐMjV hwwC>Ҁѱ"+:9nHhX{w>,3b#ùd]Qb-,iVzIW-8,+(4ٕZrQzʆOώH*3n {ҫܼ/€pFxOqL%F n6#2Vq#1Nz"ӭh@k Lу3$rzrt1Z=DmMzף_lxLN:7 H_nJo<|DzE~U~ѧ؉!UeԚ?vTAT †4Nv{|LD)-e 7-G22#i@+_VʴEjsJhBzA$^~LDJiap⸚ȡAKo+.}c!"z4i>/rVUzQ[8Ge*䞭a,Ԡe=kΌoģ$7ŗ_=J!f \: 4z-%BEpya R@jRbV\˴a*ix9CǖF\ۄ4/II8 3+F%1U1yU5$#= ;fqZ[N2x6WliI0˿8>{/G3~ SPkT=F.eJ 0ko" g:$ 6`+Fi+^w)F$} 'zPw~,GۑH(0h-zJ_ES\0Y[cmYvר/`@Ѯs `;7UeBeB(\,PSC|SC oeRDT.@ Uϯ"yu#r)Sw]^,A]LO ՟:^Ӕ68i?; %pfj j)%4ss{ yp)PG",+WS@IP$ 8s# kQy&W ҍ<)96I[嫧xܸSvU`&]׷:[j]I*gfSd. ] (Z_a8n|sE&S98E*PGe´]~)9 K?I!:9(&f@-i+oPG:Q1NDhoj(7y13}* 管*}VSz}}sssLq,Ys)}&Sj>[p֯J'-%4E~!(&hVl9 &Bi5dH zyMr㫛X&$:࠙bͼ}<9C5[|7 rpb0{OLj(]QZa0ƒ}] IHM (wnD̔{$K ~i !gS6Ru6,9cY*c Mߤ\Db$1z@<>uJl % U&>KܸXXLՑXٔt6uz&p ?MORz_+$K>w50-}7!"S L^ȩn觊+HA|`z[p>nmSp/y-Jd~uImWj?D{mr߀j 3}h#! 7V``q7rStɹx(f&n;શ"^%Iڿŵyf`&V`.ygn|*n4JT^{%͓ᔐW}QtCO\E0K[IBg|4|dᙟ5PKwkit?-cï苆Vs~ְ+4B gMBa͐i #߉L !/m"xmVaxr]8 nAvCTiZg~@f WopN[xAA/f [-vݘSBUGBMl~V*k* `/^ZruM 'X.T\o [`\/Jվ;(k< qwW.w)FD]crWM)snz^~\-^2 +?J^+h ̖THx\5rq{2݆j,o hS'EtSZ 9̋ Azl2{VW(\QͫjNݎ# r hld,0q.:nz]jhZXSfZYaa/B1?f.4١; w="PΠ7O~D_[)hh&8ܨi6̨:z1(R Trj ґ,Bgx@{%<ڐDӜJA˶&aylFz5,MF§GRVgKaa?؍sl9"D'c- Lfhm9Mk*=!z9%/)0Ѩ>e Y* | dU oWy0Ar=?) p(X693#RAT襌"Mm{tUB|w-9"˜5˸fzʨFdz XS=xҊv/sc^BгISN\ 7j:?/r$W: UjR~&ib+c%&*m"ЭTjsB*&fsmh~"GE8XlLJ~?z0#Ip+!q9)A bɴO' o] }c@UWÛs\o~@]!Ꞵ_,<:_nB] wjJ-?<$jqjԟ!ś{kK kʓ#9F:y\a¸Ӌ0`Y` tClnfL#,ҺyʹF ɓ眜3fp7 _ѾWAVȞw/#2r+^I TS@U(U"j_>w nzf ъDÖkU`KXN M`mkRe+*߇T gZsY} l?#y$ A{wœ3>6#)c²y|B6`,)@wV5TidȲYw-KEVbÛ:mrǥrzoyX8Xim\jNqGͽtȍ4Դ?Q\3ƿ.pxV u7D Mc^jl2!oR?RJ5RRU6$tB"fFY=_k RZy(bk*#B"S_[UHq໚T)12ҊaߐH|s=bf׌;"RF,_-~nZj,}A.I:`#α|eBO4a&f).B=/2QlvzV6pc}8-tbr2L5]@c㓔"SZ]hn&lhuFN+̎,FzC"UI!]0w.