sssd-kcm-1.16.2-13.el7_6.8$> R*;\>>p?`d   H .KQX4 B P l  ;^?? ?(58<9t:x8>?@GH$I@XLYT\x]^bpd5e:f=l?tXutvwHxdy7\Csssd-kcm1.16.213.el7_6.8An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.\!x86-02.bsys.centos.orgҍCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fi 큤A큤\\\ \\\\04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba105e2955e29ed46eb7045b14e09593a4201f3de54bf06ffa41f2a923130f2161d159b7cfd80d735189d55c44266f957de6fcf472311f476f6a6c288fd20eb0f03c75348ef7be0b40dc2cb27f9c5ea06edf850afb7c3e5dbab10083d6d53735767991b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.2-13.el7_6.8.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.2-13.el7_6.85.2-14.11.3\@\@\@\@\@\@[@[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13.8Michal Židek - 1.16.2-13.7Michal Židek - 1.16.2-13.6Michal Židek - 1.16.2-13.5Michal Židek - 1.16.2-13.4Michal Židek - 1.16.2-13.3Michal Židek - 1.16.2-13.2Michal Židek - 1.16.2-13.1Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z] - Part 2.- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z]- Resolves: rhbz#1683578 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]- Resolves: rhbz#1659507 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI [rhel-7.6.z]- Resolves: rhbz#1659083 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust [rhel-7.6.z]- Resolves: rhbz#1656833 - sssd_nss memory leak [rhel-7.6.z]- Resolves: Bug 1649784 - SSSD not fetching all sudo rules from AD [rhel-7.6.z]- Resolves: rhbz#1645047 - sssd only sets the SELinux login context if it differs from the default [rhel-7.6.z]- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.2-13.el7_6.81.16.2-13.el7_6.8sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericdrpmxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=a165f35b374dfbb04b6dc3dc7feee7512ca0a060, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory7R4R0R8R!RRR6RR RRRRRR2R#RRR R RR7R.R%R RR R&R3RRRRR$R R+R)R,R*R(R'RRRRRR"R-R5R1RR/RRR<? 7zXZ !#,⌋]"k%f@}}^Xɕv|~>E#_c #5&>D[[ӌNX bH~AXUvjͺE!lvV(}wONvdk5v+}.?w hqhnF\=T˷AJW燻{Jw9 }۶XkhYm;Nٽ5Ң\k96n@nvV5_ 2*<ݛ!-.ѕdN.oNn$ 0ZILoVOa' n8uELO#цeZ36{"٩ 1l;";qb*]|թo+yht8 CK7b MyK_г ^_}Ɏ|*T(-:^V(9bCt"W#$L<$_Vv( hy]BQNh"30黫2`szPӻ&%t2;/Yܟ$-Q"6CX07EܿۇŜfE)%f*ㆩ1R?.lr&~TyBx}M|aW=i!5O6=}zJ(}sMYg8EPRCp̖Y] A׶14/,pZ%s )sۻ {k/R#dsE%ǝ6|_ O_,em0=bh_DSDn>"P< W=lp2J"mqh*fVZ\(o`1d}ߖCK0Tx6ڲeKnp+.3tX3CzX{dL\"T1-6N</Uڞܩ?zUPYb61iJ1E0&?6c7`NB\jJ{tr,Wa2/=a2E sP=M{/:th>@0LL(d/be3UiMO\2F@֡'A5ݷڻ071RZa:&@WlN1OMI7w)<Ga]"liJj:8Iny |lLŀ D̛ezV,Hs{\ \dУSmBܭEX.>|3Im>F*cW(=l啚 =|)/`& &YOVwgʜ`}sĨJ(A"[;yhhz))ތY+}L32xٻxE+ҟ; %*"@|t,*JtTsA#n.jJ'y nskpy/R-;ޤ/(uz@bڹMQvO_cV̯ɵ+8ega(>t1:0>V-]G@\"JPgCPgpjl3Gk6bjrJzoI, Stbb@N'lhC̓4.ܺ.6ߣ̅xm:=g^zR*] \ߘP_.H.DBu&-$n4Μ~!gkO XӡL_ׯiVsPȩoUש h /UP}"Wm8rX!4F5FdbJ۝P?p/2l=GɎ_5S_8Dj=t<ޕpƔ,m^n6k_=RJSs>E*+#a3l+3ln ƗvP,<`5*(2>yθ46eR{x]SpAOcV:v!$ oi-0<\Li\fz irBI9 d0x sM* '^0/mDhﴘ|Lwn'ۺK9B7%Hf9R#2ńM]nc0;0 08Mv҂tw񯭟1WG85i{ˀ/)BS< UJJQr/0:T@'Eٚ[Z>B@t½)ە5t|h: ]c'rU2e<-劉{S:kiڶ/H5vd1o׸on߫X*XVЇH 7E#O{C[ Uux#ExJI60΁ K|4 G֓h D/ڴנ)6' Dt_ȫgNcXLNuz-9up8-gD4,O!r8xZ8i +3z1 judi+5 (เTsI.b>ʼn.$elF FSNCCw@^r'2RQyOA`3!^pMMvp>c u/3:~K*៰Z/jp E9EEJLԞ|X>P fڦ?:j9o˶l}fRr}??)e Pڐ y2{o_ >Lyߞ,ZJnEp#թ{f8 k-s}tIHu +5!f1d@eybNB˴492ߍMN(!VODΩ8TS$NVZ$夒2(wL5SwV sGA@u"a3p +̍lt hE8}t»h=Ï7RLhu׉I̟j. iW?HP%a;=QeKZ8^~| )GٴsxĀ|G!;i<ޯ~bP.0_-j2ٲ4G"'HR"7a?s+ehOGZ70'´K޾" /nNJDBo9FZ,`~۱9m m '3"jm|#ktr'}{$>wlG_M+F S]9k 7 /zf%&|Z'ZtTQIaev_(s$}ɩ7N_ 蘱*v+ϒeB^[X9P`we\yn3U~,c`s@u5l:8jE۲3+ԈF昝3']try$5ͿEG:NZB]QKN=h7ߠAjydHwA&PP AYӘ;ZYr%]bA(oY4xiԇ=f &Yz=MJt7T( 1У%F̀QV`:O(/ qQ4gvZ3&!50>r/Z2R;fH|t tv$x$1Q&-h?gyaSDy\ҋN`M)a'-~'A;t$Z ϯs`ng,Śo<#def! lڱj,q#=)# g(mY~@j% SfX˚B:cv=&[<6\A;\\5 8%FZ-'i|[٘qkJKj֚1ɔ!9Lh: 2S\E~0}hg&Et>{@Y(űp 5Пp.k iۮf]R}\_ΰ7&tJ-h̷vL[ J8?Wž| ' Dw$,MeG܌v6a[/|W8M{-9|f2H(%Բp|_N'+/7 Z'*%N1tpԱ\5+,G]}DT=k8G~|Val0ߌW +.fsj# 6E[áj1얗Lr^ M~W.쏳'\Y0~.v7YcZ -"y 1op͙#7 V9!RcV`/ڌUC yuVlPdPp4]sRZz*{\spP|?hSmgXӊM|A36z+$/XpD:Ta4`^2 E N۫u_gbf̯4ݹ8i3W!C (W(56Se|̒Gߢ1bToOIc)(TΑ'ZF"Ufu4le8xtP I|yKAwRM9k?oi51{Ҁ 8deQg/.j|wTs R{I'*~εquzeXNrvܲo"4cNe۠6n~FruCv)V`&zF=<xohֱBze2i, j&%Ů :]`*q(1ϳ.=6h9laP` \W@+~ה}WEE!ns.auj~`+:)܅e!҆hiS [_s[m*T[?!7t),u+ʍ_XI)_%SԾOJEFA}Fd+iOn!?x)3^%L:[ TWًG>eOB"1$:nnRNM&hˉ" M.\_6]ɼ쭠1Ybpc eTLǣiktmdFΗ8EB L BTSZ()%p CJ.\O}&Рgc$ovaKZ]?=GjTi pk[\pXs0!Y3ce7i 47$ѩAj` ͛Ad5?|`Tfvҽ(5Q$PQо!f:b?%Ff,۫< E eX-e8ƚ҉2"QԱoj[CFySYP$ݧ<2 *Y2΂$ &@vjք}"Ř {Xq-Xf֐;ᇨݢwXS_F2X9O@M|,! Gu~TG^ЖJnfK;0Jj _ӯN0--wI#__O̓+fRyKQ\{hOñrN6b!Æ Fy>;,~<&W@lꪜc; C[njP*NgiL}bɸM<^RHGo;wdHR]gCDG*=(2J.WtE2_7lDͷjNlvr28OBQ]x 톑]1gvim:pQ@jA^bmoǒ7[vЂ9s/XG< Ya=sPz4l={W(;7ΓU-ڹߔI$k-=f_ &]n_A[,IP`d&p..̵MAWG? !D/F]n 7?p!'q׳z6T* n;ꐤ sS|&?Dc%U·J2o?ziBz%t @@?9Xn zXPMON1xep~ 苐9.K^.N*)P<~S!VhA?씆;IwYuɧȾ#8ɜ+NBڗlp `X)1;cs{B(שGߋ0+Q3Ӹ^?U;:`YO=C:?(4 ۻFHDzdCŜK<$&Q4nQ6HfZ۩/ < _1u |-2-XV=Hʽ:CB99 l%=oo@/)) ^'yO:یd!ZainC;iBAE(FqMU^|)XjUa> >ԊŽgoR\4G܁ d=vgSsQ H$r+lT(:ѝμ'J8LW %|1c]ђ]Yv4sHr۸@~Mf)1215wL,_#Gąxz %mkOQ{paksP_/Y=j]nDrEzfNՇKOX$`L=Ij>^@bf\Ա!M2M3*lz,1=mG'U흺RX6EUhm2sT;LwƻV x?i#} ~SX%Q|yDCZoZ\Qug],Md%ῴ-14P5k ѐ)B:*RӴ7 ѩ+>Y_yP 6s+K5 QΡ@n67Gu.CR͝7׬T~{@~ Oc1 >x*TNYgo[g)* Wôݓc'–c%C -ܾ@Tߎsf6AB<n#3$49bIaH9'R-k[v)I@zOn^72yF1S»Ni)o.xt*ȦAvwozpP"sɰGہ}Mm2T\!2n5/֪>"*I9 ̀XaӞ@W 3ɫyrC2&ac{7rGNh9xju.J %ʠCwҙGFHtܳ)[O3AΨavyĜXxF{}Hvf zRz\<Tly  ٕeY?