sssd-kcm-1.16.2-13.el7_6.8>t  DH`p\$ƨb;H.j3 UgvBJb20tV#8]s3*SQL$Q /-,p&1K! OŇ<=n_;@B|9B_jePshX14ooc{EˮhCoZj*W~XSMvT:I6 5no 99}4*ոXRa+K׼/seT)l.!J \SףS-GjJwiۥ^%aks#ق x(LZp'gqKk6J@ե%L%qFc&Ľ>0SY9̑i1MIwpo"UٛxB 㚛b4=oY:<$GX87N>GgC1\ g-jWYyT x {_[=g#j7`U(ud1d07ec8a7edba79d0b49500b58bf6e06d986295\$ƨv!MDEmgo/jBj}kc=,QdzںZVF;X`J>ŋimB} . 5/v|HJ#j o”)'Ђu^o37ھCB<:4% Б `6ΔUxT bP_!l/$a˓o+؜i) kw0=}Ӳ:Dx4s╅i|݄ Yu ,߂EgG}Q4g?e%OwXs]eYc9Ό5 cH+L'!'92VT]oW!?t|3N 8Ǐ_չe= [}c.\=[msvQԫQ0 b4ƒK35s0%^>p?`d   H .KQX4 B P l  ;^?? ?(58<9t:x8>?@GH$I@XLYT\x]^bpd5e:f=l?tXutvwHxdy7\Csssd-kcm1.16.213.el7_6.8An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.\!x86-02.bsys.centos.orgҍCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fi 큤A큤\\\ \\\\04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba105e2955e29ed46eb7045b14e09593a4201f3de54bf06ffa41f2a923130f2161d159b7cfd80d735189d55c44266f957de6fcf472311f476f6a6c288fd20eb0f03c75348ef7be0b40dc2cb27f9c5ea06edf850afb7c3e5dbab10083d6d53735767991b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.2-13.el7_6.8.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.2-13.el7_6.85.2-14.11.3\@\@\@\@\@\@[@[@[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13.8Michal Židek - 1.16.2-13.7Michal Židek - 1.16.2-13.6Michal Židek - 1.16.2-13.5Michal Židek - 1.16.2-13.4Michal Židek - 1.16.2-13.3Michal Židek - 1.16.2-13.2Michal Židek - 1.16.2-13.1Jakub Hrozek - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z] - Part 2.- Resolves: rhbz#1690759 - RHEL STIG pointing sssd Packaging issue [rhel-7.6.z]- Resolves: rhbz#1683578 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]- Resolves: rhbz#1659507 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI [rhel-7.6.z]- Resolves: rhbz#1659083 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust [rhel-7.6.z]- Resolves: rhbz#1656833 - sssd_nss memory leak [rhel-7.6.z]- Resolves: Bug 1649784 - SSSD not fetching all sudo rules from AD [rhel-7.6.z]- Resolves: rhbz#1645047 - sssd only sets the SELinux login context if it differs from the default [rhel-7.6.z]- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.2-13.el7_6.81.16.2-13.el7_6.8sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=a165f35b374dfbb04b6dc3dc7feee7512ca0a060, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory7R4R0R8R!RRR6RR RRRRRR2R#RRR R RR7R.R%R RR R&R3RRRRR$R R+R)R,R*R(R'RRRRRR"R-R5R1RR/RRR<? 7zXZ !#,] b2u Q{K^ZBW!J^UώeJԮZбեÌ(@d.8 $|-,wS=g㢜о0 Jb!.:z!ςH-DhU|{UC#=:2p&b=FG¥Q@9jH g{ eXre\^[k_egz )1K -VEK~BӏiUOhlnq.`yOxFۉ>Z+ 0 Ӱ񄅤󪬸/)7 w eR4I DUzjTgl[u=~EO)3 Ae@uhۭ;h-q2p0pC^5Bv˒]Ng 8" qG`z}z#.G /weV:d9ݭSfB5BeSUc-ʥYf̎/wZAee^iDy\fbh8+k@jxiN/1 CmHg(&\+{"hQX%Z& NyFphYo QG|yo~V_?{O˾P,uw<7-`pbpC!1[v)2d )ڳ@mZW{^AƀBs@>Ef$d_ _֦O6T'RhÑdQ*m$.Oc0!)#{5*~F$ah!nBRiXw^]~a_Js*5hWdLASW 4"J:f-Q spᅹ$l#&+vIPAWފҨ!Q3[+ vw>[p8WFmo&`n+mۡTJ#liisEc~{ =n2alW-ygD07תhKO ?jBo=x`Ϛ"4io(Wq_*xؒ*ǤjU]##x4 A^EzۋM3^~g_0.Q9r-МW}QTy_'7>LP0?Ѥ?=21-L_ ;KFjP`V?vz^In} 4֠e# ށNM)wlZG^;9^ $08u 4 Ft~Z"<ѪZK'cLMya&QEb)\I4[-ZvU &c’Z3G@蒬/^DJ/>4ףy;ǣ@% YG?''eu,ƅYX.e5q^ee9eB2>ah^u"*ұt]{B:p RbfJg$:$@Y+ '*`,0+ [9{<؅0+V|-yvZ-M)Ƃ)39-*w؏z01@F:.Ǘ\Bsh25lCqZU=0oPl?Ս*1h$GHEw ZRzhbdѴkaE!oTFe7r tNs]wdrG,ѐILT"A5b wfW?2R>̥ۧy&}B4Kt2@M:29BxWTP*{&qT+RL흙'Z(j'Lwl@JX5g.ٱfJGE4&{oN.5rP]/օ=Blcwpq/eL&bDP6lL5d`VŒDv\GI@Zm'zxيcrJ9!ZM!F52أSI`816 so75ɣm!2]H!t귛w9+mXv[+-GrŻ+[%RlȶóTXʹMR% x{¡bVl[QPx/5ZtYW9 M2Kuq8Wh:'x^ \L 06\?M1euӖq:tcu)??ehF?m@wR35-L_s7pGWjTnU 4"n,IhD5ZX|_}^"f(#v+67BƏL>A+W)lSa@?-g"~S!8ep8L,ZWq PڡXzv)W?9gjdy6|:/,v0`:%!Wr? #jcioB2ߑϱcYb2 #G1Qz ?H?ySuoLU jÀmCm]6;x_B ҅P歓7w6.Acy۱R syBPvʇT*> u󍁾 8GRѝG)v\sY`w- tpMa NQb[XX_Wga;qvMy훐lH}aȚ3#{1Kog&1럗_PQ,ϗEm:( v?Jh+2Ori#.+ϋ?h9{ǣǥ~ioh#zg_^>{~^Ԟ"zyD+c- Ա&S Y(iv.($bWޯI..Гv[sG$Z Yl}`_+2+mfSUQ)"K\aIqjI NbG*cCDDП'b 5| ތ鄺J_7=%HBE{+h+3=O)r>}\R^mq/իfNTgŸ9+b((G'vcy1kKQ(fq)I~b+(@@ ܑ#x v3ZRYx 0 )@UZ髊`kߩE u"A*ew.c{XIʰ;s]B'DAAK/ѝ(b>{G]p¾j l>bn_ѳBViĿO` []5y2s:j>jaBk؎ l b t# -E&kfΤV]&^b<8@f ѮL3r'?KQ̃UU-YTu84{vY"`''(2gZ-g X \+"MXff^i˴ᅾ`[ZG̈́nLi~ồ@`|k1=2s+(fcm8z~jiG($L a?[]II9_{fxu[ʠfu%<& #jgq|4Fq,ȚewE1B=/2vQs3iQZH$sH^l)zQöww50dpYTlT19l5-Qޭ3:)O+b/_2͔\^e?ʯQ\VeF, g]T-Yȯ3@,$(N+= B!c\EUj!(8!vUl' nݡX+;&eB0>D⋫yG5EYutX]?H1+ndD@z}' ~@c } uW!9TuVcs?<\kܞBJ#3(jS/ (K׷iX1픘Rd+eVHnYQǃmpe%W=%b/mB$ceWQ$## P ~H|<$iy"rx 5aO0;${ -H4Lxsr^Ae;ϡisY^YэQܞ$o5<8 %4O0 WʀPyKVT\>aXQ,k@¸̲] O\ Í%@"[׷ĉō"dS9-Hco&㮥k4et߬k 56>n^$s?y ";b͙;-f3|lF_ i耡I2 YJq5"qI1a3R -،$('ccԜdM"o. )a.,EnZwk0@UJa8}^ɛ۝n3:J TZ Ϧ`!w:ZNgla?hhӛ6 iʅԼy73•axɚ=]&<ԝn[IԻ' Y|G 宷"na/ \'h{?ԴSL`{ɃbpT@)V#Te >r:\Bnv!N 7A7E >8${8x磛EUG(+^L<,pc:G>~9u\6v cz [j{㸧8nrn(5}惴 9q5i-VōȢph]AeM7}RZ^5F},-Y2RLe92f]#C ^ѽ&Cu;/=l`k?^I^n'93u;~ Ϛ9qDg]mݼ~>YmϵL5%lvN<c.@yCI`6y}.\C[ >ƻ =}x}^\3ʢ!m.[L=f" (I.\4@4V'Td2|gGM}=tG˟Uڦ $g6 l#x J,ISкZ„&(VhQ!MˆګReBL׏քëy#^[ 懷CJs%!&n]9Y 51*^-y#ܧ5Fdg{7ltU$ŕ0nMlVu_PȔ,@c⦱<(,Ę-HMwDtנQz#c$ oa@o~TqjH w-vH! T5G.W MxαԏAZ]p9J|kOg`?NJoAMNCw"w ;cD#g0!f-(~u%ev" `2+ȗXM/7[eΈNhP%E,=NF4HqIc%=[Pv\Ʌq Z7;zN(ۉX&iuo 7 &kp-Rp[{J? Ȋྠ%5x8wy=]swn X}牻2>&ӔI+Ga+f|G/X2thIxVfL`z0z.)U!Qg*Ɛl's_O(^;)S$eKO.UPǗ^AơJc- _1 F¢Gx1gs-R_WAmH'rbSq͌My(C#n5"*l6VztZ /O!N%or\HI訐X>:;`n8rk$PFqQwh;'c%:|Mĕ #'_5ˋ6|;w!/;XI\ٔ")z..6X{iTZXdKN3>t d},4Z«y7b * 9dY+0;~kIY;B1c랪5<4"%zS .WMjۍDSb jFSJ!b#u|iC>AC=h6ҫDw`@y@Vۛ4c n:8_Wxԣѭfj;I+J-6 xq.Q[!r y肠!p;E^@hCBD)b$0zc|`4+4)3\6 Q 0IX-6-_p1e 0^눑Í*J W*17^.뀸T2E Po~ sg- bz'Z=\ɶx-/@ʺNGF 8dUT0f S+!t]ZAN9NXvPKg'q+<6nMiآ{a^uB 11g EI>6A9G C d&`RQq.Vכ3B[\(q,G)9`C;[bU] 0_%ҋHD_lY.F">QvV1 v Ѿh\ qԊ] B6#MS"6Lζϙ7OW`{[LD]èCR9IoVpS1󬞈p>rI!