sssd-kcm-1.16.2-13.el7>t  DH`p[j$ƨ+@y.zB;}035E oUo0clfp! kW!ő] SEݑ/%~ %tʌ:ndb_Fr9֛\'4kV0eI16EXp#NF+eEM{"sVk ySm =06ݭ1 j ꦬey-nHsfjeM6}򼖦C\rOZqydRʈ>M'/yAc` ROR)y]C\97/ؓ@; u.NT-q5\2kdz.`Q*zx޶L r:OAj -FR, N|^$.*QT{A0Ƹ?W!;;4K6oI+d(oz >>?d   D *GMT0 > L h  7Zx?? ?()809H:v>?@GHIXY\]4^bdefltuv0wxy 7Csssd-kcm1.16.213.el7An implementation of a Kerberos KCM serverAn implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.[!x86-01.bsys.centos.orgҕCentOSGPLv3+CentOS BuildSystem Applications/Systemhttps://pagure.io/SSSD/sssd/linuxx86_64 if [ $1 -eq 1 ] ; then # Initial installation systemctl preset sssd-kcm.socket >/dev/null 2>&1 || : fi if [ $1 -eq 0 ] ; then # Package removal, not upgrade systemctl --no-reload disable sssd-kcm.socket > /dev/null 2>&1 || : systemctl stop sssd-kcm.socket > /dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.socket >/dev/null 2>&1 || : fi systemctl daemon-reload >/dev/null 2>&1 || : if [ $1 -ge 1 ] ; then # Package upgrade, not uninstall systemctl try-restart sssd-kcm.service >/dev/null 2>&1 || : fi 큤A큤[[[[[[[04a2af0a27631b76215f6cd6cf6305db78e371271c475ed485f4d563fe2f3d54d50c2b062a96fdc50ef141b24132b40a62b776e14ed89c824f51c45e7571ba103cd751e4e87146478a5278abee075984c15de40a18ddd1a397de5576cf59a74799b9cb9683e2bdee6ddde20c1b77a2236998ca7b6cde079d6c882f3ab1fb5a9364399f0a71557a095de8f45af3f23ba4a1345fd9279b126dd1b07668225048da91b30e576e05441743fcce027767650f498cf10ccca12ce0bafe8505f0e87b6frootrootrootrootrootrootrootrootrootrootrootrootrootrootsssd-1.16.2-13.el7.src.rpmsssd-kcmsssd-kcm(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   @ /bin/sh/bin/sh/bin/shlibbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.2()(64bit)libcom_err.so.2()(64bit)libcurl.so.4()(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libdl.so.2()(64bit)libglib-2.0.so.0()(64bit)libini_config.so.3()(64bit)libjansson.so.4()(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libldb.so.1()(64bit)libldb.so.1(LDB_0.9.10)(64bit)libnspr4.so()(64bit)libnss3.so()(64bit)libnssutil3.so()(64bit)libpcre.so.1()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libselinux.so.1()(64bit)libsmime3.so()(64bit)libssl3.so()(64bit)libsss_cert.so()(64bit)libsss_certmap.so.0()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libuuid.so.1()(64bit)libuuid.so.1(UUID_1.0)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rtld(GNU_HASH)sssd-commonrpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-11.16.2-13.el75.2-14.11.3[@[l,[b@[a[Y[Y[H@[E@[6@[0@[,[,[d@[[Z@Z@ZmZ@Z_@Z_@Z@ZyZhu@Z3@Z2gZ.s@Z*~Z'Z!D@ZZ@Z Z @Z7ZNYZ@Y@YYJ_YJ_YC@YBvYBvY9<@Y9<@Y5GY5GY5GY5GY0Y0Y(Y(Y%uY%uY$$@Y$$@Y"Y;@YR@YR@Y Y @Y @YtYtYtYtYtYXXh@XXX@X@X@XsX@X@X@XۡXۡXXӸX,XCX@XX*X lX lX lW$WW;W;W;W֘W֘W@W^@WiWiWiW/@W/@W/@W/@WWWWQWQWQW@W@W@WhW@W@Wt@WE@WE@W@W@W@W@WW~W-@W-@W-@WW@WWu WgWDB@WDB@WDB@WBW;W;W@VbV͛@VTQ@VCV @V @V @V V@VBVBVBVBVBUUUU@UXU@U@U@UUUUUUUUL@UL@UU@U@U@UnU@U(U@U@UUmUmU@UJ@UU7@U7@U7@U @U@U@TE@TE@TE@Tи@Tr@Tr@Tr@Tr@T}T}T}T}T}T7T7TTC@TTZ@TZ@TT@Tp@Tp@T@T{T*@T*@TTT~@T~@TuTuTto@Tto@Tto@Tto@Tto@Tto@TmTmTmTmTl@Tl@Tl@Tl@TcKTa@T\@TZ@TZ@TR(@TG@TG@TG@TG@TG@TD@T6xTTT SS@S|@Sr @Sr @Sr @Sr @S;S;S2@S2@S,)S!S L@SSS@S@S@S@S@S @S @S @S @S @S @S @S @SSSRb@Rb@Rb@R@R@R@R@RURURUR߲RRRx@Rx@Rx@RΏ@RΏ@RΏ@R=R=RkRRRR@R@R@R@R@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@Rv@RpREs@REs@R7Q@Q@Q@Q@Q@QQLQکQQQo@Q)@Q@QQ@Q@QbQyQV@Q'@QQQnQZ@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 1.16.2-13Fabiano Fidêncio - 1.16.2-12Jakub Hrozek - 1.16.2-11Jakub Hrozek - 1.16.2-10Jakub Hrozek - 1.16.2-9Jakub Hrozek - 1.16.2-8Fabiano Fidêncio - 1.16.2-7Fabiano Fidêncio - 1.16.2-6Fabiano Fidêncio - 1.16.2-5Fabiano Fidêncio - 1.16.2-4Fabiano Fidêncio - 1.16.2-3Fabiano Fidêncio - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.0-25Fabiano Fidêncio - 1.16.0-24Fabiano Fidêncio - 1.16.0-23Fabiano Fidêncio - 1.16.0-22Jakub Hrozek - 1.16.0-21Fabiano Fidêncio - 1.16.0-20Fabiano Fidêncio - 1.16.0-19Fabiano Fidêncio - 1.16.0-18Fabiano Fidêncio - 1.16.0-17Fabiano Fidêncio - 1.16.0-16Fabiano Fidêncio - 1.16.0-15Fabiano Fidêncio - 1.16.0-14Fabiano Fidêncio - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Fabiano Fidêncio - 1.16.0-11Fabiano Fidêncio - 1.16.0-10Fabiano Fidêncio - 1.16.0-9Fabiano Fidêncio - 1.16.0-8Fabiano Fidêncio - 1.16.0-7Fabiano Fidêncio - 1.16.0-6Fabiano Fidêncio - 1.16.0-5Fabiano Fidêncio - 1.16.0-4Fabiano Fidêncio - 1.16.0-3Fabiano Fidêncio - 1.16.0-2Fabiano Fidêncio - 1.16.0-1Jakub Hrozek - 1.15.2-51Jakub Hrozek - 1.15.2-50Jakub Hrozek - 1.15.2-49Jakub Hrozek - 1.15.2-48Jakub Hrozek - 1.15.2-47Jakub Hrozek - 1.15.2-46Jakub Hrozek - 1.15.2-45Jakub Hrozek - 1.15.2-44Jakub Hrozek - 1.15.2-43Jakub Hrozek - 1.15.2-42Jakub Hrozek - 1.15.2-41Jakub Hrozek - 1.15.2-40Jakub Hrozek - 1.15.2-39Jakub Hrozek - 1.15.2-38Jakub Hrozek - 1.15.2-37Jakub Hrozek - 1.15.2-36Jakub Hrozek - 1.15.2-35Jakub Hrozek - 1.15.2-34Jakub Hrozek - 1.15.2-33Jakub Hrozek - 1.15.2-32Jakub Hrozek - 1.15.2-31Sumit Bose - 1.15.2-30Jakub Hrozek - 1.15.2-29Jakub Hrozek - 1.15.2-28Jakub Hrozek - 1.15.2-25Jakub Hrozek - 1.15.2-24Lukas Slebodnik - 1.15.2-23Jakub Hrozek - 1.15.2-22Jakub Hrozek - 1.15.2-21Jakub Hrozek - 1.15.2-20Jakub Hrozek - 1.15.2-19Jakub Hrozek - 1.15.2-18Jakub Hrozek - 1.15.2-17Jakub Hrozek - 1.15.2-16Jakub Hrozek - 1.15.2-15Jakub Hrozek - 1.15.2-14Jakub Hrozek - 1.15.2-13Jakub Hrozek - 1.15.2-12Jakub Hrozek - 1.15.2-11Jakub Hrozek - 1.15.2-10Jakub Hrozek - 1.15.2-9Jakub Hrozek - 1.15.2-8Jakub Hrozek - 1.15.2-7Jakub Hrozek - 1.15.2-6Jakub Hrozek - 1.15.2-5Jakub Hrozek - 1.15.2-4Jakub Hrozek - 1.15.2-3Jakub Hrozek - 1.15.2-2Jakub Hrozek - 1.15.2-1Fabiano Fidêncio - 1.15.1-2Jakub Hrozek - 1.15.1-1Jakub Hrozek - 1.15.0-2Jakub Hrozek - 1.15.0-1Jakub Hrozek - 1.14.0-46Jakub Hrozek - 1.14.0-45Jakub Hrozek - 1.14.0-44Jakub Hrozek - 1.14.0-43Jakub Hrozek - 1.14.0-42Jakub Hrozek - 1.14.0-41Jakub Hrozek - 1.14.0-40Jakub Hrozek - 1.14.0-39Jakub Hrozek - 1.14.0-38Jakub Hrozek - 1.14.0-37Jakub Hrozek - 1.14.0-36Jakub Hrozek - 1.14.0-35Jakub Hrozek - 1.14.0-34Jakub Hrozek - 1.14.0-33Jakub Hrozek - 1.14.0-32Jakub Hrozek - 1.14.0-31Jakub Hrozek - 1.14.0-30Jakub Hrozek - 1.14.0-29Jakub Hrozek - 1.14.0-28Jakub Hrozek - 1.14.0-27Jakub Hrozek - 1.14.0-26Jakub Hrozek - 1.14.0-25Jakub Hrozek - 1.14.0-24Jakub Hrozek - 1.14.0-23Jakub Hrozek - 1.14.0-22Jakub Hrozek - 1.14.0-21Jakub Hrozek - 1.14.0-20Jakub Hrozek - 1.14.0-19Jakub Hrozek - 1.14.0-18Jakub Hrozek - 1.14.0-17Jakub Hrozek - 1.14.0-16Jakub Hrozek - 1.14.0-15Jakub Hrozek - 1.14.0-14Jakub Hrozek - 1.14.0-13Jakub Hrozek - 1.14.0-12Jakub Hrozek - 1.14.0-11Jakub Hrozek - 1.14.0-10Jakub Hrozek - 1.14.0-9Jakub Hrozek - 1.14.0-8Jakub Hrozek - 1.14.0-7Jakub Hrozek - 1.14.0-6Jakub Hrozek - 1.14.0-5Jakub Hrozek - 1.14.0-4Jakub Hrozek - 1.14.0-3Jakub Hrozek - 1.14.0-2Jakub Hrozek - 1.14.0-1Jakub Hrozek - 1.14.0beta1-2Jakub Hrozek - 1.14.0alpha-1Jakub Hrozek - 1.13.0-50Jakub Hrozek - 1.13.0-49Jakub Hrozek - 1.13.0-48Jakub Hrozek - 1.13.0-47Jakub Hrozek - 1.13.0-46Jakub Hrozek - 1.13.0-45Jakub Hrozek - 1.13.0-44Jakub Hrozek - 1.13.0-43Jakub Hrozek - 1.13.0-42Jakub Hrozek - 1.13.0-41Jakub Hrozek - 1.13.0-40Jakub Hrozek - 1.13.0-39Jakub Hrozek - 1.13.0-38Jakub Hrozek - 1.13.0-37Jakub Hrozek - 1.13.0-36Jakub Hrozek - 1.13.0-35Jakub Hrozek - 1.13.0-34Jakub Hrozek - 1.13.0-33Jakub Hrozek - 1.13.0-32Jakub Hrozek - 1.13.0-31Jakub Hrozek - 1.13.0-30Jakub Hrozek - 1.13.0-29Jakub Hrozek - 1.13.0-28Jakub Hrozek - 1.13.0-27Jakub Hrozek - 1.13.0-26Martin Kosek - 1.13.0-25Jakub Hrozek - 1.13.0-24Jakub Hrozek - 1.13.0-23Jakub Hrozek - 1.13.0-22Jakub Hrozek - 1.13.0-21Jakub Hrozek - 1.13.0-20Jakub Hrozek - 1.13.0-19Jakub Hrozek - 1.13.0-18Jakub Hrozek - 1.13.0-17Jakub Hrozek - 1.13.0-16Jakub Hrozek - 1.13.0-15Jakub Hrozek - 1.13.0-14Lukas Slebodnik - 1.13.0-13Jakub Hrozek - 1.13.0-12Jakub Hrozek - 1.13.0-11Jakub Hrozek - 1.13.0-10Jakub Hrozek - 1.13.0-9Jakub Hrozek - 1.13.0-8Jakub Hrozek - 1.13.0-7Jakub Hrozek - 1.13.0-6Jakub Hrozek - 1.13.0-5Jakub Hrozek - 1.13.0-4Jakub Hrozek - 1.13.0-3Jakub Hrozek - 1.13.0-2Jakub Hrozek - 1.13.0-1Jakub Hrozek - 1.13.0.3alphaJakub Hrozek - 1.13.0.2alphaJakub Hrozek - 1.13.0.1alphaJakub Hrozek - 1.12.2-61Jakub Hrozek - 1.12.2-60Jakub Hrozek - 1.12.2-59Jakub Hrozek - 1.12.2-58.6Jakub Hrozek - 1.12.2-58.5Jakub Hrozek - 1.12.2-58.4Jakub Hrozek - 1.12.2-58.3Jakub Hrozek - 1.12.2-58.2Jakub Hrozek - 1.12.2-58.1Jakub Hrozek - 1.12.2-57Jakub Hrozek - 1.12.2-56Jakub Hrozek - 1.12.2-55Jakub Hrozek - 1.12.2-54Jakub Hrozek - 1.12.2-53Jakub Hrozek - 1.12.2-52Jakub Hrozek - 1.12.2-51Jakub Hrozek - 1.12.2-50Jakub Hrozek - 1.12.2-49Jakub Hrozek - 1.12.2-48Jakub Hrozek - 1.12.2-47Jakub Hrozek - 1.12.2-46Jakub Hrozek - 1.12.2-45Jakub Hrozek - 1.12.2-44Jakub Hrozek - 1.12.2-43Jakub Hrozek - 1.12.2-42Jakub Hrozek - 1.12.2-41Jakub Hrozek - 1.12.2-40Sumit Bose - 1.12.2-39Sumit Bose - 1.12.2-38Sumit Bose - 1.12.2-37Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-35Jakub Hrozek - 1.12.2-34Jakub Hrozek - 1.12.2-33Jakub Hrozek - 1.12.2-32Jakub Hrozek - 1.12.2-31Jakub Hrozek - 1.12.2-30Jakub Hrozek - 1.12.2-29Jakub Hrozek - 1.12.2-28Jakub Hrozek - 1.12.2-27Jakub Hrozek - 1.12.2-26Jakub Hrozek - 1.12.2-25Jakub Hrozek - 1.12.2-24Jakub Hrozek - 1.12.2-23Jakub Hrozek - 1.12.2-22Jakub Hrozek - 1.12.2-21Jakub Hrozek - 1.12.2-20Jakub Hrozek - 1.12.2-19Jakub Hrozek - 1.12.2-18Jakub Hrozek - 1.12.2-17Jakub Hrozek - 1.12.2-16Jakub Hrozek - 1.12.2-15Jakub Hrozek - 1.12.2-14Jakub Hrozek - 1.12.2-13Jakub Hrozek - 1.12.2-12Jakub Hrozek - 1.12.2-11Jakub Hrozek - 1.12.2-10Jakub Hrozek - 1.12.2-9Jakub Hrozek - 1.12.2-8Jakub Hrozek - 1.12.2-7Jakub Hrozek - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-3Jakub Hrozek - 1.12.0-2Jakub Hrozek - 1.12.0-1Jakub Hrozek - 1.11.2-70Jakub Hrozek - 1.11.2-69Jakub Hrozek - 1.11.2-68Jakub Hrozek - 1.11.2-67Jakub Hrozek - 1.11.2-66Jakub Hrozek - 1.11.2-65Jakub Hrozek - 1.11.2-64Sumit Bose - 1.11.2-63Sumit Bose - 1.11.2-62Jakub Hrozek - 1.11.2-61Jakub Hrozek - 1.11.2-60Jakub Hrozek - 1.11.2-59Jakub Hrozek - 1.11.2-58Jakub Hrozek - 1.11.2-57Jakub Hrozek - 1.11.2-56Jakub Hrozek - 1.11.2-55Jakub Hrozek - 1.11.2-54Jakub Hrozek - 1.11.2-53Jakub Hrozek - 1.11.2-52Jakub Hrozek - 1.11.2-51Jakub Hrozek - 1.11.2-50Jakub Hrozek - 1.11.2-49Jakub Hrozek - 1.11.2-48Jakub Hrozek - 1.11.2-47Jakub Hrozek - 1.11.2-46Jakub Hrozek - 1.11.2-45Jakub Hrozek - 1.11.2-44Jakub Hrozek - 1.11.2-43Jakub Hrozek - 1.11.2-42Jakub Hrozek - 1.11.2-41Jakub Hrozek - 1.11.2-40Jakub Hrozek - 1.11.2-39Jakub Hrozek - 1.11.2-38Jakub Hrozek - 1.11.2-37Jakub Hrozek - 1.11.2-36Jakub Hrozek - 1.11.2-35Jakub Hrozek - 1.11.2-34Daniel Mach - 1.11.2-33Jakub Hrozek - 1.11.2-32Jakub Hrozek - 1.11.2-31Jakub Hrozek - 1.11.2-30Jakub Hrozek - 1.11.2-29Jakub Hrozek - 1.11.2-28Jakub Hrozek - 1.11.2-27Jakub Hrozek - 1.11.2-26Jakub Hrozek - 1.11.2-25Jakub Hrozek - 1.11.2-24Jakub Hrozek - 1.11.2-23Jakub Hrozek - 1.11.2-22Jakub Hrozek - 1.11.2-21Jakub Hrozek - 1.11.2-20Daniel Mach - 1.11.2-19Jakub Hrozek - 1.11.2-18Jakub Hrozek - 1.11.2-17Jakub Hrozek - 1.11.2-16Jakub Hrozek - 1.11.2-15Jakub Hrozek - 1.11.2-14Jakub Hrozek - 1.11.2-13Jakub Hrozek - 1.11.2-12Jakub Hrozek - 1.11.2-11Jakub Hrozek - 1.11.2-10Jakub Hrozek - 1.11.2-9Jakub Hrozek - 1.11.2-8Jakub Hrozek - 1.11.2-7Jakub Hrozek - 1.11.2-6Jakub Hrozek - 1.11.2-5Jakub Hrozek - 1.11.2-4Jakub Hrozek - 1.11.2-3Jakub Hrozek - 1.11.2-2Jakub