ާaVN|o#g|V91 *y'< XΪD1XUb:ߘ#ҙezE(An3f Mm@JvjVQXgՉ2Oـ4.~{:aKkyVUE9Mҩ?Z7ٳ-ҟ'J5 |H$~H ԃ@1')<0U =l:^6EA*J_{/ϡa,,>(T cXCd?#Iֈ'ӠZ4Y̎^׵G4 ֐XeuѺ7TDG.rBxAA=N`ں~d Xkܖ֙9J "e6RwǦ-ˡD/Q9 vIͭ[T Rߓ3A"^;j50kw2,~qܲH/mvk Mp$swm-"vJgx `!ܼՒۯPDŧ S"q;q5dxkP!` av1-B+O*?9bYd-IL:UȜA$`7_EL5VeC/SaqNi1Z"Pp`5eZ{"] !~=o_+70Z '3.'IWebuq̼S)3?:#tFVYB*Z ,e0Zha8 ?ϳݿr:ZQۖ5ip0Z\lN~)+,bs%G!wqH;i?pWѼm'&[\IߝhhS7#KM˻OPso(lz4Ms iokߠV| Hٔ/t Y* |ݨEIo`JkɁMd`<-BvC7 p( !'x2SH݊>tl-"FS3}X5 @k@#u6Fgsԡ4@ p>xaB*y`KpȉmRiUppKfEU$RuE ktrf=w)ptTDT@Q`_ۈLWɺc>  >6~=i*J{y$_K{TI@ "Zݰ%]ᱡ!ltdl3!QbKΊ*r? OKJغ*fKt2EP-拨F25#Cۓº+DIžmyZ:;fgêP:9D>|l'Oӥ 5~3{R ΒH&CmEgL:LyTRH4^r; V"_e;vzYTW&. LF)|Ih:Pڨi'!Yd@?GZk(6FpaK?G*5-nj txQ|is{1sƿ\cDg>ADf?+Ѓd_6EJh mڪC xrq3_.ȮT@Έea"'#2{zXw& @T0: #z h";AdcI_Q/ &Vnf>lWSaan@7}2[^]P;GpڸN+$󈖄"ͤ#NsW pn4.' Z& 1^~e#ǻjd: ٵ_su L|wt$ BfգN֡O(._ډG;h$;l!xgM-o]=/oӌ߳ǽ@gZS(շ|4F;p˴Y梞|8 :N]5&j}7kXn֧aI=-GEqaݲc5im:d44/gwhS5oTReعrJ] Ov^n$Eku*k9\<.H.ʡ9eV0:Tۚݺ`S|{ rk_ XH=:& x7}gN~NA |p5 }jL&]5P9ܰE]R"~>~~iźQ &]|?<d[дjb(Ax:V=+@ =uT{;Z-Leҕ)-k@MD#3uؠC$U=۟aY=Y_'I{=9$EM\EN\eh\*0U>2qw3YBMʚw/H{3ǭspX% Lˮp|_^R#2Z>3*@v*'ξ)SXm3kQCȋt\Tg1>k"rj{4VDK&L:58]ܻ7ZrG$6;AOe_3|ֹCF\ɷF8-K4KqF-ï[,bJءҒJ٫e98kr|Yo͜SIƅ*A5CTkfL6+IxS?7@".cslw⟚qt Yo!WZQYT˯L5w)f23\h)Pؠ*2 Tgv&jU/?1v j{2RO*^yꅐnfVct#ZԽȾg:K F:2#6M  &Zy7!2_y`43h#sPq!> 5KtXпqSH)H7eΈJg__‹0; :LQC1ļ;IFmtӛuK(bL# _.ɂ 0D Uc8w1(ꯓ,M(o>& w2}Y}, uEVqHcOBx ψ4彂Yv1 #rpZA7i EdW,S9I)m,ͳP0YG1VVA(NjOk@%sz"yT>ZWZ--ZMӺ& J Kw@θ GdDB!hb+g}^=2૾xi|&<5 $b!3-A*:} ruAioٵr6R\K?s~TVe 5*9iOr(x*rfYԈOkoYfB$[h\pl98Y3W+"Ka$4/y'_OOu~ikâPRqZR#Bc&AV?s`}ZPeƤ zjW\ϷхcMR'5x޸qӀ` kjp9!"C(Qe)ؐHv+3ܓYf\!2D2RYXϾ!CK SQ2{ɻ-Dyy cp\Qh'YibJ%x[VGa"\{u5fK#GYT q+U5IIKMf^LC."t┩iig.c0 OTDց6wk $L#BMPwaQRMo' ms_F +:}-y:sNP%,rA ^,{uIڝ_6iV% j[.(,ZQ%rZZ U"4=-ϤUy %KH0Lo3f]䌂ok,a;Xvݹ]V> s\KD-߻k~;WWV`XJ7唖<Ƈ3iKbj=trPJFh]:c,^Z7ג搭e7?'vƑc^Hr:%cA.Z%{K"fqֹysa? /%yy"5VQ_1S~ZL].iִ/ldӘ="jK- lX#+qtܟSXx!qiyÜu?>ٕ`z8$b~3Ш}!N %r#+Œ:4v x-l%j˥tNFAl=bm!q>޿jcQJ PcrD|P;~4y2 ;Ō!``=dRvj~]gPm*5zQ-רc)NXԷ~ŦJ>7U}^SO<=?c714P50ʴcr*}lfi/c)fX* 8+؏V6 =~PxcjA؇˼KDVt:*A5E2P]Pٵs ~p`|۝Gб`ԜߢT@iDcUfܵlV-!)+2hXʍV$= / SrWk62quWcGW1'է\Kg<+DA:>,FPA"L;|N,N-@Tw`@ՉnY={W:Z?>fe=gJqh@8Wg^u q#'p"3d;f]!uOLLL=9uOvWS[G\]>f:EC'Ç rPܗ*IdaNDLTQ |zb]Ex$x8:ə`{^5Hj+,$w x.紙TL_ r+]T*) I8lLS]GW0!LCY6 J=d E $B~hA2" m6;2FyIkT Kߒb>ܺk&Y1"ȸ m<ҥUl9c>nG=/Orۘ"1!Ĺ;kEea8ƵtUWvoU0iIlk/ԛc jam!B(ix]i0DZ/v#&^Pu;)Ir\>f`8: /ZF/!wQ?+vc(:,2mSN9~׵##QyUCb\8Ϣ-cWn$&Pe(E /_׈'s-4( _ّ{j WG?LqLoЯD4@$Љ/ﰋt; ,z  :ZUz .WaCGОˮ h >';uײ"lM`lhxPHSPܕ aMLx@iXp}YgHfRKP';vDC Nŵ6J_8> _8b_T crPǚ>725̚Dy:\٪wIBR':õ42#M7d[ l ٻ:?`  {Em:29_,/y+~b1Z(+ő[>|i_YVwo^$2ss9!s©; gYiV5Tn_X9U8M Dd[Y젏0IˆѸUlMйļT 3蟹FPǐ?h a?t`h\SV@W,t n8dkc~ * h/jF`Te0 "9XM!߷@:ǘ?Tm^ :Xs֧Y^%C"W|f\r>Cxx̀qqNd^CK鵊b%BD9|imV!,䫴Rٲ5~!>I8GR@ pWu/1o+$9FK! &-n rǶe̕  ń-繲@o QCC\f~Dvx5LBp,,yiQ=# GIt؜>'hlUTLnr1"E* u03+4:1 F|=/ǂq6dΪ;>!J]IJ/.^}<'kʸUACs~}I.^%fymk6M9tsۏpќ|D㍿FkdcGGM< <L.y dL=&fuL:C`~=Ծ׬Scxrw\k|VA%~[7Y##X+1+Fa:k0SԇH/撜- zL _&w/gּCkE)&LRLT/'vq*6salvB@Ϟ׾fcQ_Zq;Ξ7_6$ 52d@,m+o> ē;Jg8]S(mC߲6S̒Ʀeߑ c8lKK2 ZHi1r-iEz:CϞjblHiӑW+T) g.I73X3ɞ;VjqAFyIwƒIҙK(Co82#̏K :Jj'a: V~7yh/)}сum96p`>zĘXv`K>9 (hOXEK$+zN)n=}[6#1,pZړk#'RSsS4f|:H+\1+JY -o%AkOڼ@{R)}7i ^Z)|P_c?{M墈6VO F4/GWYd1sJ~Goi4{(Mn)Y՛4llHhqJL3ѫ$(SQ~1Tǽ~-ǽ$0JF|&J"1^iGE˝A":WZR1̅Jt} MQL SA E7WG2tʃHWsf7 4" ixDa` A~߸K(l~Ku 0;ЄIewۃ);ٺg,']E׻D=)V/v{ =du 6p]:Z~QS Ot ς'|sa䒤s%꯱`ʉƸa8 vI$d6#w@@z0FnFC  Te rlPC eH)U;{Yh<.K~=ln;zBݏtC)Q1s!+, 1s}(v2wbdb#.&H? ZQGe=}L7/JN㰏Hco_9 67ҥ H} M"l- k8: ; .B6FMʚŪ5hNraH>k#Vn`*ugFҷEPIcT_ʥ fb(긗V>Zk92R؂K$Ejz ETd]ej&6ߚ)/NZ,s \yN]֛N4U|w,Xd(b6Yln%KnSxvG9^ڙ<}FNx5R&խuQyoJa+jȫ3:.LU- xe=X{pݹ2B$P^-9Y W֟Cdo_C,pM*7䒓(8FͱY~zաI?%d3KcPZA,Ty 2(|gd$peEU~qSͫg'ƾݦ*aR̦ F)݌9R~9rζH6'=lַ:}y695 Z-wst6gڑ)'n.3 "|S9ٌp8>UN9K+ʊ hYV:z6 Y`5 KqqZUwMZkNvO8kN0#?M,,rΏoDCj;;'Vaf4V6ӵ |#ˑ@#H8Ay|XZL_&:\0mL0*-* >8)s#A ۅ$kr#}:{v}4) UKLVջ~mC56Y, !Q⺛V$kUD/r@k9֌K &Yd`[7 Ts^֪\Qk@`ͳѓY>SWE2WI S/˃Gs-^nV@缔F}3bx5=Ks {[z L^_^aq7VC+b6OwL:ѣ#&md"F䞮Z=4o&-<[}.X=hI9ٔ:Χ{K(.;vcO=gLɜ;K]o#afPMJST3f2IzoŎ u~j u226j:p1T4͞EQ|G?VāHCf:7̨c/V_҇8a2+&1ci4ne/vfJ?w3=|~]vc,צc)S1hU6?iY Xf+xM,^N̹b́#526wH"4CC\.jn[ӆ3V9^,G2WM=n^XvDYJ| M(Fo9#8ұIb!"Qͥ ͮJ (j]"a=>x#PBz׈w$v3W'ңU ibOLǁtnh`FuA _h"WքWz #܎ߏ*V]Z<=Z(G0.^s2"d *Hm'rwyNH),`F,CKO{`m^f W^5wC|V#S='8>?'7TpB`%hر2npZ*Sϒ:9IF6}Qka=V.44t6{+ Jg7{.lԼ_~I(b f*$kN/GhwIa"_Iy߽0uE2]aIw-{n(hsS gsZF];N~0>hk{@ Ø*2:za^mnfSH=$ɣfgy ?) \`^^{֣j3pdK-fz*zi(iV}I$ǀ03@\pSHiB!ݜ\[ǩcGgw3Jc}wye2j A1/l)/{ >R}8L _uٍ1zv-bCui ,KJa0JUuK7BJq! ÑĪ%|0/8PQ["hF\S .1y:{̚QYAp +5y"9;"ZH XQ&5ÌoM#6bf&C 9TAz{̅n 564<9r? ' .|R|y{ CQ{lxJRƆ5nཱིr?hb[Wѩb!OnG!gw}MSKNaumrn!Ⓞp fF@ hGYc:hd/uB,TAiү S&x&Ur2Rv+Yh&Wd L3LyO+6p9r[ITUZnȒDwÅ=<+KX"ʍpeP0gl 3}rf6qoY9Ȇ Rr֥TL_1 Æ&JMG?=9zParkd0@ G'|ڀ'fnB"hqAf;ugK-nrwD21<^ oG`h GDwe\SG`h"0\ist{;Gdp 'ҫ,^);1: /4f>|װdɚ[ Ȼ3xXwm/hw'( r\R]BRͺgG$߀Ep0g` qڣˏ+z&[:yյ s{i,=~xТ!