&Rʄno iwb!'toFz ˯v^*e8NĖyJ݆870XK.V~|+A4ᄉIEh_zyt$;#ϐ أ_+kO0l(iyOB&#PMwgLxscqlRQELނWWn30$` V.s9U-Zdjmo >)":7^Di~vž3[!8}1Djwd.C,ߜ%_cXT2KF+.N` śt@ [΃sӇpn@oHvBl4+Xr&p㤹bwޞ Blԡ6% Ff!Bҧp/V#M WvP)M:|$ni(p| LTeX^FzV3U)nMm:@S4wx[w evU3<"i޾[6q~OdĮơqwx}l# V̴&Q2M,!''j|nj,&O JX. 0,Rz68x;/z#Р]Vh) F>t~@0+;kMqtNmኲ7 S7E[S1hzQ#\?lBbM}Z {c38MkCg'7.eORwE{'-c HI#AywDe jVN}?Vl'()Tt3v{̄2%F?cQwE12'ClT@Ke_3vޕk4K/Fi`P$J*w&(i1sX@YIKһ |*&h>EWeljcQ8; MZe%- ڍI 6 V iK=̐LwdB-9R҃{!Dv~b93K{Y kSi9J3]󦠮N74.uBa%AU+;ǡ>}{ABi`]4@ `?D"$tvߣxo roH}ÝJ`պ"8M"} $%Sg [[)ThMN;dEfV-vIC|CdҒ%6(+TۖՑ)Lw&8EW9\z|п`>_K_Lo"&n[VB\zcyuqd14.vK ٍiƗC"u'ޑџν(@fw$-8dLqÆfh+IJR T&k mhFNbem>+Ѵrodum -xX/iw3:%1o\]pѲ]?_Hu A3#dfVg;X1{kz-3Aj—@LIh|)'F1FEA!ҩVbJ ]! ǁ&٧xiLmO!j>[vJ% S}d2NMXU@XU!p0贺:VɃL{Efpkt*K7*a{WLj'ZR,ΜX">غ|6zԺǜ8dQ]/9jPr\\Ee.z) v @;fFJ +ٺ7$I<j'g~;XsdG)k1䙨mnFP磠];~7qG{ӤBST$eqa 3ߺmeW {B }Z+8ГȨ ;K+.p:<ბ8qhQc谬o)  }FCpyGx _s)wh*0#t7H [к2ТM=MQy.2DUdB)%:!l4C"q?np/sTF~~HD-\$s)ׄwO4{@K=?D*vgQH(-@pi^Pz$ rJ8&#Q(bؕK[hAӚmW)T9V9N0 g"*GewJl9ǜ9)K%].1l7>ѐׯDU$,\<@b 7+AjnsڤlL)(K?YJ$1[jc $HleLzMPU~ gh 폆7(b\}8y ȡIɺEב,ؗc@uh{$ 2ځYjpJ*8GP0 DZp q(̣lQ^@LB Y~Q)*EBf]cKw2@ۜ'6wDc<(fxn]r^K`yf6ar K\k;;17nT#CґH)s}cLcfwP`7*cIUׄwv"{tV03Beҫ@˫=Z2ww&9a;u4s4SDoiIt3_RZsO(@ *Բb<\UYxn {zX4l;*ͳX6U8n=HջԠRrXlbZEɵW tC,6o7"Dxue-6rIu<ץhnڀTM~71ŕ1X.!)Y KisŃ8oj>UB{ A[O*8&:,DDޖ} lGCFUm\pWRxHv`Sc2N8+ɳ0NtxNˠ74A3WC_Irz&zzfe轥4 |%*83Mv G"0]q<cѯ9m1]fHU\XDd!PᡜZM- #sjh3nT [ڔ K / SrAk[)w8>],~99ryws(ŝIIߜ x?f-S h)wƃpd L;+[jx0 / |4 as5ӑe ?7Hy2J2BT]+b))NJIaklD<uX24u[v:* fTxN:Xhq p5:c%oqWT3b2CY/|]RS$STy"Yh9n!⪔F2ȮUEnĆdɳ9``Mf2}8 T!](HhkGTN舛*yd -"Wg\$n)ƒMՅqf=j t3W?~8}c늼%XkԲ8\_>A$HDc,FkQ?Dp!yڲ㫼.p"p# ԸWϏţ ]oL~1f&]S KFkG3 =*B6:kmm3pdO` W^MSc"ro~ ǯ vBp/#+U3XP4Lٍ 5~',wb@/)a?gZ_Jz]"` "x2ZG)M8J%zJqU4 :k?305!1Rn:.JP~~jbMѽ*c5^EqOu@W9hM -6s|" R1|*xyKHva4 %ZgPA6 n`Z?Ja[ɯ~m'"/$7~@&W< οLblԭARR(zu -ԱȀLÜhG~ x0@t"w /BR*u}<v/z@lL%*P\`MHzr;{'3ߋ6r{˜izv"M-6Qay#z@!p+LG7??04M݆惝}z| 'IhUT,XDiT%_{Q;q+DZ#fgXCه2ϘtRּ!b4zLo-\ heX?eEj\(G'RDjUH*+CtI^7f9ܢB~΢Îk֖{?ЌTلlφfhBWxS?OJ77?ܚ6ݑ1?d[k^s6gomJö0D+յ%\I&bcvt_2oұd?ɅM|Z_G3}ҠtQBgZ}ПQ]*<[oAWZW ̮׍{6pAnEъǬCne|vz<{p X%xa3Y2⥜$>>L,T 65}1K DF2"h%;jآ8Aƪi7Lghk|C|4 Ts-R[NKh m `] iA^鸂P=AYӑٜIw}LWujay`ӗŝ-FܭB##5h A¶x]~被v۳Uϼ" ؍)V'fRO,zXO8VuŃ[$|ރ)Ӭv瘘{IZ09_c܀YT ]ЈLVVu~/8 <єwn+WMVug}PZ:/ˌ~#(y:r-;rD*7 +(ͼٜ|EsyQImO>t@Jc`~a1ɮק!6R3# * ;݁ cXʟ$^) *p!̓ZR:@-nN!c0`sc!R^BD~32+[yYh1m'e'|J'}P]|+L⵨%1PqlD*YHsy+С~Ћ% i̿UhF!QG¨3؈(OpX\l:K*'/A's{!ͯWVKn)['#ߧt4Ӹcu.Nb*O$}/GF4ݷ>e\bK*%_׬[a؟ZE~Z@ƖQFw݈$bIrƾΠHq{Nfwٻbgf[eĕiJ1m@Y5OdTdv7 3QL0 $pO IzjՠYP4]?u|m*l_ˤQL(@1o-6IO}ujUqm}˜a$q5!|tL,#G2X2YaG*Y{X$0h׍g7RY7Ż Se N,4y9s\RF_O{:Sʼn}Me02Obooͨk4` uVJk PwٛX>utˉ3tg}%:Er g'KsyLК!uJ9=ڶlk54;^'A,Ӄ )a£q2D\ Ck[8/Hƶ,4AQ{<=T\'K7ςecpj6@k,wg=n#:1]S3H7*1)Ux\~'E`CFz^/Sg&vg/R3$ s8$2%C)8azUL7E-K(ݜKdp?^z_ۢm92zwUs_}!kNqhF-c<mQG!*=]% PxJT 5Pե m> hb& ODoUxavy{΀OGKd-$\F)v;&>o]ţc+c4zRQ}MaOCD g,J`/33 6-|x ؿو[/joW2K~plqi@h )--TahIUmc*4%lT[po> ZL'pϔ)iHjMIk(> vS!?~CV(FY]T}\VGO6'n0CPzArBd5&L7Xdx9_2q+}B !oj\gsccK^ TPV\w}m7U|j9@!CrCs Ufb>o'a`]1C-w/:j%.BMLu3dŧhORLjg*lttC]X-vmƉ:rzyFzm5 T_h f@őiA]$fjRk^{NÄH1Mw!Þ >ř>i#D@qWpcCCdb+)-_N"i!Y=TŝcV6z#!5IAsx(eۚuFlcQ"d2~cvvJw 寰cQOr4|v jƿSA?z4u=nZ84erBF*o?<>q!wu >eGsj jWi"˙հ/Q0sz#uu]! Y1Q *h*lE z`6!~Xг+Lh83^= Y?ǀz.&1bVxŗcʼ" <|q)@k`211IƼoS΢ je Uާ[^wi *]Fj8MlTD蚯r' =|5d7wa}nkXil YITdh`uBMVFT|d(F .X دjQH:WKґ5,< Cl"spMqלGk{o ȓoK&`y0F4sT+h^S к=o39 k,B}1uO'ML8:[ml5UsMTPfDGZJ6xtAOi[a/=JDGϊ]ٷvu/<5o?Ox"?'C;`ޠa>S{4 - ^YOG9L-IlX3Byvr b苾5|R+bW*?{zk6\J#"#F5rpDYD2 *vI%4ް_\8\>ԍ2~w6;LsяMy<)N9d@@{§\9 GqB~5ey2R=;\$_9/zM$n Zdt 2swY䜕u !4s+š,>/ci 'C~>|jeh@X+s,+~@reJY_}(4/hz=&Xiquo^oMڳjG7uMcS Yd׼a;5Q2[HƸMI)8b1ȨL@^Dsot#&Br򰞱ChCiQ *)| ite-C?TKހ`k2p2/_|wɋT)Bl4jnZ\^Mckw$e=DxE8hy'Y`q;<5ײZצD`y*D, 7~+RR3KHpxI9n47˵αjGav63NVi6sg/hg]mǿ5 !W \R^B)L ZwOߠCGצh. rؚf*zjmW+ٕ[ ež[qΡH"OٰkFPJ}[ 3 !}?Kqr6s ;""ݷ;3AOu2NR }㨪^uhq~H1v Jg qu@֯li}LY4!!Pv|-q牔vq 4S(:Ƒf!efbCa-='9gs5?*}ln~D 3~`c:MIÃ5BrfW(Bvgi┗ ֘Uuր"UqJ[/}u C05WכFgwϠ@UpA2Lҵ.5&]bcEQo@iZu2Xו&)RYڲfThzN*; ͨ!]4z7tPÊ]5 5ć৛+z"EJ]Fk֩%qP?<##Bvީ`_Ǒery@1qPjsO9KVD zSx6q5fʤI@h3m> P9^mC;t솊`{q _?Q+S ڸ7Ma-sv\q4wcJgs[p+aQLv0h<1hձ: Ro`g{nb \*E@(rIc%]g@g4Wh]P>j#F.U$?Nͫ8%+9"E.6W¤ *"w<+ýӅ#"N m߇}?8 2dYf.b4ym\ O!:!6:M"ϥhu%D)/V^g^ibߜPwGf NZWe5p9`g؏g5f z-Wgs_*~ ̨Su T2 ( D:Ş `*b )]ҏ%vqqsIT< S Y 2ZppzpH98૤B(<"0J6TO_a[ciKXWz <9ws>܏K3!w$ܲhhdV&|X˃+O:5uʈ(8M?-@chqDFρwA@&I~k76s%ÅA99GN mNՆ2篑-߶}sw< nhy6~.nhJHEHpoOp-6H]~$WNG`gy23#1e=]8\Vmւu%Vit :N/\SF<@BcS٨!ELHHTJfcd$ w^[3a]F" |Ԩ@JVz1 ~ͺnW4y ?'SLqnBH'(Q4ca@` %M8_Ìy&Y p .4o kZh|֊$d2!&tls-li|`!B?->"4g 0E,ip(aqzide?C'Ш蘊P@2yKju.[v"uGFCa,^Hٮnގ(=$ɟD1g |YM$mi'XN)(o;/"^>%F0ӴܔAȈ|P0xE<;y;֡2@_R~9\;Oth-ٵr}N W s0!xq| ?Hmu-KUd^Llڏ Kf|F<D+lN(8wr˱lٽc?@X=0eB, CKBw.}v8G0=pByftJw51TTxfu\I.0I-・|'j'r@ӹg3jy_WOd2%"t=2N?Iug&24_ۖ ~k.lbUB{ 'O!ɡռׅ ]>VWyag|щtr"#X/;"LEQ0%,}Oh;)':{9i=1{{r-HP KHr:PǬ]ſ4u;<_$_69̛mOYsĊd? p*jJcweaӚIM }0'l@8/PN;j{E8d/!Z :IBb6y>jDP"[RkLI5ef Bl^Z>kF*x8ZJ.Y )xwxcwƊvxX>gdamF/xmާ+"MrF "$c\(47^knp<.8^+8/:mgxrRW]k_+ï5 gDᬯ`*Y{8b<3΀RS̓9tǕ*哐JVrCpx~AdB8]BYEf(`OdG`9cޅ< C 1BIx . -jzp 9^2֢q 6r(p6Uw[ryrT('V4UgOZxn5]p#e<#kb)I"| > #sYV|=%PaFN{۷tu!EltDɸ欓@e4lHoh>ͪ t9jLFK~:Xl4tGNYU(-]ݣVw:pA_jTuYM0[nB۶*~l=fziخZ}B0{V3+#*rI%BS}m-ތ2J(ɕ&o:N\m ~=*~'oo9NbӁ,z~BpmZ3 &Ӏns ;d_NIt;Iͧ|pԇIJ@=HzܳU IcL"-ZYԡA==@h r^$2|o`dr|,({6%}EUζ8 ~rϞӃt"օIv{O8d3THеrZz#0NJSbUO` 8+|!C}cAs6d0zLEٌ?6f0+4낳pV?h_, qd`/yTgA+6M*IǽX?W.T}ܼi&Zm;4Vd[Ғ' ^?VWAe,ei<zTWug&{U0ІS!Qj^I*N' v DP@}^7M $/=v3(|brݤRe7anaK_JuGvZlK74 $u[YY׭AeVⲲpPC k,uQrEiO[p"O]t߈ty]9W!vDDز\֜ܮ.8;㢄\mZBbLv_9"Ȫw-yY;BJY|a'6Y mЧ씣$,.