Hrozek - 1.11.2-1Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-5Jakub Hrozek - 1.10.1-4Jakub Hrozek - 1.10.1-3Jakub Hrozek - 1.10.1-2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-18Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1593756 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: rhbz#1610667 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key - Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled- Resolves: rhbz#1602781 - Local users failed to login with same password- Resolves: rhbz#1586127 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped- Resolves: rhbz#1522928 - sssd doesn't allow user with expired password- Resolves: rhbz#1607313 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails- Resolves: rhbz#1600822 - SSSD bails out saving desktop profiles in case an invalid profile is found- Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers- Resolves: rhbz#1583725 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Resolves: rhbz#1416528 - sssd in cross realm trust configuration should be able to use AD KDCs from a client site defined in sssd.conf or a snippet - Resolves: rhbz#1592964 - Groups go missing with PAC enabled in sssd- Resolves: rhbz#1590603 - EMBARGOED CVE-2018-10852 sssd: information leak from the sssd-sudo responder [rhel-7] - Resolves: rhbz#1450778 - Full information regarding priority of lookup of principal in keytab not in man page- Resolves: rhbz#1494690 - kdcinfo files are not created for subdomains of a directly joined AD client - Resolves: rhbz#1583343 - Login with sshkeys stored in ipa not working after update to RHEL-7.5 - Resolves: rhbz#1527662 - Handle conflicting e-mail addresses more gracefully - Resolves: rhbz#1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed- Related: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch- Resolves: rhbz#1558498 - Rebase sssd to the latests upstream release of the 1.16 branch - Resolves: rhbz#1523019 - Reset password with two factor authentication fails - Resolves: rhbz#1534749 - Requesting an AD user's private group and then the user itself returns an emty homedir - Resolves: rhbz#1537272 - SSH public key authentication keeps working after keys are removed from ID view - Resolves: rhbz#1537279 - Certificate is not removed from cache when it's removed from the override - Resolves: rhbz#1562025 - externalUser sudo attribute must be fully-qualified - Resolves: rhbz#1577335 - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily - Resolves: rhbz#1508530 - How should sudo behave without sudoHost attribute? - Resolves: rhbz#1546754 - The man page of sss_ssh_authorizedkeys can be enhanced to better explain how the keys are retrieved and how X.509 certificates can be used - Resolves: rhbz#1572790 - getgrgid/getpwuid fails in setups with multiple domains if the first domain uses mid_id/max_id - Resolves: rhbz#1561562 - sssd not honoring dyndns_server if the DNS update process is terminated with a signal - Resolves: rhbz#1583251 - home dir disappear in sssd cache on the IPA master for AD users - Resolves: rhbz#1514061 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set - Resolves: rhbz#1571466 - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map - Resolves: rhbz#1571526 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.- Resolves: rhbz#1547782 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process- Related: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1578291 - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION- Resolves: rhbz#1516266 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1503802 - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' - Resolves: rhbz#1385665 - Incorrect error code returned from krb5_child (updated) - Resolves: rhbz#1547234 - SSSD's GPO code ignores ad_site option - Resolves: rhbz#1459348 - extend sss-certmap man page regarding priority processing - Resolves: rhbz#1220767 - Group renaming issue when "id_provider = ldap" is set - Resolves: rhbz#1538555 - crash in nss_protocol_fill_netgrent. sssd_nss[19234]: segfault at 80 ip 000055612688c2a0 sp 00007ffddf9b9cd0 error 4 in sssd_nss[55612687e000+39000]- Resolves: rhbz#1565774 - After updating to RHEL 7.5 failing to clear the sssd cache- Resolves: rhbz#1566782 - memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash- Related: rhbzrhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1543348 - sssd_be consumes more memory on RHEL 7.4 systems. - Resolves: rhbz#1544943 - sssd goes offline when renewing expired ticket- Resolves: rhbz#1523282 - sssd used wrong search base with wrong AD server- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Related: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7]- Resolves: rhbz#1517971 - AD Domain goes offline immediately during subdomain initialization - IPA AD Trust - Related: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Related: rhbz#1327705 - [RFE] Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1527149 - AD provider - AD BUILTIN groups are cached with gidNumber = 0 - Related: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1525644 - dbus-send unable to find user by CAC cert- Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card- Resolves: rhbz#1512027 - NSS by-id requests are not checked against max_id/min_id ranges before triggering the backend- Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Resolves: rhbz#1523010 - IPA user able to authenticate with revoked cert on smart card - Resolves: rhbz#1520984 - getent output is not showing home directory for IPA AD trusted user - Related: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1421194 - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests- Resolves: rhbz#1482231 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: rhbz#1512508 - SSSD fails to fetch group information after switching IPA client to a non-default view- Resolves: rhbz#1490120 - SSSD complaining about corrupted mmap cache and logging error in /var/log/messages and /var/log/sssd/sssd_nss.log- Resolves: rhbz#1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation) - Resolves: rhbz#1482555 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. - Resolves: rhbz#888739 - Enumerating large number of users makes sssd_be hog the cpu for a long time. - Resolves: rhbz#1373547 - SSSD performance issue with malloc and brk calls - Resolves: rhbz#1472255 - Improve SSSD performance in the 7.5 release- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1432010 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Related: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available- Resolves: rhbz#1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available - Related: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1408294 - SSSD authentication fails when two IPA accounts share an email address without a clear way to debug the problem - Resolves: rhbz#1502686 - crash - /usr/libexec/sssd/sssd_nss in nss_setnetgrent_timeout- Related: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Related: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1473571 - ipa-extdom-extop plugin can exhaust DS worker threads- Resolves: rhbz#1484376 - [RFE] Add a configuration option to SSSD to disable the memory cache - Resolves: rhbz#1327705 - Automatic creation of user private groups on RHEL clients joined to AD via sssd [RHEL 7] - Resolves: rhbz#1505277 - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss - Resolves: rhbz#1462343 - document information on why SSSD does not use host-based security filtering when processing AD GPOs - Resolves: rhbz#1498734 - sssd_be stuck in an infinite loop after completing full refresh of sudo rules - Resolves: rhbz#1400614 - [RFE] sssd should remember DNS sites from first search - Resolves: rhbz#1460724 - SYSLOG_IDENTIFIER is different - Resolves: rhbz#1459609 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.- Resolves: rhbz#1469791 - Rebase SSSD to version 1.16+ - Resolves: rhbz#1132264 - Allow sssd to retrieve sudo rules of local users whose sudo rules stored in ldap server - Resolves: rhbz#1301740 - sssd can be marked offline if a trusted domain is not reachable - Resolves: rhbz#1399262 - Use TCP for kerberos with AD by default - Resolves: rhbz#1416150 - RFE: Log to syslog when sssd cannot contact servers, goes offline - Resolves: rhbz#1441908 - SELINUX: Use getseuserbyname to get IPA seuser - Resolves: rhbz#1454559 - python-sssdconfig doesn't parse hexadecimal debug _level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError - Resolves: rhbz#1456968 - MAN: document that attribute 'provider' is not allowed in section 'secrets' - Resolves: rhbz#1460689 - KCM/secrets: Storing many secrets in a rapid succession segfaults the secrets responder - Resolves: rhbz#1464049 - Idle nss file descriptors should be closed - Resolves: rhbz#1468610 - sssd_be is utilizing more CPU during sudo rules refresh - Resolves: rhbz#1474711 - Querying the AD domain for external domain's ID can mark the AD domain offline - Resolves: rhbz#1479398 - samba shares with sssd authentication broken on 7.4 - Resolves: rhbz#1479983 - id root triggers an LDAP lookup - Resolves: rhbz#1489895 - Issues with certificate mapping rules - Resolves: rhbz#1490501 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section - Resolves: rhbz#1490913 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only - Resolves: rhbz#1499659 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database [rhel-7.5] - Resolves: rhbz#1461899 - Loading enterprise principals doesn't work with a primed cache - Resolves: rhbz#1482674 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: rhbz#1486053 - Accessing IdM kerberos ticket fails while id mapping is applied - Resolves: rhbz#1486786 - sssd going in offline mode due to sudo search filter. - Resolves: rhbz#1500087 - SSSD creates bad override search filter due to AD Trust object with parenthesis - Resolves: rhbz#1502713 - SSSD can crash due to ABI changes in libldb >= 1.2.0 (1.1.30) - Resolves: rhbz#1461462 - sssd_client: add mutex protected call to the PAC responder - Resolves: rhbz#1489666 - Combination sssd-ad and postfix recieve incorrect mail with asterisks or spaces - Resolves: rhbz#1525052 - sssd_krb5_localauth_plugin fails to fallback to otheri localname rules- Require the 7.5 libldb version which broke ABI - Related: rhbz#1469791 - Rebase SSSD to version 1.16+- Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain- Resolves: rhbz#1450107 - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled- Resolves: rhbz#1459846 - krb5: properly handle 'password expired' information retured by the KDC during PKINIT/Smartcard authentication- Resolves: rhbz#1430415 - ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in- Resolves: rhbz#1455254 - Make domain available as user attribute- Resolves: rhbz#1449731 - IPA client cannot change AD Trusted User password- Resolves: rhbz#1457927 - getent failed to fetch netgroup information after changing default_domain_suffix to ADdomin in /etc/sssd/sssd.conf- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15- Resolves: rhbz#1449728 - LDAP to IPA migration doesn't work in master- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1449729 - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD- Resolves: rhbz#1450094 - Properly support IPA's promptusername config option- Resolves: rhbz#1457644 - Segfault in access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer - Resolves: rhbz#1456531 - Option name typos are not detected with validator function of sssctl config-check command in domain sections- Resolves: rhbz#1428906 - sssd intermittently failing to resolve groups for an AD user in IPA-AD trust environment.- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail - Fix Coverity issues in patches for rhbz#1445445- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1446302 - crash in sssd-kcm due to a race-condition between two concurrent requests- Resolves: rhbz#1389796 - Smartcard authentication with UPN as logon name might fail- Resolves: rhbz#1306707 - Need better debug message when krb5_child returns an unhandled error, leading to a System Error PAM code- Resolves: rhbz#1446535 - Group resolution does not work in subdomain without ad_server option- Resolves: rhbz#1449726 - sss_nss_getlistbycert() does not return results from multiple domains - Resolves: rhbz#1447098 - sssd unable to search dbus for ipa user by certificate - Additional patch for rhbz#1440132- Reapply patch by Lukas Slebodnik to fix upgrade issues with libwbclient - Resolves: rhbz#1439457 - SSSD does not start after upgrade from 7.3 to 7.4 - Resolves: rhbz#1449107 - error: %pre(sssd-common-1.15.2-26.el7.x86_64) scriptlet failed, exit status 3- Resolves: rhbz#1440132 - fiter_users and filter_groups stop working properly in v 1.15 - Also apply an additional patch for rhbz#1441545- Resolves: rhbz#1445445 - Smart card login fails if same cert mapped to IdM user and AD user- Resolves: rhbz#1434992 - Wrong pam return code for user from subdomain with ad_access_filter- Resolves: rhbz#1430494 - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package- Resolves: rhbz#1427749 - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches- Resolves: rhbz#1446139 - Infopipe method ListByCertificate does not return the users with overrides- Resolves: rhbz#1441545 - With multiple subdomain sections id command output for user is not displayed for both domains- Resolves: rhbz#1428866 - Using ad_enabled_domains configuration option in sssd.conf causes nameservice lookups to fail.- Remove an unused variable from the sssd-secrets responder - Related: rhbz#1398701 - [sssd-secrets] https proxy talks plain http - Improve two DEBUG messages in the client trust code to aid troubleshooting - Fix standalone application domains - Related: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Allow completely server-side unqualified name resolution if the domain order is set, do not require any client-side changes - Related: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users- Resolves: rhbz#1402532 - D-Bus interface of sssd is giving inappropriate group information for trusted AD users- Resolves: rhbz#1431858 - Wrong principal found with ad provider and long host name- Resolves: rhbz#1415167 - pam_acct_mgmt with pam_sss.so fails in unprivileged container unless selinux_provider = none is used- Resolves: rhbz#1438388 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_pam killed by 6- Resolves: rhbz#1432112 - sssctl config-check does not give any error when default configuration file is not present- Resolves: rhbz#1438374 - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1427195 - sssd_nss consumes more memory until restarted or machine swaps- Resolves: rhbz#1414023 - Create troubleshooting tool to determine if a failure is in SSSD or not when using layered products like RH-SSO/CFME etc- Resolves: rhbz#1398701 - [sssd-secrets] https proxy talks plain http- Fix off-by-one error in the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1425891 - Support delivering non-POSIX users and groups through the IFP and PAM interfaces- Resolves: rhbz#1434991 - Issue processing ssh keys from certificates in ssh respoder- Resolves: rhbz#1330196 - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when IPA client resolves trusted AD domain users - Also backport some buildtime fixes for the KCM responder - Related: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1396012 - [RFE] KCM ccache daemon in SSSD- Resolves: rhbz#1340711 - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts- Update to upstream 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html - Resolves: rhbz#1418728 - IPA - sudo does not handle associated conflict entries - Resolves: rhbz#1386748 - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure - Resolves: rhbz#1214491 - [RFE] Make it possible to configure AD subdomain in the SSSD server mode- Drop "NOUPSTREAM: Bundle http-parser" patch Related: rhbz#1393819 - New package: http-parser- Update to upstream 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html - Resolves: rhbz#1327085 - Don't prompt for password if there is already one on the stack - Resolves: rhbz#1378722 - [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases - Resolves: rhbz#1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider - Resolves: rhbz#1416526 - Need correction in sssd-krb5 man page - Resolves: rhbz#1418752 - pam_sss crashes in do_pam_conversation if no conversation function is provided by the client app - Resolves: rhbz#1419356 - Fails to accept any sudo rules if there are two user entries in an ldap role with the same sudo user - Resolves: rhbz#1421622 - SSSD - Users/Groups are cached as mixed-case resulting in users unable to sign in- Fix several packaging issues, notably the p11_child is no longer setuid and the libwbclient used a wrong version number in the symlink- Update to upstream 1.15.0 - Resolves: rhbz#1393824 - Rebase SSSD to version 1.15 - Resolves: rhbz#1407960 - wbcLookupSid() fails in pdomain is NULL - Resolves: rhbz#1406437 - sssctl netgroup-show Cannot allocate memory - Resolves: rhbz#1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time - Resolves: rhbz#1393085 - bz - ldap group names don't resolve after upgrading sssd to 1.14.0 if ldap_nesting_level is set to 0 - Resolves: rhbz#1392444 - sssd_be keeps crashing - Resolves: rhbz#1392441 - sssd fails to start after upgrading to RHEL 7.3 - Resolves: rhbz#1382602 - autofs map resolution doesn't work offline - Resolves: rhbz#1380436 - sudo: ignore case on case insensitive domains - Resolves: rhbz#1378251 - Typo In SSSD-AD Man Page - Resolves: rhbz#1373427 - Clock skew makes SSSD return System Error - Resolves: rhbz#1306707 - Need better handling of "Server not found in Kerberos database" - Resolves: rhbz#1297462 - Don't include 'enable_only=sssd' in the localauth plugin config- Resolves: rhbz#1382598 - IPA: Uninitialized variable during subdomain check- Resolves: rhbz#1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain- Resolves: rhbz#1372075 - AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains- Resolves: rhbz#1376831 - sssd-common is missing dependency on sssd-sudo- Resolves: rhbz#1371631 - login using gdm calls for gdm-smartcard when smartcard authentication is not enabled- Resolves: rhbz#1373420 - sss_override fails to export- Resolves: rhbz#1375299 - sss_groupshow fails with error "No such group in local domain. Printing groups only allowed in local domain"- Resolves: rhbz#1375182 - SSSD goes offline when the LDAP server returns sizelimit exceeded- Resolves: rhbz#1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf- Resolves: rhbz#1373444 - unable to create group in sssd cache - Resolves: rhbz#1373577 - unable to add local user in sssd to a group in sssd- Resolves: rhbz#1369118 - Don't enable the default shadowtils domain in RHEL- Fix permissions for the private pipe directory - Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1371977 - resolving IPA nested user groups is broken in 1.14- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side- Apply forgotten patch - Resolves: rhbz#1368496 - sssd is not able to authenticate with alias - Resolves: rhbz#1366470 - sssd: throw away the timestamp cache if re-initializing the persistent cache - Fix deleting non-existent secret - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1362716 - selinux avc denial for vsftp login as ipa user- Resolves: rhbz#1368496 - sssd is not able to authenticate with alias- Resolves: rhbz#1364033 - sssd exits if clock is adjusted backwards after boot- Resolves: rhbz#1362023 - SSSD fails to start when ldap_user_extra_attrs contains mail- Resolves: rhbz#1368324 - libsss_autofs.so is packaged in two packages sssd-common and libsss_autofs- Fix RPM scriptlet plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Add socket-activation plumbing for the sssd-secrets responder - Related: rhbz#1311056 - Add a Secrets as a Service component- Own the secrets directory - Related: rhbz#1311056 - Add a Secrets as a Service component- Resolves: rhbz#1268874 - Add an option to disable checking for trusted domains in the subdomains provider- Resolves: rhbz#1271280 - sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)- Resolves: rhbz#1290500 - [feat] command to manually list fo_add_server_to_list information- Add several small fixes related to the config API - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Resolves: rhbz#1349900 - gpo search errors out and gpo_cache file is never created- Fix regressions in the simple access provider - Resolves: rhbz#1360806 - sssd does not start if sub-domain user is used with simple access provider - Apply a number of specfile patches to better match the upstream spefile - Related: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3- Cherry-pick patches from upstream that fix several regressions - Avoid checking local users in all cases - Resolves: rhbz#1353951 - sssd_pam leaks file descriptors- Resolves: rhbz#1364118 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11 - Resolves: rhbz#1361563 - Wrong pam error code returned for password change in offline mode- Resolves: rhbz#1309745 - Support multiple principals for IPA users- Resolves: rhbz#1304992 - Handle overriden name of members in the memberUid attribute- handle unresolvable sites more gracefully - Resolves: rhbz#1346011 - sssd is looking at a server in the GC of a subdomain, not the root domain. - fix compilation warnings in unit tests- fix capaths output - Resolves: rhbz#1344940 - GSSAPI error causes failures for child domain user logins across IPA - AD trust - also fix Coverity issues in the secrets responder and suppress noisy debug messages when setting the timestamp cache- Resolves: rhbz#1356577 - sssctl: Time stamps without time zone information- Resolves: rhbz#1354414 - New or modified ID-View User overrides are not visible unless rm -f /var/lib/sss/db/*cache*- Resolves: rhbz#1211631 - [RFE] Support of UPN for IdM trusted domains- Resolves: rhbz#1350520 - [abrt] sssd-common: ipa_dyndns_update_send(): sssd_be killed by SIGSEGV- Resolves: rhbz#1349882 - sssd does not work under non-root user - Also cherry-pick a few patches from upstream to fix config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Sync a few minor patches from upstream - Fix sssctl manpage - Fix nss-tests unit test on big-endian machines - Fix several issues in the config schema - Related: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- Bundle http-parser - Resolves: rhbz#1311056 - Add a Secrets