#Ϸ z貂!j"緜%@IqJ_ #~4R-o3' gR{q>6ft\D-i#8H/ewLj.}3+|z70[8ż.FmA팉 LWi. 6:qMҒ>y]}bh2&|My\(\ɠ0KK (-p0;H, dXivaՓQ5o`LjHTdլM~(v"v'P+š'=z!=Jօ]o%]Z׭ܕKMOOnq-#⍲970 bT"O}ƚ1U7< K$ eP]VP7jha}i)cg=U\aD0gs/P989q|Mvbg\֨ C!u䘿pk_-}(-6Ǟu-4 LdRYe Snsuz(e1VADk#kLO*qDpڡ QbRC?uGӆe6RVژ=8 Lvye9tuOw3^9D ޹Y"B$ۢ^oBچs]^:9'{Y&)eNdyZyTIB$ԕv &nL5Grb;&I3H jpOz`lgf)~=?ǧRS49[8>i lNpp؏.YDea˕ [<2D/M;גSee۰V~9Ľyg˼ҵlj:S-(_#DK&P-1&Q*CFrG@~> $&i8X I~5F3x1iqCX>^Cc4J؅0T`,=:y@("4+bԯYhw{+a陮tUxuJA,)g,7YÆ~(kPY:t=J0^Pu.AӢNݏ.YjcȦVw[`Q%6t)sE|޺tK,0}=A'm8W=EN_C+\B4h%*W ]lZ0cEkQn仫ŧG\l0 &0AFQv88M8kԔG1+N|h'\]փ I1xy> u*W0,ౣ[vn~_ٷ -n 7L|QLUVe'!G\PɮYt"(&w >-/d܈iԼURS$KyPfOmT,QQt+G6X[(aJQhLs>%8?ؓ^K>2c:m8 s`Uq9wpI^1{>Riw<:;7FU!5n(7Z82x<4_Ž%Az z#;qUyQgH4&ih zIQb!G#)s&K։m`OI<{?<8[y@d!~SM?MUL )k4:Arf; #mPMwy>ʧfA079?>S2r¾7zZ8YͽoO;kr1SJVp+:B:AhO/W3M#(Xm5N욦UɼWy 2"TZ2ֳ&_;J/v!("$[Z!eWŪiŮ hdŌ*V֡w1,@t6+Xʒn8c旄PH$+koAOj{I.prS.p8bakyQW@qm;ش`Ko/ |̞ $ټd#ͤk~+087A[너]kL$\ Ҙ}u0@sؾlmgNpQ_r,#%BJ"OSE[`B6RC6q4iüS N J[喁c{=N~T&ybt Cת'aB g6m%8R'}b(g3CfAP~x9e}TDo1 &2i"[eS %4@dM_NC(>AR፡L:ćZ&s )k՜ 8GlmQhihe |P`Ftg^*ʼ%AU$wyR?KM?w;Ɯd^Z_ ,ZV|@v0* aN: <={YPp O%T/[D15f1:2>Etٯې2񪁆I.5RMQ4G&,f:nAyvd~M |w0-uK9l7L$PԳ\ۇznHo#aNc%qD{Q[rZ/<̇hϑ;X Xh I}yR%zK4dO!rI܈/IPNb z]~z32ǖ~Zz[K2O FuF);AK/3еVM',{ { pWWݑb[(}8 5ts^EX )`&.ǽ?iGoD>68v *v[2]薌J:k?.u:tSw)Pz)F{:PHkNx;)̀@IIw2C&V2jn! ɛτ2"-ł#T^7ūvWGj' xvԳ ޞw8K<7B4 "cUv? &1Z~~4y2m+t(z;M2D">7fr|H=/.Ꞽ)a?юYvwh{W?ކI%X>zGbayVWT-qaq1bkֺkJ*p a%qu*E$L!}0g$8#*"_!aώp;;)0XnMgNmb8Q- vRo^䍍VUԡm't-#Է?9DŽ/aTG_!vD8:k<6 V$H/a7*nLe,0DPdHOۧk[C]؝TZ`ڹ5zޖ5ug(`~vÖ(_ub\`E/M8f&\\vD} 1mhvͤXyCm8 nTa^jBj MmION$sVetK^!act <ļ~S}28\dxc*w央fk_8dg`&ZC[ /&Ši{͑;K0P[]faJ]A*\ wAu#غǔDq ϯq#]rM򑃬ڵ4Ryɸ0.US+ {7C8UƖ(LiZjO$0LDTZ2>:=| d@]WrADE˰&;%mer'\zT)&DVjϝzEį7mEmZLSߘ㴨,; "vГ½Oybd{9f ED_LU1 tq|8ߩ4L::5we@zh /fV t14`eRfW q |3%qt;J(ªe1ʄ-!oVh&^'PP϶2GRNo|o⍛.P6h`e)ѩO%x8UFJW\a-5}[^7ةbUyA,RpW]tZ͂ +cRW) !St\7.=܄=d6_JϞ"eXFȶ >Z P# 8}9hD,Ђ.)ܭ8̅~y'Ϭ~ DǬًy ?^q0](6&ԅ9Dc24£ )nV0FxKg绺~@˔qD+ z5%%}eg^—i:䷒`dvBњdn(~ycDE4iq\YqҮf>_Pjm~chj̓+C%@k'6?Ň+a%Ed@4kR~DYQCGY&Y41VuaPVqمiL`D\Th~ m$ha8zQK (WIjVU(? :[ 91D -t%H: wSV \ΪyCMWz\rN #]0RTq<`mB"sسn~'Sf'ҫǥ8f,#Jn* {+>&0q.rsMCʰJ0I=ԺOoe.><,kŌW/&AfKΔ2 ttT{þJNq(_[PN82< !R J[<BP%R,QnD"ybTIl͌\ZGF`6D>V8C^#y4sQT Ky|ڞ/:qǥ=A1<ܼsm]J*kDi#$k2~^zY2'o*_B^dҔ6z{?K..@W1_1 "3'CgJ8㊐tvz٩R+.e=@X[6SQ@5! U*[Dنs&|С: q62E9&]~|dMe=c"~^S}`n=ltUY_h9rB{[]͌e5n6q8 S=Rec? W rRUpuBt>ʯ7/m+z}*wAT r&;^XEu{O zMttX݉ě+EF۴UKV9D sk@B}&;kHuyդ?xf{qY2xxir N5~9ui+as9Ð1(4L9ᎆIMEH|G{5om; łUPêvZ9HD >"{OVM ?~ zo㐣А \pvQ哘Zhz|l+s=~2|\oASšm^a3_)bƨ+:z53V/ːnGeSTz/KK8:")w;\|Vq_*pCt[!Χ8ԇO蔭˗}ض8:ȅ=/i&f՝'h鸾r2? ^o3_C9z-`ePy ۆT$Gzy*?~Ws/t. TO>3DZC.ѲA?!" ^/t |u[$@E#mP U_T4B|r}GfH'?$ yVJPIJ'>mʵOĄUqgnٌxaG%@$M, fP> ٹi7|w×\.k4?&cR.[a¿3)zlU~[<~aO^,l-寐_ʩY¿$V|Z<_ zcސaikq3 W1S/<\IiGu!YnٚƤHf pbEut Q〉Sj?>9cl3K4zJ^GMwQ8[+ʯjll4ulj*QtEc\ Q#/7Nr8!ǕcV|Pai2߲ڔQ?n߂L }&˴̤}l@*ƚ`?v(֘KUFl pNK,Cw}+%#AbLvpcU!g1^IfB^)}a?.Y{VR@ຢS T($l5R p[ Gv51]ͯ(?ڐ`Aq#`ADEFv=a´ fNN^2)mW<7~spN^jz! Pn寮PZ73Av%\W $WŔV: d}Yb4g?x(G_psF]$UŤó qFgb]Մ4Mr1ra˲|krm̡"dwpOE !10|f@ &dzr t@)Ȍ-uz'~gI8CzPV\~e5>{p)>CkE{,B}{ΝV%J.zQglc/HJ4Zڝmm"fxu71e96B]6{ 9y6n9UF VH.ǬNV-vfi\eCh"1 25Z+WP5Wff&x+S5bR_GGv}@#ImL $(pXU#Xx'( õ |& G@}XCUdKD>EBXL0{À=9J p[\NU%VS0'qO0ݒ{,ۅ MѨfdmXDṊrmm .6 d1wE" Ad`{<}Wkۃz\գXm9krgVC)P'I0fV)I` WeB#ǘc7]DE}4;dtktRk>>ȂGӱ!2i ~r)lj{r{a\vĂ8Q\r1۳V:|s Jw &PQF&#8B?/$^@O]$W7z@Mg]zR} D<'QKbScDduE£>-Vx7KR.ԹN,ӊK׳ռ:nd4~ʒĮG/"oPm(HS F!}&*8EeB`jɻe/G-sWYXvf;7R 2caFwk2T=lM/gfto%t)JW#ج,숣ܷǼx\16Arln54MaѦ{ۜb"CeY0U^϶CgGF ax7u+*ª eZ Hd&Đ/ݖ<Ǔ+!0*yjیfIZs℈y "E)*ދo ?+ J##iD) 8H(ahפ  ׯ^#.Rqߒ(L'#=#1jn~6YFX& ,[-߉ }7Nn#U1l#1ًi {{%'^ }l5.6L!o0Nq꺓X^R튞1"dB|#ho5Ź@yKJ/vϕPlo5aH ȅ'PjUUrއc5{jO*Wp9u5X6$TN4&Ksn6aUGe1Hgv"-'BlՠVu.> _ܮFTi꩘bjDWpAe&6C%YZ'` %%|5-zÆ婃V -p9]>~y\|2e4Qm] UuL`A׷g%~O2,~#rf(𲃖)V~ȜpaZ?#~_z|__:+OdH~{$, $֌ k&fV[ȉ=S{3ԦBbT{L,OK%MDkL/ْ+4}cQ-sMhVc4C~ j89@*cC F,ZOO16nmB&:-ڶ^ Tj f*mLu S7 R&5`)19^1k]9-DHj$I`1%`Wp2@dԵb>3"2z!vX7zP Bԕ]SJA*ApD˫w}a9CVyHt0W61J5\WVO]Aqf 0/Fy0uUU^OpV#XޗDCkQ$eڭ_^+]ꔸ̃|6 Ls <:ׇ?-j0w6dSO:$Gtsd>bT1Oz}<$~̖.|CO6pXs ܬyLOd6?C_nu7F8 L:0!)8Eu 斞7N 'ߗ[ʗ;-sCF crNV!Z7LOɜi3SᒟB8t}U Yp5Sfe&"\f͈%ZYZC-1ʩaB?g{su>#Hn-ö_ZR2Dl);U}o jgJ%7,c[^^j/Ɣ &\BL9Զ,מH&QNSYI~EUpjܬoyF6BW8Ā|֎|1N(n*i"f'Rh7c>y1>Dģ{moD ْf~ ;/TFْ+;H 9PS!N(Խ>wK@N)\1 B5 f GV?*R'o‰̓-lV?L,{vPf3P p?ްX&$?LU%Hume֏+~5uAdy R;, e|:4 5;0VW4oW&hG1s]  me|Ut=+utrͧҥaLu){c 1,,FYVq.^ǐGikPJ 9Yo#~7#ol9Xbhw]*;wo^ ^EsaTt="m  3d'Rl-P(e$32)E6iW?թ:UWitק@A+uXzO:* [gqvQy ΃[(*IIR5yN8ˆo6YL,ܾ97OvКrAy/dY;bvUz4l@&{2g [;I2eR؟#;5BC.ߴ+"[IRRSgؿ4cM|ndXtݢ4f#1hJ6-PH맹˫OW !:|Q`㟲U)˭?,vbє].r/1JKU^n_DL!6tf؝`2ʴ!<ŃOP"s.CB™;j¨ !O+.G{zynpS/ЂXgf:7F" ;'̉<) .yM` ECҺ۔s1T٭@=VL"p Xo {UP,d7kORWl#ķzbQ:k0X6bV9(=<,Mir +~7JQ.^?5\ʈn~%#uk>Aۃ[#τU圴+5^xO1ʈ>mԲkfbνY&͸sKܼ!sdlyvǟUCrf _0Z)ʐ˹ɀɸkcd1`D&B>btfxp.*]$!iqVw*3T~wwHn*naVF'$37ùՕ 鵥Fs3$MVԓrٟ}\u/2_%lGM(ݺa?P͌Z,i5g u!;yt?T&d^y 4PG&dYgQ\A35b+N~.#rM;6q7lk_ ΏMK"6_ k7BMcFG&Q;v:wi1{Ϛm'ݪn?蜫_Ǘ *^ $Ke~Lsd,$T=RkRwfnB1<1&{:(`1`HW Aey-6HbAs xaѫHL4A8HtO{m~M88tY-Lb:SzR yjrpF%`юF/wY>XABGɩ^KK,dj4ac>ʺ) qOPw xVS&:wǢb!