%n"̣IQX҉`SXw`hbn)lEqacDG%^Y,tc/o )!Otcgw'J]cXK/"msԡAX=I +1(Ы KIK?Vmr8Q0W1xbsE|.;j?v͟tB1clS4Tlxy*gVI9u')4F3;̴ղs?ԋFhWB|r QLg_"o~Դ҈ʶ~rܕ΋TO:li~n>a x ln 2DJJ%E~wf%vJkS=8:meeqAƓ񟂘\6:Po}%O|^aP9i~"bťkbfuCȩK.`""93[(e ]:S͕"P^qrX̓'֖!Yc/x\4jDP)pMwkhIm#fʌàx-) m8O!xUFwUyx!k9& W@j7=bL&BXkfOWުΣŜ͝\Y[BiK_2PȪ*\\{grG炔3.p+aYB8|yyD`A$?҆*?Y ]W:c=V[j[1%vV^Wa8G!9*.x?bJ?7\2ywc| rr\4N^HRZ;Ov<'UJ9uCcF;CqҊ&&(?:QVG}Kޖ7׉FJϠ'W$&Ǘ9ע5oBx(j:ʹE%& t<㛆?͵:(H WT2PM/AP^x)dz~柘0yP|T`q?xР::~dFاmW3с/cTV P=ߎt6MՇ$krl-6Z@uH$(:T ~9O5H*j1HfXt$;?fa?OXO<XʆY */\f}N4KqQ|-` -*I}vffg YZf#m~&FԷ%'v|X5+u52nh8i!/ S>_8i!O~">3އDW5c.M$e~ףG?^72$$DF.oOv4XG, SÓ NsG)4f+X7sּ6$'CȺ>{g"Bqc5lB7O?fWG\@iFS L16&Ǜ$OV,nLCԐfeDraw6Nr55R9'>kSW/;. ZNs7U&f>fk*GX(w' J+XSI!3tk*-#MSk[rƾE㛻e*ܡkxW%͗c lJSN#L#b1 Ҭ.j9'"y`y;!-!s_K4:F1hk9E 0:Q~ɣ.Νa[ IP14}KFgݰ< /(,wV9gLuمAIG[0〢332qӨ +6hĐ`K*vS ͅz}T[͞ ,\6OAȂ[gP|-HImy+uhO4X GK)/+gߘa-u:bY0۷YEq!tGfgWI36eY/Hi蠖9|YUnQ2~@Rqaʣ] Z8fqۇHgIoF!`)S,3uG9T i =nMm^7;^]ڪ goλDϛD1,TV 9B? Bmi^Bs EYwFPEJ"*r6 UlQF&lc mK/=lw.K_(JT{ك"Kiw,A}ehQjk%z}JniO*vmUBkE[KF%`Y/8Vq{dR*l_S9g s$6(zyȒQ)0#Z~ZJ?L}t( 7i܊QB#%ۂWS6%j&'!TN{Tqzך%lh>#X0D?&>{~* x-|KH'9laᒭG)KrO8U\Ht+o(Ȧ4*D[!6uEnL y"[<ۊS( O:'bg┱hv'_߃ @>vO; Z]%D02,⇄VH& P/&'ˈ7Al6ӰYaRȀlUSb"], k~ bO~J'פ^ulc_Tmk_ēچ ä_I@FHo-:ab0RUÈq. 4UuW4|Z@,$KLH1mn#.U伧)~EkpK EI]v)/Ȋ|Щ 4"IOQu㓿ȋs,LPt{ä^|ԗQz?94OsP WW˿>4A!FST~U^^̢뗚8+w ful[aa=ebNYϿуF΂7L(څQ,}Fb> ZGGͯ iJJʄ[9$1\.H| ī ;pֺc8ơ U @gH|é?Ggb-)\-,v60EOK5\FgZm\Gí?Wp7/HV|IDy@ȡb2(rS2Kvs;@ܬ8EdmCƧWSW;QcGF&lu8͋Խ;tUMkǯ=4珸r3 9 G̙EQa  (ʡ̹$._/ @;T[w/7#N)̥GN@+Ej)'buHc>{Ѯub(]u}O/:-b% :BQa UȲaęFLsLu 3Ɲ٫@^+e]cUFb&\ĉ-|Ƴץk4\*dŚczBQS^7*N rC%(a"rpԠU/VBUݐy^΄0D]L1*2GRJQq|aΪaWTsmE#5;, S 1[mÃz1\.LT'&bA:4qƱ,wͩGJuO.Y*:%*Ԟ^lOʉuTGwe8 JoܞjnXIDVCe&xSywt.i3 Ɥ5=nIR5;7Y, ʸG#u#c o6£TD{2$QP7βD浪'#ڲ4 j$B`h.ӹ[F%PG٥: Nu nG7X/u!yd:KZ . T?s1?I[I'H|zo<Zr>]аúOt5Va`('|HE/mE#JOxr GN}}m:@'V:(TuT ⬕ 5s7J]Bn5`JZ!kW\Ov'GLt3. QS rOzDf25TR3U 7Y7uRU0KTSiAfDmJM"~r&gNJڂ]ZJp f/]v%D 9GR(%8pyɃ׈C1m&&iO󬗀qk (}לR 4Ptm6yڀ"LJi uto8 vշS=-MyոN:QZudp)R|Mw3AnG"77tisZYh 089[=Eb 6`vu *NDˢEL"A+ `QmYT{ŠVo#,,7 +'yQ?AbM> c**n~i^=$W<u L!*/>'WVgz!d*2:sKwbZH-N9Qg [Ms^Bq51*h>yE*σEH+MJ*L=RC39ڭu, L_!蚓a( 4Lt3)?0xik"9 7 w|H|8%;ݽ|cBOS/|<14)Wdfv֭'sJX)pS%7@4BL ڲhVNL4(&[o՗6T Տ0=v(pO̚6iyM' M;'Jyp[gNEҦ?#٤w:D]uF4vuqPTk)T{FV[3۽ln"HuX Z[><\׎7hy#ئ?J.PfJ#l"رIGJ>SgjkB( GO8Lpm[ލ^kcFfTWdpBD1\If"?QyևLbP$۶G>BEx[*v[yQCz1 5bܜzzd#?" IXoOP'v"x.Ҭ]9^EIGuAHHٕN%"a6=2hRB:c|eqo@K!IHwoVŕg{zs𕎵b`F]syEXgcN8Iƿw4a*bJrunib4r:qGXV}4t{!<'s#T4& Ig7- ,^nqNfPRS `ȳ ))V?c`-v@Ds'y;`Z:r+颷Ԝ( pRݫ 텭=." IZdr"M?mƵ? KM̤pgjuȽ"&nFazvO|cTSnM656ƕoX6KE?GSYC i>~" \;޳Gf;0SjN'LjdUzA8 êܭ6sċ< @qձM$0nM/{~Yl-`<@զ7IV@4840 =U_`oe~Z>Ah rVh&=_7 ۺBƂT-,^sp@wxEAxy?eZ9%4~tJI aPv\˹%2ūvtkG7{n(AчMRuW(9I#F}$v:)8].'Ĉ,e*#X\ ?F$y)uj憓+Ţ\pY֎QVDGy\ti4G"?K0cߖ'7}BۈShc_=֙`A_A!Q!-av|YMTrP*/fp] BEC: mEӀ1T-N@+`2կsG*e֡f neOGQKr;`&Ha-CY_G,h:IJKV)^m6Vd}bd$8(X>:$DI4"К~фL]^FB$48cutlvT3B~@kĵ^J5TsB_S~n\CB-^,(n<(kt/r!7%N_M"RyW7v%jSe,.Wyԫ?YfO])Sea@i /i?q?Б;j`F2T/iBJDs^n12;WAv70*r@oIL j F 2^!. e|ta'^#&r'{& SB(I!u=뤄>KĆј*3),25z~Xo@ ox0h +b-Ktt9gad|M qbciwFUpM_޻ZI &fLa)nKrQ$9˱i^.TeYVF ]-s~76xw a};RO@M{3%9M4PG:BٻB:`@"ד_.ޥnrpG3L/|Dv;uWZX&yOuMHUd[2ODFxb[! ζ_TKcy^+t[Vf#|hyLe&5'8Gkqu,ZtR1ӕ2?;+mqiRE\kkv+>q15̏.k6 Js^gl0CYVD5ھYn6>5U-T$R1'/cp7isŬT(9R!sNU|6)ɩ- NX6 CHXո4qn F@&FN?{ LnM4Y VWy&RxPCLb+`4~ m,w;1G]aop6 6=@kץfZRh#tv[UhW4n  =ׁU Gc ;#F@q/f$I;L'?' ~q*`Zbnf`LH<=8VJ෠6p\b5I:&Wo ?- l&j]EHR4.:дBu^E?KfMk(&ۣ\W@wOVw-S)n_k /ńW 6YaNxڗ=K0AnHP*a|@30 <\NV,uja[V(y$: ~;{%ٺ}g4ΘR-q3FGb銝L y==I&z>dPC޻T+zfȖQޞ%ifb &y[S9lK#s+.{"̑"c𳊝kf >B ]؃)66 q*BQp)DxQcE7UV7siq%a 4w-_3 3U/wQ0}z^/0em|t?_XE=9~:UJ hWIAI:\f\ס'ιb ) u~Q1h_E*{.F1P*Qyhssz!zB]ܦ{ZgW'ܲ?(ʔh, X;BԽ_KbK;|Mo)Ko_jMbO o}G-ΞrEDmH3l yo_yPeթ{#,*q7"Ā [@JS;NL&mjz.kg e2ԋk'tAS^,\.HPdI٪9Kku-{*ڼgVڦ#T^.]?) x#mzE|wwpQjV9g'Z3gJ`\U>},YIC _-)]^EMHB^%h9[Sd'7?$d|C[v7N}ٟĿNέ@,OV_vI e^-^| 5m.*2;6@8ˑ 5mJ}3Ҿ&V m,|}m:QA4l,ԇFx{n@=t, 8J >ivl{6$% z{]B?& yM(\ʨvTdbН]V,^t"3 plCR;c(6E5Wc>Y^_ \wwKZ ū<.c2H=շ{pu?xDCrOLh ~fu1(d9q{'"y2Ѽ =ĸ(A|meZ"m";O4 Ds @{o)F3܄Q;89QF0 ,D8w 0l+=_%e؊G%nl)}?9t|:re; Lq@8T6gllcVtC]tQ [ru=d8/0zn{Gݢ82Mo9ݺ^ͯuI70 @0?Pcϡ.}X`E"Ti:5;^=exEM=8$y ^#9G!06Ԓ}|\n1"d IWl t-QZг6" Uj8CM9<[C Nk]§jv+0Lt0.|BciUu8@ B{Sx$Of@ڴHNe;*ػ6h8[.rğD8]&|P*Bt0k>_IGq w/r5N\\Q\q鿯G3{]([:15'dAWXFrpH)j.ic|hL\$]}G#H`yWI< 8j=, r# gѭ0"ʒ]0&S=kq)?I.f)Rˏ.9Dgؕdlո3U^z.6gh処YE >ѡg]W5(WϞ JOoTr`[#i?uZU }d2*kصt Axv:r N)9k )muƘFډިzY;" OtF DZyu5Vu?{VKD)%3b5"I뒄21؋RTZFDjqoj̵#Wi^k1WB\(BXMq]mYr:n$d6=ąRm6r[u^l.!ᙢN9ϥ!t}nKGկC`T\%m\`T6'Q08= "8 $ lZrS(-̌+S-A>;Z6L"|({j9}T2J?H-nJL׵OAnYBȾ+@n;TֽkP W7lkڙ45{ weRaEODZD,B6:ӱF*y_GeD*Zp;3VzIs"YYsI4 MO1YuD ٣U-2pC ).uHIgnیNW+Vf3nKn[1\sb9 )~~Q=Չfs_X ,#)IV`)'~92k 1>2tXx:u*+4{p)ՈcQWmsgpyZoհaq<ښ#B-v@Z-^xFʇ=m7A@,MPB3 h$X cipd5@%.L;Mǿ?E 3 psJRUjT#*2~);S`5) 4Mᒗj<V/h,t}&G %>qHп>"[NIN:ǰr^Btu{7)|x,1]K,Koh5s!ӗ$f1f2tW»3P>  U829dt~NvMb UP|VvLEǧfT=5ܴ6&05k8վf6/w%%"7F#gY.JmO*6@*|> :Zu1Ԕf53f!)DfJ0/%!uWćkBlUCX=CE->+_Ip7 12 Ҏ Wh>zR2@[K=Q]Db0)$|*]QE)D8ɕCP=qn?s3L!zy>q@< `2m7+8maI}wfٴӔvXm)=}bPUg6_}GaPYeP+R004-C_ɘ@d%r4vt>Pl[opˠ*[Cf,os(O$,ޮ8brf<#wORB3ݧ ; ~:;ót~fQd[o?m E$_JE`i)=0gb^R..^hpT$<0Y[ Z/or=!t1"~ԮX"®W5MPmht.6He1[|\Cj1 Dɷk.C~@5nSL# bнį4)KFcF;Ѯ)= H( q?bIQhEhֿ?ơ< П! b  z5 \|n&aYn 6w  M64ii]bC̞i#rq(74ǕKI<&MOZʬ*L&bs![e#), K: {Kp*6FA P5SUriAao4_5LXdݎgRI(sB<6XQS+ 0/Dһ۵1m2׎b6&?