as a Service component- Sync a few minor patches from upstream - Fix a failover issue - Resolves: rhbz#1334749 - sssd fails to mark a connection as bad on searches that time out- Explicitly BuildRequire newer ding-libs - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check)- New upstream release 1.14.0 - Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#835492 - [RFE] SSSD admin tool request - force reload - Resolves: rhbz#1072458 - [RFE] SSSD configuration file test tool (sssd_check) - Resolves: rhbz#1278691 - Please fix rfc2307 autofs schema defaults - Resolves: rhbz#1287209 - default_domain_suffix Appended to User Name - Resolves: rhbz#1300663 - Improve sudo protocol to support configurations with default_domain_suffix - Resolves: rhbz#1312275 - Support authentication indicators from IPA- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - Resolves: rhbz#790113 - [RFE] "include" directive in sssd.conf - Resolves: rhbz#874985 - [RFE] AD provider support for automount lookups - Resolves: rhbz#879333 - [RFE] SSSD admin tool request - status overview - Resolves: rhbz#1140022 - [RFE]Allow sssd to add a new option that would specify which server to update DNS with - Resolves: rhbz#1290380 - RFE: Improve SSSD performance in large environments - Resolves: rhbz#883886 - sssd: incorrect checks on length values during packet decoding - Resolves: rhbz#988207 - sssd does not detail which line in configuration is invalid - Resolves: rhbz#1007969 - sssd_cache does not remove have an option to remove the sssd database - Resolves: rhbz#1103249 - PAC responder needs much time to process large group lists - Resolves: rhbz#1118257 - Users in ipa groups, added to netgroups are not resovable - Resolves: rhbz#1269018 - Too much logging from sssd_be - Resolves: rhbz#1293695 - sssd mixup nested group from AD trusted domains - Resolves: rhbz#1308935 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user - Resolves: rhbz#1315766 - SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo - Resolves: rhbz#1316164 - SSSD fails to process GPO from Active Directory - Resolves: rhbz#1322458 - sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]- Resolves: rhbz#1290381 - Rebase SSSD to 1.14.x in RHEL-7.3 - The rebase includes fixes for the following bugzillas: - Resolves: rhbz#789477 - [RFE] SUDO: Support the IPA schema - Resolves: rhbz#1059972 - RFE: SSSD: Automatically assign new slices for any AD domain - Resolves: rhbz#1233200 - man sssd.conf should clarify details about subdomain_inherit option. - Resolves: rhbz#1238144 - Need better libhbac debuging added to sssd - Resolves: rhbz#1265366 - sss_override segfaults when accidentally adding --help flag to some commands - Resolves: rhbz#1269512 - sss_override: memory violation - Resolves: rhbz#1278566 - crash in sssd when non-Englsh locale is used and pam_strerror prints non-ASCII characters - Resolves: rhbz#1283686 - groups get deleted from the cache - Resolves: rhbz#1290378 - Smart Cards: Certificate in the ID View - Resolves: rhbz#1292238 - extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members - Resolves: rhbz#1292456 - sssd_be AD segfaults on missing A record - Resolves: rhbz#1294670 - Local users with local sudo rules causes LDAP queries - Resolves: rhbz#1296618 - Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore - Resolves: rhbz#1299553 - Cannot retrieve users after upgrade from 1.12 to 1.13 - Resolves: rhbz#1302821 - Cannot start sssd after switching to non-root - Resolves: rhbz#1310877 - [RFE] Support Automatic Renewing of Kerberos Host Keytabs - Resolves: rhbz#1313014 - sssd is not closing sockets properly - Resolves: rhbz#1318996 - SSSD does not fail over to next GC - Resolves: rhbz#1327270 - local overrides: issues with sub-domain users and mixed case names - Resolves: rhbz#1342547 - sssd-libwbclient: wbcSidsToUnixIds should not fail on lookup errors- Build the PAC plugin with krb5-1.14 - Related: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1336688 - sssd tries to resolve global catalog servers from AD forest sub-domains in AD-IPA trust setup- Resolves: rhbz#1290853 - [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.- Resolves: rhbz#1336706 - sssd_nss memory usage keeps growing when trying to retrieve non-existing netgroups- Resolves: rhbz#1296902 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.- Resolves: rhbz#1334159 - IPA provider crashes if a netgroup from a trusted domain is requested- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin - More patches from upstream related to the memory leak- Resolves: rhbz#1308913 - sssd be memory leak in sssd's memberof plugin- Resolves: rhbz#1300740 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid- Resolves: rhbz#1284814 - sssd: [sysdb_add_user] (0x0400): Error: 17- Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id- Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.- Resolves: rhbz#1267836 - PAM responder crashed if user was not set- Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value- Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands- Resolves: rhbz#1263735 - Could not resolve AD user from root domain- Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found- Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users- Resolves: rhbz#1259512 - sss_override : The local override user is not found- Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code- Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider- Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help- Resolves: rhbz#1254518 - Fix crash in nss responder- Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'- Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes- Resolves: rhbz#1250415 - sssd: p11_child hardening- Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code- Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates- Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected- Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled- Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with "ImportError: No module named pysss"- More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards- Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw*- Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards- Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA- Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients- Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain- Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes- Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2- Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface- Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups- Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x- Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve- Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab- Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID- Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups- Initialize variable in the views code in one success and one failure path - Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Resolves: rhbz#1202170 - sssd_be segfault on IPA(when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605- Handle case where there is no default and no rules - Resolves: rhbz#1192314 - With empty ipaselinuxusermapdefault security context on client is staff_u- Set a pointer in ldap_child to NULL to avoid warnings - Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security context on client is staff_u- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error- Run the restart in sssd-common posttrans - Explicitly require libwbclient - Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Resolves: rhbz#1187113 - sssd deamon was not running after RHEL 7.1 upgrade- Fix endianess bug in fill_id() - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1187192 - IPA initgroups don't work correctly in non-default view- Resolves: rhbz#1184982 - Need to set different umask in selinux_child- Bump the release number - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Add a patch dependency - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Process ghost members only once - Fix processing of universal groups with members from different domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1185188 - Uncached SIDs cannot be resolved- Handle GID override in MPG domains - Handle views with mixed-case domains - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Open socket to the PAC responder in krb5_child before dropping root - Related: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1184140 - Users saved throug extop don't have the originalMemberOf attribute- Resolves: rhbz#1182183 - pam_sss(sshd:auth): authentication failure with user from AD- Resolves: rhbz#889206 - On clock skew sssd returns system error- Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1177140 - gpo_child fails if "log level" is enabled in smb.conf - Related: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1175408 - SSSD should not fail authentication when only allow rules are used - Resolves: rhbz#1175705 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Resolves: rhbz#1171215 - Crash in function get_object_from_cache - Resolves: rhbz#1171383 - getent fails for posix group with AD users after login - Resolves: rhbz#1171382 - getent of AD universal group fails after group users login - Resolves: rhbz#1170300 - Access is not rejected for disabled domain - Resolves: rhbz#1162486 - Error processing external groups with getgrnam/getgrgid in the server mode - Resolves: rhbz#1168904 - gid is overridden by uid in default trust view- Resolves: rhbz#1169459 - sssd-ad: The man page description to enable GPO HBAC Policies are unclear - Related: rhbz#1113783 - sssd should run under unprivileged user- Rebuild to add several forgotten Patch entries - Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Remove Coverity warnings in krb5_child code - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1173482 - MAN: Document that only user names are checked for pam_trusted_users - Resolves: rhbz#1167324 - pam_sss domains option: User auth should fail when domains=- Don't error out on chpass with OTPs - Related: rhbz#1109756 - Rebase SSSD to 1.12- Resolves: rhbz#1124320 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default.- Resolves: rhbz#1169739 - selinuxusermap rule does not apply to trusted AD users - Enable running unit tests without cmocka - Related: rhbz#1113783 - sssd should run under unprivileged user- krb5_child and ldap_child do not call Kerberos calls as root - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1168735 - The Kerberos provider is not properly views-aware- Fix typo in libwbclient-devel alternatives invocation - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1166727 - pam_sss domains option: Untrusted users from the same domain are allowed to auth.- Handle migrating clients between views - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Use alternatives for libwbclient - Related: rhbz#1109331 - [RFE] Allow SSSD to be used with smbd shares- Resolves: rhbz#1165794 - sssd does not work with custom value of option re_expression- Add an option that describes where to put generated krb5 files to - Related: rhbz#1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12- Handle IPA group names returned from the extop plugin - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Resolves: rhbz#1165792 - automount segfaults in sss_nss_check_header- Resolves: rhbz#1163742 - "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.