@(^̟O9Ӊ݋Ic}M>E&!l2vo5*EJA2}ע Uz>KuL̫f& X$iSD*~O+*98N^I.'f ʐj؜T-&u<)恂$t&w M[r\'}aK;7ػ/ Yl$fㅶApnm'@9\' pj N+X"~aW0hnIW5}Q;/)Qx4}x@A1.9 lF6Y<ީl/1!30jS\_37%:I430j8-T̆6|yO:EUvb6g?ZuY&R5/#`&I&f^Ta;bl1lXv?8NhFgm{"rB.?.I pR8D2Q1e-~iPY<%F.Y#ʒq qe}/]6\kQKѬ9GUQϧ?-xhQp&Xqt@ =vtY:^ͭ'=jt8U/7QF "xΌ\mʨK se%Q %5Ge/2 /ִd C4F! gg臧?]\R)bSݷZ]K$XIi ˩2]8΅ 8+,*N}x^JHN]=oDm M^|@eRUO 8ǡx*-g!aGį N'{K<ǯ;XFH4M*uTwP|LJuw^|\ԡ @7fzt/7 iSo{:_MWJ-85m4w|9>ZQb;oU 98燃郎[rϬ fTP~qQUzK,[N"Z+'zK< %|K.v]"/ ";`d-T*r$А7I:ӡ^=gԩ0$!ΠN͕N*iͬ1r\fgXw~bK7} >Ӫc> ux܉|?I4++{7uk>N }AsǩtznT }#&b GSCq,̈́>԰K(VeZk`|M\>i4YlRA!J~4 .!AjsE!ߥEY 1`и>Kr-}?쫛:"N XÍrvǙt#ȄqUn/IpD1n2sP:GSphWw]$mlm7Ĉa0i\ g΀-DR^a"D\q*ڋ̃|5z ޠ gJxBW*36OMtOERq:-R4ӯ24N8%~DNVh4@ф(Pz<wcرacU?qsB1"8,`+pR!m <8kJ`A 2A N|h04^eK?: {89Ab$dց"v 쌅ggc`h_>6Y7jn~{XҴ3SL:mH97omʋ]r<OQZ1n!!$/B:,w¹xǟ|[ggÌhvZê:Ҩ4j[G-aVЌ#2 CɁ_+[8Z ]V~ 18Z;U #&aܥp+x셮NJ(ӋT` a;)B UέC CaC -^$ |dujm|-UϒMx累^ W2ǝXޜќQrƅv ⯓UWY_h(t0[umNsBFc ,|IJd`R)ʎb4s6kA_nDqUq KN+zw%#\ܷ:@u!GjfymZ]\˝{Mz/yw3ЬDMpiEMiT^opXsL ëti1v5plNsJ"f*җ,-o~1yn0TNa(+ =r,%WxYF0Đ~>ĸ0=*J`KqylNICE7R-0CR] Ҽo<ܞRR)IY$dVE6Al.($ YMV^öA,}˅^TγZs#  K خl7_UA%>g~DamMJ<<7u2bZ=pIe۞6}G4uUJA33'(q{a#z -$hcP4OC_=3\w.,PM0:)nlne~NR Mb5OD2!aۡ4)GS;ݒl@cWV@=@>'zEmhle'ݥ̩ܤAĉ8 ˆ/yȯ`\X-O~N-32ٔ*5\L3USVOXJϐ%;&'NJxCk;.}ok"&v_^-b >y9Lfo=fPl~%ЫO ~^LuAcz>%D8A| iK?A].@.Ң: _LąˉEo̓EАiORbjE?/xhXT=!3g39۪lrq(tY~t(݆t1"/:]>)+fHP7LAgƄr :h QR mP=bw]U)>v kz-hz9`K{b@`PKC~y 9cRּ=O-5E_b{ʂ`b]fuTܥ[Who"Ӽlφi޺ اaܔ6A:ݔ7$!CqD !h57.w8q2a{v7Eȟ0NJPnf_qL7C+1(!/V\8%Wz;=GzlPQyKUc?oE"ips"oUVD{I3H7HMgRIjPrsQ,=p BE8%q1ˀ< 2 'dH0=&YéHw3g H}Sbj$L<Z&Nڻn]fH.ڧ>ހS?qʦQUPEbPET)fU!(/U-g vV/>zM(Di@< W)^=f<]#@d#>JA$ >Ol/z@r#ΣpC ޢ-ilۄk%oy/{ӢjU1%R@a,鷟#TMfxODQk`,CLqWb^HqKwAO,ec>2mIZ 7D˳չp Up3!!<(}L 1aI,SZ2%F"oL2hBbDAowvȧ%AߕUP(,t'㄁,rt-`ˁGrr01QXȴwM,D!6q^湆yniYs/KOrtsKz,ʮDQrY)֚ӏ&ȳOnlm7dM1-|5}bfbaub(Xb-w8l BVl2G8V6l3%";W &bwRX4c'SAήɏ&[EI;0@U_OF?x:tu6T56}.f.WH`qB662Mj2 Pݜ *NxV"% y&Ѱ9uBz5LF Nش<9ko:,csiD$CbE3ytpFzWRxòU?u(OO]QӇ[LX} eց2; Q^ͅ)ѺNOk7%_2uiUW Рspg?g@Ѳ$V$RIb7[ݧtPhLb\"σ`Mh"Fȍ 5  Ga?V|n`I2 kS`S2%).bG[k2jc&"8'AZW4-+Xekυ~NXٜ,,!Yř =kBퟨ%5`o@]=0csG.Q%5by'TŸj$ G @l{mCFPQ#k)ͭ rAS\g4\5= ^4aN0X[pXC޳&]s/+HgmW`[Zfosw '\]͚I(^vZ@(g , ^nsIR-fx?zWnoե-u{*htN^A6hX+AZ>Gf(g߿W4p}LXdCER0H @qx^4Uk} ՕA%@a ]#ƽ3 42. #sɅH߰;>:5TX.3'+<>KN=rb)">,3''J@p;PX.;b”|aTCPnKx@5QAK_Vĥ ?<"3ENղ͉uw'JWPa47 9}v-^ฃe2oQ;[8O֣۞]5V{=?7HG3ˆ˫$c顡wj vNBe>v=,JħCB\r&DNm>* PA3Bgwljo*lPm42:= z ǹ3 / 1ۨ6禕mŁ+-X饎pD6v 7Qg4mFjQ |KH$#iY5ghhsBC[3C+)V`ҜNe% ]o!|A<ٰe%,ˏraVqT@~וX`ކVdk")ok$(} W"yѦ^=\4X1N:ޭ׸Z'@? .H,. g\7/c[w;/~k >|?+4戰7des6/ga]1]7w {[b/2C~NGhNL3Rp##mFr܋'T׌" s(t,Qo:= #]bMh`5 TثSW,.t*ƦuQa%俄u'iLV- "Jn<5$•ޕ2]Kxlct{Mj48EZh8},mLe^{_&8=iַB 0]'X\qb^-'iuus,d"}(43!1 bWZҮXMu .+: ap,O |2-Qq~{i6(Oo@lUer$6Z!G\\8g65@x5+Fees?8 ( a#<|t1aݾX7caOp!]Z(9X9|z2hpq .k  W+JF0줛fr+I^M4[\C/J&]J-h-K0v(zgP?>{4\Y:A_9K4RuybttģwwM5 b)8PhFRCR}0fYC~xU~%D8`u HMH:%qyJMk-yzqܣyr@d(*(. )Nbm1d.3cijc8 ~]~my+L4/Ut* ^N1!G2wMq\ȁDUlf4%POtHÊqtmDoH/7K[֔&O&^ C5'`^-v}DI\\d dDoVL5nU4h [*<`TnKa,*J~uǻdB`Jn|-ďV}b a_qM&a/AUT[ Ht[ם]q??YDNrۓ+{'tՄTOIp`x8*[/%`įr g0Nn}ʂmg'r(u@խP~Ury1yHl$l㨎96#9)$aE`A^aoa[Xltaw&1hn< }ݥ&qTaG_7p]&_:{@"V MY)%KY l~bn FushGoY6(4s'O͇7V_IoSfHr2aR 7z4/nY LC0\˾Rw!/(w11gW8-)}C,yFma"Pj"NEOrWGcR56 Ht8MÞq9RGd j{KcUr $@d R@RLn=1<p>"pGwXI0zm^쑨O\7 uv%?5z`# 7}(\5V l ZMnD0hUzd3%NNZhR Vkb·)ܶFᣘZ59zڛ UF#9VfF\"AO3{C0}DSo*DV,kW/ &t6S3H%5; N qDdL>_!L)cbky*$_&Qblb `Qضn.vfeEjТ ‹ĶĆb>3~yI)zwr/$0O/Hmկҝ G ؙׅT(G<^\d}oozu+i*_i#'ZNga{¹r4$]mΙ*P nQ4$)s7R^֚kz]3v՜vbK}џ75_і,\΄*;TsMU5꛷ЩR<+]զY]4ثReY4%wDȰ^Dx3P u}o@H>D+6CL&en!dcETACTȺqS VO{K0ĥȋYJ/*CơH[T|1\p+eEΏhb[rC*00UT"4s'ijI*c䎣O Ha >~GT%k e k␾-C W03&^l]XjHW a] 7Q7}Kh9Hd%ZzK7D0uHy)IDק't/Cm.xη7(ԂI)^z8Uȝ8@ {E?oG/B'VG:QD1 yhm{ȶ{ά̹Wq揰[MylQ)%l\t1eŴҥy1Ն?bW& _ "宩ֶ웦 Y',vTd3èCc>ܡ ^fWUNӋS$owez.VyxSewtq&;њ/TkLN=[ަvfl\;;j-468֒d >cߒـ`a)//sYk|f[U"Bc6'wE'orᐝe@{"mv9& Ҡ6*@,ir :↥QVx/_Zݒs!xXjޘB8THJYvS$6ίz_ٹAF*A w iVPu&v(҅(JGIC ,U%ncg/^kM$\ȣp} =o2+ڈ^G&jFe" uWvf)S٫tN?ByꜤA98WeqAd W䎄Cd8r/k}?+^OƒQ״x'v\׭H-%2wP1v^g;Pk{u({|~Ad-ZxO?5V%K8M#ENUgz vx%<*Ѐ̰F >H"{`c$U䱢K@`6pT/شU,_ `1jC[:H`O;CFhI1G1(Ϣjf=EQm&O2m5/4$D^މUAQ-7آ ND˲툂YfݥӯɨR b~Zt[l@?וe. ȭU>瓌.Պpb<ւv݋ok)~iջ>clmuwY"2z/XL(ߜ%dlѱgqV)y~kB;$S1Q—qܿ=G)SЎ! ckziPm-Q}7 ~C~fgIqZcz$ 2{ʙu jo}Ǟ4I z4|$@vmE3Iva1 UbF'S.ۂA Ux{H2Y!խu 9޼Y*=vkNXҺ9Fu4Q3t̖1YwHO֫y1CW:ĴA(h7XS! ՚ƥ!GhV;%0QuPЈ eFekϦ l|t:05JMiZ"<|7\$ك9?L>T Yb&݈HCh 4Oz1SŠ ȋ쿚-\hߗn.9*}][P!>I4%Qpgx/Ǚ o2{Sc<7 ݙDe-qDPO^*z 'Š`*|J&4OK 涻v|k7\^ͦbݫFƧN60$f; P/jW/R&wĢע L&|)nIsNuy`꾂/hy,Ϥ}?&ɭոvk;ɋw;GZa _}_)f\$|%хK#r;0]Qp-I3ݻYI5fs[yF)F~4osWC PMȂ$v?]Z}9v0@wc7KM <߈|R O}?>fUT!^߉uHV14UN%"zv=u(6xxPJoLͥ#tl;ccܒGQuypMpɵGbqjX\<&6ZL|2Qö*܍٣M+Bߕ}wN5G}%&= 㘟1e73) p(륢^U̯iPv XAJ'tް.A}xMl|RZ[p+ZJ3>(oOQ9G,~rGL ?$>K)O͵|1޺b2ESyx 98/ ahZ5̨J^T4uknON[Ď\]pkPydȝuUy!D61`H9!hH_[9y xrX)/t$ zZUtMQZft9S M c'1]lľ1mrOScnqՂ'qw[q ?c& [5Nnk~+ic J^z" F:Z|b4]6&I(w~inϵg;7pfpE-g[NOʁ!c?=<]wNJ.:>>˺tȯS74v.DFwP7nv(cU o0M*jV;Q -99x Tw _&nT?_.Сe8N\Ӣh[7'B-{I6,Y&kW"чoe}3h/[ T2LJ A{;]`Z{EҜid *P`w۲A6@עe|5OF$2SyEbL5ϛ#:_#8J7j 3،Sm.f?;;FQ܅%$I%Σ#]1RI^nI|35VIq%$h3ee3>ukM꒗X-0EH1Jnϸ&r6)v t5D>fN!F w+kL!ܿm?K030qQIF<5DUѢCn {btJHmgߵR5֛ M !ϡ&.R2yURLtĘ)4'9==kl3H6p9e1MtR/Í L=fV/?cÏюqYj-/>fa|KHޡC Ŭ73~]+*G~Fڋ?d){g%_@(~'}SRӢ,3K?