+δT=j@0 !F&㥼Jvk%Y类gH'ЙǡV\{/hdotF50h~]-;khMKy@lah|GYcŝWɎڍo^aya L%FpuQ`-C*^#V\OF"KSIeO)Ɛ_gG!da_78"Iifx)n\+[r;Ţh^Tr1xXV<9F⹻XLk("=es4ZU̝c\jc?Se,WZa<̖ɄpYj;9DW; Vy CA)s2cNN0*z Sڗΐ`$|~_/!ڠLc%~{CTL'('vF2ϧp'S3JLB?!ljaIruA s?p(}t&NwhB) %3JGQ[ַJ!.чz,7㖐\4"d#㋱>Öm-V~aE|5#E.2/-wǬnMV&>R@܂noJh`sRԄIXu9bT$ F0<|ryJe ·⋵z.To _qɇ &ܦ ^Xcɩ^]ЌXm$Q4HiL'bMem RaxڪإM`\r'\ZI1VX4La)Fd{ oIk ǂTd@. ӸxL#C66V1jMfl)BORj*_0wґ"K&r"MJ𻚴%z`fb%e~Ԅo6MEbf~r0L_ ʱN@35~7'TDC$d}eirQ,<65&F @NѣbY YgOc/Fa ,ZؒݒK(S:f;&y> Bn ʖ4EoMq* Rpz$|s?fJ$(P>vg<дTꃚ߁ ޟNsz%>+qa4TrcQSIPe}0y`ƙcgna'-Xw\Ժٹ8MlVK,v}`~ ^Z@BD||nE+j佞λVcIk64mA̹BujOk#sYu-!Iq4\q4iMa6D^J۴(g&Ԥ ʟ9^1_$zgg)9q_](UR(+nt,e_/;k:hR7Ld';lX)ݗF]8y^)l9]V<0ҿC7[0uD׿ 7{ڐVU=iuvTG&˳m6#%zR9@~QV`AVd8y =cZ3ʻET͗q5 >Lc$o59S+ ioqx sXVYI^݃ckYTNlB,˳'iH|19v?,p8$K&ָ*p엉M #X-n~>0Yp7$G4KF`GD+GZXo"%3% (|dtO9BB`DHE@18X[HsUc4>ۅf:zR4Xa#?l1x.-bn dhdµr+$BIoZTW0v L;mBOHnNRY$ gp]#Fq((BDoʮΞ *)+,i1&ଛ^!߂0"߸|g>7i(rr(:#*.՞dDNJG}W[LdiM Fл}$ڀnϯH 9iQc28e K 7w%P(mpiES*!*(d&EF2kim΄~pQV kY!b-c&(Ш.ozhc p+;05ܱu,‹^q&Cm9 M9*ݎ]miG?wt1e8 uǨެKP.V?_Z &v/XC5De'WV)2TZpۙrC# mkdX1JO2IZ|%F2+8#TL0}rz|ͧ7b%4LrOo%zE2?`Ծ-货|/yCmhllzA76> \hͶwKr .FTfV$p}jLZG5TN]_߯U @؅ $Mo[skkwXR^*?ÊBH\!|]'S6F&ށf/B Th'ɕԗU>9H>jBPtE=p|b{(R `Tr<ىBoi&X>F N8s o5]S _ԐEg3ž52*:.z-7u,S)}h7*֝=Sw;snBzXI%~z>'|&AkN2o3<=^R3">gO/C~}I~I6 㳈ѰmHˆ'(Ge9OI3*PƘ ҆&C?M}@-ii 0SVpG!hd+E雈cJ;U Y&QQڭR"S 4%MD\f9WKCD'v|Hwap%8a{WACK84Y'[KmPGXPvBTuS=\;$u♚%W>񑍠Rգ+8;aOLr V'ɸi2dZRH@Y,6jQɽڑ0J,2e m0| W FJպ*cPkP 34RoRr "VO=N)!ދr} &ds YP$ۯQDOGWHjY'~J餬IV9DGl< c:ßk&4l& CQ>H[т^=0.$.Uf-h7&Mȭo+֨cIq+g\oa I5ˀG!b=Mu/yyo"l31Np߻3reQ)L؄.N+~~S0 fkÕKeWZ_&D0~PA~yͺz%k0,z}Yz5x¡ ˁ=:}j8?FC_`C_ArCvPS ~uxV[.~:"Gt-2V?1P e:L@Nao޴ mTa ?M(P*7IأVUV/3lk<2 ơ٥M2)#?4Hw~c?F*"nॄ"Y *0BS™)\Ϝ9_;%n3oGkv2'ܧ.Q_zg aǏ7c֏ g,(f?D8A~d  8}Xr:["i&:]mr.V")/>)~hIWX0'K_f^`Y`"^5#\Saܳ@s heC^@]Bٺ'QUJ Oge;M2=>Lɐm˦ \YwtvI+]@UCwEQFAvh@jN0_>}uBa^% 'Uy5uk0x`DO`!ۻ[U:2FoՆ6{s&%]JӆK_mF5! nGyg$^dUć"+$4XZ1|"=?K'?%Wjz |@>~ET65밪T>9SCŶ>/)[^Y!Aݪ=V^nGM&[LIzIXwkAf<4bӍjTNA= X nx7dQ`rϚfCVY.'1a EmrnPem !JyQɌgH."3 ;hkl9"Z=V~[QHA8> %VAGF8&Įfy5ݻbaYV[i>}8 '=Omֺٗ%ICvtT5!7*݌Adu Õ͗SKmȍLM2VrDەYtMXoVr " VsՆ(\2`jϚiJz/22~3$]žPGdfc2|Š]z,N &!DŠZ:AK& gzB5^.REsU&o^uK[gϩއڲaZl˧h@?eEõE,iJZT^M},vBՅ Γal;۶G73Q*,5\ 5/ ݂k(u vWJ`/i^fg9n>m\y=h]V$70nw2rNRs>g yƉYZSFY#rn5S=m71RWʯ,.7p0R߷u< %rK{pDž(zJbc_qU lPƝ -|NB-C(.&JvDEGn_֦_|$hWu\9uר,:!t!gö2P$^kYRQ} ݄*wnEMq25Ul="R(n}C] h|N呃u5 6W R✗.j}sY@ڷCvѾpio;k<ZLI2ȐbP;k[Gei!u d_ i )W)v6t3 [G ^`Hŝ̨ Y R\k:'@'XBa_7ۗGp]EHm!ilzRa1ڡ!VI^l>Y-ԛ1m8,1>KԊrd];="QgXfpgžu3TMZIO:N EDWDsy(xKKeYנVvdlbՁi9 >¿uн~ q%¢xM4#a9Vڗ}>Akvk^La TEAb d,xg3BgއfB$:A? na∢gKB:X$ }4F\ɦq~;lR Wɞ@1SԻzM `ʛ(#:E&ſj7V}wkk+;ێwWыHCk]"z24NlEIsܠKΐlڈt4"][,F`vAG$hAo^*) VU0VeQÈU~79|>]U"QOj4fү<k7UFB2 >QE;=%{L\YiR"i?rGKrrg|=cokU).Ч1wiB-pu yx_odM.N(V%#1~+߭krHl*A1V7SVh?:_^|pypYCaT݂}oMaLo!^ a?ƣ$pt*n ;Y+hhr,lPͫ2zhS^,7XHsBCN٬/ns5M(̗!' AYN*p ^ŪAD0cKTrO#B? q9}ůy]gj>6>&#t|L+Q/A9i9A;SV})dm,rN3JWfR5i>i0ɼkÁK!iwNE!Kw\c!cfS-[#zTZgkQٍ%WAPI]a 3ۅ IH6$2%*1B>l1|c`ι 7$vzFRfiAч4R2G ?i^uח-3G7"qM'|\XţGc-6J0^$92EkPp P4WJ5aؒ*T0NEPuO*REVՠ%?Vu?C^"&߄~xU~ <jH\yƻi RG/&Xui1 Eo[D (uQDP""mߩnEEz0[6ǿ^Q[% n`qVC h"dCSQ4+#CP뜺5Ja:zF  Wߗm**d$wx%>{K׎'!ch;ҴlxR\^IRxghHD"<'ZyN(F  TE =$i:ZA,}%;#T  l#~W|D/m0< 5T"<(Y[TDp>9M w:{g"bz QLSc9%,3mw[ A)l|o\k 4C`!jS8MdHs:SuLV!UC.@a252J~jGb>p~Mkph]V8zǒ20&jA !z}ɌrVxE6a4T_ckw@Ab{fwOý{dn8*kh0 gƗ:fGm ~N)1ߢ^/kI8uOb׹&D.6"$³3󡝎 `4=+`rskjN7q;b0ͽ]D[x 92=} zSxqy3yY~.IC ئbuŠeiCI^CބF֒V}.uDit-b1t)0fcu"?;~n`vP6؅SҸ>$4CF2oh#a,֕|ޅv0 j鿹%\` n#|?mZ\eV$' eUL.P8q˓Qi<噥2%Ҏu7c=UmlL]1!Ar*ISHUnO؅8 [ՈHD\*2'gR+ @ߣ& =IZț1(!BhuPmlD u^/t(Ľ^#&;tz{ꨋ2)_=VIy޻љ?3Mw׳ YGrT'55]*)!^;>@l"WQE4_GE WLy񜱢ceY(Ŏ'hfmGIC1NW[萻JJZHYD 0yD? ~U YS,\Fp?(;׎߶1/p(zxgQ9d=[/*P2&+Rd 7M<TCYxu.b1'<~]Y~!5X_ۛ^UǀrPiMF{T4v=dm;!~PqrA )\>'!fbzebWC?dmr5''VMKݟChwGk!%@ ـ5-p c(vX#B\E 4=F>pRaQ'^`@:چXHq̴waO{X*L*&~Be>o2faP0pbqʽr[.֍9_{\Э2pTW^?#$+r㰎*i@^|Œ)(uH#"=5 ILvMDZ&Jy3~cI.e_}W8GDg×_ /dz󙀒 -9PO1Ivـӻ?EVS,DrY=jb*+brbJi@Sټ=߅ZtLvF>]@XO5lV L$|.Qx`F!0,~.*Jz5)` ܊'7l&=(ƿbjU%ib7`.wR }Y˩((ۤ@_Oܭbffy_Jn8CphŢ8M=#-2^p *3K$LK,j@4-"=EXiQ.c3Sn(>Zpyt&9 O ]2uSb DەC zV_pm"#fKߪ >9 :d !/~5{ѷwĿ~vug`XtӨFkw!Ioz3ġLнVmfzӂ/*.Ր bK)EF.4`UZ̪N֋.G[`S'1xhDM֙=yCLѼH|N)c N 9kerŭOc ܭZ!bg~' 63h[4AW9 mhjnEi’9Bvxm3Z9.4 R`Lk>)Lǧ}1'Dώm|˗ ب1M)O߶s,Eܟ}$xOk&^ &Kv’Fat&OrHUx>vu})U_C{S[$f~ޥ~e9!R}HweeY,.vMX6fjf$3HJL͝#AC >7F){Os$+qwI?fs3^3li,^xHֶf[Gk[%EO 3$u]떼^ƣio\U*J -tP^7laUi &qf~n̹>" E>dlx ,Z1`*$EO*ci;pQ1K Od?HK L8ϭuCߟ vzPȫ4 kE l'{hgWH`>CVdH]/eSt2eY1A 8lXG,NOjH qCH%^)ZX^YQu^HG=۳ߜB(A$0%;n:Υ}<}TWܕgdOSmAs4;a$?Ǭ='f{]Hy:D0g̔g L-MO%ĝ>JeZx]ciDƓ]&aCkK5Pp,UV3d X6_s`Ȗ5 .V]=zq):'$C1O,%IH7}%FE֥T$+.VS !SJp}t>CbD7/O&RiG }=m/&K`L ͏`)ԍ If.bh?`kXB8jab0wnl$T7*ێ*i]CC a[]H J"J\HchXX,a 2 yBZϯO{ˈ+K͠f6 M غ|$K`ʹT%>;qC `[3ruI1N lʶMX,: dkQf62Ϝ3D:q.8Sq)?fCB8_ށ$i:dhn :װ|Ƞ΀AtX U냤Җ^_|O>y~*Dl.?"hTΨWμ#{x_e~NmLgu*<+L`olh+ViTM6 d&1$ן1/# 6&2ECBk B3!7JLJg*f D ֶd̏ 跏W逍ig"E " ;}Dg`,60!|j,\Y`p[8BIM60F!roUy#t AZ_ YbOxEQ[VodIOAn qIES?d5•047l܂$u2 661h:"PũSF#nbk/$~=:e>?NB_i UK9Jmz?H?2`Y`9;w$6<܉Aw9p @]U{qDŽĕxH;w;sXV7X_54B_8.KTƦ3R*턳:U5Ob]R?f9ewx3MX7SIĐ2lKђeL_o]wH?Q8-/Bԝ[! tj\:rRBt{<^f]#Cjy:y X7|%ݺys X3/~=F@qZE~('H)D#Cjom1kJazE"&\s Z{mݡ+ /!J4˾n^ȉ`ɞU/jS$AB଒#d)ZrW3uphXvJx <4Mɾ'\(tmE>PCp8Ի)YU^_eksu#Hy3@#Z[RQQcCCf< k.Bt^MjRAG`!YuHJ%(\= va,4^bҼMH%GfAU7p4GO}aMLUCyW쀓<3CZ^Hq:Whvi[_Fg/P vRI(*z/B (dI7AO9˪Muq+r/bOEA&XdhKTQŒ0SP4ɺ2Rx ehfhE\N*~p 뛺ݫg.<~#ثX:Ѡљh݇w!v +罵':kd.%?D's\QρA*yMC+Bu5>fAG53NB<h\,r@)M81~[d S˕O'Yض'ҩoPZ_$e ݽuTr>≙N'~A"}m}GziD 8X\*[r~,^=)Ѭ_o%)BO?ρӆMÜv VȜUh8DR #{:qgZ+|W 8 e7DH<4"bq *8^Ȥ悯q笫njίñK,ui2Kxt\'T rB9`*JA`%__82B=0/8Ѓ:&y)BǯL0WXy;TOcw.