- Resolves: rhbz#1153593 - Manpage description of case_sensitive=preserving is incomplete- Support views for IPA users - Related: rhbz#891984 - [RFE] ID Views: Support migration from the sync solution to the trust solution- Update man page to clarify TGs should be disabled with a custom search base - Related: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Use upstreamed patches for the rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1153603 - Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving- Resolves: rhbz#1161741 - TokenGroups for LDAP provider breaks in corner cases- Resolves: rhbz#1162480 - dereferencing failure against openldap server- Move adding the user from pretrans to pre, copy adding the user to sssd-krb5-common and sssd-ipa as well in order to work around yum ordering issue - Related: rhbz#1113783 - sssd should run under unprivileged user- Resolves: rhbz#1113783 - sssd should run under unprivileged user- Fix two regressions in the new selinux_child process - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1132365 - Remove password from the PAM stack if OTP is used- Include the ldap_child and selinux_child patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Support overriding SSH public keys with views - Support extended attributes via the extop plugin - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137010 - disable midpoint refresh for netgroups if ptask refresh is enabled- Resolves: rhbz#1153518 - service lookups returned in lowercase with case_sensitive=preserving - Resolves: rhbz#1158809 - Enumeration shows only a single group multiple times- Include the responder and packaging patches for rootless sssd - Related: rhbz#1113783 - sssd should run under unprivileged user- Amend the sssd-ldap man page with info about lockout setup - Related: rhbz#1109756 - Rebase SSSD to 1.12 - Resolves: rhbz#1137014 - Shell fallback mechanism in SSSD - Resolves: rhbz#790854 - 4 functions with reference leaks within sssd (src/python/pyhbac.c)- Fix regressions caused by views patches when SSSD is connected to a pre-4.0 IPA server - Related: rhbz#1109756 - Rebase SSSD to 1.12- Add the low-level server changes for running as unprivileged user - Package the libsss_semange library needed for SELinux label changes - Related: rhbz#1113783 - sssd should run under unprivileged user - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Use libsemanage for SELinux label changes - Resolves: rhbz#1113784 - sssd should audit selinux user map changes- Rebase SSSD to 1.12.2 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Sync with upstream - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebuild against ding-libs with fixed SONAME - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.1 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Require ldb 2.1.17 - Related: rhbz#1133914 - Rebase libldb to version 1.1.17 or newer- Fix fully qualified IFP lookups - Related: rhbz#1109756 - Rebase SSSD to 1.12- Rebase SSSD to 1.12.0 - Related: rhbz#1109756 - Rebase SSSD to 1.12- Squash in upstream review comments about the PAC patch - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Backport a patch to allow krb5-utils-test to run as root - Related: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Resolves: rhbz#1097286 - Expanding home directory fails when the request comes from the PAC responder- Fix a DEBUG message, backport two related fixes - Related: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1090653 - segfault in sssd_be when second domain tree users are queried while joined to child domain- Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching- Resolves: rhbz#1077328 - other subdomains are unavailable when joined to a subdomain in the ad forest- Resolves: rhbz#1078877 - Valgrind: Invalid read of int while processing netgroup- Resolves: rhbz#1075092 - Password change w/ OTP generates error on success- Resolves: rhbz#1078840 - Error during password change- Resolves: rhbz#1075663 - SSSD should create the SELinux mapping file with format expected by pam_selinux- Related: rhbz#1075621 - Add another Kerberos error code to trigger IPA password migration- Related: rhbz#1073635 - IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in- Related: rhbz#1066096 - not retrieving homedirs of AD users with posix attributes- Related: rhbz#1072995 - AD group inconsistency when using AD provider in sssd-1.11-40- Resolves: rhbz#1073631 - sssd fails to handle expired passwords when OTP is used- Resolves: rhbz#1072067 - SSSD Does not cache SELinux map from FreeIPA correctly- Resolves: rhbz#1071903 - ipa-server-mode: Use lower-case user name component in home dir path- Resolves: rhbz#1068725 - Evaluate usage of sudo LDAP provider together with the AD provider- Fix idmap documentation - Bump idmap version info - Related: rhbz#1067361 - Check IPA idranges before saving them to the cache- Pull some follow up man page fixes from upstream - Related: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes - Related: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1060389 - Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes- Resolves: rhbz#1064908 - MAN: Remove misleading memberof example from ldap_access_filter example- Resolves: rhbz#1068723 - Setting int option to 0 yields the default value- Resolves: rhbz#1067361 - Check IPA idranges before saving them to the cache- Resolves: rhbz#1067476 - SSSD pam module accepts usernames with leading spaces- Resolves: rhbz#1033069 - Configuring two different provider types might start two parallel enumeration tasks- Resolves: rhbz#1068640 - 'IPA: Don't call tevent_req_post outside _send' should be added to RHEL7- Resolves: rhbz#1063977 - SSSD needs to enable FAST by default- Resolves: rhbz#1064582 - sss_cache does not reset the SYSDB_INITGR_EXPIRE attribute when expiring users- Resolves: rhbz#1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not- Resolves: rhbz#872177 - [RFE] subdomain homedir template should be configurable/use flatname by default- Resolves: rhbz#1059753 - Warn with a user-friendly error message when permissions on sssd.conf are incorrect- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1059253 - Man page states default_shell option supersedes other shell options but in fact override_shell does. - Use the right domain for AD site resolution - Related: rhbz#743503 - [RFE] sssd should support DNS sites- Resolves: rhbz#1028039 - AD Enumeration reads data from LDAP while regular lookups connect to GC- Resolves: rhbz#877438 - sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin- Mass rebuild 2014-01-24- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain- Resolves: rhbz#1054899 - explicitly suggest krb5_auth_timeout in a loud DEBUG message in case Kerberos authentication times out- Resolves: rhbz#1037653 - Enabling ldap_id_mapping doesn't exclude uidNumber in filter- Resolves: rhbz#1051360 - [FJ7.0 Bug]: [REG] sssd_be crashes when ldap_search_base cannot be parsed. - Fix a typo in the man page - Related: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1054639 - sssd_be aborts a request if it doesn't match any configured idmap domain - Fix return value when searching for AD domain flat names - Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1034920 - RHEL7 sssd not setting IPA AD trusted user homedir- Resolves: rhbz#1048102 - Access denied for users from gc domain when using format DOMAIN\user- Resolves: rhbz#1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings- Resolves: rhbz#1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20- Resolves: rhbz#1033133 - "System Error" when invalid ad_access_filter is used- Resolves: rhbz#1032983 - sssd_be crashes when ad_access_filter uses FOREST keyword. - Fix two memory leaks in the PAC responder (Related: rhbz#991065)- Resolves: rhbz#1048184 - Group lookup does not return member with multiple names after user lookup- Resolves: rhbz#1049533 - Group membership lookup issue- Mass rebuild 2013-12-27- Resolves: rhbz#894068 - sss_cache doesn't support subdomains- Re-initialize subdomains after provider startup - Related: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- The AD provider is able to resolve group memberships for groups with Global and Universal scope - Related: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog- Resolves: rhbz#1033096 - tokenGroups do not work reliable with Global Catalog - Resolves: rhbz#1030483 - Individual group search returned multiple results in GC lookups- Resolves: rhbz#1040969 - sssd_nss grows memory footprint when netgroups are requested- Resolves: rhbz#1023409 - Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"- Resolves: rhbz#1037936 - sssd_be crashes occasionally- Resolves: rhbz#1038637 - If SSSD starts offline, subdomains list is never read- Resolves: rhbz#1029631 - sssd_be crashes on manually adding a cleartext password to ldap_default_authtok- Resolves: rhbz#1036758 - SSSD: Allow for custom attributes in RDN when using id_provider = proxy- Resolves: rhbz#1034050 - Errors in domain log when saving user to sysdb- Resolves: rhbz#1036157 - sssd can't retrieve auto.master when using the "default_domain_suffix" option in- Resolves: rhbz#1028057 - Improve detection of the right domain when processing group with members from several domains- Resolves: rhbz#1033084 - sssd_be segfaults if empty grop is resolved using ad_matching_rule- Resolves: rhbz#1031562 - Incorrect mention of access_filter in sssd-ad manpage- Resolves: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- Skip netgroups that don't provide well-formed triplets - Related: rhbz#991549 - sssd fails to retrieve netgroups with multiple CN attributes- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2 - Resolves: rhbz#991065- Resolves: rhbz#1019882 - RHEL7 ipa ad trusted user lookups failed with sssd_be crash - Resolves: rhbz#1002597 - ad: unable to resolve membership when user is from different domain than group- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1 - Resolves: rhbz#991065 - Rebase SSSD to 1.11.0- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0 - Resolves: rhbz#991065- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2 - Related: rhbz#991065- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- Resolves: #983587 - sss_debuglevel did not increase verbosity in sssd_pac.log- Resolves: #983580 - Netgroups should ignore the 'use_fully_qualified_names' setting- Apply several important fixes from upstream 1.10 branch - Related: #966757 - SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- Remove libcmocka dependency- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Enable hardened build for RHEL7- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh/bin/sh/bin/shuk1.16.2-13.el71.16.2-13.el7sssd-kcm.servicesssd-kcm.socketsssd_kcmsssd-kcm.8.gzsssd-kcm.8.gzsssd-kcmkcm_default_ccache/usr/lib/systemd/system//usr/libexec/sssd//usr/share/man/man8//usr/share/man/uk/man8//usr/share//usr/share/sssd-kcm/-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=genericcpioxz2x86_64-redhat-linux-gnuASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=cf1db4b11ccc64d5b5379a85e5bc11aa4faa6953, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, from Unix, max compression)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, from Unix, max compression)directory7R4R0R8R!RRR6RR RRRRRR2R#RRR R RR7R.R%R RR R&R3RRRRR$R R+R)R,R*R(R'RRRRRR"R-R5R1RR/RRR<? 