_6<"4Ƣ >2UzI6\ H:n#4jXB3凎ysKO$w9F*7_o0]jшh#W ;t3Z\rUޘo,5۶ 9m3bA`{zM}Dt$?d-1ψ?oKusJǭ<2KKv撟0qaޡWCH;yjA sytkHʶ\FZYxHcR2 5՗_RI[f0ظhJ 4@N9Iq:&0ҀufA7 ?ТmD}ۀ8[Lf۲{EsU*YrgaO4$.xMMVw*y= t|w8%.!鍏v X*UR5 ˙>|'hjru6qXm2'D\/&AF"ʢ{Gt}Sfe6! p<@/Qv+JUU D_ wP q8X7p5X/do oV NǍR09wBaҘ&yQE!^3T/A-Ae@K~-F?ȧ}OGWҢ.A߰+iMKz }gxX{ܯJNzTt"x{nF4cDX)X10('⇸_bwTV] ,sy]^Yv` sQ]HA./A|yriWˠ.uW8X3˟Tlq?¨Ue\ ʍA|{:fPQ@]-Hl9hZJXy{r&A].dxJܦ7 e悮-npyXl[5mqkUTix,q'^Ɣ:;Ʌ"bmP|#ugxr\6xZ|DIId`{i'J.ˤc(hoΡ t\9}p#1 8i2F;HeY͕K+kY3]18 oEІCNL ^SIW*BG.F|&nr?)u̎gbDh*9`~49ibhzu1^@Ubr-^,Q/=:4 AJ __1<N9ld@ )LΡyzTK-)1#^W8!H=ZsmdZݒ1/!~ 0}Wkv۵vbyqʵ-m q#$q)3h];1ߧHl s61EŃ3^#;D[VYsJUe_0@2lKFTLg> [9&*Xf jc% 3u0(%yz* ?^1ڡlً3Е6;ע]]?lH\[$3 N')-}`\xp;zit?%@Zw6tZˠCgUؒyC;҆nPir$kM(y&q'qy3`)sYZj/ g1Ȕ+i_ߖWfYVk&[. +!ruȌh+bAES5YFGBG|~mzQr/ن/!"ʈ:s~gEpZMEI%hu-ՠ5ֹ%YT&>5.⑃J*fZҍB! xt楃D΅8¡D1CM0&[ hd俽em60)P{Ŗ}ӳ X Y,7fp@ykŠw l*شmVF} ۗ駴 ! [!B?R@8[+r J;W6k8Dr(ծC(12/"RPũ.sf3ȥtSMhҹe0w[pۅŗ/Κl)vͣ\ 2U 驔z(Mg!z_fűb/ adc^z6XbdWU_Yg7jQ{n^t+`<'q QsŸ ]CSiq5QI:{($\!qeCT bMXq+r B᷌ 3J+[w(%a@g Bqob;WXE 2ҧU;_iT~SIJ+Jl/ۅ# mD;Rq咤UQdYex͉C+c2E#auʬܘR;cpƢEȋPT~.:,£e~t'];([HdD< A#GFD-XK 6;TÛ|t\bT8qV}t@i ƅr$D_MVP귱96Jn P#f& SAZW' .We7cP5MAaEO; 6ֆj.Ί$-4GЇOxmȪt DN@)(GKqW<=jV.)>y {vo4Qh,dG0襘G,gLz|JWz" izEPaǎYI*rW* H㼱NMĒڗț۹e:ɓ%xت{jY#L@_OεEqYpa vߣ_㻝2;`M#GKA-1 }8ZdVF\M!l C ѩyMEaz33bsPķbgX Xq){{m>ixjlm@h"8 Uh&xu=&TJ8ؑRxu;O$:@$>z1/;DA%l՝.%/'V~l-&.RP%CuUG\IW+QX AHp[G&kQճ_&W ,D$6@Ǝ:qp"}a2`>n_$;t~Je@ y8j:GXdْ~w/XSGD-g |H<*|S8r޺|ZџOڡk bU0|n޾ux6-̵;p1_5o,`I8u*н#C6"Ex?ɔ*һ{ o{޴(J뀩OޝBګ>eDcļP"LM.$->ih== 挒bGїM̜wF`c\5A'\sD증nL>c\m#gdg,PIW+YԵjB D$ 8;A2nJVG83f 7n䡰]8-g5N]/#*T3X!*F3ɷ+uh.ezR۸|M&MUzr㬢DRݶpt:~M%\hArAC,:U7sɋLZ>Fibh,vf/]@5Y#F7xu@ƽ<q~zAJB[2#y`%hXIB Qz؟7A\V @ɗ|L%誺BXB}s`FS8ؗڣΗٺaX8uӈM, J*`fd=;1QQ~]1lCіAyx>v/ĻqOi- h򾴤@M!]xEhwZ2\r?CM3~ɑl+ WXpa]^AQ9RǽEfxf#xJMbH(;:,v[=i ]epť, .ZjZ=#Dzz_a’ l.,~R;3mN^4~Aj=n<#SD+:# D[9<xS| s &% dm 0W8JŪ#-<@>^@H k Qڐ2~!b`ߟeWW:(/|Pi] QFGnհyʶ-ZIJE3 of@V DFgAԶ`FJ.*@$Q&][\V[,?d%*!޺0T߾%!_LS#ۂz Dګ1P#p ]}G]U2o;נ0ax1 >諌Ȭ,>-5&)+,>p,p-t o=DެR0dCj@㊇0t#M'i)yAp4}b ߏx4GP]"O]Kfwc9~90Sd1 ^n狀sIC)\t$Y,ey{#iU[Ū4 77;w%AM%{׵>%_'mU(Ap@b3Sn 7VT;` V':KKhjfk큿EH:Ur@t*h$m/K5UUR>x*ǐWb̸C m&Xz$㡣>/Gq3.y&Qbd 1| $h/|r&ڽPOhJv %$q~aS ?0SUsc /d{kfjHOɃ=\\1.V:P-8_{0Doe햋ꇛj鰢0\֐* = )@=QqeDXY+or >}?6E}_T5lQ^p9AeKt*{4yƒm/V}Fb_s +GCG%KT9LJaC7xLp2tcBo &hGIs Ceܕ- yQaTwEG4#(&7aa lAw CjW{!d}ʠj4?fIH9q4ʮ^$`]bL͈?%JZW+S,ɩ)HFIߡJ/n;YIQ6G}v 2Rxjf 9b[Xs?Cym"Lneh LyFzyW(]K/rw>vq`7̍e(>]D= X! $<ҸH<}e;;Xn!6=hӃZ~58?:`nƋf23# ;%QjpuܧԺڕg`" T+rbMGYe˃lh*sE5rqǼ0lp"~3t<:D5L;$=TRDiMtj`ٯʱsHPM7ƣ`[Ң'E`TL(^U<+{7d$5~UM7£Gs7Krn,^ ;|^08=5 rxPׅ0Cԓ̚(,1Sc+_Bs>F\ _ٓʓU+&8hxBl2E4Ϋ9<JHFn0A 7/eTm=w2jhܵI)C98>OsCyz@cr/u 1;<>!MTw\7!N d5g)ꇸLW!>xS" {f/=(}>4'-qeXvF>&Bt琀*~*bOؔ'NA> +$Z'،}iGwj}W.5= s7&~FSibT 6#cdȜ'WaC%tlÁ-}™^=5OcuOM!˛٬4kZְxnUޮSӉe32! ZzwP/1;h_޷0LΣ{"ܭ2"Fk"av ہS[bykJh?J j;ά3߇Ri{f%XH.?$- r- ͑SnGe2GJf_J<^~ ,ІpҲK\(jKv-VR̫LB):8~`4oƱ&XC>هߺ~t΋Z4&jOo[A+5F3`=^k4Fefrq_g7*{[Le]Ҕ„aq{T YnۛuJnƇD1vÇ ~xsgD\f;9u_Ln  ]Ƚ]Zm ?j2k%s0C).$>/fr:NCA'epcI-C nIϖ"'hJdNs"|X30("(= I2(gzޝKbiv4PjYH7S祲 ~ˉe*Jr}w ݉0H9nrCFd1为y=8VUHڢuYY~jKAOTr1t]Q Z:8G{WoR8N_ln1m~H$@xs-~nCF9q 6 mOW>zvC_ &Ej%%J1v̹L\Es$7|w6=!ۉ J̴r$aJuilz:IbW-Ρe]2DtTQ :V吝)4xЍ d}dnh$?W=#+F] {HiFvRK0vlFMy0mXqDsӸ:fCI';6 oa+lhsFl)4:!g2]*{g ݻdX^!دӿdu%1zcз RPj_R& t0(Gc & .@gQ:q 4n۠7\$;əOZvj9*P߹NKjW1Uo $YSːB ۽2 `G~P1aY eEH:)dmC*\VPŨx l1s3O`"#0#MMK$xhe01|pEB`CN*pXHNC5Ø4KЛ #m1+H7!RhF!gr3EaݦM8>+Kx\gyuB~jd(B"i `o7"Ĭm皐ܡ@PTMˑoe7HrEҞM/ۦtOKG)0q*c[KV}mҽdG|*]4,bXcc+gZjjKqQ CFOh"?=-U\ *J Qg3 54?(dNv+$Pv_"CDMA?-dXxo췽+D#3'B~7x8`VT|Cˏ"`QX4fmX\{Дv]9xKEӌ#jU39AHl𻆶 ^Dq-! N9xd+XTh;B<S=V{'1n.1S , $WkYe&i :akۑɷ*4֓$Qqhj}Y]b5'l{k.$UWA T]MOgZU:vc_x^]Mo}:!9BFe~:8'l%7_zjIC3$ *_3jzt+R_OR!X]!I[WOky}QRR%I)gS횕Y? nf[ld ` Ŏc7].W  ]u X|T9[BJ4"SZX8" EyY11G UvһTvN좴?=HBa.[RdEk`q~?DC)5"}+aN8lyl;c /#x, I(܋}IvG~'^9՛f/?`vF-y>qz5ҵup.QMu鿉 Eu=C{DnE\܎x5L _Ω<)[brLEs"\#S˽ww$-BzZIGuvvG0cE,Rs2gݢeުF,u*.NxȾm.q?\~T_1B̬YH`u:  \j.M9VPB*B۟v4wT3^b_쥮S!!epϞ&Z`^A/nᵄ e_EvxC>rJㅨϋS7%v NN7~Cw8@tb+amrdk&S !vNi#ݾ7 _vA#FNQlTO =!l`ZB3)(5NyIv, tO wLnL@FcB8I2O* zMFINxW| vCơZѕm$әIR%5Z3c4b,b`Ŕι!VB~TOx!ѓ*[y."[T9n .*[Q6bu?cI춃>)VΈ㾧db-]DeW\66u9'd&7l_<_-ƙێa{g`^5*] p9KYE"y2 0yU3fLc.t^}ёF=)/ޥՙo=ɐHyq+Pe9+/ Az=J*; Qo{ڈS("2gTa/DU n1e{ ޑgĂ/}Uږ:$bp,3#+O[ }qa+tpV߷7cnv7 $<(SΜ˱Po*ƞ! h%:mpl_Xm<9tj!!pl!Eݵ'y_8J&N.]FmyTd[ QWaP盆xX͸l}J #j@am~M߄LJx X r^Ϯu-/=d\q_\ 5э"a3GP"HW29Ai.\ Eso:ն r؟uM{1&>'j'F(ߕgΒv{lP ŀ9%CG dUmy@ p*pWfJCL;#]_I'!IIu'sc".?5LRőO[ bV 'Mv+{weT\plavnX\Wao$ TD3\PL کJ>]1"ĊzQ W+@5yVR#yȤWnlj) f(;//dmҝKoNo PQ*_xh2O 'Q[ %JhHY}; ?,݆3|q@&us~L#+~ Xj5jl GK##"">gl;FGBl^Z*(o#t9 !8o =ZpJC?aa:M s-OR,4Iu('}(O_п9 ^~/DB9I!!sHxaC7hQ?x<MxX-U}~liak¬ WZtLQk#<.a t 3q9ZѲK߬fuz.QZR}=$dFNl I%vZS|eQ5DhApToPxRĝΧuH b"ݰW;^eE 8N jH-^8qeWg$÷Mj&,8gJ6) s<7Wb?f;=_p~K_b}/n?q=kfl~ p0YnIK}TYNm眥 >*[swQ.}.bo뿘R{P8琷/bsl'6)DÚAm &ժ>93:]X`„; uRINQHta,ĆTјմg5A8iޭHڟY;o1G.;p qpV4JlR%\&oe7V~OaC "rz (H m?ϕ-zR<#x (gmm$sԐrwPT /19uMozH)]߫%B&YIr+fLY/[8wC|5@;{R76 1{=LBPJ rm8|h >䞚%2eXҘ*^ܤ/:'ټUr1˜D -c5~'%[jFx4n~Fu f?