@iST\ްiط~\+nm7-V0_fZba0+}'4qƁ5NbOˤG׳33~ۥ=+^m;FqJD"r#Ɓ'Q3!SS4@^^x:3s/{o{"rWh4O<Č"Ҧ4Z$<ȕxip$ZdzSЫ Hc8Y9aByD AGql#hID@ J]Y2h`hXEVÔj#=frTekHG$9Z}.>)˛ uC] (Fmk(<&mu%e#.gc=vJ=t>% LN.HWP1k{$뢓;Y4z {;N)54]ǾWE5(SÈG@,{`ǯˍJo+ 6R{d jW+i ݫ$68nig2[rq<$Z.+`s >OZv-k z܊^GtVrJ GvJvLB=zSLvͿl k l/.ݐ!yTˈBdhzR yr)r/A0O+I|Ɏ;c=;ڤz+ޱiQP6!CqQDۣϪT"j2巼 qpœ+(^HIa/0YޱD7'pydJ&K׌l?%&tv*q^;Ičl#-it*ܳ}I-ݸњX,wEB7~=7D[ofam4(=pKL+]ck+cj(^U NmҏN]:9*jf\H8V/?-NU7Vw1x==/KZQĞƨQ06, ahTN0O|GVxk;Jd8=cí>тL`+r 4j'rn\C0#D%f8Y`SpDYnTOU[eje y܃yqW .]Aq13\ Dݓw) D_P\^GkH,!C4My?*TpJTmRE%2bvDt,+StOWvπزy]#h9M:2O<ߋzG 3 O:*U fhy$:p4yN0BZƜ%)u4gsu$NWJk#Y6,4 W5G0y`5+a~c6{sbxn Y56={d5)8^_+U}\P(cZKU`}4?xAyQ\% *- 9^YDUEwop6*|33ϭMHۡOK I%|l]:ov‰ΞbY\NFK0lq`~ )kdd:^5zs1iE%l93h^d scI镞zNGkXh4'zײ =Ꟙ h:>/;/\Jr=<_x#MN|S }ESj\>pH:z˳`#Gʉ& [ǁLE,fsmfI[kBR;h?(z񗢵!*S_OcNJDn]k͊$y{I0Y"x m .^lˋS{l`^OH7>*/SEquK42W|B=+KbW*$` d p$+i.8&Vby#0,=܊ЋԣUKwm\Ipfg_<1$s9op.H adnf͏m☸y7~`#}n0b_Mk,P>8 5X K;CS dSIC,<&ƾ0q lc7"v9Ɂ% ` !!jƝ~8ޕwƁ,Ewl"b|W!,:7w,0W 1_',Lk'1\s5)\N̿"'p>YZ~%$1 1cLhct\O?(nipAnPoMkI+,\~E Ss4-<|PTX֯mӖӸ`̭c4I%+_@QU>?]t7=Zo |'s;Bcri* I"z oYov1nE+OQ}\8hhJt1HKA!52ؖNDaT>i7}? x᷉bWgt?&-4%j2^k/"ert?FY2 3PoaK 7Ѫͥ 9M0kŁtvown9:phge8ѳ7', # WC .p@&Yi_ѢN[W Gޒ?oOQ01sP鲠g | }c뒣?IBNh(oXn' c5D\٫@t6^ ^2agc>B j|vGb녡yf>_![PdH$8UEܹB=Z0@x(D5[*/d'D$kr|өmD8ב73P͔x 7$>졸FeRN𘱗t hy6jSn)Ovy+ndgDQ8Cxdl=,& ^cG2 vAZ=KLp1"9ٳaYk@#":|bVMaҘ0  綳ϾaTekFڟ=q1 K|iB~=IQ;s/~Dz.īkDC/"S3t?M -S▔^W\)YSW/Ö'CZ}(Iwi{kyycWq \rՏhg ݖNcpu5P,rԔuўmjCVcGi8 e*5]L=$x 1H**O(8 yLS]Qs>PsGp[=n $repS;c5E_TRlP4Qjr6;2&Nn}ߵKO!>iWYI_BˌNg}K!Qhx6g X!b*:rSZ>oS3d:Q}aTKŽRj}҈~eT|9W ܏ӕ3x}8kL0tE"DG՝DDp2IVu$7{k7DQyA 1" |xprVS= Mmۈ@!=uiҢ 4f' SLb8VE:1[ğ**ק4i~wd֛F(XڇAu谒TӉe>4XLj"h더?U@RnLDA€B2#yfP8 z_-0!g/.ʚjD>|ۧpStT+|$A^vJłLUnB s9bӼ7c_k(q[[m, o.A-cU$p s<|i%iVקLqCZϙ #,'ŭ* mjvY`ӎU.)6N%X%+)/ r W<+8]& A&.\thǙS4Go\KCi@| uGV»bV(r qQ&*+p8,o>BO͒ g=6<w 13EY~ ㏂8ɭ"(:YT` am>eOO)YNπjMEkW$ Qw1r8"Z`?c[G|flGACkX<,6i'W qwA !INw-Po}ExzVT'yJ$@'|J \9agV@YQTaz LDuR"AˢLq"ZI|LR־>`pX:zm?rל@k5rↂa֋p'q / WbunAGBa5wRsFW4onp7z?/X{ :HXdؾ:VśKvEgW^ =^xP3` ̲&HLZ)Xd V/i|؍c~LDu xXc:կJ<\ 2 >GZ.8ސ:oNYbTUdfd06IƆ Ɯ n~hHۺ;Bfyh=s5[ $DWTD=sۃޏhъѣsXwϤ%os~S[{_?)F]bY4 նa0Uy׼Wr6;2K;uG/h9Lx- h;8( %*Q8HdW !X,-慠e &쀻uEi(uF.㔾{O;ny($/(ϬOOkrᶹ$2mRezfaAtMXwq_ |DJ GN@|`Ӻ:K'y)'d T$mujzQI${Eg/x yQXΗlh V߷ 8Yڢ&5KԬ̓I0M1BOh"$"bx(J#b*e,VvJB-BXﶖ\a[n l%^hhPik=GsÅM79Ɨ6#CYHX]T*)^".OpZxOvvlm~g .ɠWk7,>J5H%ҽ!Hy`c`ƾh8Tg-++t"ՍOl'"0W}mĪ>iE)\(y4UЍzזgg@M>y^?yAinOx/j?"uĀX;F ͩ 13S1a;O&g)m8CuG]DoD-: ,D|gR\:PRH`Û1V]DiSGAm[hkng" '>PVyO7a7ho(|% CI˞w^ \.g dC>|1)|\K츃rg iNOuě2ڍ;LvX"*FsjGmBEһkc7GON;v 43D~*"'1^' %Y ;f꠲3)≠Y#Yǡϰ"RPa4U|Zm}m@}$4>mQ f(ữoX9I1, dCu2_=4 #pUwcǛ׏L 0N*16nԫ8db\-hYlN3|PhSflaS\k6egd.Qt.c`(w.@k OZCdsOhVb)1NSc_rSb eC IxWѬsh#pcl]w;7]\rRy\s?L(H16|N !$W*^;?E M%CX[@Q{<%h?ĀLZrkR;#Iu]hſIXEȄP}}'1`>1x؅_aTwBz.68$=p8̓;+tD5֧dddAaz'?Blok\xY.C"qBU(m*a`d6 udO 휙li/ zvID#٣3-xW~(A# ])l&2NʛLƀ:2_ VrNb ~] hi;-|vzq+M0#{$yy_})9#?no{dt.3*Y3I-g7aitnS[T6,"E]GWӠ/|^- % X~ׄ}z1Qy<ϥgq;Go{M"ҼU %v}I{5Fu(Y&D&Di 6myapfeu0EK<ְ agci:h<8|O`Y(3966ML?~'B<1}j0)eZr6 od=?fpa@̷ /G=Y77ߩ'NPl)rN GNĪ0G7bS|+S s#Rp4NaDm_98 퇫vJsٴ!^$u&|#,=UFKc4}7GCl`6:h,$qW2S_jeS'm**X0V2"~ C5 ZRoAs2S ˹>BR]klR ՠS{c {h; 6Үӹc -~n`wt(")$sʜsǓ^F`墧~Ω#>h NمV32[1樟b#QZ!rC@9[{,$ S\Iy 6 Dy.1N:Τe ̰(DyRɍZqWSVESX]\, 4t-n]9y%\m sنirV{3F(᧚˃Ƌ+8*wNU0ت<8,ʘ> ,ʤVZc{H#EqmנCg3#cܞ9J14X/,n(_Xdy緢^0ΤKHJVa^ GDŽ+ lVăo֧,21DEy7+d}GB$SńUjmY`<noI*]!q)Jվp׃j{vy3#t&%Gt$E,P{~=N2[|u= ÷C:@اTLS] PNuI9+Is%B%H擉5oUjkZ ,(T k?,|=[7}s~=[e,8i=6|:42瘥gB4hO'4ul7HRhxAPp L)y@8>Ց VM6ڱ?;CHx.'mP$kjl6О! =) Ǘ&ЦRM}aT_6,[ST:C5`ȈP?c q Qo-뙿!4l7A-xkv]9{\d9z$M+ >P?8d8tTxw; $CEd!}kl'ys ;O`0Nb(UΙF^1, m~+^Ѩo Xw4O<潁 Y蔜A.RgaqmVb&؆^X -и)J6b!^,jYջ+S$i{_rdL'Lt0OG{$:5qoN.Jj~O Gxff &}xl:Y+{!uȗZWAslHD,fʭ; Kzm+cS1KD$\+h׉xCV)܄!޵BGV0s簢/r4j7ULi&L"|3?OU; K=T3bsG]?sDFE,0˱3c8AY!F뱬 69$ kx\qy5pgL  !H/xyTmp友Hfp,oUFԤ R;>-#x.yh;3)ū.7|UmMijxw0 *\v00BËuw \x(C4^.;;Za=Mŭj"У n!Dq(Fwy"c2"o2äKѤ_NJt Hjh5,f*R}>(0RpoϬh *&yPu0v-FaJk_,\Lax״:\ja.׻3kHB0he~rKGC/y;Yyo>rEͿ#ˬPEPyځK~=(4}!] ;2-0ҫ|GJpn,,[ 敏8S΀r^&‰ ,4\%]c{DhM<'h@//nRG#;2qm:xRwq}WZuq#͊?aX~] Fkᬘdu*F_4HET?!ޯe}5xEE zb icu2$ (u,FA8ʜ v*M@h!,pK2X5b^U[s;`n7T:H3jAs/ŠQ~M_}!* 3%8Mv!'8䁚' /?o r@|WpL9jݖ%^/A]- 8ɲ D/&٠.Ȁ.#& ;a>$T FaQ չƺu}t>C9Bߒ-ݽp:oDBuW DS)4}-|Sma60_};r͚ӏś:7Z0 wzEEΘEFr\@HN?dgt4ZP|$ޡRBr5V,e˝pDP}ށ9$=$}х\CdlfBW܆Z%l:K(AdK[Dhhk|2&ExSmd2|(U)]!*;Mw&e.- Jy f%-v  snoDĵɤmzaK? xL ۪z{a|]%/2gҫAh) McUi0%Fs6?)]>RQ$ɭlJ& ŤJ4;zq9@m7*ۍ bژ3 oăHHihV\u95wc}=~A  CfƗ nYw.՛* $F121)Q%Ƣ?F]!O2ճ=K??U=f lڰ"dzC:3hi7uY7dw( A2LRxYh0>aGjʘ*D/Us#0榳Iى[‚ԅ3P#>ئ!yTndxPqܳyYғcko 뭟œ4ﺇcv\xqo~1I1ls"͈Ą]^co_źfԺPPֺbQh1:+5;r JC/X {Gxmd<%%5-<%aew,L@֯ s$9ʦc<T44OsW¼r9$LVyH6C(,  <qq&V>+AH1u?@F&CaX@tjj3I+j6~Ctte/R5$1+k+5ؤ 3OJ"]@Y(~PF"K$_a38 Czy6U+>tV٘Whʏ5y &\y-jf=% :PvxpAX` X1\8@4$#&'kM Vz`9eX- V'X;Re?R [+4Yh{p {C$uBYߵ|Uӟ ?J&Ō='~qZ44L8"$,e?(wV[iw2!A}s۪ZV3hqq}f"r=JO3r<^r-?i>}i |,%pnU{8ȋL-bk?FUe#ѹ^41q5{@mVޅ)Fm滋$i.Gz\۹&)OO`˩0V6-[\-fLL"*Ш0%C&@7gy Z=`5YA30@\.pLDC?FVD'd*Y D=C죗z &Cъhɽ!Y|n6F+aEapYBMamOs$-6Bu@T9Sew QI̋M"^\U&",ftYkCi3s`b1 g/I%zP-(gKș|mpH1ULbA@E 0" 4` Y[3k%dMYccVvb8|_n.7MUrF"JۻtV[ @j/2h6\mmK8hpIdژOf5jsm(Dqž큢гh\pw7(Z梉=4u/Q2ڑ FN0Wɾ1PYiAZ3j;Àna{I֢r #%Rq(+:$n./+$F`؁2>F +Z`Mz4 Ae)$1‡+.$w|k&U3H5~m}zuvoJ:]CXs;wo^8+;8Nn )?28YZÒlL3#UY1zVNBk8!uHO,Xz,-NJ x[A`4K ?W) *{gwAo&lE:trQ&"ȌX<߷\9B폽^#53-ݸV4%Q 3/*/x'd|8T۳hM5!?գBԈ ]o*yu*( !"h,.a}%[]H9j}c{AVYe>!N^x[BU+>صJS[IۮvSb?.Ƴ&BߔeĚAaxcPCum#q { ڬjOj4nTW{Մ[ha2p/Z6KzrG^twi"VuV<߃xKrq0B*c A^˴ɨ&_ZE8j?