7zXZ !#,] b2u Q{KCUE"Q3G %-)'nu0Y$%v $ovwz7$,![l$YnC<㰠ŸMKAa`CdKщb;;.u0\y?dDiL굽R׃m3cIDs0jRLh|w8w@B_[!mK򁔽 s])k#SDAF'&M~c&h3_![08|G{J-]֫ꬼ"^Q'\ 4MQS;i & @fÙ`F¾{_ڑ9K wPIoU co2Wcxݣ,=&p%@gaEvኊ ӑqO: \}qv:l$\ܓ/q:j%AGi65K}[i@f gdž)qL =䉄<ζ.L)q X5-c?Q$ds8f|a ]UAhiʹ%[ lĻ]XB VgXJT9Lh0"}m948tT@T|M/塞3(Gy2e ގ\Lcdž0 W,H6H  &7(H_&Ln C&DLޯvA0(35k1+'b:UHprP΄{d )]OQDOYj)A Ts s_J7_?C8}x-uc70`+SWI7oQwR⇶+XWߖ:-ic7)?( c<9j zѯx\ g[8L@Hw IJi/𶻧9h?yzFMH=A j v8 k?h7:\jExHV=[$ķh^)4ckZ YG?OvLSHKw{T5ވi q#dИHU5(S5 ?jd}gT)#mY5@AЅc|#kit1%ۋqH%e.K/xTQAO-T~uec&{T|/=d1.Ol{Ij 쯬LfZU͍>owsr*bT 1Qot2`o\ʾzgyEjd2xKz֢VNi0oSE~CI}MJ$n+;%OOlꁗInL2=>U,zʞ{ Ij:ì&MSTTn6HÐ9o|/}F. NK3az^]N/00CNOqk9͗Jޯ*V[N7Ł/98lg& Y $e }kiJ,'?hM(0W[Mi&r6 u]ڷN›񂝔 "ud)9SݧM e~'D-;2?2OtĹTOPt!`\ Rh{y-1̧Bu*u^]b$Nh&kCw'.ob @ocb5f2zB8ڲ]VڨlOg")4.lVU pE+ $9b9Fi [ xUP/lT+͝ϥ㈕f,EA( ElsNy"&E4VpGvS^S)Y 9Ilں@DCX8?VHd+&cxɎbfA%5BV0{^xۍӀcuL[g>x1پ paI"=eHӒ讞1b>i7(o1$)K6JMTjˇ;fT 7--0 -[tHtVNQvŻp r m|+wՀK'~s8 KG,HWٜ gpB^o\h&^x OWa7!^HYوO[PCfR9/Jɜ>:rǰf7*KbB8Sѹp xpM82ѭ4E,XoUHkr. KG10\-$u~.6Љ08*w1(QOhqB&;.6 ?R@j=^8E\wtDՕSO?q<Ji-y{hYQX8iAjocZEFX)k4(L{~|/K,J4Y-8t /4.GU8:ڭXr:ipu  "BE)iLȓ-ݻ;ko}?f$Q+CsM쌺FuA)ȣt|%l Pl;K@^OfKҧrVUNYSthfwLq=/m䧫eD"YBbeei>!kag۟lCZQx?V|ZHhIU(^H,AV 6ucs><BVWx66oSgֹ? ^ԐQ)A㳡oӳ.|ybQX"gb<@OIW="O+MD/Nr.?4v&H"~#F.G!"TWѴ V2}(j Hun dX;#glGN43Q9g"K A+-ԯǺeP]laIQ";NRQ=[# S;HGz RB06֤v/[QQ3bi9oZZ9ظbyIV_4xAHF]'ä) ,E$vTwێP{kߨ9M@CF˺)""t31o Q~\G=2 os_ʈ7z rrt /Uv <C}#UbvX7+>in\kO g, C?+_Yc q+K;6 AJe*W #RE=3j)6"c^Mݥ3ɲq"S}?Qw1v Vw 2߿>ݵ=ôVby؎&`g -3#gXqBpdcyr·: qjﲘyg5p1q@`"UpHS"5aD9!Q`BgmB|`xWy vt #Mq"Flnvs KVO j-s6g]5zխ;+ӉWA/lmhO"~%cDI V憊|[*hCDOcݞ mqmKr2fi&c/ds0$AmO]! tJz3Tym$>י sA^lW#A~BCq 9=2G8YriBǹ%*t$lyG T>77 ~(ݝ+Kl63ypWV"zG.Aݙ__֠Ӊ1Vw!c8E$vx&6䔪MX)" cW2Bfˁ (7]õGG`<\5V;|I&h5hWyFw.!*5, AtJ @_:/E9߇J|^#R*?{ٻ"jWη1O%^#p@oZ!"Ck9 t(B¥[|fv2.]r 3WU{~ii6x ޱ[ uSoQ׊3$y'CCNM-Å&L{ZH"5ĘS-TvX+B56S oCKMp*%K Znmۆۛ'}*4¡|}FqQ#T:-D"Z;,'D1_f7%|KpaZ |H{|.[bOȟ\(-IG@[cVU yiלVu,n!IpL# ` @=X64gͿ;]!1ډ!s* ^H (6ˬ:pW,a0t$=c]{ PpĬuGϘU?c»3w1ݶV%+pG(명و\\i !TEp㷩JG٬0YAjyChtZԹ~~&㝖 .U%QKE@WGլ;i[{B7ȫɡw: eC#0O_19"~\\^ׂ-]wcN^[lnie29fPO" j C7‘>-50B; Ef[a˓ nqd*&\j"Z d-:G[>rOWSn8KMVPnЎ6=, ɄTOkI <'ALRL!+e}=5$la#>Qd_1;*JG8;66S?z)\҉uh1QT(}<[io{XmA%Gr3cZZvxN^>e2X_J:("L_RF[34fH=Rfzx]&-@2͘D#^Q-Uࡗ̌v39 9fve;^\2*pZ:NӬtr,p0>:[ڍGzFCoӴK2 *ֺ΂%JYi;Vߓ:NW6< "c sšw)Z:ԸqA k+"b_Eq_RkS;S? 3!ҹ,'A<"R9@૔g yzĔs[HA+-OGOe}}Pn@ ILTl'z>h;mFUZsYUӖmJ0&ID-G^δ h ?>x0'psM,j a$]pUҎR@@lp<'1wx\ îFxmħccp!8d(ĕZt1Й qL!Ԉ@R E΃9;ڟKu>c 2T0u$w*o02_J1%9(q^XQ>:dn/tI1a`f ~_: MI NJJhŠTGl@9uD^B`Mulz%S*Hy[Pؑ dlOl{͉zmtȾn;ت14.h3ol]Ksh eJ~Cv%CGP9 ;傿REQEԬ7U}.Mg4hMÇ+cPߤިڵ˖B=yP$X?Kw|3dm-^`͢H5R(37%Q?.S Dzـz*`3-U>04ky%PA$B:Gdlpp#wPTOvIqjx een4Dk_梣O~ 081~?VBk=xF?GeYCFXfsD]uWSIF'_(Hgq%my:m ϮX|`ZTM u_5~+)MC2blF%}3Gߠwx ֘3͉fkv!*uYr=:ඇ"GpĖh'rUB*29v4;|u:*Qyu)jp{7]M5VrYz2x)иu9CخNOۤ;oﮨ4:@ß1o(S+>,1RYNqA9-am[9SSe]P%3oqe!xDyo4\2PCXS"Gtn8$wr\3r%Ҭp3eRا65pP&?oRЎ)*VD<>FMUKW5XL.(7Lt 7β5F#B G![Zq@ۻ$0 B$ڜ3L%~i-NSCU#+TJpot߸GI%r[q.A@Xڲ. є䨰@+3bɕY%d<@-cF[pd ?>{0U: QmjVkOj,`C-X*ek;ǘ(X+%wbӴOO6;#ST/[ B K.9]N)֕'s]Uf8;`}jC֜hP ^P*׃ ʸ [ھ8ޱ(/`Q,9WLkq9sEIQqkJ2v9^HOў&q(Ѡy[\3 bxn[xXy>\1eU {DTf]YZHkP A^afKzůg!kѲ&;<*5H櫞|spۋI 7VX_/3bTc0 #DI#L 1Nͤ (wҎrwsUbZxdi3H*> ]9eoAto}\}I)LR-zQJ:K3'4,b}R3[()*\ӡ\해# n< .0!C6xscJKs1Wr|I)~6Q u%T@[GF9hZBvK '?#kOqJ%ŵ8 F>u8W4)x鹂#ۻ[qު< O? ̬9.7GB%th$5&^V/T~Rt 6.koLne.H 7/hukT5E&RWM8|P0fʟUw:{YD(n r j߇b?|zxc٫g͂v̭n*ަ5zKKN1bP\tڔ2b[o vp;Ũ/U達}j%%5&Iѫ/]w*S8( cHńb{Qq9Ddy~Ab\׺ۧ{>*D+++C@Yޜ?%lA²W(52 }ߣw-&&/6YDX`O"oH ponatO " @_?_Boed3bkFG>brx5+Q퓓nNX/Pᰶԓu+P63e@i3iNbc֭\|&1zebS<ٕ3xm: 丗rtZqc\K#[m'&X촵>O-) 鱗uyDۭU@/ i2xZS*!Z{ tsv0b )7~Us[Ǚ;lb~1^2-~ GT0yRǩ~/I%=%lE\w! tȈF=))'M~Erblo6z}cbun{fƫ]v}RGg2G+]~Oṕ' :K3biIZgݽrrM##_JUBU#h4G>+o"B-@² MS/!Q)m6ʤJc=~ `t2yZ. y UQ›G =agw"k=A'q]ƨdqP?OD]4J$ME~"H&,Yx, ?5>X%Aqx-PZ:690y\|` r@5e#2݈yy Џ cofҺ5hzvԋZƳb7xM7>.j8@3|vّN=t@ 1VYcMD#d#kdm1Ɨ5&7g h@yQ!NU!>XtշwC]\,ȲG Qk`g2y5YOlsQ+ۭn[4Nk;ޤ@HFZs"f|aC1TD쮮+d=ЪB oVxɖx0+\p -e9`43gu6~#5Mm(P,L \dΔNRC޾sWzOYwBGm) Iڲ}]SFj9c7$3# Q,ӥK v0\I8bkM`GcD ҫ*q ۓ]Br(_ㆸP' ?~EkM=ЅЅ=k˓.ZZ-ޢohI˵lX1l8d[/w!_mY Hu|6 iGJϫqܰl:j9# h\Fsh)pBK1S=_5EvV˟ۙ.v5QΒ%fu3~QH\Fn-CR~i?~-UdZ?`RWcˁI#b{/nU6?x wa}f}ff}׽{:WyԨCg\}AU@-VΈWO]p|6LB쪫ލ/MֆZ|_m(=h|O N:DQ4}R<>R O:&WZ4bwPVnyߔMiFLi~hg^+NDZt~@ck(:Vm4|%o$#z,o(E^, v rNR6>%QH9iKNn&.@m:&~^ۺ;W5lT.&w_Q &[*w VECyk7J؝:֮㇙'8.1>bi%^.`xs&?@eVw&trT&fGuL&BhzA4jI6I$3NKq)q_lU_w^=)ÝDX3,O6MU+>WPe(n/W?j ü?]JY]E6~ D{ӖٺK2쑩F5˯ \y=u^!hvx9Z3=0 "h 9rZooJt[ofb> L.~ש8h|Xz=g,sU 23TTA[Vcw|EBz"քR_H0*Tܒx0쫔ENQd0nH4OY#]fjvCh8bΟO{HҵRZVa-5 rNAx$#YS`-A 9<@tG:y! R'#Sl:j^F68QEQmٜ m=iD&0s N@L"O.=x:=$  .#/HꙪgboAک,B4osgb$TSľչ[M?'#K|͢9-oNTZi<ܩ:aoE=:ƍ_ ,b:o?e7CUn$ SmQ*iIzWI敮kmN :dsY |=]|$@D_\;,'m"551XbM=|/l>Zђsb,5ﱌ4o2!w=m2 _ ٌu ^Ø|e',F HDmWИ2@`vƯ336UҘCz{T, wrg $?GY/ C~!^.)a^Lw(#xӭߎIUS/Z]&0sIW;P6o5vˑnwp7:@^Z) 4xNA@c;X(0h4*uyI\u0lkn{R͈g9qr=%diiIGњ4Q{6C^e(wZ^EkO"e†kHz>AZҗ9uT+V<8FJjhUa4$ @kkO5zOf:8=ΣCe;=Rё~2qt0@` SGMw-i}qcXo9!O=w_I4גpݷZ*ƛPZ*' uE4۷ѓ>+,G z`M`/0IIk JUrYϮH6ϒ9G=3fՑEH3틉Sz}eIb7?9.[IfH|Cv7>18%aIz46=1Y]UKHH6c6NfI/*Hs1DPcc6,gVBwwloLVs0yr6o]^- (ὤJ &n~aXm~;.V3~6k__@,eۗi#/BFGX{D(*BT}(j [{r-/zҥuX`]v `Lg#іB!!Zٚ{ښ0*/-q{9zli`UA~Wű괳ǐK5@}c!;HAGSg;%ScmpS1Zc}ݲ#痩OsCv]FAزלWY+'r)aƔvy/}KKp_Aog/PX{2b'e|tSdW31S lvOWĐ#ǯދ dx69SZK1t cRxcgmPla"n"hC-lMPN|W|?j į X2PI Рil;Ϧo>L 8B~NBi*$s|}Cd%L(ن(5^ǐ8'. duNdy~=cyn7cG{ H\QsSU[dӑƯ{}\mEVk9]e/~;ž0XpOQ̙˚_,}iH3zSB- '\q{-z#o^w Dw7+gYuJt#URJM"=`YO3J~b5˛-NZ:ܠZlUH)-(] rʢGLJ5fTCGoNn .ah_Sn9{t.Y!Q$}扽PWER qwbW "P}Ņ'M4͠||>[gBO7SqͩH YVXfЈ"}{#A*? _Jڱ0{4ݞ&k:3"z<!x 7i67BWΎp÷Xw!y ODXAX˽I%Ë|  cϸuS$cy H͔fCj+.Ȅy##>D5K [~]Kwbnh 2wT6Y/hueWlE;f~Ӓ4%Vxc UC3N'D"}0 h69'͛nxtu<;kg9j ®[wn:<-5hф $<#?/ ) PFy$mՒs fvd{/Wp¯y.^gJ͑c?YZ"]Vr*x>65, /b|ЍNj^ 7 6ph[84Rk}<5?n?UN1t VҘRJωu 5˙(X|K_!$HT|=P8߫惡AMjµ 8ڪ3=&$;c\vW]^fD-/Nggx&^;0sqݝc (:$~`lraۡa l;`RO3)<;\]!9׸**[$awK{Va"q3uOy$1q͜uB.*KRz͋h?\'DG߇]ދzf{-믡9QcD.tg+ tsïCZKgR V5>+T{: ?n`Иuث-a 3 Amܠ 8nMK;p<.ݑ FbT3#ID H04}vr{{[rf(/ 88LPwmg48Fj.kv3RG5GʮT# BEJo'WXk)b~F+bz˗G# /W/%kЙ[N=X+L9WȖR곸.)|UFxj )\`*[V?x*-/5՟[^A"F-~ӋuY-5 %)]( #*E6#/#ě8lR~^ ˢ8 rN1!c2/YMO$fKAiYB85'-ܺā}aizHy72v{W2fJaK5s2(d)2<1гU ,aD_n;9_>qf B5p«" .u {xFzNkAeT{%\Daֹ)1B̳p0 f!XNu8wBPaR%4ǎ\$Zfk!/V)VV9M]]FmRE*[mHTwBS'i-mVoT )0dZҟIpN܎9<O3ȿ0亚ig:$P [a\ (LQ ؅ʌTNp,e3qI^:knnΛTZxxZ7NbMRH}=vN.CXftV8еe֎ka|IʗBws6ه0RyqeC2~O-uǠ牢qd&C 6ŠK7_eTkwKi{8_$ᖟ+obh{t.5׭bz[Fi2#[™+!"&%I/I*2y;!1[e2#PnR,% 8pxAޘ 4g؂ļqkaL&Z%O c8|P~NYX[YL\FiH,v%Rm\udhnFtXLoFXt-<)^`[|M4لDI_*P,'x/P5JvehYWƤ'祢8i (D["ǩѐ7C2̖if-2[lvHZ߆0::+ʃ5U^73$8`p=/:/WSeqSJi:YL/Y%!]d^`.A(!r"K3 ,ݱAHET?eC)U fVȧWߚi i0X&XR?8N<фRЩX(nE׃O' ]:,(?d"n\]WY7Ե,F_"(%R {C''Pbh`|LXkQָRR'Hk0L KZ,bOXB Pd1TYrbݙ`Ro,Dg,e$# H;U (*!H+PI3fu3It(Ϡu+vIpP0->ӒUU-q¿a٩/ص_IaYd'j? B4"cNtv[+k˾.^'q.6|17\![AFHܛ*#xn m сiK[8͙dp~q:%މbm-t3vuU4dxYaǜ;S&u""FS`|eu@ 5 4IY[킺"-@ L2qW; Bf`}@F@;%s G*Ko͟[(Pٍy $袷1]gVGd"kSw5'upWh:1]>$v 3hP=xE JGOݭm6O&ȿh&62^%O$d?.‚UrbpJpoxϗ^mJ`ޅ0D[2хK8 h#\K6:Of+ܪ|hO%}4\ @AD C*edqJO\`BXy sfam cP\_  8z]8ċ)[j{$15>B+͡>zQXwO39zV%9[ΗR``s=4.7izL;},mc!L"K'Y@!~V @_M8WR[S4ր3y%|+~,%DɺE3ac.7$)WzcQ#nmy3bɉq$N?+~֯.!&~m7^{9t+6R&Ā`jI8KW.1^-(ZhsČhmMU4>t_Hl9~gVuQWy|C:cc~ (g&i[7QxSӓ7YeNZT^)w<11*|xN;j5D$%DÝxJ0p8φ f,z-/k50石y[/fj9fþW529g,IS /n J1Lts*# ~H)=b6bv2p^e?G2t`eƚ%Se/ ӝXa~ 9RnR+t##iu<=IVZxt/|9XŝebTM]yw _d?w*]iXV(wcdR V#krSF-[+И, *!hLὃ%/ZVTyX2 L'_hWDz6&oJ 0z12j1 &v #@&ˇ-{/1gھOd8\f3N4u*R([B䴟gФm.>l `N4O*YO ʫևo-@I .XnVwʌ7yq#A[‹$x.IɃ~k(S~ymKYUc vt4E屈:@.|$Sbgv}"'9emL7D S^x VֈdMCgljziO9 7H[PZ]sww~ˇw|] UN\_@'ˬv带LN7,=Bv(`2&D(yHy}G]t&M┭AX<*'[{ΟR`׷FF/4c9CLZk3xC*Q[_&Nt,N)pSLA24YzUKgevآ6 p#_/Bo^[6tޙEp7H[ek#3d>8 $mཝZLPE 3̂= QJRh̃,U/XYF`=BI$,'/b "i;{ws=Xu9l%hǩJ]ñg@[rneu{lw 9m*g_Q- :6B"%$" T.jg?4x_qh_G,zhp8WXgڊiDˊK恠t.lLgֶY8͝.^V 1Uep7VDۚ.{[ݢ~76/}ư,ԙ]b#%I ʶo?H5Xd]-n^;N̔q:K{ CGAhq\K)H96t|A\,$ Ƥ#\OqoɜEi6BgW3I[o{7uRm_$\[ _Sp.'RIWg%<#nKܤgJAb\)<.8~T?rCEVe2^8A+A={8R?\ę6x| Flx3ZW3@~1ފP A21Epdإ`/> dQ.T$)]44 ᓵmVhyV=c5s+,ek 웘xSk`!SZ.)v%hʓG1xr^=O+B~/ě͠#n޾td bzZl7ָ{|]'@]"`~]y{7$U6-g6d {{J>F!|(szap_v)qMrӶG{3qYrl |RZv5`3LJڀ˲9(m .SEyK,W5U6g @~UV,!0Bː)Y<Ss7$榄mL>Kuqi]eŬIµ!GL6X ˧c7s瞗GH:JSx.c=X?*JLL}\{CWQ?HCMt~Zu4D}X }%bengnT!tldc5RF$H*25j"9-lH"OƤRQ|DeYYߠ_$1Gu@T+e(ϼߕ<2BU2V `wIψCFGFeo|i`*Ώc=P_o.!0kufs7yI*]Oֱ'#Pǩw2+lIt52PqL[gLut'sPIKb#"!|1)S‡)G,y~w^R fJ{m W)6䅉Z6() վ Ԅ2 Q/?$3M}r˓Xb( "MGFΞeFYH&0G*Ej)2{]zkR8V db3:%5q?D{-qLeL鈠̺E3\WMP Gm(G(7RnʼnVۤRrff6 $oI;ݬۗKo0E연:l B\oHm=tGd:3!fGvYg>eqN`ZDž>'mzMpBh(E]K-$!;sDCW~$PîjL桃W&BY^I&2L"M>(5?ֽ9kn uZ5ThrҿK5Z 2 :;jrNz&ih/Djrešos4e =ЫI Ջ"/{6эޮxtfm"rȡPRf}ߏk(GWڕu&>{FVwf q,Wn}9OPUgBXΙS7&o0ˆ2Iୢ Θ^DžL#T~yjC0Id}rE s%] !2m"MuaD*!;Xg8z˝E^B* .B֥0D-wzx 9A/{/9^FJf ﰯ EФE4]֎u@/Cel'hqc~k1a>tETsFJ~'`;&Rf$2dATYOBbْʗHiÇb"fC~"nJ%W֡-^^4I(ϝ'_3]*Ɵ`^2B4+2em h&k%Vh\g,uNǨNt^+25[ S"d@9r{qx88T &uqO o7C $03= @,d+;g&iEoh5fr{,ulވH:~o V_OvFW[WzR6^u0(ϰI} (Lld{?uExUXQظ%IVUB~~ztą}C+2l;{|AnƳC<<"2=N\vf:/+!L} {.W+n0wr%/4?p7B ksːSp3>{"…4/ )Eb2;0mwcC*+FrނpRN5f[(Z_PMq+ x̆s VE}3MD98] %縤0bD]qao tذbWxN<,=gي ,eƛK-[:#wpq̉ oWRz}9bkKg5J|p>iI95С,%<>)r۶F+]lWpƩs7MѫoԪf eŠ+dRK)\l6y~(jAgL=,O$ohx}݁jIH-*b{FT]@AGv D{"pDMV('pO$F$j#R@5 q;c맬iaCQ%: W**{YGP`K>$" #1D!% LEm?V;  T_~՝:&Al oDpk2|5= /?#%zF>uojF%N&nDywz8;ؙ>UMBX@XdseTrEKx6yD36-Ж J :HçH70LmŸrK6` ז菔5VHmJ'aݕ` tN&c0K8Bͱ0>~%*AuJ*oOm6s(""UjpZlNB\acyW:(' ಻ޤO7̫a05BėFg4/_̹ga%((V.?LCݱhi<$ZC^ +U) ^U h WYYvazA$[Hz9a Ņ}ES:?/m^0MW7f/Il?VC}TM᎛p+g][)?'GTs68kWGrRaJ2#(ù37ŏȕMDv- K,O1b[ٹV4 "\9wI^(Na.9R}}y37'}rSS1O_QKʑߓR{Js)y j{iNzDzy%<@{،^XlϞrpӨS)y.Hluioa ں 2_ e,xB"MN-j! wzTL&(6C>Wv/ ҉2k B| f ^6隣i@=3l6`X4u+rm-"&2Z\(]?ZEڟM@@ѯ7lأYRQp\ãRhYb6u;gcoˠI, x70D+܉D˷c?%RBl_ H~V -o.Uݝ_1• 9=Oa#LM>Z楇x5øC""rԠKrr}fziCg;s)*UGtSyxd l),٤[RkM-UL]~4&r|t.jyKT#85ٙPHR:Iϳqp]}@VwucOJ]{N*q(r&J77bl )(?8y:sc2N[t:Kt0pSjR^PHEh OJ$Cռ@ 5"nRpgGk͝(Ēn6T}z84LC(k j:=kjyvɨ3[l^!lXaD/R3?3)h$&nSH;bAt N ˈ]_Eh|1çB~뜮`ߛ {+0,,X\ mFLJqHk (6հh!] |60IHwBfѸr Fn0 ,Xp]btvɯ$o/&B[iq*$aS3@@JGW:Je@Wpw[M"1,bV^hڹ&rkrP5mb"gRY7Uece™mD-}P,z;Le|Ø6/'V.܅O="~C25>ډsI[8s 5-?`'V1wI5n03L\xq`K`XL9ISFy5jT!q}jnzR+ :aJ}g #XcCRj-忷:p8G(@KjQT{6c-p6-YB|Bg,fRI .uU mnd-1o7{K`u'JԏOk S|`u#yo^WG0e9 f. Wøtr qyQs {0VN<#[XQqg:S K0qHu y̅J0Mʯ^S}xf+j+X68h %bҪLg|Iϱ 9F(G CVjpMR.<#o_u Ý0PLi* 0mtqo a5jhޮq0F~Oh;e=H4C( '0N3>6'P"Hрp[nLhz?79%ihcp)$w)oaԤz@].u&G?Y0Am'siWʿ̖BFL  RK/1][]hfviİeQ]|+9qZhOޥhb7цjS`P?B.Ɗ\sa{kǛ%';՟2c;PGmgc3čF_*BfE?=;HV,%_nu,6u[pWl|dLt @%t2l|$bJļ|8U~ޛG bHD‚8|ձ4^lԸh5z4 :HKHY{oOd9N$\6eHU׆X3#60w"t"qzf=PE#w۲jvP;ˆCƻA^K@(SnV5Dz+d=A[8dC3Y’}#;YYE38_8ˬ˄_<+}=!;i5N)2#-LjWS&Ce4wݽΙo9"1~:'.c%d, 9x}[5+4?R3beQBKnc\y8@v6`Zq !սI3J$j7G| >mϨ<\rT `$PG8lQ}ڣ{vbF56kN<_tl?}}RhYk_7%GqaJMPQlhbbu5(K!m)&Yfȡ@!PsHʊkJ L#?mpdEдq(@ko T~~1#а0@r(М ?_[EǢ`GB'aE@Y<mXGTkTVTS!9nU4`}걭s3:KqaYFDö=On5'f( _=wBx`S=74T&bb.WxV7j՟FH 2M dW`Flmׄ K'!T]YwRBU]>j)Yu]8}ꈾ  a7՚dDoRki {Zm ^hx+Ս#F"!#ӒrsńDoo 8G*,BŞR_EU7԰eaSw %ޒ3GMDiZ1/KX=%-l:[5"Sš8 z <;nHX, F a3w^)72-Zb-Y7J* xJSf16ރ^7Ur?5է㞛zEqʽKS_Q r!]Ox۔ŇOɭTJAb*I.rBpXQ e-pڸ[C ;͞0IrWL  k4;c`^+Ɛ[ڣT5⓸?1P_ѓW[EG6إP=yYaHk)܊7\sN,7^I{ћ]h =%ydas#B4f6 ?I;b+jvm5ܩ %'SPUEɫb#/SGz&tI)%m8Q* dcK‡!I8&5N;5geV:ZsX )#DnG8fjuX&߰״,H-?.GM8OjHZƒigX+ c@W $.Sv:;zڌ QyZ֦7X9E<Կ*7-1 ݒDM֦~~:V+uIA]{&谥 S }yr"ÒEn@r)'gZ(Z|Kal K~;"-$M(3<yy*{/k"Fj;֞=,_(t/ EӼ13=~4[&xȦ_RACg 7ba24*a_qjvH_QXbufkLA?EkMbAk*H릴ysH"X?aAf ̂rv`,Y{|hmkGxs&zޙ{i7#CTm,I.|/eTR*]' Bnsgtqr*;J*Hl:Vn 9kEKZV{<? HHF\ڸtDt4aR/]36US 9 |%6cOYlG>Tv|1"]#j.`&-b)\CY!'p/ύDY"aMGAAJ@ 'ˁ *HK\32X5p鸼<*F>Qs{u9[z2zG2%rK@LKmhHįb\|e[L=53cA[2$q>a9I'WOD}ۧD6l/~b=aV,/?D`R%E;9n͍j[؝a4r5XpJ3еMߞ_dq"3 }2E>2+TQ01q\э+mck4L~ N xccjď]Y'8sb!uSò˗~(k\YUn)hgJT d{ys=^`lP|2- PK#zU8LRC^-<<%qGIYk0Mk]lsL!