>=2Ȏ`9əPiM9f`N:'VտDхnVY]}EtqXCZBz˒L7GCwǿbgKRI/6p[@F(2B_m~TD /@/A+&W!W#XtķLSOV7XX7PHԀap0Iqޗ.-!F sM^>2NS@"]db"A(okRjg⮛(`it b+XBE׃~Tx,ZwoO5 s+Z>sŨ}Pl9w\fyeI6/_+DX5xX{(3ʲ i!œK ԴCa9ϫD 9ԨME%O([ u5[fN( B Q^b\au"C@e + >wpo ϯKf-EKFf @x[%="2)ڔg{N1RlHH_"^k,8AWAM3UC mA&?)Z 4 qvFoi8Mt1ˆqfd*HLٍa=Ne cOr/x9 ڰT`S@YS4aL:Wjƙ1FWDDm{(h 3DEm,.PD&ɫ}۸X(3IHŖwO70#uDŽtW'ҎNwܖtNH{;$1q^^F2Iۡu5·T5a(2:O.wQXlJ6-՛(`Tnd;|7mRedr_dڝH3\$YX $-"RF{zS!idi6eqv[#vUzX^ d,Bt`oy;v2r֦vS G|(cd*UAؕ->wja1r%1ޟ Q@f2hf U h=I0N/PZۨ%IO`zbEioIv#UaW1}]mmꌣф X'B %pN6'N8zIB,$IuB sM@D=7 Lo@Ǜs4)(,zg5Ħ!#-/T tfptԜ>hc5޶՝(SuXk^7ܿO! ّaP!Nu^.llϊ.g czVcaVy?%֔ ~&TߐQЂZ^NdrO=zyX@R|Ŀ,<ٝ'w IZ,gf_LfEL OΤ^Ek{XSr\㋺Go}נ928ѿ2 3Ґ;|D0dg Q$?vZi3>cO%oZK< o0|KۛvpF\.Ps"s;ɀ&Q"amĻ=E :6d=eL7[2Z'Ra:|^8tgM*\Hb( ( HǂxCǑvMpG?AE=~+A5IZ#|P&j3)~0Hqә0kf=H=fmׂo*TW D*:&%eQ1'G 7=j8ɫeMVa=yĶ`iU*ŒdgLw:΄ wb:VX!D\wuY>A&j;tgM+M [6 VJt5$ x7p?B-џ|C0aBv9n |.f>'ߖg{32Cp'cjcwV28^n<@ՉáU!G9vg=dKϮμ#-| =蟆v UH|# 1!?+^_Ʒ~KbwuZh/ 4w Г )XW ،XЕ,!;LBk7 %z'G8cKC{ŦwڭW"(+6-;qmēm?3ALa6714Zi$Y|GF'°$MM9e%6bqH76⡑l'%>뷄ULpaN6QG0JֱHys T5,}pxM[ћwbPC~a\e9fjWe/!A~CƘPNw R^H._cdE= 磤r,?*Qل/twڲs#g [WGadޣ}{RaR)5AIrˁDI{rˈpH_:ѓ;u9`off0dhQ+mcFץtkvs'JT5Q?បp{8gQ70!SznmcC%/%3.ʸ.o| '2D~:<KTz\N4/&"ligf~c=>H2 - XQY?Pu6Jl5>٘fH.L. )?]v)bwszG5djUlBIX?tN::k0!2A^ `=ΐ8_{|),PX뼎'rc~&ڷ&VR YqGmDh]ל@Ӫ)Qc2!cu/1^{C=yhTe #ɹ$ Dc_ےtlL,F~N;M-(Ɏe bp8F橿v2nҊS>6^.(x;L3jo,HY|{!+:4=+B++ ߠ{̈́V'K;i?E{aX>wԸD""0#I `mP&QV ZKE]'eF30~>K[`yF! 