ܗSK S؉끎\<+S);d7s{wޟ A\ڃlK 2+q48B8K46eBunڿԪc~US!e [@i"$=-T:}N~В&ܪS*L̡!3XՋSAhNVҽ!`iV zʁy зcGKVXH}ѮvO,wKȘ]Lg^ SΒ+LInTx>?|kx$^IĮM[}#%RDhΕPZ„{HWGUbY)*JFbV$>rIl\'..e|G=R. ܛKś)a?: bIޱEBz7~}{O=BYwads/k޻I7@V ,'V\Wcß _z0SVCkD5e1(鎫al"\9qk?q kOͥW:,Ob) 㡿)5O<!{AfKx>9%`z/ʴEN-@!fV鞺%Hϫr'RD?lvl!6zб]L\cXs碝Z!.0^x`{J3'qd-K@.'\( !D㖃Jf; m&g`JZ;ʿ cP .UgP;YL cY^#zemRA#ۍ*OIV,f0K#Q\tR ,H]>8:"C ~שh[h O#uܰ p1)pYI$c0._KEE::lW%S?PDn@}=N~*wAeա)n.M}$翼˜ng"crl ]t= 1Nv=3q囑 kr3>/<u0\z 7?0k=ЎJCj׊T!ʈ3ټݦ,g3'lx'980VMf=෽CAUV' `05 eq 6U 99!ғLtް 5H n>uŨ7}SX^w* ]/x 9j-8b<ޖtAg|gšd[wxØe๯a Qd:5$(d<$^eoi*A1GfBΝi.дVpç]"p1gTN7f\fHj6AQ* Ojnux7KXT;3d{lK5uA1B^#9@ ȸ2_>k, 4ՠve9(${?e78K\ZZ(hM1S`ތ|j9<5N&3-]|XB:bg.VYaSdۤĆ_6i64yP$]A7K% &R9Xe_4kGƊE*w_sTfiz\l@8~ )5{Qwi@09Jf!~37Gvd`pW^݃9cF*31WR14*6h]/qڎwHvh l&ɬhN%j{c~3 6Fд`ˆ=0XIvN E/!+bz?apv9LgfW `#Eyl M,poCHण%'h:ߞ_e%ZN u޷!7)'i$Y "x6םvػ|E^B)ZN(14].(t ;՘uN?]YF,Z{WKxk_sc%FݍYrF刀|+X q5[#q.tCYPڸ[S>w bf 7zCDd iT+rrβkSݓS$hZ@RJGedz)z!el(gUU9B7>/ˆc0`rrM͛`w _>V < #hdsW]фh &5hϬ}߀SͮG~ٱ>;F݇hP4yg 9`*)5{*Jgo&HyTĜR'<0_⨖u%m2ʤeRV~wm9[E JdyķnIM=6X;GWQcc zPQ2PY}kei~a+ȼŸ3~`MėQɜCцDAsLAz2̡,<@MVi sUd ]9b[XŶ6֒IPB/=Ԑ#17Ϗ/kgpL>A%VIE!rIROTuH  O՗sP;Z=NmP{5ﴇ-E8j(=[ѽ0sl(jj t uCD= `љT?ѥ,\H:&V]nd~'+@}zOJE</vP9X 'SQG`r)Z3X\G3/N?Q{8Q]hXUڂp$)-quߎceLu1@4 ߳?<-w쓔|msNk#n \ra#jU/A,qmSG&hmb y ;yp\cenV,i l!0pڟJ+- [9kC &n+h/ʏAAΙH1:G6Q.m|IK gJgr)aR:T2K'+Œ$*?Gk8t(-Q߮ ?GewAjo@wfK"];^߻QQv,̤6*B$n 67rFUmfuCWŊrROq۝鉞jGUOV=͸Bp`M5بjH5»yqʲŹrŮ#H1TO  ^h,鶚 jEDv;2j/׆&ml4x)O0wI9oHNŗ*p ۈ'!24GC4 SHXE4*\j>c_X,-R^5"QĭjE:ymatl<+ 2xͭpQn.׆ݿ1||rewM7;tJ&j8>8D #rlFS>~9_|P܃ۍn&Ajv.+鿵syD3?N YBHdѵm9r_ǜH{yuchx2;}W$Y`CAR&;9~jqR(ЉJ)̞H0JjYil[syC6)j,J0Ufw7}UDq"\fJ5:}ZeSȖO{;Usu%GĐ̩_.Mg(S!$z21$=) ;i l-R+()kj2eceQ̃LqvٚS/~;Ѯr]q_y[;hIՌe73Fd1>U= 5h'Y.ARd&܈Udm+QpbKt"{ӳuٟKTLjjGflj3O)[{}wƏfV#_zֵdZc'ulk$`= 諃.BdKin YCr+3zj-uL(u)n+y [TL! 嫂^)뷑6[m23xsP.Ú[dpL',E9hg6UX DT|&p0~b˭Q=:阑,vH%<4=×xE Lefj3F^!|1%wܱyRߠ5Dv%"[m1:IV3ZvC2v/pVOŶ[$/]݅鵔 SB2 q 4,"2Dۖ%k8+c3I(|*TEF+SKAzjsOlսϊRabow{fbX9v0e*ct͛;N3B+KSG{K焮կ'p#8",Kƃqʙ+ޡ9OC@ MkL6,ّh1leZwXIvؓY&PPd/%*wj 8 3}:B dJI.#:a%'LCb&xtnϊS(VKj&jDCˍb)N&oA _Cу0ڸ{"٤a~g8;\f5r2I_wE}d)Q1ߡDnC}XhOsoi'\?,J<Ś+/! EJFi7~+ [+C@gJԽ]M=VI&AGJ`9lWNj/֝ ND := _CRLunP~OW9w zVcOPfj㼕|4 cG0ӟݑǽݢp x{VIX'j)&To!7B ^O ;{Ȭ_k£_كT L&;&+JpŎy;nnr2e?}k x0?u'j/Ta\YtP7) o` ͼ}^/} U02#lR=yswY`c/LJ~(`Z V/xM.wEC%Ք8نKt oyPŞhQ/ #bJlǓMb(bǮg:Bc\nj{Q epve_;Z%;CI}nsg\U@(ǪwG=&C=ꖬ/z\tL|7/JnCnN* ^'>R5r1|[?uCYYeOHr0Jjms9%+ҨL!Cݱ& kZR^EC<ʠZrmtO n9o0HxMyTtOnZMmTRP{?Ta6K8gM%=˖P/b̑*y \vZ&N;mehSNؖmMy!n TT˗?-#Sb61 iy15҃\ZPL֜faoJFnUBS %JfaKlƣL/+7h@ʲ5܂r7LW#(Ro)܆nK'B39n"dPX^#)Mt%NӣE>A&!N%U ma\D'ETŬJe(PLJUvؔ{$ ߖJ-';1\!XqLMY-< 238q%*D 24Uh^]jiEM!LxEG=' N`ّU!!xbX8]D[/ނ4u1` .JI,Zn. Օ_t܄  ҿ"")TRP޹P^tmNkD lD[ HqLYcyrܰ 0UG,(FE,AzB6gC >ˤz=9Cf[1feޜ‚4lWmj(6f#G1Wcr7,ҬdJhAWa&M{U~ag/;-;,cF9>You,^}(qUe^_&Sօpr=ww =FC%0+?X6 >_ĻQVJqbz3$~9X#>{0zF (cd *Ox6+&w!¦'wgN~MyȿD"6,6` [`(YmMO(ķgݍ3mϒ2*Bw^ b,kNjǾISehUMz8z/fVm5@ÌO˽8̖"pVbGLZW ~@eb`VnS=+l1H e}pS)w$F=Y `m 3Ōr| (>ŝV`kBĴܨp5GVbGbxX6><|okÒ)-%v /E}'~ZhsLhfN L0 .I2|,fKAB)PԽґdDz>2d"-l aĚj^,l:ӏ@ğʚOXnNZ\?:ݎMMF%۝$%H)UCn/4[#CN퐤uH vWb ;[>.N-Tvžgx4US J1@ yr0S&X3* UQ8G~ㅥ8oiQGU7Ng$َONPPP%G1/On6f)N ~y2-:~>O /.uAuOM$mfgz#If=si/{2{}5_nBylb󣮲:y~n:{ ߻+#Y(hAh5@WElg}oLqKo@dD6_wS{+D3ZI^"L!ђ=͆,[@mm:M8Nq 4&(3ESLX "[B"devD8L뻣k-ׄ]{~1}9Wɭ"A3-|霃 B}?C g) ͕݅AelE{ϣ=k-C]*fɉ|D2͖RNysY!DI<liS6LDuP+4}Vó}vv<V2njLuĆ}x]pF[l!a984 q(m <2y~Tz"9m®f^/PK0Vvq q[i^Ga $Fw8['*U6!-u!K\VJo^Ea M~m1$K_NMgPKŀJy)jW cܮAz dMF"oR ϗhε6~nnO4CCgw+p%#•ʓLEzm׈W,@]=B̓t?F`gAd@y`0Ĩ#5Gkr ,`ܬByjÇk*)d`=۵SEޱ]ƫ؟$jq3oN e#2  i"ҼhNcs PK=#YujvVAzM-r>Yedk7siC(L38T -;ŚzW8!Q[;,B;' Ƒk6>%@p{ hN4W3-xfya-A"\*7'G_Yֲl+ B.4/RywDܑhB}¨}RN@ykDW#xa1eFn3ߎl5Ibӂ<0!pBvcC5fmXbGc#s$vN5*AF qweqBhPvX2/sh~ ds #)3;ZU?^F1rV J%Ee"82Ϫ}8U'z̬3T&cAb=W#?$}WQZ|,2AY@A#\빰)"MbFnjȸ&92% ^N@68"8m̫v U\Zφi,~!Kn wo}Q4㡧AJ.z sfl=Ł`2 &mƃ\Þ>:Edz u[B y}s5Pራ48[\ Y<0U%}AgKioxK#]HM#4QEb9C{K ҿ}u6l.~~*ҥOgiFLf zz*q;<w+q J7ƪ~#,CNnZ&%).LV9MRʼnA-`Z3ss&<[4(2L4Hb^gfE 3HIy'hz'6<=N}}Tcf; Z }~< #h>v;L"I ))W4ܿ KC9C23vc/{<[ ̆%*1nR60c|N³YVGu˖D%XA`fmӘ"`wbh0V= ׯ(cr*4_rDWg{ʃgKɟa 6"as0jQPO[:vBZPj%xS+| /6/҄3wlP\N[F 0ܼ2\!Q׺g*%(2:0P)>Y90/W}gkwׇlN\!S+Mfn?NӿO{08wӖ`zL` ,t-x2S VSP\GR^ vҎ-E m$/J;ߣ%2s_'kϲҚQc_7B񇭄{3`[ RrT2fI:~UD(-=Dd]d `u+ZK/צּN86 nmWSo #0}ʘXָ`i8Jz€ I.A+[jZ$.qJis;Jd ׭,c&܌MOBeg;,':ڴQRXdQ~u^̫e~%dq|KōhͮՐjHbd\&6Jس;GB?l#u_Q!s3xŻx() HNTi a)R-ai%I)/@?ŸQ뭈ΔRoSUt\n â˃2FlQpe5-I5d9Y!F^nڳw96l7ւW} ڬsgPho?VA 黛螏..-"eۧi7x'9@MF).;P]i!_>zrXfoHZ {ϳ bkO<-kN{vɓ{cY`g*i M]#7>d6P;%8DzNj}KriYУU' ɪj{ۛ)Oa9 3tyk)@wWZ 4BFtPI 608p}PݻԬmIOe2MuFZ|ىh<`8Z|kf~PD]vĸIy[nWK^\lEx3mZ% #l+$t+<'"TZ> JP.R^ytFM Fl36(K03J";[{ÒD{$>6tf+˧2Lի-č2$l NY3V?rլAc/Xsq9K\+h %Y؁|R (@BZ -Ʌ,9Ж-QEU+ǮU[.@* eg<2V}G U k~dRt8׈6y]rs٣W1 Rnu 3M ӻAXyR)#WPo[vO?Ѐ|xLe]b;DYgvgaMY>^gRh=N7rt>Jل͢z/ҮY$p+QϚSH>5=j-c(1=_ ݵҰ# KهŖqdE0=·0U 5_5n#g+z/4% <+;DXzrmyUF%VEve=s lW?xf H-u2'y,59]:!T2A(_0Z[ho:A@(tެCĸFֻ4{z07<ᖸdO8 Buq6; I&6ףJ]*۳HoaǚaDԦЀW˞\P;Cǁ9DAFgvla]dCEpdhoD|R CsMԦ FQveʛnr9"#:IlWMᴻ3]H#q-m& Y]j4 .\FB-LD͓p!%Bteޯ,[@D5DM%1d@)ܲ1 ԍ|}0dUމja-*R7&ϥ)nlkIYS+¦_:*\Ѐx:w4$HGF *_ɶI/p(˓' -Zg40+J@k,L0UvWi0!Yz͚I5.2q7nw5#RPcsӎȂ5+jX\WC}d CԮXA LaҨ옠b+]zm΀RsK]#򍔾"ʼG1ހ?c#!4BžGK Kw8? ֜Zv6|~\umyp=x-WlR@kz#Rlz/I[pELV8y2[T0x59ziN*ث}4,wJ&Yusb_}<%U]2 q-܇1ZdT@9C0OOd* -4`&nSe<$3M̤NגxAXkfO`rd;mӜږ鸇!>;AüQG;~a%bG(-.o. `9/)so6ύ9?W۷=` D(pꘐӓʌ=9f{vjn+ T$3l_ , 0* 5+B躔 B. 43YGn )]rU^40Wؽ[ S3Y> D%o4aq?BVPM#MⰊD-DB~rM:Jr:8yOޔꮻh>e#±IB% tr,U-RIp=Ad6R\\:t8Z@A .v%i$KmUBb忟9be![U.ʏ5|nw`~t7C\$swX.