$w߫;m_W4#\㛬bd/!?Kf]"1}bl !r405))Z9̰8gXE$ qt-^1ANOe^.MO_qg}(eKDw4eͥICV28}uY&^Ly@LDF@S0q*l\ (mQ{B44K$NxPtOD shQ4ⅢdQo[$D.K\8AY:=EcW,'/JHkyzFI%4DH^?3`?U|}.mGFLytઐH*byx}izd kKr 镍n&Dz2@j>B]@؈/6(sA7>YK[I?In4 LӾ$6R=h ϻ M?[cəQnOɉD.{f('Q}<["*Qd3cf7:ހ{؅+:}W7jNJgM;aw6Мɬ9ky޽i )EPhiтQڏJUb+|+qN}  CdG_fOrtVC-^()KjSZr?RL"9_F &?k=Ǥ_'7礴@S7jR}Yj!^{tDxվ} }浤j,;㻗.Z?M$r-j7" f˺OԏR+wYnl+]`{!,` /ѕv^ITGM`ui|>ŸorРum F!q9Nqũ],w=c{i1u0G"CCl.3X}:k08Ɋ|ی{o +6 Tzuje;#йԶʗr̈T^S/ V쁛玆}^=;TJ('Qn(ëuy$T@`Ϩ']G7EyGd1%}{p۱Nʮ4LS?&J l`iZRU犷#7@5q@*VU|d7䮺An%M>"2eQ?z+8Q\?[|D\#f_,3&!P|mMhv=vJUuN[F7Aou2\-TLN c=<#b|l8jn2:w>17_`nWѢj oګ ,.tj8_^I3Z~EA߅"q\ NAU >,28Cz2?i+ b]k=~'<(?zy?bV'agpQ ~P uhXCKl^YiTR큆~-73K}=GYhXVk|kuz&i%ɪ唨̙u@ Y<pR0~>l L(lpn@Jy}>W1`F'acƺ{Ar .3jѻ/R /Cabm EqԐ wX&, Y`O+V+$CO#,LuH϶BV.E-exo:1 -czϓQG "@L*E ;4r*' OS&OIvylm*uVx]j>P!SSK_OYjŰ0Jpr -u Kv7=" ̖yO\,Հ^Eb!k+dK^k&,~W>ΗtC :Ƕbaפ`nшg?s5 3"*2ܱWʳh1hXc'uLFm*a+ "úU9jJԓ>9/f45m@!5Q~˜eP79N&AUۜ'H` 'I<(n݄&~5+EGsBξs}^_Vx#Vvk]YQ$ɸe\E gTo? LJT"V؜}c /d'KPq5jd1ʸ,W.7 I)Q{JQ'9c;h>2 xQѩH\:ul wJ8VU5B"$'${NiUiE [r ~a pHGFK ⶝ۋ@h3(Mtȕwc-QhaSŚEGp+ fҙkx88%7e2_ <ZӧF(ffpB(ie={hKgi`hF+MXkEsi^,ԽuevFÃ(jFsWzvn3[AE.>~6^T`ᵨf*ϕd'x-lߞBr|آ[cB0[-nT ϶%aw\T~RiK$1F|w'&?ٺ5㒦"}KK \L 5jޮrP#Qls%Ӎ77InW@(_iݐhVCbqyTعb 9; n`s+,*9~BdUz"ꠣ󩶸$&>,[V>Y@RG jiܨ'{H#M,WUCjDZTB9Hm3Re %FGm8y-ڲ!93ʙΎy5IÅ7)f (3UJ,C. ^4A\7pٱ}{2E4+Mi:5$:Nqj\= ;Lψz`_9N ֕&*|5Aqa{v BɄ={ۓ@]tmSae\t%vbsܭRr(Xճ?%V}2>x]G8X>MQ8jp "Û_;vc{M,jDR2d9S%ɐ{ ;;ezfR ;fHR۸ip msغwDgseA1q`q4`Qt6ae\A T+, ڽ`4TY&܀1Vo|P Ik: {53]λ]SL)D`pv>}ok)2' "hVh>*j{}Y=$k>_;1nI`?~^˳W2wX =B(]\G A|Lvn (cӼY E<īk"=,NGg¶%m5K3 -`@GEq'ZumI5N0!V4Nҧ5 Z)6͙;]b* hʕnG%ʬtC'sŗfRJ2QWC%:/7葖ScXwѮ̍|M`W8* If }?}}fII}-OPp7meKB/Ag+\9Euh( $T"?_Vt0lzQЃk&*}VMgڳG{TiA_ybâ^w՝Oج5oc/NXJ6 {t8O ewʾ3ve w 9.w3" TDRpy9)"~!놄>Tm%:4'R\^Θds$'{zVgQ۴n3_}/<jJ͎Δȗ%/ ؂U Wc QdX>Mq[x4kʲۖ}\bRhh.oLLMӽwmXo|2]:XsoT;Q?$܋3I{dBϛ /q.pJ L0nM(ZŽ[2t+1-Hr)Vdv'$"hR] t(BE{4{w+OzL`N^Y5a$lAzbG/NM*{".& 0[5Q V}`ob0 ߖ>,i` 8f)݀w8j_uY/d˽/a QQ&I#AhF4ƿ<ӏ H \j煊c~% {,Z7\]mnqs xcG%]0jd+UQðLT7AY]RD;Qb5)WTu NY> -*ݰOkgA 7VQX.{]ɮϤ#eǩt mA ia"NQu\8lr2ukP-P[XCPWC=ngNBmpsmBe\cO;w6YM\RVyx1u=ܙ["_m9㬶r@,a[_R?qehww@+{q缄\<<ų,Hԍe3 0&W0Dh@Z1VD!;o.txau8aj e{ǚS2ZOHZK,{EMP;xWh27Z O_ 4DF-HdxLS(bÀ@/7LC".K=.+pvx^ǀ|A\Ǩ+Atp<ް}ӝGA4W %΢_@G02_SxXݢwN}m#]ah?j.*H݅F.ʤuW*vL/Z ^K'cg8gʌ`{e\7]!bTɝKe#';qyș*ŒKO$\T ~|⺻ AXmGu$yn02uA|R~.p%#TA'0\&7Һ8' ^jdD+j1GէR|?j~}?!%{OLu!t`f$'3Prv>0XsYbc$^%nl|1!oEo=I¶\#o$AO͓^e=nF{@tVsNY#* hS p]s\*ze|* xp,5RؾBa%0hI+WԖ=۳}NUKFK%*]ErTʿ?|dgsb/ݱ幔lU>tuA"%8 ~)gK&T = `P~h:*P+9 E|b:ǰNI4eZa9 *ҡvt"胇+<㊁# Bn*z5߻s6!R2iq^Qӄ37z|蔻'֒ JKȾJ}d_T5ΊI Ija峒DϨ',.u)0q ZOxvFoae: Ձy$ X}cbgeaC~@agQxHyq`Ki%v8Sєe0:crN,Z<1gzj.ҧ6RFf<x/ybJ'dlEcJV%'ǠΧTx[,%J;@&_o)? kز{QVr;C,ԥ8܏")asؖa8UJK +f|AzyJ8099JsQ"W1NmGS>Ҫ RNtއeiQarG8?s),΄)^ @U1xHd_$dÉ . ^AzN"g€<\<3Skrau 8W6wژTl6YF[&l.d7쫑Ҫz@oZ*TYH蝍%~" P̡qb&}IB 8APAΆmLsb%p%1q H&$)9o(j)}DN͊@G}T@_OߎK*~PƱׁ9SM)%J3C ;U{N/ 1Gw^A9i|(_|rh;i&ڲ&x(n͂%CB蚿xH7a!Iw~~lՌ׋mw=C]@„ y6cbK(WGQQHQ,p:2/4$}q҆=(t:ݨZ}ۚ[ڹ/e(55~>Im{XVt-+MN$3U4ޢ+˕&)$ [ A g.y]X> YrVWnF2'LG<(Q4#{׀s>`$SVonBdL҅ODWb)bQ䑪kŹ-mVbkw^征{2zD$Eg@h AMW\,_CEY0 8kFq R)xC0"1vEeVC`v;ڙ5[Cl2mra~H٭PF/1oDy|C1t]11ۿ@eFK*f 2WbZ#·vA0a:10jwT@8J?_*N}5"HiUϲcU YI)R )n/B~]i"S ?ks[r rj+!(EIAOsծaP?פ$1di䲛/:xzY7 Q Y{,XoP5 $Fe@ROIDIiAX1`C6tns6x1sO/1|G[#{{wHO1?| |w:2 !ĥ9Če1*vu+k~3Bt,=zq E$`NK]ON)EE4JSY_s_Qy~Sx>fc:d!<83 d^ʲH *"\Txb(뫚{ɻgLb:SSm@2E[7VUaw5G+䓉Ao |Q(,`VPR _fCy<_=U=g].zWֈM^B9G?XSq23=j/#pn,? $~k Vr[m\#uKGb:YwC-B+l* Dij܎^Ki. 75I˽bifɵU|sAy&cK@sEAyG t[¤b#"#ʅQ% e {x ^tG(B5!үAE2F8}Q99Wnu΁d% 0r_pᎫI *+q?| :f_wъu3>&xҙcr۰cѧGҏ*?:-on;FK|L.‹|(@s ҍ |v|BIյN]):q[M؉Pf8N# BbOe]yp v=P$/N_^k}ZoYfl< rHM6 }θFw&L#B@/T+bFknȡk-pW|ǃ {GaU8`>udtV~ۂq`=YuV_m.7@ ~c)>ȴ7$T<_#dqMNL0>0̈́.dҙţjpϰƢD9ߤM 6p͢[AcUD!wD,V+O9P6>s$;jQZNWP:FEZK'MG2wJgp$9WZƇ2|}< @1oe},2PSkm$N6>`zҽBܫZz3QpE}N`hcN1:ڏY"(N~IQ6GD8Tw܃ $ȘfrV pn"`s©S& qiFr3cu$aBCY1ߐ=8z 9@177بlB"읇 :{sRaLZ 0 bQSiğ_/uDŽF )Q/834/}RvWNz4((PA"1kLPt6ݯ߆ + w?SA4t;ϝ _l!~*%fC-\9O Z]tlU. Ba D9Z9ЅX( V+@_Sd Gs_|9ɾ򇿧;dPQoOFM*> -6v*p*>Cjt0aDQ*tTd% , *DYHфyRL"!I {n&՛CC, ` ɦъ7K Y[,̖5oz 1r,vN#59a7HU7\s 0Nf,'-`;n;ȁѾʄ^2av\Υ+0Q4q A- c? z}i$ 4b+StlF)삣UD:ZD~yYGO-΄:;h4 "=J1s6<>w|yk4Zy̺b<SZ4}Y8NPʲ7@"SH5B%ݱQT8XnqMINrcm[$9ߏ[H0^5;< H}m Uz?v'yAkzliZ ir &R't"}!@ oGQٱQr(5=pBD0|[|ֵpIns^ܓ0Oڜ y SZvZz_1dq,ܰdk,4ҍ+,F!}!1vW]%'kڌ(@ v|ۦXwدлRZQlHEH}I2f>vTD6(A{T?DɊ:^6tA/|:P6_̌كGΪ6p#B* d_a,@Acx[9lyHx qdfnN(-"%>Uvz~A: qkhbM_:J; Fd ,v* 3Wp̖gܚfg-RY)>.R:kYX}| |\3X8qjx= N0F}9XU INE\rZ 9]햅`o;uDa'ZrՎ=Jυn?Onlb*~J!FFu]sSf~oZ(\8gRs/҇@hF .~ Ы4S][eP f. r^I}j$\ $(vjUmech%%6q]2mT3[Q{T B\JܢZ/6=OTd飠M(vi3q/hxq+ &1"Tј՞z;TT''C|uˬ !DFA#Q |Hʺ[DVfrrR)@SzgB=@j~5~.-D5>Bxb 5S6&q$dELυ!|㝷|h`O>^bSu$zd87oJ5& aiXA82#5bm\݁7p=+PHR 4C>ܸ:9:XӖC=|CQ6;NaDZ@|Zv%C~mm@oc%v~Q%x TOqІ xPF/iյVK ~ !>jg٫ji&,OIqi廧J^@?Q _?Hn~ptwv ͙(228m ;ė{ⷎ o%ZNqZwf'j0QĮܛ3UݖHYI5h1ݽUwȒc Л]XQ*H׿I Z!mX RꡀFg'"zEܕ%ڧ]HdjvO u)"͊U=!&ᬤ+"j]zZ̹U3 -QCw HkC-qR-S*n˿  IZq0ucYɨΦLfS")|^eR~kR'fbΣڂv9MJIB_mJ g@ n|;w*TIM+8k7cǦk1\}: HGI+w4Y?U8P4 CVAdB!Yƃ&{b0(`9AӨ\jHXcF԰NJ6aqBa]٭|AӎZfgl8#\8':ZzaEmg+]o3-]G\7n2}S=xh{#݈ R"B5@ bok`ջ2͜[.rb컋9C=d&R28lX7دkƝ=qǖ{.y)6ÃikLM]ayb_!A 73m g&Q~uC/HF]ѵsfXi_ˏ&~YŵC\+9\ gʚW='9.b⛤!