'ml;,EaOL=FG8[C)0Qe`k+n]e@10: nm`hKH!Y5>W*8j嶿5Bj0O=z$,&I?io^$%;_ S vB'Bb_-3Eh4^ +HH(gx/(vx?ZᔞY0*D+9J x޼EWve[%p]21gw=?ktt\79ԠdW>bt(hgfȯejΆ}{*نC@5X]#]Wpd`mj[M/STOEy(UfnCl#|pWMtjN%XY(+-/ 712aXsQie_OF ^FM _[J4T`5ਧG2 2q>jnl>>y0~Bh6.PPZQ]5qùUeP@bʝD qW:W1d%Yo]^^MO8f2^Ns5νFBvB}#snMuf5W0;† cb-ρM&^OR4)M-m4cSNn$ev3J.CAz,[aX/NSSe * _Z|fUDiG9[ΞtkuWr N|tz_u%/z7TgK ˲*X%|0y-+md' ‹xKgP)WBOSs.4/U:v 9XZ"o?I}i?;/v9~E],]ӱљ/bq Ie0ɺxqsPK'NEn DA ~WKi(Ura[? yᲝMo̐@Z@W:1Ipf nqc&GNk0?(Sxњ3ߐ nt:Lh`Ud/-EÛoeXMݫY20?TN% zO~BqJAC;S'Ƙ$YI-J ɼuh6EWA#(ݰ$3g6y}QQh[fJip/sRMN+,tGv<`U{WېԹm[K ٖsDfh=OkK3C];i]@*fJS5x.Z#H 4< ;a;!i]RAYpL@@)\a@h.vtRq8 e[QphK5y:+.R9. b`M` \[\ɵA:q9OhLi~g$1,\A[b>vy8adr]o8c7w%« =s)bJÉvЪ)}*Edo22\6#ޥχe!!@9)% -Urel,+dVQG5ua+C K^`;"6p8.}*$ȴ)c ex_)E ;DeI5S)=b)>B3MNԝ;VP0e11\۵}.Fu|dNʚi՗D#][$0A;o3Ա^ r,N-;-@Cl?=˚KwX%}Gs|K1dHPp;Yf;E;wra/ISHERg跊0ʲz(@($~8[?h~P3 ~\\?zt/2pȈ/L%U*8+l򻽥(vq'u2*09aq^)´ribhO% X44E59 z54{ F+ogWu{Q7\\rz.oNc=bQ_ZWbh186D&M 3xS$^fL=FPLN=Iz[ *7k=S8ߕL仔/PG_s4miY$r8B =NGJ?ti7.YmydtXչW=U@j5+X:دXspN.5W>k_" FXPJ٨e+Nz!39-NVC+чƌ`zo$LCG*Im+ 'vBedrډ<(" fH ]njJl8g_ip3% kʭY!gćj/d$8N[}`ȂzՋ |㧢3 äeFlh+TB!Ctɷ5Jyz/^y+3l:Vd{LqwZ 6E=Aqf +$jVZ%$`g' J="ndpe(uWnVJ}f {x\[~0E)|cXڋB+'Ar"WjPWLJd[$kxծM,%غ{ŷwc4^dδhUO%u?g0b7ZGOv.,y)-/٨#^\pj YB\̍4ig6pk*D 5/++.y*'`hnQ#:O ^k`+]4IjϽ_ƊwO }Wם#]~l h \i~af#4O\S9g7Sm5\}<3-Yt`.SJ<t塣P2(q9`uFujzQrr`ʱη@|YOYIGm'xwP[my[RweE $JfMJ9E2A1$Ш) pW7, ) NL^h PvRq1z6K.`<8>'#Vl!猧˥9#gdORNwͺ(%&+R ('"!c^hۜyjύ_t\'N] tU9ʓ{7ت-_7*?48K qjQ`4to}38|LM݈_ TvU ;.udOM@z2Fgtx@?*vZ@慭!}$k꒴YɴNj_ LHymy`$M:+Ŕw2h~,p_\^ϫH%iW`KtZ֬BZ!+y{aPDeR!@'1]=\E^!{u YZ