Ԉ`7Ry#b3j9wok&Zge&~] \%^T:zjN)a>/zz ?&ۍsLH(̄۵ |,q,P2 n e J1{71he&-N)gEPJ߄@!NZ ^ѴWk:\;"-MHI;Zkq-EN`mm3b2}j.`F縇-vJcnhUK{h$ٚfҌsfg(\` u+AXuLYK7^Y[y ZVNJ "9{b09#3ǰ.Cu؇8`)v>z xHFjLQ^/\ Ä]{Vfb)-Rd;4NQFd'A U* VZ*7sSh KȒz'۝ʐWdMw:qDWׯB2ֳ&/]c1>q s_ A2H[CQ[DQ]L¹pY2BD&kTj:Yt.d21;%[2Rz%BXVrDS;U+Iٱ(S·2CZQ[&S0]Ì w-LEluS'8`0ډf,2ji OOvn`;S`fQ, CqN V#]P=% 9IG[k(Ћ5Jj䅂%a,fܮT{v.O,޷;;W{r.jۓhl`:ާh*; =*}M yq$KJkboVϫ hX2uT=Q¼@)z wĿQF/::.q52F~pcC6̬6h;+xxST[c%vE!ȋA\gcsvqLN5[ 0'%lLq򶉶+:hOzKvO6 "Up;B82~~\f`Z \ەR،a41t]4^<Qg?lȺrdԜh0(6%d\;()>r5ʫmU)0F .P s?Cdq,'+QǦ\q--볇@{7Wf8)3M{La|LhrxW[# `ԏ0TXdJO)p8HZgjn;ĩoz~髧t%#Gi T~Φ]ߎ <"գ~un[D,p^1MǎK)Z!&4 ssMg`cȡmwu)< ٵyq40L O-I"@n1#gPa-7F <ԏ~Sؙ0m_ *ofྲྀ6D Ō.U~MΖq=Z!N/?"{rn C {qm dzt}Tc]L+ Z ~ R ݫ y&P7b !V6) gRL;@ɾfi {i@ԭDo.%K %>~kM^hz%Rqú[:5Mt0p^(1 <:girvBmWEv^ωc gFs XXlhjWaR=əLD4c˺b* +g:Đ0?DK0Hў@o%p#*GS kp)vէqQ%v8Yh#7*^SŇw,KBb xK1:>Xь#bǏە*IӼj+ z9Qs CqL4Ww 4l0s-e:Mr~upypi VM_TOݓ+]#b,xU2һ]P+c:Ox:dfF %o\5?7swo W`@>sc3G"eHԦJ$T1 H ty:ZPxMlJu8qMIDφbh~Yx7,1+1S +8eu1>1}F>J6@DxRFwR +!kL;-ݏ9wSw䜵<'Y7XЇB[@_{Nc~!ln'Tẉ,d- &QӀbDFǚC+ƥ7SHǕwx%k?PpSL=DGe '@7gpԖ&=?_d^6a{Dž(GWm52e-p|>RM+ tV^ 4&FEQ-^T a$Y08{OZ{mP>7mQ{$=g2p:)M^[Ca!x:FB|n4׳BŘ4 |~k(4sqe}/qoh bk=KJ3|FɫsӗB{7?IK2pna1{ޞWY؟vgq!P .d%vbP9hT9X9 ՘Dfy2xiiDF|*GQcwUJv󴖰꩙\R*tSP,]qMBɑq9GFh:3uh";1S*d vG.8Sʆǟ/2Brf%||D_-aAHvLM(fZ\e]ni =fHPlM18 A`~>4})<7 g5tE ~=A!_+"d͂<&T*&z^|FXꍾ>N]yPwB։NgU0^#vo ӹRIMB np(A%DPNujʠ }BP~@S7t!E~zBVlU"! }3J-`{{,)΄Df0N׼IMl#i_ B=2A[ ^6-.5k\Iyu74&/O{6URk]ƃu{3<#]PFRrNI&^8]p,R]Zl-#* ǗO3`#OBFP &ǿwYr@@NTzK3Z#ag"k]3H2)@+6/F?µ^3gdcNt"?9OE!dM ]3&xu<>F2K*["ȩRAO< aU Tqg e >Bq.[dr6`IL۩ZDwxMkd=׫ง}w; +􅪠Aq'm\G}$/ Qbh%[:% A>jFQB2\t]? 2B^ g ǶՖ fQKՎ$v'A`ݸ8 V#Iܜj-7KkWi;2Ը0'w6>`ȾJ%#GQ4hXUڌlPH$oz['ܺSZt?q!h9ie9U E(wC&zf.B-r 38ҩ8R$Ke\MKEqZQ2b7Ka:#sn#ׯ܈r-2@-\j5'afz[Vq|_T@M=HNj'ɯ c178pc%UE;mѸigU D74m?2>w߫c!%ʶAz[| UPřU/6].zg?AOc5aPz6( 6F\U(Pd/6?_ JaR'ӓ> S,?R#Z(!zZg9Fqp ._@"vw~H и؋Ţ[p;zueAn[ ,8r L§slz !49@=e ȳJPb0%$3K[9ip~ov$U\h. 9HYrW@-tm27Hu忁]:g_x(*s6X8\4]O|[Ɋ65i\4x;ͭ~MP=ӼDdt:D<+Y96 :z2M7 7]K)csJ _}P׿KOF?ͤ& RwR;%USgK)ݱrQo`!y&M]$Bj G"H%U+3TUG^(nŜH%2GH\m`MÄRh #s=au9Ҏ\h~;>Xj =veю|x\ =qa8V *UnvCP }+{ >dΤ؃C^ yrjJ~s%">mI(qxl2Nh隣̲x&Mݦm!?u1/"@?ƴaa^ZiRz'9\CqMXZ2Pwo;)0*e!N\p<~^o\W037^5~B?\bDut=8(ͤr&$1{>#8N/ASngqGģ>M W#㆓i<ϊ3c=#!CgSPD٤{T0H]oN&xn7ORkoeObJEgVIw>Lzb?[=I??'ĕk9Ųt˂vuRW}N3,=XVMHo@Y< 舛J|A[}/O`d֢n6P䅸SFS.]O?S饹ކ4rbs6N}p-  F\TryrZ{=B-Y/(!/{7h^7j%Ůt w_K#&5~4, 5L n?vP~7 KԐuO{2?Cb%l-?YIl}(+Mv5D(GofR,L66}7G~x[7. Wٞkm̕ɹ jgDivSzouHBC]dzf zJޅtIsv'qa;'b"!ɉ$+sUx=pG~z ՞yĖ3 pG+W+[fS)SKkA8Y ᄗC1L_:DvŶ(уg^+~V<9%K%f\q~nNZYxcص E./Fa;44YCjIB+$IÅ{aլ;we(:5ەl}(D)W6uRnΏb{׀[@YȄYGs>Jk8DE p*F+|Dop$U6 LJW;,ew3_b2yrF _8#Uн|ʂ@s*U ԁ]pjL 9+N$at!ꫲSHP‚Od-S8IZgý7K)kx*+"iv<^0Dhu%?wvM1 g ~bll]!ɥc]l/N.w^&zHS*& T{a) ٰ"{S~^bd/)p ޵l XIV,5rorRq,4j.iBU.݊o! 674v-fql.Iz6g/n?Cی.ZxW1Fw8m}l&ؖw4YK)9[ +H FXL#}$*%~=Qc 4p z\Qkpk-r#iݛsHp8Bb@c|)XTtDgG{NR:^츒qjE3)Cʼ*ʓz pi#ɋ -bȍ뇖h|\SBX_C3RI# 2CCmx:)Im ϴX#Tqҩp6JkɋM7N`^2NεiЂ6AA[t1%-JqC,zϐ1U7,/ IZIc(Zu p|D5WdCXR֘jǭr$DѨM(9,ٴ2a;7>`5yPg y|iQWX]ʃOn^Ob^{56M/Fx6QWĐbVO^'w>k8-$>e[~kzͫ+czmEْ_Qm$f5{9L IG 8Q K֘MxFn ѯ}U7MMQebu9; [T!RķM|$y瞧 Bߪ&&gH ^Yc}=poRpSb}f*p/*Qffs4v)3LlxQ8 ֬.i^d2EŦnI^ r R v1<[ SFN KKUS(qKJ9CrU+䎔W^8A7v->*('ϏY+R\:$tW'+THB\3_)JqEl v4P0P C9CztrJK!-0(]rK<&iC7BBe37dG) !xG e{ǹmj9a%t* 3 .6HR2 C,*l;PøV+2?QGΌ`Ù>E#(mI *߭l+"kj 2-2+?(x3^m=|*+M.[1ekTm^ۜI@&v]ČcNi8D˰1h0eqt bY+SM90LƋgY` jK[@?QffҾA]491Sa u/G0$]ӎtzT}kJ`GBM";ejs*FpZNȦttZr<*eLEƕ\ML"w^o G*݆!O*^D .pawoK'ڦ#.?J5O>g*.Ok*`w.R.QEh,(=ߏ]e!K?cD9g7ʺŷhh)%wm%h4҃p 9 -7ֳ7%71N=]>:yԲTцXWjMXo x\e>9Ssuw`aS1m$hģ.uw^Q v 3[ 7 0]E~>f6AmOSy+*`[ vԜ ˌ;'ݞee&N܇`>YȲ@ZŜ*0=t=_`drGXUǎj Tp|ptYC)W[Y0o!@bZN]er@}D~,?RN7ZI\{zTd v|^0z nte]ñĂǀިkEhD;@#r`ZV,/{٣M⿩Y,+ CƁ/qw 9_,a ȋxP?DKæY\?6@Sn Qj@U1 &7ש)̼$cc}n}܏nX9ŏqrɩ9\dtZt6M_Ƃmf?/ N`P̟>dp8A ) GSq$5a2LJ6VP-g#)zW 2Iow}V&w6iu)iovƚ̒<.%ZI+ãnN.g'/گ-@Ginh`5iczYZN& Jcϛr94(3yN4 v%Q|Q|ִ.De);b9fD 8ƶYk$(ZQ/B<垀մtf3&>J|]ldQd<J"EnnkL~1jǗ[`+=s .ד.2%\C(Q񥯵s W L.C"  X " Kh=bxD}<﫭P"刾 }eYu 8^] )f(=4PkukS+P^=.K(H i I1Nmd\8mVF@ۜm& ~˥rgt-jr XVD?#No xoN$8˓8z 1Aُ = 'SjvcaG*׻wy !|L~FeTpצ,`+*K%ApPD nt=tr7jNH2'|^)/z8"Z7XcD"iI lXgVk8vP UsE,+HKdwqy(y, qQ)G~ +Rs8 bgrដ~_D}pW;<ڀ cty6$1" 2H#u=(q|(W̟1o8]F~hlsѮp&WKeLOILKLs@sWVDUQS.25<DKN9\CH#Z?4h?rkK#TTFFr-^zZ3Dj8ɵFKM[e=e$le}>ȫ\܏`xK5>!bg8:[V@2DV: DAzf.&Wj ׃qHbtlhE⯲5ߩQ\NoCWF-WyW.9P2_Wց/4 GW iӫZ&q"M=Qphs"d䅑tAzy-MWhc.펽B?xϐSih1"HٯꘖwÀΨv#`{f} 4.Kj/dʠA:bAʼ+B]׮|>Qr9FW] #ElVᤗɿ Dz*O*Sr~ z\zsyx;bssvFbmFn(ٖE̫_ޑȦI2fT*sz?_"@Z/Jz΍:iokpRg*@+ kOj9̎׭Ɏ὾7|TbH-1Ђ(YGv/L{ݢl2F VءV]!OwH!_:BҴ pHR兆 xgIX%:y,pJAܚ~k?sCBkݤO2)ݔ(F">@Q~tNr"e8ص2,@z> Thiv,1;y[ $Z ^iZH&@vAˮ|`{RB~u)52Tȶמ IVÆƱ6-,ś2g9a9Xʩ ?JPW9\U:PC'R L5 ,Y%㞤U CCGw2&$}Rx UD66F<+\흙Pg?YcWPBpYyQ RT5Qq `JX5XPݿ0}uÎ^ǿMVWTer*=22į?y)j͋1+vAq %0SQWd9>n >"']7Zn e=M#})7 ~W?_33&U<+l&g"XV\[`:zTm7⯹uLE]jw@܂{v\C9YU3sđyaH@ 'p[\T_ 4<`@>vnJ4}N^@/jcB@%]Z{ÒezQqF\GB+[Aur@SÚ?|T'ZXu/l$x2#L`<2)j"oGLc3PT :4G޴ȶ[utږyw|r [ fR t P6* FWnr´pHX1{{CܩRh$}z;,X=7  don]הHXVm />V]+'4JʫLyʖV7=cpI /,e6isI ܈X<l6$pT)(MFD`}s((>\)bsG=ї-N 2s΋4=3WMk$85s4[3Rxà%DRo[% !rӭ0U <%h2bu$ KP}h )JSM:fB`,q#emb ~~,~2ŃY sε%Aط)!s1@xs:j?wG c8 S 51" ,̻I?zNa#iJ?qWoPik3IZeb(%Lr(͍6 ^ϡ6*k7Af-/VXי@],g,}aj#sHLOyK '}#FujTCJۃTm>i]3ce@< 6!̄E`u᭄q#ٳqT5 =~ qC+Tұok\ Q(S{Qrmkzz ɨWG;C0bp[ i?z2~9gW_,cE #u+^;xW,Fe9q_b#ڔfwyPݔPfių0u;%8AVlWG_[fpKzB.yZfS_E~F7fQAW@)`QDR4I"~6Aō49Yh;bӉ!QR1ʦU7qyhFq~Bzu([t1+sf#I6hZMޢLև*ua ȏGPWGsN/І{ 3JZqQpE/]m`-n-TÁp4vS,umg2kb(&ԒhAJn,؂H-zJnC sn@e+c<Q=8G7TɨRu1Baʦ:IBZ V>f8eep+9 ;Lډܳۼ6w"䒑%tЙ#'/DkBMU~6|=N3<|!B*􃝬D|1xPh}20=IG_v8$hl@'{a; a$qs({1[sPH33?r{.