ޯCƃpw>x b-DJRrt:w@zXrfMhBPOp{⽊Y>’:yWВœc75,lƧSc ٕZ}+(Z`%J T!Ѿ+Oqڌ/5S#mMs +`'`Yu[§ͬDa-t8zx3mz1L&A}F̗s,:^&p=߱;l$:fT14M"q&<(eoT}ݛi\N0ݾ!& M|5`R$:@ 'j6oi],:x&1Oxsn@cڊL$7;{.3`yM7Pag=PP<'5 y^mi4N/A| ) Wˠqizxn;Qe r`fk&SC8(#34XO&^yH^=,=@ ,(9E3-Ph7HRN"@c.lPe2ʷFwb32Y Sߩ}J+^{~9LC_f,9q;<tr`&iOz|JZk<_ ZsB 6VIDE\Hq)G3Qr9t/C +?tBO$ʨޑ'ȑmڈ"l/nytON]ӬhɊxB@+ON1P73evr= RoYݒr'Εiw%lՁJ0kâ,C倄vSYMzA''|YheSjMy/_,Rd3cmql/:͠3iDql~"x_lp) 4AB.M"~>C.oYE?2#1_m/ 7+T'y8"VDWֶv4C/GuW1)&ߝ]d!xqwFfI/YIShQx$}t*{ [xvǀ;MWХyHuM{pVub[>i|_X@Ϳ ]W[sd2KC=ͬtlˑu`dpOwmo|rȄUct= _ C>gqjHFͻf2P+-!-0} []q~~VI[һ>(r?>(aC8':!zk ©/zl+ x`̝դ[/cX[@\.O`.YeOXd(߭DK ёX%=l1JwޜQF+VO BJVLPIYHr-w[s=0ytEJ*'SiDSAk1p< ú&MsrG3JZoG,ԃ ;@:!gȡufP&@ H5r0RϬk>h?Z&AXC}o{@#\)-MLv=v}N72 ClFM.#{Z9dvPE+ k{|'N})&AްE@ЋThv"M\/+""#bxZ;1L.eJbR}v9kWvk!v0Pc{tW.O{np`I7h&$xa#ag;u1 nҊiL}1jG*cA?9׮n?tGƒS Sd"r#>mlZ8zi^c<&!Tⶽ#_?`(hmy8уuR|;`[-DSjX.y-D7A2rg*A֖Ag@}B7J|IA֋e.p2I)UrbQ Eh$"L e,j\4IX}?9 +~00]se/\C#b wFXkS{͆M.N:'f9m$ 1O.G[uEnˑϚ=:웃X/K:]dV8Kev 49򠚣ZXcXQmJ"ruCK *WhVxW %X%dn!EWTdxkٰg_-ݝ<"@/t{~pC.PC>8S\jy>Hf!5@{Rp> cvCJ$r4!]QZA/,j"՛<߁tR!%qՏZ[ܺ)jB*t+^;!r["Hgcoq(JA$f a;<4jʚ ]ݲ,6 Bݩqx9Qel&8'q<3ܫ"hKNtGCǗ hn,`D]O wZj6?N ZDZAQ484\W{P0F)ʈwT֦kRk#V!`I%zd -G<'QO *ɭXZG1wE- +qȟMj|wV^hx7g)H2ԗ "| >s8xi+O0m׊#}R,:oNlo~sN ydWZk8S嵼 L+aAŪ ! u_yG;Hp؆46몁@K/M@:(k410-R$~&> S<&~i`@1ÛYwϏ7Ӗo}6|% q^bS/׈U͑+O=u@?s MjjlQ KϩOȆmgez^ ޱ^MBrZOEe_y؃FVCpkg3Yy-Dϖ=}Ѯg:!-i ,B1K vd)noBZNJ׶Q`}>He0 >ZCIÞ1 2ed 0g]AdBC=x-T%}Ns.˭']Ih~6l2Da`3iY8힫s| ,K fHSϚ%D"`a<ŊO<K hFŎL)KҊ@![RFl7w ]7U}8f?llEX?Υ3{_[+v+Vwp +zX]sUb[B#5ƮK$lM{2S"Ex\Wݙ+)OFyy?᫄EVyYEYc_"UzkE:TwvM9V3>ޯҥpo$vw5:J⁊iQ#oO=\Sap Q U 4#.-!RSX@lrw%9fKԈM[,¢Ag*)y3smRw hLVd('B9=jRC))hsY KuzK=mS^Ldܥ^HZV FV^_b{Nx1-uly3k%e>~#񠹶zPRR;ehK3lxUpblUiVk3=qNj@!6Q>J U/$2\V50놋ܓMvoh@fEWר6qv[>JS"_U4Vh=_;8O%%]_%>܁ҴQ+;VrWYn cbwv#ח9>mC|XkSP])_4!^[l=@Y%^jBh\ '+Sh7@Ήq=iy:mgKs4uԷs=A Ai, 8"G kO,<{ ܧUxdl÷ xtFZ NzS<\ycQFp>A%I+ju`E~_ѝ;YVNIy.He] ګOm_B5 [ߟ,;úQ!1'#PzꅆA$@s93&3J$}bFp\#c,W DI03ASx#wh<$̳S0T?=áe9 <f:$ڜx[ߔm%٥r,>Ϸjݐi~KZBWͣm}v!dOzuxp!y UӤxgvO+!tVIb2OV`m51KX0|٧ S@9pڠu;E˜\I]-e7]R.–ÐxP}p?0Nê yc~$] ˖edIiT/s n"?rױc6$(X*wX|Y1č4@j}D,3MBsf?{s:TǦm lKbkM:n$X'9(oĥx/7C4yG3yvp lEI!)cfݞKR޶bݻ,婄4 \ Iƒd`$Μ5.\&W($]v-SjRLoz Cwǝ>A!˿Hӧ{Y{f=[T<]5v;@Qr^"tHYxZmF#7qw>T1ƺSуF/00r9K.qPpa!LM&Ko:,s͸WI{ѿ qH"v{6 E,yXAfLATu*2O[bηȁ~vTfђ2#ï9"~m֡ oY"LnJG42!WP̸{%;¶]Q?9ZnkffpTbЊKW6҆OC2Gx9azO]]ݍ z!`k )^ːCp]P 0m")4ɫi [y}W{q+Z!ӸY=ߪ@͌ bbVu2Onbn(l%j,w}Ao=_r7<^Lݩ_ZOpN";NQ^aj&W{ =Y#>hlƵ&7xjh8OikhwB̈WWvWy!II)PCE3} oj Y蝶'ڍ9sPafxvN@PBDVU A6F7 z+k!1fɶS`:f\klHT!oWÕd5yk9Nftr&2q>x }47goHC. ]*J^T$ :.fK`냻ngzɿŲ&&L蠤|̰М! zeۈo͑EN ˆ#kC/2l4mj}~YpgoW3O8km)YC m "?ryb.̊UnZ>reb>kt-:γ̆J\xɒ3M<DqRkwQ|mw|8(%ՔNi4YBy8+BG/^J.V[e&B$k*K~Q/J'N'\<ͭ5oK*TdRH/767Ol{kJcn9ҦDcyXivfe+`<,ϥJ?ZNb8-q~j9ƙӧn;\dkƜ HtyJ9!bKOʷ;1 ED=$n_T9'94e!ZA^~sHLި!w+CQO\;.h~4dFQ-zA4>?p/X-ئ=z*+*"BlJ*R_z-0Dk_RXAf_ȆwFfNO%j :!P^x-to|0R_^OWpGpmm4.еNC, ׶a5)$*6-Z/ZW<\Ln~;U5Z_8{xu U@V?K)L7׾OWHdf0{aҷ^hY`Q3}L6{TTaO- gzxPlO`"WLrL03v YQپ}HsK_t~`i^gEQgȟAB>M:|HIK+abKcfgznĮ˟Rú+)&!Ҝ^L)`Ey)^_2TYԸ &^jPKTzr{2=@8*f7[b2꒝䊰N/d@͏L!$RSc~|p!x}͉Q>tWO/1t5X.~ܦp[T*gO"`$8N{W*ihTA]4z 5D 9;f|QQ@يlqبNRI"'ޢ-(Gd~2ndˍL RPI,ˋ ᚰ#hub}P/uxP/sI0\'NmoOB hˠ QudND)/p=Çu9ܑ-< BMd.^f"IDOD{B*keD0sD/hi؞PxHJZK 2itQyu` zDYћ# 2`%{|%}}n9b為tw5Ufi ZYTC/g~ |(5/-hm#q`Q)`0`q"vL l{avj/)̳gD >arB>Y4׾iMpԍͽm~Wr=RGwX={1a%|iW?WI:꙳8P8rSC7'T}v3OH2>_iQ׋0Ϛk5A`,á濨3^X")c\7pl\CrGԣ#FԓxzhMQc(h0*q X0`2X"x%$l𻻢R =E%CHHt8,&οa^f]M0WO4!@qr,ld>u}ΎAⴢκ o aOjR(9]z4"uur㤾.C> F(sܱ2A6=8<&TxeoQjo@ɺi96bs՚0@PQ— Q\ߕp˛Q.N<nK8oͯ,tj߫ \ RUd93S AU=&} Gmkn ?bFfҦ>_<â~Yhm F|eη+qֲ"1TA^E 1eԠl az?jPjܚ`VtYG0R8r1NX F ƭEa$]zB$agBU}/ t2\h[S&,X#H4ZV]L"%zNc [xGGO4Gh'$*1R1HiԑN8iDxŁ6|K@o>'2kRX%%m^ô` .vЃ>wF{@E6Ū5CJKy |jkoA^c(8q j1_pDmXxʉ7vK๏?ʻ&p_}B+,0'C#«+NBܟݝ`՝Ta4V= KGfFz牫B{Բi i0* v%#Zܒx`CIi^*D& %Њ0yYQ |bתKI=-q8ONԠ]jѪZFJ ^1iX2MhĊIeT hoMƌ1AO>#ӱJ/8#11p#X/_7[ۑԌMmj[HI[sr 6Uk~"dt&2r~Š,[0];I~ s#$y+Un7l펾kÛ cs=QR,|FamCh6庍5q1꾬E85Pc2W:bߵw︱cOӊDKhUU 4#˦F74 Hx&qa[Mu8QF>M fTpKE 2I>DSKUyXw=k!&QO\\>ײLbײ8Y |k#vwdB"9 htns=P*=9LD%dnF^wu8ljI0jlHinQЧhm 6UX¡賡jFNֱ$L<_ki6b\"| O_>\E׍~.#n9"QՒUj# zjZZ5`^X6cKQQ/s DOr i }l&RKh֗B?Yl3t*NQWA1 %.Yw|HRW(Pk1 v} 3ڇllt*8Lʐeqt7r%c8'hj$Frtwj."|_F:QLn_8NPFu,y DY $Ujak;jaAnMnj%/v6 \3RܔGi`U9Ĩ΀G޸Sb,}.`R2Qo,WRgPpMA~Qdzs v@c9c QG& Ffj\$d:|Zq4?YpxYQI/G|o(;r˻͜xu%~F@M0hp% _Mw]\@`o2CC+l}$ ƿ_ x4G ޥ(2*ܸ?uxo3à= dXd()[E)?H;;lZm;~ 6j^@5#Au",Qob.V6Ȗ43NoIFo2J?RA _K!٢#c3`G}dz 揣Luf_Ms`lcl _AMn@sOdULjb!]ˮE_="|h$yfnBsZ̢p0,>96 AQSUg .Iyx#O<*!S.*[I̍%y}B7ՊkI TKbI!]8癆8ew8qMxV.G!sK3'{Gl{z6gij'3L/?kB-:t}1'p[O/S'Sjv6p ?K0%m|oHᩊ砢lhL]Α!|ky_S]dDG9ߞ< 6[e 5N/ݮ>2I9,U]mH1) qcVRwQ4zE]Il}F Z`sE+g-S戣{Jj}KaiE4kAw_8&"Y*[5.1z)rRC`dIMx)wGr" U1Xtd`]K ϝ +فj"bz|M YC"ߟ-C =ԟTu7?2Od=:7xT`*X>*UߧkJiI֓+#XHpXۯ'?Z7}G)%W(]tVa&d!bfG& M.F}*ԞirIXĶv,@h8o&-͏H3qvlPw&!ސMa.BjMjT-z:+7`RU-됯HTEZgC8#ԱB0p!A ڢh֒Xvs>Á$>rWԧ&Ŕ/\#Eizg^mV6"\XWl*o=tEIQ ,⸝h 8+$꼑AosA|Iyp uêzk#drX{ij9à9*5Z_h< t++_AMC\h1Smgg*?