+?/՞%2RB>zFnIU3Y똵IwN3$:_<_v37Y2fN܇ ŬdTvdQ͏cX |+`}HkR?cD#d!za@V籵V 9 :ciU!H}FF`=(sb!1+Dr͇@#L0N(hwK Ɔh_,ёxt5_^P~qNgLkcJ9W<(s&m#ڙ;V 6 tAqca bfAԩ3`֝lx~[ PX<؜ TATMb/Fzpho^,R$.qop}U$=HowX'ʖ\mR;!4]J3ԝg;)f bqxmkbgiIdd0ܔSJEGm!:e 3Ɣ1CMwcR5uߥ7ZjiJ|C3_֤߭]c0Ba&%pyMQd!R+VMm<5XڿVMi)9h3H3M/Iw(eVVbK!2LOR{(+K?"g?YM-4j6 #\8 $'fC<|EOw36J VYvˎwnVv,u|Q0['q&lOk,̑tuƈyc1#XS|џнUWۢc8ZdŏyfQ?ĞsZ;m[@Td"bR=+6z nAKH\MJ5k4F?0WH; *ZUY_@naMg{O[5$P,3Dc߼+~uEUcQN:j,FZa*VcV?iL"E' L%([ s#rdʧoؠ<5@:Idgba^[_o> >%{ivwYT4B:ЬZQ@Mź6)TFZm/$UI׋1Mhuicș:`z`ll;]$985XDIITT-Q'@!yg~*wmΫu0[#(h[jԤ<(K\Jb޷N㙟;H ӆi+ifEڟ+!]WI?n~bSf3Cǀqţ~T Z'8ȹ6IJڙr}-aGZTaB$eZ ,5ŭxDE)z}}yPjq 6{!d`C5{O~ȑCzTTL=1 !x.$<V?oҕ,A 1KDzIONT$*hb='x1tKRma*037 6Uێr@Xϊ;;`,!šrnܖyP ch> ZJPk<Ӑ[|B0ZoW0F.>Û^a|BeC.Rt 9 G֧L¨U￸~f&ӆB8RQdxd.K?cШRʰ(GCpG$eskOɆf1GsZV (8c]&sˆd>ʋMf>r Zec -s+("NLRUYJJj&mib!^}/Kk p T!r™g[1lqO{պ7>5޾De^δc,.*#き̣dbkr# zNUБengf@ akE)N\XPZL1@t;{l :{ Wk1}cL>,;zfoX``cq Ƥ6i4g=1e+\Xw gƳڇZ.j+c^pk;!Fh}o^U`QT(J>(>K 'T`&s6rک$uG,V`ﷻޠhrUT ${ O $ڞ4oÛh&9{"os>wI/u/J!gYxJ_ZSMK4MS A nR:e7WzJpE`C9|\|kZ/Wh[Y3AylF<RnMj="긽\|{uz4 (t [dHpT$9y4xՑF1|^y RMo_#,-5C@u^R@;LZ5=TOgsn0sg'3#񠂞Kh0nNΩ^ u"]vqWYa:<8Mq>]L7 çy$ 4`TmE iS0˥8898)q9(/cj0I^ 9-ZռR-BX2Ӭ Hj BF cR**XXL9[=.PN.Ȏ>(96QM;ONe?6hm2k10\E*)]95:)@/w^b2vY;}^Q(ln CIpN5GmeA&o9' `a}Gӷ&|ur9N9qbɋJ)"]Wf.eH\̒1 MZVO])wIPJgqob1-PLdjF6.t/ox``d6pJr&&(|cEWۮgT<kwќc"0NՖ O]i]EA^VGK/#5ije!y=)jыP^Vs(?9T%S(ۯL@, M􏍫B1L:M -7a\lD 2Y*rx OJAh⋦Fi:ml&~Wc#4@lSȹ?bL.NWt/%cҼ(.A4u^El$fAf6"q9KZҳ:dG583$H6s.Lط+zf,nKfMOHx9 El?>/VomN%#i5Yŵ"MC u1}B 7s@ TV)mnZ]cHyi $<3-G [(Zd`1wXjd]~Sny>['=vh_mX0*yw Gd Ի}.ӟ: B ! )3sHFp<|>gB8/k[8.fj5c;q GeU(*5([5R}2[ ]1ڔ|6\ǐAv4A"Z>} GÑ3E=%YT.{Nu|x3\5ckʤwmA=o ]` q)zB7c5g/.#\_D>?RS&MG~H`#4hNV&W];;_@B|JV'degsd\$2ʷzU)S&cgu+qUFB@^|6G ";)0(sic kli<ɇckr^iIB|Saf`fkb)n1bKpLGY?1Z nn܃E])nG1 )-ƷG `e}Cir=z2?pdP# O&Jd@_;v,o*f1۔`Yz {`Ⱦ}[G=fp8%W{P<8 (s\S")ӣV^:g#l4DcKEC1=}t ~֣CK0|Y@/^`ŤdSBhԑlǩwo n`)R&^I5O1pPl`igO(=Ro>X"kߚKgãF.yG ʘ( t;?x;uFݚ&WR>hɭnv '7}r6 R\xMO݁6j2N9ɽ3ʳ~b}<׺g 8^T^xJ=o1DSw߼WLrei49ҒLҒWY,(ch([?5E_h tBLbqQiQ E\8gj$.>%*KȱNfڌ;`:ix0H}c PBB3/Vf2;7+g DL6p# ~+bK}9vsWS(t6l??F[΢@u/:؏5ζzĭ4W/$dʙ䅃[zY KXLNN( _hqk^4_ 0IPf&*Q$pEFeB!5n䉋IBZPwE{Osd%JdAEU; '9# zמ3vcga u3"kz CQqD(r]6Q3ᵀT6Z$Gm H:i^AB3{sd%€>bn]JlgHI+%& DAv,7q}k(~O8֡v%7f|VҒᴑ29&80~TTszD['&Na4iѥlF(/%șPe]ʼp߯j*z/#O>P;ijAy_,eE/ͮ]š ^Lt˝P0'4SwXPŌ}{ѶiKK܂,kȝL}:E^R;]_TDM'S wk c/Hbhk;3!<&mZc0ʦFcMؚ6~(|y0ƬfUhK!g.r} ~]`@?OKva`9,<JUBE kfpٺ<eKP&ݙ#`nJ4J\xXqzJ~qdEL]Pe(C?lZQq;$7<1Z7ٹzȾI{ܾ7rY˃Vj60e Oٳ$dT:/DT2f̱ahfgX&Fu{ C0XQqI`ĉ؊9j_ R?^ud *a@oDHUvGD 뚱 6N 0 󰦣e MnB!z%u͢" | ʆ O>m7+)L1.G(T6cv:hBkLXI,1mP_Dwb㿊 wRc; IwӤyaQz ' l \(S\Xu{}w7đv%d"Z95V2 :#Dه4ny ++{W[^TwⴊYHH?sMx(  l|ZJy5Q55Ht@辨Q);NH2.ZHes^J֞N`J{H48.v8;H2*g,Iϑh(J'Gk`^|5+! Hb+yߘ-e^I_Ҋ{IF9.z]Oucھ8, p0sG+|*ˠ(=h a!x8'K dE[fvþF)?v-&b_[5@F7b_ GDk6}Uw:2Ow0itݽ2zE10p6B_ґo7 |H)mꥏxn~C y𓥖&!ێѫT!dD?TE)u8&Eb֭`0?}1aR828})$WOׂz7j2NU\b}l*ӎf(ȅ l@8Rq՛v~u(l\|E"ou;M{y*Hkd|Lrq}SjVvRUtWU)qL{usޒj)gHjM gAنӓ8w6f$_ґkB1 bKDwC+ٟHB?S _U畔+ËK o~+=uqNiJraL)˰(ti^t!ODL 4T$V4>~ Szc1v[2CO䌓`,Cҙ8O8haqT~iQjig ԏ;38C1C1%*%Fީi_e6xs/buַ >\cAj0dȉ1 XkAuӶ9g͘ivR={(|:8U-bBVRxKfdl.?Qi1tnhn尯LА!/HLMPlK|ۗDyWWꂖ >/Ҷ}mնk?& /?bzkiB8ҶVLP&͸LAL"_h $Pt+?{ɼEw*G$: T@.&7r=KFTAh}jI?T}>5bĭ&Lnx4c4H qMqpt$;HPs^s&~Xl Z{Z\2 *r&N>{Y\:w Fh"1:Rh*. xM[c"9rgIҟݟ'naǸrgH̳P%erk)EVfp5z/ Scjl쾍: k#kKpqef?\Ԭ%yt$4!܍AhȗFoi ^'wV\IVBr7HXC5E5?ֲQK{#?+_?[쐲*:clg3f* 's{2#{M1mi7女צ8N lTb14+s#k$lrjכxGJ?dA%Gl-nЊ!eo9 pݥ6$~ R {9V9Kkʹi zL!X!:0 QEmVTk$u@"Pv5_`*յ|f`͒p{-oB,l$MwƻZJpVćmi)`%.(eqXu=ʂ">V w-(oRpx<ۖ9#ԂjV(K@ `3Õl#ֻOZH8CދhJ+Ϟ<g4/F3(AwTL] ` OޏWMJ9LZ BgBJ?_~QҬG>l,yO4|zG(GlɢmviوIW;#Jgw. Ub Os{ D;  A jX-aW~Ճ'e(0@mJgP}at,y+-S~r@xc{lɺvCS'tUl38bۼdCb8hS3 O:̩OGO~~4u"*ya` ūJ!ќҡ.T N$nw(4!u5h7,B ڑIWckFXGW[fᄎ6-ZQ) bƱAz,44H4͏p# X^ƶ}2fYG0̴0%x_Wz##^Z3<jP/DADŽ-y^+=Iա0PRARDg6Y)2#/|hyb7wƑ:g4@l vq|9Oj^wAI x%L}*PViܫཨ&s^\I!5+s M Ҳ/u*>Oҏ‡8p]7hg"pA(`f'"۫rI3tD2; :n~-={k<>=X kS(3R`D_ 31X˧}~k3&aյUISuuT!<Y{~4Zm Nqk'ҧ0fV`ؾA{K]zO:MC~" ݖ;*7"#E\~% 3T;Kᄷ}Ѐߞ3? }KPD.5vEbOLy7s~X'[#*6oʌxi)J\=xP$, iF1ۃQpp{/sph@σA}ZS9_ZVa=f-ΩO+¼Yv6+u9[!(R֚rTl37 WP3i`ԥKĂnj$ '9uQn?k/>ƹ 곴Q ]M65CΝ1|Ú)e 8?i~u(  >Cx*'Tر/c8դT(|> V&aHsf 4AH辉F0ȉ9G~(e*:OG[H}t݊mȃ#3Lh7.` l"6f؟O]H;7r1pAk=$`%GA|nhwX%fgIg[$TB@bJC*t+MAD"ڑ:qk睸v5ȡ}!l+vllVV@GwK_ 2/*tsBXNFxän0\+iۈ@)U@_, yXm`'(do^#BQ"c M"+$J@^R$IHMfrm J4{46|L[a2@RZ]ˊixbո{*at@⏁YTg&s#gX>J טg ʒɣ^ܣ/H=Ȭeq:d,oEJsczp FR0QLsz\śKS?|tuY!a76䛢Z &̠_݇F b`◰?ëeS.]f%wHȩ݈D֢#0K$lVZUުſ B! `D 6iNH&o^I )qoqP :nGЊ e ׾v )"4L~&K|!$PJǍḍ揍b0^HJУN#ciUѐK^i;3*zO9Ef[j.dW*Qܥ,M+ X  jy٫F mD6z*1 O!Wfraa=76ΌdOgKiV|A©1չGjif8_[^G~zƢj]K`U>"[ u#VJdiENyqQ%QO9-E=vd9ƓmMuX@'6%<:43><X@ pUݻ@q~>Ja˛Gڊj >תZ^X;`ب؇ cY}.(ʉ}7h&vJB6ܮS-Fg !XXXXPF!BLm%LR:Lߒ/Cp[_dv1轹&Bv')(MB^ 4$xo1L'vA7ѹR }$94AscrÑF ?xk/Ƴ)~i]FhNBy&_NdhBs٢=Ըk: ;#z֩@:8aDxv~}N8hDdܱv 2?v9: 4yx~L8&PxP.DF3% .{ \b\+IWT5N mUc+3(|[Nv!4SR%E([P; ֈ)=_K4uT.y'wz(v T u<(Sm2㔽|_}coRh∠و=St/h pqD3#DUͬsDNzHC8}ĉz9`<@ q !NFBk W)M=nnlS:_Iu ?pe΄-ʺ ,4Ifjڅ9Ölޣx kAph|pl!IiuN RiO*kRY no]Ⱦ>mȞոa9xVqQǏ|"v&ؠbV^NoC R?Im&xUR0V,|1(~fJ-$k6T0m:E\r"cPMϐaAC Hcz)=_ѐZ|bcќǞiQ~/74<&V.EZbƪCYOd+lK]╬b<'/c&w^ ~UدcusћJg֧ƞ΃V}`~ŹV?b3 {&k,;@/-;@wA8\vfJ{+Yy e + 8`ŗǁ0ھYuҙQ{jHS9̡[o@0 I2h94YK)5UUuʎl>"9D(7ݘL¯}ز K? 5lS9)q 22%;q:~&͆+[)^yoAW2$οeD,оu3QZo7n %UWA*f$ՖvWVsWK󗫗 {hZ=KR`1zfy+2K bᥛ/(P~,ф9*&*[f?\M,~_HZj2Eҕ+Q(_fXa[y\t^^>f ({ ,#k\$f4/%?kw#zZ@Ly/UzР߱$D$}T,RU, ф -A,YVZJ>kKt2%nr\\q 2]%Ky'b^wQzLsc#:V}ϳ(dcG`y&*tt)pY©=<W^Ncxa+F\c۹eфt7*&=6S?!Я*Em;{0ģQhvy~xxzR U0U6ãPit&MQ|o@5,2߃m3:Y2&w$U $wX˨YJkTr mS*܆rlMWYus*j Md!az4S }ºb6&jp|a2VuL +#˒KӜdIpCpd>Qg#i%U)јikJ.KFÙ׸cȨ O_nRb"f]zU2M VW br%re7@R o3i~H-i GƩgokm>,DJQBGӁSi-Ju1 GVqey-QPΏ7gpdb/蛆}'bg,x㵀 w]Cs"EKaV(TQ m.n#t[q^?v/: ^={av`|H@9׃`9ژ}jH>b3]3QYg%ӑű+'Όj ZSE s$s2TG{2/i_xp*VQs뉕+$̇_4aXu*lg*8 `Th+9 0#*6賐Sr,NAxd_qA0;W3k"HD'_D7ׅ+ao팂jR*|a|uŭmzk5bvmd8k)iQfG/į]S>}HaA:H]{7_4U=; g|Z/!tdCظcf4!xUb.QZӅrl 9ؘd}{[7Qf@n<嵨{޼^OQsG=^ 1I Ͱ)xܳ#し&f I ļ7D 1dVB$"6z*mB- M5(@Z{ř^`f'H O3GT?$5r"U2Ik`e_/{D$ܶc;ʢ8P,Og &4$siLZ8 $Eg"ͷ8L@1Gp g?ြ-/~9ODz.[)&(v#6I M |s1V*n 7 tF|S7;LH8-ۯiڔؖkvhZ6ov oKS-c.Œ 桱-,o>́.P.i!׿E{5"3 - k`N29NNPޚw#& ` 6w>qthQMe2pc$9& fmWk !d3;̢7м#6U%^7}:HwMcf=+-`T5YΙ$J$#-b:99!͑pöx>•۱ͥ>AiBfY<<*XUmjY̼{lkȌ'DW0A='xzٛ9§z3#8>yr dgp{e~ F_i``9Z䍜g1On?oѣH}La)tkb!ygʗX~I-X'v{ yg_yDX~e/XgZ ܘx8؇qrk(훛Vvw]Y=\ v.CiW{{kMej`6}{FG 3 M1uYWu\ Ycqb,O~ㇰ&$X勎pCuPhdYJy𐏚hB̗#SCfMpp/bO=žwL.JtBYK]4oUmyeA҃8o&t.kv[k靼ED* _aF76Ԟ@d51t#-6F'{I-?E$ ̀B:bvjTE2Q -+>C'ހ ׭!OAiZJ A,DnB&fT\oze&a F|Ew@6D7UYA1a7v]ǻK%>/X10+nj @^8z/f:m̧.8˒KIUۈ>X^+癙yYV70@%4V{l@Fb  ;TEG#BL| vF.jLXǂ K;FcJ6;=͵BE}`&n-kPeTnKDX[gUlC]"L" %螏OK).'A\&h{|BNmmw0L,ЦL$w.5@-NF y KCemVM9te;W1H2AꐧL]' -deҭg Dv*71`6@$)CKZ>LC Pk841ꞗZ5gxڏ.o# J` _x!m=9~[}Yls{/:/600.D >,@d׉'E0,xsOԂQd\ ~f`z 9yK W<:Hå}sGtɘRͰ(f/`n3PQVCz[QhsuM94oFD N&_ Viixdڍ{xxB'TX"2cC@<׷eBK;T^ЗYyه1(GŠ4/CQw*";}mS3,y`:>&FR_ҜYhbf|H?{hwEJ=QlpUEGqJ)B{܂?cqRSK$ݘ7AXX謧c= ZCgP jR,V?6p66 z;a8)[*#6¨&/<׾kge,u #[=98q:_6yI9Vh(hJF&'Q>&~QA>E[`Zjt[lX K}n[z1G _THlצI^ͪoA=qBׄ:Uˆ(_FElY%R6soǯIYRGI}4 Fz$]FEK:vp0q!%~y)j)R.Vz\T5&ϴpt,`.9w7⃮("3[|)vH@$RʭT 1?:v+u*6 ɤk"YBZLQ㉶x"(07vQj98OO@Y2$$/l =[!r(trǎC/z&%{ a :ևt2u5 )- 3 _pV;o1,wNK2CF^YRXZ*1wJ|ggqL1:af&y+hƈh|Mpqb!;>&zEH& %:=J;ͼLs"zWe)a vZ[K{1\-&c(cx4-?L<fkzvW"]Rs!SXԝd7\X/[,ww.,KM ?V %Z8j_*ȭ[]]}$]?X nU20R!qd r61mu,lU8TNu6ǞAL6SnKdsHςAd%3}XuaK:- ٤ːGtɇ^Lw ^NRݑ*oZ= feXuN,Hbn߂z`fcJ>XݞW:bw$&},|Ww(Sf,B5h1vQ '{+Kq$[Q-kF߻69B4o#^&1V)}zJvvVW/4M'-pm&xӚLPLabq?Gþ}FNQ%!C׌|, #p=jG8tLq-Bu@|قn٘ 1[Ɇ8JlZx#ࣰ~J7 P'8D10Rd۔^'O!ZZKYThzi~~H`34.vsk_h|MS7? HFQ!Lr涕(."߯k'wC4~Qy}Cê.w @VX s OUr-@N ĥ=N~6\Eғ>j,ktrt-qЎ*uUƸ.">:Ch#/FX.𽨫MۗeGhQtL?O+|V}nE }p5@3a_b]X FB}1'Kn戓~IVMs/5FD["Pt6Q{5Sś !QrU@l8ZX|xl1-T3z 3 hy*Ky|_%L)+NO&oHv]mY ⣏Kizc6Yv*lh`AndkY:PjpG<2GfLxr7OSrQfnslސcL&?d_%~JrSQ$0OMdgGW?B義bv{BI7~'׽U-ŠuTա\Q Zo3pN<푊rtbȰ*<=&[xE5ja~;LU28\m7C_{ghqGjߥV< ^#mb+ivK}X gdוuYCƪb1ƺdh9) E&l0_ _|—8_qY"Gcݣ N$QD녳K Eq-OQ&(v6Z'& bj;=uLhm̊cSă>X}^^B%O|Gztc3d "tH0`M? 6ǣaI`Ϙ<}x`ɂX4-#̣ t4:L0<qOؾn;فD$a_yA!:߽ݻԆ"یlz=-QuYY[Yb6^°кḘ,psVg!t&`A3XdPXKH0u6ga` h7XtsH);HQ(d%á;5|DȀM Uq6ӶXfn"\Z!XA_![*z1ߊ$Ĉc|ƲvI;>6*2`Ez$D5W H!RE)XyD&x23=t:& /L,}Jʴˣ.Ruyb|>ks@)0Qsj=պƾ&n/:ܘ w<ߒm2oPkCWpn%/12ד@,(-inWGnNMmYn=$MZ"w~nU&l;~ᢁ5nWWyҼ٠# .WOq๯" ڍ[Xyq%x>mN̥&b,*b4}j&+Cёeգ ."e;_9q=]FdwNIr6t"%'jDՉ^7fe̿d!.IZ{үw 910ܞdP<aУ>D6gGGEO9eM-{ VH>T+OLU7Y!\i _[¼Sn!Ȗie$0(Knwĭ^k86^nq= ƼL{51q2B"!y /ڳaUj77&S=O$?HIVc᷵_8 EN4~6- =31Rg),4ob'=vU ʿ`5^tDXfܷ8 7蔺HgƭQU%}940`Gf|Ff[avzgհ[1 a8 k!zOd:s0cB@,$I (Hr:]..!3Hvu?0~՚(WEx?y!y| fj>_PRdk K ROdݒn>=Ph-Z1xڗKOn}oTq ^a~~MȢ-~V 7c>='ӑ"-.* ]lp`BՅ$_rB13P&Ŀ޽9X۵#O| fb$S`QZƏhDr0ie6аZI7]VVbِ![8[kCo%Hg1vMnIї\cfXz!\F1.6+CM. d(vao`78tJ ?HMD(6*a(4` 1yħM!Tf5gyo1TixɊd.6Ò^y/ss9 D A,^99;26S^Ejzsl>,Tf&wGazBvNq g!&mKEEgb%1琴?Q,켻 pՀ0sR@q,x)aƖ@x:fYM8ʵCl:,6Ͻ愇A;O@ V&qKbC܂x WH e]{A񶨐F+"%V$%+P#7FYʉYip'<.U[,4Wkm8(fȤ1o:sRw솪w ƐoAqB#252dW 5kaX>,@M.=w}~~p<` Դv.u3RgwPP[Oa&MP3<ղ[<ۨ)?}h`P ^?NbBPS5x \(&F` lp/&2uf2^6}Faa,.(0u3p=0h}rm Y-4ܥV` [5Vb+缆upFER+B)GȖP>~C9g`Ϛ)-SoakdP^|e47=4d5J'32!N٨w3!%F_*0"h'%2wz](&P|H-5#j! fM>4h'3D9{ F5ƛJ> l[cr?-H9`KWɬR@mG@y_"pd+)੎*'&hM9:sŔ~\%Ԁ1C5MlG Ӈ ԗ%v'CXVE~#?KS@?SEE[KCPqtقIMPp6xFه|kawDͱĥXҘgḈrPjkrO,bi"\)Ohfu0Jr%Q`irQ 2cͪ|9w6GjӉ5ƶPW8ݜ~f߂Ay?fNyR~&vZm 1Xd} üVrnf%rdf'O Vs!CMeCa& I D `c|5PĦ Ua=G*Asƃ":U*i.Zaazvs-F'J S7 |7 ^ӬT$wBm=x#gS˿Ӓ&@\gͫ`#ddX;%ʤ|Ęj]jl8b~[k-ikDG,WĪd3,rCva )v榀+4tE,DFeW]Q!* NX##kL r SW.cHY_Y@C]U#(VĚe?9 \Dy{2Q润/.5J4n2|tυ9V hYSMB.7DUF(ˤЌ.SN`n-Ŭ.$h:(葖 5{5.%Oe0z2iAHp|mdS/*('=xQ”.5*g+-sd0,E`s`u6,J2*oG6^޵q|%N'%D!ދgSwRoU4RMAT$kF((P4:W"$B=#o~eZI}0.H, sȈ3 zkYnkZ&v `n6I(X&swtJFPS~TJ~< 'n82K5#E8:"9W?>毈#5m@QR+ 3Vra/Vn^EqkRh<,bA_d@b SO DLghVRk'[E%=vsQ c&8A\pt+Զ {p6a\~q~6uFХW0w]lF2kBA*$L,;!,ekq\>=>6E**),ݨK.%ɧesف&Jے*2'pd*\i+leh?7y( B*a8fi~HU(ѯu37^g\r`qٖ":naa4_ɍg(0J 9O`'Y$:=~5PXQ#\+يgB;1]<`ru['Ǐ`CtJK硼3Cfi7A ~5ݹFYXfո"a2fO#B9C봙:WtVOGpYXBˌwFJNOjonsLAۡCYijcskg#ּ g̽2jDWIu yӁL'+ e>pVN~5=1 >9% =KCʢX\ |̕ZyB.7c]3?Q+ Ӛ};%.wz7Ȏn.x)Ta;-;`Kni_Q =5hY E0KXt`f}f3G!Mq^RXa{yY̖ +p7ʊA:Ѯxhq ̈́ڳqTB؊LԾ;QG墈/vOg)RϱB/i 8rD⻺0mrN+dz?R")!Pݎb͗eoqRHٴ t`AZ8Z e 0XCyR+Sڦ.+TV&{eSUJY%IAhݙ>W0>ZbwZ3RB2XR38#=h͹ D$&0I(Y_*z"*qMءvڄe0=VL7VT}@6]{"O%CV9{yWvW4[GR%Lh/]M"?5Lrժ8;l!X};sZ8:9{Nnۜ`K E1íQvDamT8]pF"7/3v#(o'*-WJںVAc "ɭiG9<[uܽ?`tJ:)M#*Oc;έ ]=X |b5ZF2c8}cLrGԯƈcDZ.tיH}Qd}A漂A[S2n0[?I}0nGO‡V^ׯJQ`<.@& qlmn"Y%"'E'\<'&b%5RN> IF#4MoHTkb69[c Twc_\MK 8 ;ιKv]+/D/~ٴUtTNKgf8eZY?VIMqB "4xG&N]g,pbI>bN?#%po+J]K5[-KP16c:H۽LLU'Fy.&huNb<HSfu>0'֭MՂ|SQ27 Lh"W$yZU5Rh㳏][<[3F3[|ިCǣ[Ov~kiDnkgb;|v)/ tsJHDSkYl샹LţTjdك}m/rn'Gw.&l~#GYzDh.LnZg +Ą-sE@]:!hhќǽ{*AQUEla<jTtwYSlB/n8T eQUx@?vN0Agl۪\`?e6x GpbΥ_H7@wKݢnLR$B]zotuqT(#7MqߋFl;,62 E 0uY& Lu2MU,#boǽI٢Ŗ2۸@{< w6 7CyYqЊS X mQEF [D ABf~Nmҏ}qΪo:Z%-F`BLad=[y'ŀ{cHGc;xpY-=:Y [eKٺ7:515*7PW,Q:H!)%(A͏̞˦;Ɵ 6&7G1K#?hkr{Z{꼛L uE7BMהьT'zT8qFUlrE)Y}pUMZJ5:*#LPsX8g46E)s ^$@:~jF UYUaפ<2l>üв75n|q 2'F-~oU'ͩ'VB d<^s>nbczۏֵpfC =>y1@PEte0ޔ&+g0J #{RÂ0+.DgjIAh+hG1믥#DOz6iGRtؙ.d&Q*w4k|MXjÜبQKT)L:iH9Q&<62vj.#OSԊ$vpW=zc&%"9ɍ4~3=/ rgWۑw\ .G v8D1&&֟+H "Y~Ԧ\͖++*b&L]e扸/L߼t꫗-x}7g}콢WV@*>igz8&g;DQl d9B +=żW mUe ) , 1B,}A}!#T"l ن΋Y5J4z NC2Zǜ{C}08=Ic$ݶL̡2_D"::Zu_.(hB1((LҖ9$2Mc0%}::V<_m9CٴvuƆRW.rhHc;BQ|(~td9?An ZAz'X^rȑ"HD2D85V@Ls!ȍWS`۩^1C[oZWF&K;)?'HxVNfV2wHAྴCYöu{&^'AF{!]YC Xtxi{u؛*c(zLs)Z Ui,(dN[FyK|!V$MtJNcǞGC'M8*,$_uZC[k\zJ YHI&`'x2 N9=>l܁/n^83M#5usWpv,u B֌vT֟N77.7͋r4@`#_ ,~Bok- >iVftv'mEj]WQ8 Jh/sCL?*o UyD~ C[6d5[0!h.;"Z:@{pŷ8kv Fj ,b|H A."{uXlJ(9XVz\HWbj&SBfSd7- \:^FsXڞƚ'j.B~Wc޲_](b8+U×%؃]߿{$vd*EsڟF% _g!|:SuݕvO&<}*H Mh8 u3mQ4 ('9ց/5ҧ 2vtKKϰ ^ACfYF*>]«O.Ε,-LƈKc 1?Zb6'nkF$6; i"F#X4xDc2"%&paA)t]|?O3Aj'ӂկc{Q>2YmGLמ"vHI}c:vFpZfyȔjhVnҠixh" %1s``yH%UNЖ?Bz{XZKnjbnww|L#2W.)_ R>w%׍JαhjQz,D͒[jR3[]քgBmMa߮1=L{iNjB֯&C"%D9UMNgw6zPH:OcUO8ptBႀ}+,}NcW%k+''"|MrRǗΘ`IT:EXe~bCQ*2+"t[P(|bG"Qnl}AB=B/ FmMy\2 R9EyeZʮ|};r @v#i6z.6CH,ʕBH,KF`\YI$6$jo؜7ڏ qB0*M3qLUy[HuC."ǴZRJb2թ:xԣl2>3Se" ;JΒ :pj $ {9M P D`"zcam> 'z57h1&l3eoܒh7·tFov_6 [ydPcD:%v*Bޅ۝o\ګ!nTcnP)C(hJtKU!20?