~a,P|*qBnVU n$\NftFC%Iˍdlxz]h;]a+}Yp/hCKw1>`Q8[AKa+Ze> GӰQVPf(0Gކqz }60-pT^QX@.J}p Y'ԋMZWxHZ? k$nG (l;%pmYVYNViBwoB3{&r)6 tp8ڐvk4rgroMgM ?f4 "++Nr(ٞ%YHL{h04`, Jר{G2杻.Nk'uh!/ϰOg5RCHi" moL7@ѧSolEP=PgzJ3kvq]~#du6bcI@!nﰅK0mlRGv}zwrbo.jժ2睜-M-ںHK&Z MPrd]BT,&CI6~^6 j$lΥA ͅ+]5~ 2&jp{nZ,\a%c*YګK"zOχ͋JIG(VNDzdl~6{zfhh-U9s*=(Ģb=p9ÂFA  7"bw{z:AL!ѽp4zvnw|Ͼ :픋Js_mxQaKYOGVHrPz $@P.N@_Dkn",^D@@ _En ] N ք;p!_ *(8%gUqM0soM{I|Z Ce.= =Gh2xV2"Th̏}xv>e<%LU٨"k^a6Q$1l bz4  <#֖DW::aMFhbbˁyX)]Z_{*^˴K gsiú(^q}7z&Z{ S.s/ P1/7L]kON-B;P@͵:Wq~)0k]|CةmhF]F aƢ`tꮝwl vs!,'4fJ< Qk,b_ z5IGv _2ajnO_?n h "ή|i mJrz}i,fC+sgB 'PkqIP&"2*k#GBH cwXʛ\d>fLv;aaa1m]l@|l3/]wf;pkk'{Yd"&EXa  dZyʲ!Nh84oE:Ln]/ [8CoX}_GF `,=6ؗ2㌥ iQL=\WT%3m%C⿃D:RH˨>}A[o_]0oi~ 0vK!h)^Ub;gFߝ ,GS`K 5ɒEex 0fUK]ԋrx5N^+rWɽa@.o/~c)61nI&{賈_=;>bK@l\J8e†3I *ÐaP部kZHf#FI-4J8Jd.(Zt4g!mڵenz^FJ74߄͝YĕL0l'qɄtH~/dZ OZW͂-o(~RMo>*h!YXjٵ󑻂7Ј4Yb($f`ؑîZ\ {"GdM`xEc=~8kEęJ֩QZ J!R~J{ZH :l7bj쟛L8e ;Y| !1M}^2]>%>4j鏖#wLB!qd8s #lzLc3o{y"]ظW?{.Si눶ЖMKvC[gGtΓ |-ǃoW0yr%L12%ǿ8eqT}A$/fc+ UJ (\y!p-8T^hDv(f9XL40͍󹽘퟾iYEe uUxEzMpEQ=ENe#Pky'-Z 6 r8vCPmBhӷC?N~G &1*[jqc*K!fcϝ;(?Z, ]"Tw]txYVdXn~CΔX".pY髍?lD}5~c[o`U+ .ؖnjz}cb&M/4N Jue/.X, 5$W`A't{~#)Nj3LV.n$ߍTѵ$Ww#8=[  r3<FGS3QdTӉuVD|Kߪ;<{&h zCKs_"(_)j]1܇*ÕE^L8"0J:ұ蝧S~>gyaM& W(gJ8crA1sepUaxuٻzŕex,\q8h;VK ҬO5+Tm Jy @7haҊ}%9Sb~bCHb9EN|apSw\Pr_| Z% |17[B߬;ȑc׷~ #Gy%Mmª|,VV3K)80bkHb zѠyZ?ټ?p&$F.cjfM"AgV_hz|MN#6f%Zu(JĔfy2$/gDf^UXjy.yr^BY#Nv߸`{rl(bVl]p;;,9w܇.\+bVJ۫6|$j~Թ$ [,ζ2PBu4g[vN;;Xj{'rex#g(K 1IO,􍍬N~~ɔ5؃JMq̲|Qh?]n5B?3$F/Y\/gwa1s]نHGLxrCXc;[omyՆJrD[-4c`x0TxS_mu񌖝u q{gf8C* !!YDŽc竳'ZjWa:/Ml'R>_Vs抺; )٘Ԗ5.5Lf*kLx.sJhAU] FTB$OjjUܭ 1[aGo*lZz55xE4'GR̦)K4IT:׸62<8K"tŁgq| Dꩭ:`L掟Mb'w6B :$E8K .;tҋQ*,jtB'Tk(;>iYBo]9H:oUAAVo[RsļhmY܇xR&.qq!~4Ӌx_⏤YUL'Ϙ#^aW}'˼ռ̮+b1t[(O/@7|qQca;3 u͠l,5> .ZUY8\)I `j:?'==Ġ&zQ V]zxcGbT3d] e6JHQ\=EWt2] z!:ye@U4Ol'*k!xGʼ~ ]rr%z;߳g/nN\†̊g}ϼPMFBi:@2?:/C:s#Eݾ}esqm qzjb{1p9t\'K[Ǟ 4XxJBZʏ=4v30tCdYOUO>.ㅃ!"c2ŗU&DB;kXE2HMzb\%đ S^N:`Fxj|]nĺ`0uf/w}GFXsO|%d3u 3 _ >Ů**vC Ee3NtP*fʡت.%&6Ox ǴI[uۏCt_-$Sm76esR{Uni<)dRG{<n'n4 MδW('/nmrPZ)(؞|uۥYi9E6iqLoAl3IBl xYZwգBzSm:\*QW*StC$v:Pva%;DMCEW,fVV4y,u9d|:> {jLRˀe2)ߓHmtu;+l33W4)V@u0JQ?N 6FQN)u2ڑA9N:SxARw?ojh<D;<[r&id*곢? eXAq=2•F%}J˙%M  YX1Id ܉iڅpNM0y$+\Bസlp_c)])0ki!\tdԚR,LAg`ݝJ09K`?v}N4 <ɴqJ?u˗G2VۿqvſX<>/p7XS=J ;WD)7 bû[܊pLO^9{{F8w`Ct`h@ٍ&+_L_JeInx"v7~tvimh:s-*Ԏ5^f&%+P3>G[ *'Ǟikڲ5I}Uu4(PXDU˄h? qQ0@P)9p31YyؑIpe9t=}isΆ שF{Ρ[;%9Y;Hi)o|&Z_g-QFZaHpIZ!w5XAqz/ay1Oy}<[z,zYQKXt/Ye ú3Mw6_{H_H>:!UFNM$/ pe5Ȃ_Ar/~H]ˬu y勏w}v:P)#hJJɚOwwf?;Vy2MCË_`Gz-f`Ħ/Z邗3kXCs$Lk (febXz>4@w}b=v6bW~;\X$ dWʷqk2{}x=æl~VٰWRy"r2gm 󋕇>q,E*ѧz#^w]|c1KWvHN2v:YuQ;O\k\ uv)q X-?x<(mUY{z䵲pR[+0$2 XnT V ͵zˆ焒\-9k3b` P?X@u};yFޅh){~:;~`RyUsj.>nˁM>cBd:jrєF4H${ 2do/54}οZ4+v\ĄBnP̶wbQ2pB^*kxS}-–^!ky9S U pieOSY?!E@k/h}&dXk2%ȼuX RV\'բ]Ӝ:vE ڵ|hSVՍWYOY׮b-DN\4Q$O,z-UAKAdޢȲ-Oŗ> բi )Eޠ9H(qC3i)ٽSpƄ+>vbpw#Y͡Ӎ 6c8%RO{ cu"xpF.{BKjB4o0e_ ]@|B̌X[KwOHgW=VXMΚsnV#ivx*n Z܁ؑC5Nlgc{9U!, ^.\#`&Eu>nRLtL QX<=%Ȑ7է թWWZoXN?0ޑWۣ#Sjϰ-y$Ť?β ,h@oq ũ'4QȆȑ|x̯~eL _!@ي:ǡ恅qA#dzWSSx}f}ꡢ%!gvxB.>̾A,ۆ6\gZT !x*&Ôeu,M`2]$A? ْ y= +OLE9[ce](io:j а}&ÛdB49dz.Z /A&!Xr3M gx84EF G_U~JLpMn "cʞQz cT~*ZL&x[/j“,mJ5RO[bD Ag$DyhK-i-nP>а?³"Uy<ݣ9l"$UMKۍBE|`쇑3gG*M^3٧`ϧߺAX6H5EXq  Y|ٖd$Wܡ:5T-̢R5Cn |j!Mĩy -dZ_{=$JXmyJ \.Q)1ֆI2}mV~(p\m{Kwy&N\02<>YΕxjemJK6ĩFNQJ77`_ ?z:۾ b~Aұ gt>LZAVu^!p\BV b}T6qJv7O ~ q_~K:Hop53 v};xeZ}|_Ex-пo}nTk#[ 5%%wPz;^›5Qwbb({TCD :%T4iJ"-hht5zK~YqhuerZqHhe2`RQ*Uy pl 8r%w+x\vcW]ԅa̧! 6_G}l׌_WcW[T)AƘI>^wM] PpٓگI^YD0 mU>zG?>;k"JA An . :ռ}ٲ(;- $QƇiD ŰWݸ%mp.N6:^D.o8kw;B^ >\-_Qq+?2 4+8yVA_-VmIT/Rߜ0%|k @qcRB}Py¡ȡy &PjPbF'P:Y|[%"V1*ӀsE=!#u1ud|Y&Q16*blzgKY_sK ]BjWdU cc dTQ[arjA4=QuK ݓԚ||TAR^h ZP$o L*ny (f\#9y^7euPZ.Ixצ}bx'ֿ? ,#58 V[խ!&B6F6>'\"9(73'Jf㊆i&D0r~imAFV!kE3 f듿Qgۀ%^N:I@dFQ nju~RVDfͩq _;M^"\YQ:a6tʎZ I|U j[/_""jZP'}@PTҜir n\6B Q9M&R$#mt?yE)0~7ZE=;k҆[sz@U!Kt`FeIP&#ml2ؔW.\Kfa/&"IaJy"xDB.qJ'JUA thPWCρ&FOe& l'6}x$p#7n϶^hzX d̗Hy9'9 4tXFڅ͚{ lL敔 ŕq˶7 +FiT;͝0:Fg{U`}!鸉y7r8TPeVER!pm#VVAK(]7<{hkiCd$)!T?j?Ț9t6\KEEq foHXZI9y4>mBKRcOB<>LΒ2**Mrph?C w,}uͧx&䌲(]6θOo]z;qѹЙҵz4̺٧iV0 <=Sxa' 0tW~F'|@^H#LNRW)kMD}5rx2m56*= M]=dg60ͨȮ4._Yi#J9U AEmqvY.ƙԇ1x*4ܾٴ pj=,Fs`1?aߘ,F:WiIͰͱW7_e+ŨoP!;:ʕ0s=r[S? b2ڿp:br(o۽TYkI[$+տ/9XcgAjjwE'j2RL_#j8pu`i,}hEg{;_Q$rd}lIi-bZ qcTܘ# '.sJ:ݣɢ EPB} I;.d<QKù8k;B`;Y*$5K+otXpG"~{odLi'^YcWuJws-4O/1Uܜ|*ol>@3oB%3&cɼӽ\#G.ƆK8'SۍkcŌM`ܬ!=mzmOtEnP*BeA PtnIH@cynWݘ[xLmKgO)Ah~ɟD`*K>t}SE mS^0qћi,* zn@M0B8-d}!C[ߍF:HW  vuDbiyL$єl$XKi&@n%Q[ݩ'# GldALJcW6~7ɯgN5$-^'{O~ZKg ˨5K q>H]&cٍp 'B(Ud# :6cbC+$q2iFh)^6AJ Z+$cN 7?:MzE::$$=gA3VY/d@ć= lo΅ƃA |'(15i<3NnΔ. SHLDS.G,EsYj-[K9¥P&mxfۢ@=Z|J% Ntx/Q x^y8$&ac7g~P&7J (1[ r9W\Y8UGbW]ElW1BR*oC|ihqsg:bCEF<.'ޞeyOdaMshgOF[?x I%32C]$M OܻwsQO@ײe'LJ3aJ-鸘/2jJtff3 $q>tY+rne(CUy5tKD[w!;ڪ CF.ٙd&MP?J 4 0.Y,0qH)ߒu_2X5`65U٩ םy 3/2PB1˱bZxCz(5m]orvuW OWJM.сEAh;1n R(5$8m;3l:5>s@o}|F>*Gߑwlke)f@#[a m47r-,#OBnʹ.z $zc=J$,f~=za6ЛW~וҖQuDmb b y9zs3[aI WD`^?wϦ҇ *𛟂8G3,m" xe_Y$kJ$@f1Ht^w)* @wK<̊}Q!d֢;9$v0/)ǺHAMu3締]qիYܔ- 0V;S9l!'CAC۞ A`@cCdd?k;e!ߓ ֽ~>,iYÓP N UNe+W}|zX3R%:K"=1w"qDModSuA~q%hVr>ØY, GX|uF tX>h7U\"f̀Q8u^@|56ccۯ x.I DY4"4#?|Jy®_Y+P(a'RuXcp`oH!=_*~@?0aGs|߶%$q.%F|M V5e̪\*4cv` Tm}y},w%5֫ػiYw}]lAWߠA(M픯Ç^18OFaS5 uш] 6BJ] H% eYx}2 3rM%jq5^K6'f~^7n'Zi!G6f Vv3U~)BSߪ9x,Tͱbt]mnw@<}G6L2!U&+.5zmjQGzf>?.>; Ewȷ]sʫ~V}y۴Ll^ms\gU-٧ݛ-S>ā ôs;M{|G4{Vv8m*ۮrtg E}א410CKD9yP-V])ϛG~ߙNBJ :t03m6jX 9x3)\j )% =)-l}"&lג 5nwJ~xj$nVXy~Gylb