#\3V}ח]w%4ٿҟi pd 3qQɁiO|ko|O;V%Xz {a$'WkNPZlյS1>*>cf}o~4ώ9,5Aats#55t!I0-@tz0޴7/:sA+J2x$?.yY=6hI>yjEcÞ%h̉d揦SWBXruSX=LdgB#5z.AxMq `3 9H\ꪪ2xDުJw6=A/ >^<3u}JW`M" xnK-n kڋyPhl$MR15 QDI[T2w ts/J٘Jb8ٴ8l j4 p XM&qة*.;l#'z UCelVӬ%IAPؓǷcmc6 ZkZv?jV TJkV' SDq@]6KpˢjqHmmXU#gmXO7̚Uo!KF\(n$dE^ JX%[ʨ{d ?? 9B]pk܊(mk)LSx7ͭ3R[p7Jc`}[}X4>^PAhx C4&C ,WE]ly2]fQZo5tvLZ< ) S %=MMڲ(Wv`W$ Uivն 9MR#8ي[B')/]]Aĉ`+ŒQS Vg{#tvqqrkQIyVޙbzt>Thgȗ&x6iMv5߽ti괔:+&{"ɕ]CV)6<^Xz͉&;=EDQhq ywEnˏe ij&!% D;2sbȰ(N@Ƥ/Ҙ!ZDM$#7mWPb&g,ZK":IF]Vùз?O =sm ̙`A =['&+iAhK߁Pι匴pߕlB1B7^ʻez``'pGO_wK ǿ+PLb|/na6^ Pac"3BJ HL6 emiy7|ٴwZv<bsҹ{K$aa g 4ne8[Uu{MS^Y+(B8I?&Q),h%s+v\^`as{~Z*T*} * =d٦4+˭#eI<4grn3N&W&މ@ @3JY.W@MAԿ񈨔PNkނ@#(Kl<"g6b(5`֡/$t@umukC~"Ւ˯EQ.fhzLHTtF} ` P:Ao\g%um mK*A¦šWMEW䅚@d -M%gR4i]Pd9$v+gDzl'ŎbtZk %LF8I/e F,Ēz1u۵%2m~{KJA(ˉ5_+q$G^{;\TC (QD-TZ[dL0폺:*#jU.`0Gss$ٞ.)qȤ]+f a-9O ~%H74 :Hy%xN u]z!z뤏 =k%jۺ)8TC;Z)1}!"kUS]Iյ).۵F]צ˄-ઁ,d7N{e_UĦ9l3UM5!kXf ͥ1w;-* ~Q>xBϞCJ+O4aL($]4$) m@RoR8^nu ADfi!`X, r]nݸi΀WT:p'f,4XVT=?n79A۾ QBmG]JL9 ߴŽviVL2 cl;%Dul`f{#{Ź w[DI9 hT/߫kL7N33w3z:|54`4\0DۓPM5kE6~g `IJI03ؒhJ=ko@ MrдUϼUz?~\goC- h0K2,۹5QJ3^Ä$[4[_u1XkAFQԝ2 [t_:l_ 2*kKnjh{xUvT!3)Ex4~EQI,)&[ua>ϦcyjO* އ~˽ݎqBfAB|d7iu+g❘`GأE]?0 7-GJ2홇 Ј+uR-K )P_f7Su}KW&6CZ[l1ǻAwrTK FsW#Sdod^փh ""I2r=nb;Sfǫ?0-@ gڒ:>AzQW">MA%qFU}8s)mTKP.dݢ6ïfXEdӰQOGOǺ ߵàI$YE+y%*41Ҳtf=|_xy0(n~D5{4O炒PZͽ\G,U_@5e_vOh7V:P *yLK28+AN!Ԫ:S _[ we  GyiEˤ}g 3]35Z'FAj4Em=P:3gxr5$HN d)U |7$Z)GFzbe@6!e;%CgfƱ)\58!|FXf>A/ꁴP>o&/@ܘ'Muka\)ӎhm*M>÷!D\bB_3ׁY7 O.=ܧ6+gU5-̊2DD3{M ͺTXs1 tWF?|Ld'a4FGҾJSpW̐(xqӠ?НmMŌ9l q.=xD1:|-G-va&r2Z7tb}vR#>M҇QEĔ5݊[*+Aw$hfS!dνZ kBB?3A0;R/'~T\fŃD\#H&ag& 8@S `ڱ 6p3ϲSb#t͚p J)!7H"[ߝ)KM,wKyr*@7#ͳ/L,Ϗic![uX֮ =KhZ@[G]*0:K 2j Yѹ"Q67p@Bo;s=P,tTBIp6r 2IQZ/ֻV4l5q.U^NřM$j g6(|$Zgwό=ZWo;kCQ`1-g_ voOHؘ Fimc d m.}wyq bp6f6zʅ@4g W+p\[_!qC>qugz]K*E)4((@QATUN G_2>Sljw\X7aéDk,K-[NrKxO*B8RY,sGE7/'ۇI3Wk On>\NԿW2;nCFL`9$n>?yZ\B." *cl9fMI>Fy[`nCPyp"v?ʪR0YfЦ?_|U=2wCݦկKOywڼ >ђ99 \)XW p'qX4<J8lhPB_&9%'n¥o[dbX :h 'ǰКh6l<3DF~d7٦X&(,ͪ2"j=Z~"Ny|g\ `$VaL`|Z# xiHc~vAfY`[(Q1WؽMCDY A%8I4k>M*z\߮fQDJM>rdQI;¬t@92(R0pxDlKA<9$9شvsM|v g09\ 0 KvV 8#XQQ*K3]#<: ReMYO; ^I$b7;fxNJwӯv$ja^eĤъإrɈJ:9 uSPrۛ(!xF> 5Mp:)>傉\QuKјsq(1D1|Ob:1Ҫ1J-i[k_#ih%[Y+Ɖ02&jY?]›A݇mz3ItjNV}^Y_>23:+3F@Q1Lۤ3 H~+Dfj99t' hvByj r̬;Tn]%h*aGfˍC H{m K3ӲAW/=gDȄ,ֹj9ʪϠ Jr7;54XHXKMa>0?# Mjɨe~,(Ò6 tƔ#;V_ax&jtv8Rߣ5I"pr.]z3<W, .ҽT+Ss!Ѻl|5/3Z@!2׎_A&:ˑcUaŨsthmmdS;K _ɮ:ZM&dff{"p0 jUEr]Up]hlJz>+C`ߡ/R+ .Xr .Ӷڬ+/dbmA8uyKfl`dD+oܐDkna*Cq|L7zt^ (W%ʕ3@X(z=Sx]/7*T!묕̲k= 5 ^)S{>'tzFILUBo" /F@Mm#z 4Ƿ Sjhn'C-?M Zu|uk HFHԙ[nq[_;Ԟ_|/[L_Q3R.?H!z$vJ> 'Nޖl RsTsǕ[*&eQe!y)Ml8R&~Q ٠?{|8L^c~Y 6-+͂3%ʈgpuGV7Ok4+SWb0*BĮ?_JgF֦qጧyM5H&(:K-=mG~ɅKK_*_ -I}NR(B2~BNț+0G,6PI>X5DOb}ʷkeR믒ꖋ){?( P[9r E{}jFRg,aUmi/fIXc^iR$iCtf: |C6bu5_ٞҿ zHviK 5mIDn_;=R,C,pj,0Z> A3! h4Qf~ړjQ57z^Mj%Ko|hT_9P+&%i`Sw&s$grN**)>y*Zy>iXl4ҊF˺w  >B*D7H' 1Vu`b6|+~>6[waIrzG &@\[ګuî3Tv#y_о?MMT opWJsYS^:&@dȃ Gx3Pv mN M,0 Bt'r\p~ ֨Lwx@nNePeͳN{2W2lQjQPڲZ D.ɢiQ7Cv~`}i5㌜|~gi 4rQu{ RF7Cj j<2t;4 `TƟ/ԯbDԨ+);2&f*eWP–" f!H+ά6SiYdVʚ%'&ZzQdǟAoFL&0%tppHͳ<֤),]DlEZe^$ӐY\\A#  e)Es#m7պu{wx* |=k*b 5!"fiϗi齫|NP_E-IjȢjjk(*퇀5 Yts&h ,Ͻԏ #k$G,Z J [)L$v "xDB@\\e'}m1I:v|w@nZ-S{>"V;ߧ̰HV9L*:a0L)V IZ`%gu2+Ef$>Y͔8.'ë8C<=h*t *"%Zm~LV}'<>,JHgyڜ5olVjx#? v}Mtm)`%A̱,ءљO<'! aT?k ( *'D_gYMZ4LmnVh`q3Dԗ +Hd\>͘F{뺜 >qʕ}+.VWჂ';,)Nq5BqXc8O]@@kM82 !bd[?kkCh٢atQs8AzM2N:nN+F,}(DsMOzw¶& Xw#vyVy1I% (nEvmkغa(mp0?-EQ%jlF\"V6'),/ 0 c)tc|z')+QXs) >qRM 艮?{{H>P֖ӎsCM`yeu}Q\j42"8 re9o>˵@Eǽ$q <=:hzCzዬX&Cq}"2F=7rEW<.M0O:)Yз OjE{-4Vᣜa&P"n7#ιiI6Ր,$ սΛ?-:!]̪4%%zļpETpjJVp6*+,ꕚ v-%u>wn_ G"~B%\ \j{>"ּo l.HȡFSugkv0:?7v_ z䊾_}H&.>~*i(V)FLu_fcst0sUar'hbkוNrH-od n?\/О8}gT /%8:I@stŷ MA}q*1P'b]SArVa JN?}9Y2|_hfDnي ;7w7_qw̐P3]ޏ ~E2 %Ξƽr$ oڗ%mlԶ_2$M6F($83ʬ lcGAӹe,Kx2 ,2]=E"}1ޚT(S4zP97.?U?B!B?EYH^0܎hǭ)h!iվ1i'ϞIY(ogWUw6MK?61Fc{ZQ|k8G`:R>,@kOmTt:vE9kR_H=b[Ƿz`[ æhs6u["5l9hDA9BXTx鹔S#~FIW#‡{O2P) N:Ϟm\CFӚ:[HYGA4gLEO]2jj&noʞvT:ok2kD:_d{cb%0j,;3n>0h0zMpR>^)#vר otv##s FJjW}OJ $;?. ^o@U$|=Ӂ[ !ck^d)ƨu\%^$Q.{m4 $y @"^77:@w@76\>=vV뎑"_٤m45*wIsj6ۨbҾMj3_/%4ϛxqͧQP6@ԙonΗ)KB6I}Dg4<#w7 `7z IYo^NЉnXdd_nߢI_)$`6 .7䚝C ؒN8 HJإEڔ,GJG#o콽3?%gtn]؍Y6^X+A4TfPX^ 5c-Ǜg6ZJepK`8 v4.g~Tˆ0 KDwe({h$oDHz@Qv9EUܼz*Rk+0~lV|;q\~k06 4:&^GƊllx ^P T7çs1rX a EIN %rn /M,op;!WĬ'dVn#C~=8m 1 ׯ 84/sČ7ζą`jDdFXi錛7 H u&Z^/d+ ֹbS'ﱑҢ[zP1 ijSdHy0c]\Kj // _(T uU"MKMsmX`Wc)Hwp}Gw %QNȨl}XŊ*e#GHx)J;׎#R?s"hnP{I*.\?ol4HЎ҅m/{x@JʊRi(\\Yc;휶rAm @a `-0y5 $=gL .Ǡ7U:J'tf0YĞm.Q4Z*1~S ̺GeXoh#76mnݡl\oԝw(=ۆ#w$\F OrnJ.nĸ&0[TZl1Ƽb/~ _lWƘ86XMŞK^e|LGy45/] n^lT//XoR>^2PZ=I}'F.!mf[q6I[p _i֕||"fFM]Σ|Tg d\EaÉ1%9٭QVr~> 1)mk,dFo-ɏr;zVR{w]pEtx OVИFI0>ʁX.. Y# &]gKPPY)EWY'1Glfbp7y}YՈ#Qr/M}MaB9*䢬zx-6KSB@,!x fgN\lhc [SrztfJ8V*&`V-o#2-gB\J9^NQ)'`wRp9<0|ֶ9SL 2h !4وl؏MT X750PFh]_$AX#3w Y,\C *ܮQ%\A `S QZS\4 2\%ҦC]_2v Hd ƫyjR4/SM/u+Wn=#n㈣-x2Sȍ0)", :1 TST>j@aUFx ]uϽQt.,Fy<=|9?1M:$?<93PGڱI]|/N'@%v!үSWr]ttG>E'8o I^$Q ->I!(&1ZO11Eg#jn^5$a_Λ.mFJϣQ9{')BgsA4˕Urٺ["!#@.7( ;KB]dFr ]Ek)+])NW=nfpmI+Ea @l22^ @#M$2U^([ 0oZ0Cqy'<o6t<^U[׏ߘ}Y`"M95T! ⥫$wc9sʘoh d\D/|L0-AEqSH1y%a3%ak19jAN߮s5{Bǂ t<#ݧ0sJ1ki||Hb)Y U" ]@]nH&+(G`IZ|ƣ=(g*sO>E )a[-HqEҀhơ[gJԈ?Dj7Yul.2^^PAtBشN GMz?խ 1jl R\ $LJ?),b':?%A^jhPJE+~u`Ws8 NIC6 榺+^A7V#Z .tfdʧR$NjX9 v4y7qąYlw:lI$ p ʛAzRX#gAg8Mζ YZ