_=Wq'-dsǟ(<ƸV;6Hc"<MJY6Dbqc'/~Kَ"+ Q`*@: æwM&&.,x#s5Rv(䪡9@6ϸ/cFG96\&t&->SWzHEvۯxN!(K$3Πq?+nKɵe?虝JȤu; PIlՍU)5փ.ʌp<޳.h 18u팊|7mbVΪ) f8%fpbsO|-e eC u,.Y{L&J|Jb|ٝ6&5j_t >ͳGu-5 &]/蘑3K3kPUv)-G]CU*'a c/ƠR: Id*> vbt4foUY_7%LVY0@:âE0\ʂ@ Tң'oiC3jt6~ Xf37*0lJ"ffi!:[~MJ3)(0+8G0:1tQG\D,PL*]z]ֲN7:!*Ak.qjRRMp'fZ*sh%vdzYeLEFF*nY&}tG!W 2w( Q-QC>V$$3SmU6u^ɉ# "N!l#{.K4e-iUP:n%4HI%XJ??@ I]|bhř0\46&bZM8[9%F%o%I9s-pd0*UaӿZRV['r|`oDY톁9hVu^ڨ(p4HD&bN،tN`KFj2HxSh?? #HK>km_pb/"ICH(320D!!n_;Iަ `ED}2As^9ie%r2II˿+Ry@Em_Jа^;GdGe{# %вU*GUd3,8C2!=*SU-? 4ӂq'kD&T֧hT ve$ƸXv3v };s2#6 ̔TZIC֨LmC&3hYv=kZq_-bGՅ3/rS,[HAAwC}*Db}ƇE{^ۣ^׃h8(d+O#a8ЃHǼ9Zl9Dm<P"CbRԙEIʞjT.g ߫~+fK<}(5g?ichth"D5d%6Ɨ풼ɘVJWB"iݾ7Hu>dzB Xu"eC[@-- -'-srka_pCsqNhg |isDqSR P+ғea?!Ȳ<"-Ad6I:1]ߌC{?MWMS˅=ՎNXO<8EꕌtT*7~bXtDSڼ>8-%׆S;}욫G'u)􆟧qe=' qfkړf<"pե8TEImn_bNL^Pu5&6 w-x϶Ka;*⧽M?C F7Ҥc;ijd/eޢ<]WM2tee IZm*UERu=+CR~P"ʇlp+6>䀣I&Vx% Pp׉ZC` KłJFZ ѮX>OlΏu}L.=///ҡr`T}n*D1)lReB' e+"Da!fNeXkX!"WHu"U70M(g~i' R,e<{N6`Xy$Gr>Xjd[6.2Fc;WxnpD;:"+a&6K HMn}۽jfm?vj^PMQ Y*{9侓O@ W A+2%~]Q;2ku֩0Sp61 4oz\N4L6I(D7Ϋ%2u -S<͍ք|u7]ݢp =TlU/BQDõѠ";{e`S4){ Wkl").+KJ[FO7 gy땃XIX[C'PXKӟPlC=sc%z$#Oqݙ]-;L 㯮T>#?t|)4_gCb=v<'. IU^ pl-Phv7 f ):%-?\0_ʏzhM;^mn\ӇX'#L^zK0\Mn@;8 iFO~.ͤZ*?·ōʦ+n0/ +2, /ebY8Q4wP+Hup hRr^6I"mVȅ-rK)(Q=h;~uO9aXQZVgS8y5] /ЗӅnfQ^Kb:Is&QZJqM)8vw?mƍ&QWL:pJ3DqB2̴'Ue-iٱx\%*S/4t !ۂ|#j4ȏi I3B\AlJQD<=$zLĭr^ '^sMJ5[9ŜJŋXfcb@,.H>lqQeΒss>x+ <`UVg22&}ע74}3963i(8"P81I.뼐CDul}IKz<϶0"eӇEMnߵapA-6+f4.}kS*_#(Q`oL.y s#Yѳ'0hk¦SG\q^5YFSlczb()iEjzp<5u w;4p.le5f!=U"s9 tP!A*XEjO;]_4b)mj}x0G';)#I^ocst闩(OfT_I?N巻vϏ]"2QSF@u U#rI8\|n v(Ov QI '| ^ P7z(Z'FWŖ"GV7iev1ɡosJo>svl߄"(¬p3IчĨʄxYB;wtܗu0fJn1[iZ&Z"~4Úu<*JT 6,xK{yAU@ٺAӫ?}H0l1\RRptP\Β;61[W‘s$|ڬDq4@'*k:3xv(Q0D `% Ru@hy6϶a "P&Nm@;xT:T%mg!Yn-;jN?3YWU3֫|&rtוd9:8c_mRY奐vsR]}|G"n;(%50FzJo!wk=t5lPs t@p.> 7Jb*>Q'H,PcB"lWRސiw `AdKV{8 訽Fd1SG xI?#3:|yɂ#Z9ch*e9.?9w†H0k gagοÖ( 2Sr;&Ӯp"v2.L2ɣϴl{+EMxY\-A@_`o|fgtNDR{Z˽5~k;:P.07G AK-p/:POM9yձ)u_>@h!-];:uv9`b tf_X\E=: iSfju~PC+ :OQ^x0wAjt:7ɻg47Hؤr^_ P=YAsQdݟqMϽ~B*~6U]dmѭ֥rS2K©QoG]E a؍NKUչߞʸ jV0ه` 0[cEƌmqQ_L&=^)ɷ πOO2느k?.*.qe=Ӊ9 ,i[);f>Z00Y(꡿K1IiG)<3="*0noֵwЇgNp:-9E!pE0(w6q-W*3K'6ޞ/r3yuR ;Fqz h\I'N)L#Ff+}p `Ca3[ YƘ6 -k}z ZZ:a 2<&iMY7[bz:oS6ם<ְS2٦?u[ CN3:0Ly}mb4CLS}:I_iX/n/8PN7xK5-]ؾpw{޲*VY\԰D)%d̓Toa]v;ג wSD0+@B  )9#M={"^ n~NO^B-29k|ڦA+-žr[ؤkNC;!'z2Y9=0TA!ƼȖ}d I\xf]6Mۺ BFJRXj$+N`d# #9!ь5m1[MQbuа3aCjJ|@F6`u{fRffDn%?*RGRU V|rkЦkgk[F R Nw#6jz{|fhA3dNC +O;1ނn7b1Q"c}m=OӭmFP@Y,PU4Ѹ+) ox?Dnxg`V5q)"PR܃ V= 1"[B%@;}-xU[a!KO ݲ]p/f 8R Rl0W7oP*S+ot,'%<;LͶpJa@K9H7`pk7'}pc/^6AVڇm]1Z3c\<F'L[;l/|%Ru]_ ì:і k_eG wΕI9 I$ Y J9uEQgG)#3D2"iz5nͶ8Ư얛Ml`>I`U*=mI2V:e;'ȳzx ) '0{࿅VlTKP 0_tH\Nlp?o8R\FLk7ݮOOhӦќg8 .nih``iy?Ŧ͵fz8\ce}XҁW}Z]WL3FU*ѣfɶ@yϠ^w#Ϲz7emEs&:X| Qc 7 D<N|jl AU9r\/пBT;x4R ֺjWN(r=KrT oJjPitbc+ﺩ.Ir5M1bn "tM.Ba%1jF9oTr9:(2glu;[;*A}+Cls&R[/轷7 ZYVg$cgämPz3r5ڻ:%2&TV@q1dtm+5Ȃa-kj~LJ>|'˻6$L2qSH8E?97?ȐԑGO;QD]fbclE;΍jf c@E]7C@꼨m8_M&`1@X^5?bdȐ1,N1|򫷬Ww_w}e!6v55ְ,O4%r3yo pme6c.ڏ=>`Q6OV xZX|)ST^֩б4f>%}APҾσc.RGwK&ܬMk:WLMb%E,Ԡ8tSYA Czu[ڦ 7O{ L}gYel+ۍ;DE+hSm2=w#QM2c WRoǂ H bw Rc;..!!BpEz,lƋoA-l|E~,4OǪPo,bSl Ɠ5[nt#\_*F ͈-е_\ v~g"% nǓD͂s+*פ}k dƲ1HYnU0 k"K޲RUbvѡ0u*QwNIg0TiAq%W&5Iݭ!xŌ| 叠*ÎSnǂN^wϞQ84.DOb{\K$ ɝW&puoa5)2DW-eUb%5 4%!k#R3Xgf$i0#S(#?"&tv{h58J8}^D:rUS1g׊KZ 6O\YYM|}SoY,ozI8\v̹ vZ2Rz~1{?)VPŘO,B@W'**\ Y2cAY"IgxR00"g hmZWX+ z+"fB=j%NAC&xO7׀ SޒY/=;+"5>1N^mI^@1- aI#umeWtpCJ:5νqJ˻f_u)y~υ@uﲼ8=Xl>{OsNƥ~5ψ9bzJCf4:A3 UQVTTkě& zZn(]$Ѣ,qzAʼi_L%brPyەѝ*Ǜqat2 <rIUv&ч|O8_>;d]W ծL?Y`OTO^'+F[ą@?dy|gȗ86QWTG@I?˯X.0VҶP}Se4%a,4*gJP*4Vj10`EϚ&NiOcz-W%Ub-ermsBMP90{_括WCV XDO,H^R~h;"hWnW 99ԷAEWċ ~FC/Q`k3ȗ.U )"րBuӝq$i[– B^AwsSfE0+}g,}n^^u#c2-G`Dm*W# L)B_M:k Հwa cG4%k3.bv44*:ϕ"9^s}jgĉ UQq DxHyDwE=R~;b\ 0>\!:-&{,W 3‘*2G7w]mGسr(DEK~J?y@."d[ohiHɅT㲐y~*'xB&(L~ { b4 {JSBJ%w0P*A_֕<$Lj?矌C ̟`]/NV9P`xTHRg+Cg!~tNƎ`E5,p%;Amʴl>LɸO؊~s?[d*]egMNbM.t1U@t#Q| 4x@bWnΘG#!1{)'afU > &}5 duW_ *xH(=g&F&4|o^`m|#6E-JMj*/=piƊ-!73*fn7vh.F~L')c%vEdkb/<86WW]^3@gũ{7UgҀ! d80vu(=eFUm(t^-6.@{IAש߼U^;SF3e|Xk%C])Nb꼶cjEF+mZ*#9K:<>ƻ]Qf͐%;x_bF%̒) \dy 45/ek_}ρOLy=ǣ [(\qOfpFX"'Nߌ}hW3>)a2emm*J3_6p3uth#”m2ar[|x"$s2?U_YJQ&K8ap[Z7s~(ZǛO8w+Aɬ$jYx))ȧ 4_RAۧoA"ErGqz=t@a{ < Cxȹi/v?'KGCQVv7"H%V3w$pw 4> ̚tgLMzS5k?La/ҤgӁQH .2E 7%^W}7&2xu%|~}((me(]t FM[3yl1IH)`=.Ϳ"Ɣ#O]g:|ɪUVI6cUO\@C Hiř\n;l8rlkbYտ@WQnSQho١"2w*a'8:$G&(%+io^wTĬ4!t̘D2}.^k~6Twfn!^4tb{ !bPm]A>z:ZV3vwO AO#y @h^XH4*鱮WuZ Q1#X2%?!\È<{Kj:&/+\ˈ e&^]*- Hm߻1x k4r#bSݭ8rƮmk%Acc0W'ym:!Xufo  "C//[Y4K`[Ogz B|C0̈́۽UM^b2Ɂq3ijG1@ӵ LmA19C/qAx<ﴩ 47TF$+/z@8O+Dfb!@t}~:At-%76sþ2ȇ|$`Yeyd< _L:t: h\K4DzV-ꯆ àBK^b>n;M$l6';r9df`.Gf;7y^*kp^+na1+ Qu` QZm0ሯ,L p<]gQ|OqVBxfQ.IZM2DǶ6ݳVE`ܹ>:m9& @!@f P,P N&/j3TG(2%ܮX|y0F;K!uR9tG @^^o!TJG+%WurBa C66E k7\!O%钲 mkʢMO=l %"UG 5`4GȟK kqj☭0ּrX{:6dTKf hzo[oܫOp0,j|rzA y0tM7&SƆE8gfSUR6xN ,jX-M8siā~ȵ= @r'Vߏ+e&K_gcOu ŝ ,̳rxKp'I ^lU+OYdzK,=MpL哼 uCEZЛ$G0TuJJTQ ubb2yȂ꺾.)CC#!3;yN%ig"ZdE?.>MJK V3j.;0K@>Ygڂ<3-uhָp)CMJKCg*LP ,q$x-x!we'ȝItpG?P ]U?=5Elo!syI&#Aڎ=Ic dF4ٺEZ]1~GŸ{0>fQT>JV0Aay,URXa8箉-8+IɫG6oKBz LU[l]7?ފ\Nd ^{-W-kZM > fFܮjs K#r_kG^U )QޚsI'r%%}oiM\-:b )#Ė殱 B ?p$0:<'jmCdh۴v YS]9ܙ{{~ݐ&.^DGwc|Bל*Ksv?ʴS lN j5A(u[y6>}x~ňR76f ع$4  >Ok2P+YYu/ 1MB`r[5TM. #[Ə: (0b>-1xcU흈f<ΠCg {i>hN>-"L[ ~_z9Le3+5Jr>p< q EwgA{pՉMAtEN;õQDO\^U9єfP^CGJ`g;^q [.H k\@2fzaY= ԰px_QV}`95v ㌨{,s,Ǻ+\r2 ؝f#gPWx")[N,#^m{;(5| asV-!:qmwx[3{иJսNv|Mm^HkKURyP]h)mIsO8^K //s%+46R Tx+SɋJoE?}]Bl>+^DMɸ\ b#8쟉Ij]E"&k=nlCɬEdb:TN($ EW"6Y֘G([8-92*Ӛl9)i;MK7Bk0a0al2*L~VN9Bz r(W|)&[VrU/یB q)¡W-(6}yh>(?U aI5Mb?ƽC~јEHȨOg+i_=cS-LEty+MU%ΙCBCxFSTGath:CI<=yPKx>:Y̸Ů<om @KܼU!ƚi~8Yq3Sц$,חS"Yf+&(cxiʙA*((0abp8nGTN*cνu.ŜGXiJ&{r!v˚ LNg!Rx\f௄qx6HBaߣ&m8b"Ud7 6@% MZb,<Ď#H#3BT"6[(HhU[‘\qҷrԽ>Aٽ’;>x^3>UNeaJ:]rk_Xҍ>ȅXuq:vKi7{aeߠԩ+GB] !x3‘#RwJِX\G+:k"0JsK;0VC2ڱ#:83 !QN_o ,P v~A>&IL nj^ɾOtw]{nUsBc[dR)de:l. YcQ>냨jZ+pN +ˬ,^/.xT 7DCՐ3?Y٢R\ h8+*ΜO_Q#!,1BaOF'"14Q"ah j5ߊhcXYL<"-Lt fuBe9DjeI3a!!DaYNEBRQ8ZY)J5g\}֡xi>RPԉ˅(KL`X{<#B%KUf/boC,>sن(v5EFQ=6q9O$hjQ ,)<қB_T :$ -HGqB 6 މ.}u镆&8o]y+DW3;F.$jlMx!#۴ \T&DGл^Y~Y|h]bY#M7 ~Krˏ0ƨZ*XX' 7zCA?SCT#]TLbh-EmC>}D2)FeIӴ]kRڧlZ Y &IfԸ.&@kު줄G˹n+"A8 ՆޕkS_% 2"BӮ>R&}^_Sr i"4ldOuI#VeDpG/"j F$isjhơDNJ?ilթuIw*ewWC,ӒƋ-L'`Vt6M[%Mao?cQٯLnȨr8+N@x:BAXQyrc@xYMEƽ6fiQnEs M~KT\;kf .=,@.3(Y0 ̢v %=7_ޭl:Xmb3c+d6 0`ЎcUJSߛ[qPPjo.@B"3QXm38α(\ [3o4<]Z&|\uPE;VVa07J(dwsXEDghWj)8KO뿙_TIC!yhn:-]wk3syBKi ^=$68WwX-˴zK$Z{{w,nO>TT0šuG/8GXO 1!g4N;8%8t*Cxofn8[n\z}>B=6XQ4)0*kL{ {'U,a_v(?+jHPEndx0H!\שq}B/ O(Hl@ AM N>N> U"]9h . kϡƑbmـp#4dwk&Yu!Ct[`s(%+ѧ҉G`|[X~ GrE2kiz{GcX$s'ygB| 2EC-DynyRbHXeVM3?:s\~PKw^I-TmIFJK Ģ k,r!zx~ asO޺F!*KPwipw<@&WKebH8}TjLA{LPR2O`B/r.4A*X'ڊd-v7avޖCWc?6uV} hel'2Ggzu3Вq)Hg Buφ 5wAu,֝=W ]ɤz8"܏%6F.KMz[T䄎53 r{dT} 8A"CP?*I_:GQO؊(Jbن"8gσ+_= NS"DF%q p*[e9۰~0Щ>{^KF]s=PT7DԨe: 4g 0_ E3TxW2ܭTUsԵLB%6sY8Swjm^%A܎s>Gو1xUC`I&Q O\ARM_ƃLCNl%nQ"1E!"pͽϨMЀb3c[ڤ)f&HХzϑqUl''.,gIٓUja FL<C˜9Hd1D3L= ztBYшʘgw.F8و=#AѣO`X]{h;Y*O(d~:̩jZ4oy㰧 Ήr7 e$#LHR{rd_; aMg&s>C`5S+KmH݌gcv;G} z#Z!72:VX4c*1&w[:^{3ZѥjDBoȇ GSD*nA.WpXv:PCJoHoB5, w1vDLfL gq;#15b^Sv󕋩Sm?0I9نpP_2D͇&<ܜJ;?N} Y~'HSpl[g#h31V,,1CA̎2.*R-h4]n[yFոj>uP❀ƓԌ9OS8zP#Z $-6ѷVҸ:ڮogKfB:.](䳞,c`ur@ /҃֐"^HhWM*esK+wوIwLPΏ%x/ q3hxÁOMvf}fFsnuo`Dp;ѽcu]!r}pí˃ "])1[ة hsIӉХFy* cw4e㒙YۻOy`&5mN4b[-|7> ug:+.| (f^K[S^I\@+&GjWW󸯭ǕE5y L\qʿ*Cv&@ F5mGanjsrwR¬`YKpzt$/,ͲM>Fav7s憯G~ա}27`:8y~O5hsyċ4S7"auה0!UpwRϡ[CI2$-T@.W;0l{-08nEf&-ɂݛP YYmkpE6f}>tmϺcZiއJةVA<0p]e};qO; ǡ&[7(/>x<1 TB\M75*Yai6ͼe3ˉɿ=_j CCɥ5)(1A[p,uAdi'\MZ&߅wckVŲ`٨!Cr2^8")|-U@*MVp3f8ˌYM^ ՟!7 Re1j oGdc64"'dG: i{IJqi oo4 o/O!ޏ$5YBɅb,&[DEtGk(׫Wr\뭠L?_d':kLQ7JnZ޻oJrG.9r/ a7k1P<,IszC&̫ OSpm止|J\YGH~pH8Ongrd0 ez QpDHO.ה/7B":;?ۦ9$z:Z>n/lem=.&q&91 ]mN.E\)WLA[5Q.EwvA9 zڈzԛW>qm'黟ɏ@nPwp ()OkQ_GiI=Uw.yg9ɋg"QtWJAĢ8c"a[/M?/sMUbydAO 7*q*h ib8igN:iK:̝C1vsC+"5uy-BJ RM)SPJ}'T鶦Y(oӵq7B)?t~dA=) smi0N[ǀ-{ڝl l &@`Ckr(D(tȪ0ud,6RL/}Ub9 %P_¢9܍}Ѝctb9iX }{ (}]8`_ؗRGf4|! l{=3Gp:I32utV5L^j N[b&#Y:töAL|٦ ;z\o^XS=LpS>|35CAX1ܸ`WEܽ0}Wſ$6qG%}Q+BL$ɎU[TXURC]O\Of85iKдbN6[sMϺ(C -Mg6r~vju^mG|:}Yy~ ):i/p45,"bQ׻fRfd鯨K 2 g'nVDwpe* V/;6zDsX6tr:_a_,sRZL|g]Q k;)g9)tcl]!f- EimoKiB!ÎTylCwg`0=QqE ]$ 36n㙹yp}f\Y> 6,̈lv,le6;6@FoĕUx`qiFKQh.Ξ 89+-k_26[dݑpgM.Td4e1WZ."wŸ}`j'6GExo oo*368to_Sv"$SQ^e;eaɒ̛?HZF#ϝjf旨1G\X /Pxoo ~)F4 Ce`È?=_$~'6=gLn a#1pV3 a>sn֔k+R!3=!fZP#duwI2Me>'6_yѾXpi&8_A]s੫ ۛx!'R7ckvSe).ciTwmޮo~`d_7>_[@'nnP\D Nq{I* rp~OHCh .<[)@9Tp) Z{1=I0!3qx^WΤ`}u!V}Gľ"a<roЙW&#&/R"z(Fs ]T`YDĂ]Bj{49J=FteeߪY{_f ܱ-y8;W!߰%;Tvs:DV uTu %L~$u6B *- KLgM;_øӣk(4H#LWv&J`/!NjޖL"5xWs9Gt6YR159(5EcC 0\ѩl𮮗_ ,(8/ g {iik_-̩FkGΣWu}snsRgPEWswCV_sR.v//4HtJ'sU"? ?Rz6 qʮAe V~>\w`!?6ڂ/Ґ"S:YOWDd;jt[DOϖO.6h 4Bk'Nmdā2a]MJ=.]>~]؏7"/adl.)NluM~"$۳ <%!>4[eyu/(Ƹ)WxPP~BĀ FV`r!GvUQ?mpus c6JM6k&KmމgCJ'Ɍithrb Qa}+Jҷ d׶DS XF׳\_sŲ 6=ѳ&;s^g[a*OEʅ7KmV[NAp.Q5Qv,f#i% WIDu}F>ayܗ>T@>M/ 5KNLH8`Vvi3%8xTo% =)=%wXы!P8JNs]33dCy!%+PFkѲm3-}*Ap8V/,6.\L0pJjܩ93+~8Ԃ1?^j<_쇙EP ]F%p̫սV{uĴ'-Fְwc w)ۦ.uی*]3a#lɩLcV[N7l " p w ]B=lXb~V<_45^|bX:FB/nSHœ][B&ydz#N?L 󽈆Kصw1:Y=)8oE>ʇ5Tr.>xt 0Y9WחsًCIp,cТ5Cf\O!?[A//rPxK.%1?5k烔0 mW)2,7Iǂl 00'H eN扯P+tАTaf.MٮsC}NdSLw9}Sv,jmGiJTY-p^WGp8bzouJč%ݷRv~y!U{PDf[鉑+쌭)S:@ #ߙL'ɀ;DE^;!-6*_T{n"M+Mcauct:#j#$cI1>:N^X")-SD$\%mAXqB?y4Zxdyv'pgQ.ͨV'1 in7M~ā7r/Qd4 7zAzp-q>Bu c6w kw?3}Y[M3 a=R-GD,lY zS;&!SpCnD\xzMFUGIkUH1G?* ݇0Y JCɗXj=wL#6BI$<-.0{)!N8 Gn>[ v!܂vǒ2R὾g`W-g3ŒR9-' si[u@1\Bpg۔?f/\BDF wql|8 -d7>~ؓ[ ?ەL[{ck0J\߼/T\#U |rqvo1mŒEɘXAW|C.^'rq9ɽ23ՀbV=|$4T&,_g~ H"Q"pmaQ=$ sK dE' d<#,qe= y(D r |kE/Kthb-& t%ZE?44'kQb (wܵ"jZq/|e6r\cUCKbtRS׿1O4E5r0l@8_hp(dzNq} إS~K𭰏M6D.,(hBfͲAHwj-L>[8bܡ({bmeY@P.- |?$Nr C6 /03, vOu J&#,\-b}r̄ɗ,rj&E׊ɡ<\ZTeab]sEUXL]isj!W1j6Ӎf]\M 8pRQ)&m(Ȣf)INƒBM"sh$t͢tGgVx%Ji^ bLY[D}) ԏA(|Xz{o|j:vG#eIF *sMd *[X\ypw[DGVp^4YŢwLEo|H";+r]Ʌ @ӭf2n:&<3 b@(TZ7}[䶄g!a-4fu f#,Sp/Y0sb! >F'E<:xêv ቛ'RSLڑ݌ڎAj!My\+ppP:t!UyN}L<:Թ3Y-? BL77]T7ˮc'Y* (L o ȀxF;goS^m~C K11E/J|mnqPDsCrJ⿌4 :$ʼnsGa"KB:dx g]/_"%M1l1klxM\OnCj2e,,i;B L#;# ډ8[/A5#oXDSa|a3J>ϵ pne[ ~eΌ"Ka?z1}SWE7iJCMǀ&&!ժ [At9e罽E"8͋fTp.oa͍+XB2|}i YȘYUYv1dt8d'anrKufC2AV۞.x[wTO9n w:>͗O$F4ET7A|ś2dVд8C1CY q3zKCUZq`&$C`4q5Z<+Wemv0FGa?pG8}9ʣ}EB_ L%K:nPL]Z<]I LB,u~SU*վ:k{L=vK/̊!*u&onחDvEeْGǛDcDd<Ӎ-mQ8͹s,v$['>bWgBc(|)3 GB7!<ƻLo\yq=a<_&] Atu4p;Xt T)ߪAEBIk5*p.vg}&)J!:]"Ap݅R^@+mN-_d{jϽ`>vV"cǙz|md@v`?7rN@jx5΁'t348x=\lcqmgyYc7xV}曠ӝ(҉b,BjGRv1lpDվ6L!U<P\vtJVG9Krg&װH=psT0h|i ݜ8āi$2;_ a3ʷW  s"ZEշ e> ɛIaǢ_ r`#~L0gŰm&S@d\=c{8=cu#H۸N4oLE,p$(["oBlE*H]ȏZs{O2w9%DGU[o^n~gZܥ]>4HhRI1) %py#xc Q-(hU׬o&socXDZ-ߨ*"Hg_o+4h1&nX6[PeXnjzjbEzcڴ7 [%?4#/χ.L\!^ eB8>VIzb] {< =/wM]SYnn+ktǔ}Noh*oǕX/6DAO*žak0T:Xth60oag e)Uk6'<|r I(2'!-Nw.ݾtHGkґ~x%v`'KguX_h-(r!==~3 CvVG$4|C9]=n- x'Chnvڛ~heDWj+WSvW1KuDGT)RDy1R+چ3Ԝi=< CzBmLSjߚ *nR#RŲβc-䥊 _.hokf#Λ:lrZU b3Ag3a Uie@ߦksX28 vS0eAV495 kH>!M¿? z^`RwP::И9jἱ#>*OR,v@ABx~W㢍 m1q_-ptʨgՑ08\DBuP-ٮzy?^ o(w/[,^`>  @}u Z؈:\tku%Sɧؙ3B́dUokBsؐ _R|M$?Lke6>T^M9;ȳ*rJ|vЀ* jЉtBr;j!) |%>p.sY~җ(!+0~ef7^T~-?Ibѐ8pҊ3ZOL:n|g^sN ?'"yth]y5e7R 2-y n{- )*XbicB*u瀲S޲*CSgK9h$<_kڟmU5ʪ"U[ƑqNi̷?td9n >ė/{KI>uܑpKL^m` Bfܮ})H$ tdOy㚺Ҭ'-c7r$?'BoI%GCZRۡ_<ؼP`y)0U+ E1O`UtdrݣH6:X,vlICgzV7(}gn}$5,+]4v4r2U\\_lj4"C E]V_{vJ* $I,3P]{*(̠ ˑVڢ w}}@F+-yJm-=:i 9 | V;_ ѹ5ޛ77~=#ٝWg#}bŷX X.tP?>@e_ؘ[ IjS&_JisZX剆g^_. 1ہgܘv:"B)P.LKG3}O!J~Iy&?LIv|B oֹwKX GBơ(KA,a:c2! ;5pk҅/3y#07zYH bN`1D rSapckiUD LI*m;uue ijۤk8ZJLue[ ON~1n8 1jbr~#rȤd Q[)zËsG.3k m`ͿuӪ4 WI@ڣZN@q.vY +2np< Ɠ\^tJr%USuo=hkg  -EBc' $#(r^Hp=@4 :z)Ԍ A,tk~ׂۗʋ 1S?8OYjr$}=\Q=Eȉ >VS<NL9Ƭ&.V;kE5^.<3"hͯeeJAPy̰dudG2@-_m')Mӧ*>n LOw^MJk.'KC8$ '5umhԯW&G^eE4mgCࡃݪq4O\'{g|0WĠCOB3?G Xz k?U:P}NoɥfOP 9+W"‹{Pzz\SP0*Q[J212HUl?>rPK!]Q~+,?S!-WOuOK"54,賧WҸ@-H 7|7[APvǘnrKk&T&rEvLQBbԠ'wmΆ)2E$p$'eV{CLIsoulo9ޓ&]bYuaĞ[e ڋo8(mp Ng`Ҝ;.o=I"M?kͤDs']JJχ9jzm@U!C²r.TD._%]ќ;nؗ;4P2k;Fɤ i|s'BG5W<0;;#/vXѐpZW5銜 ԭ$?d PVVd1JQG օBpH7O8À[9f,0pܥPMLB[jE'zDYE%j)1 ^~ ^CFk+Pͧ ۘt1O\2:8^**7hhxڴc睽PඕpȫD|qOFVqgf5RԊ@C1ߡ)O;d'^*f>[EBy b۵FJ12~9p:B60Tl-QπJXk{4FR"*Ѷ\;eJ H? ڔ5#,kIY3Bop 88"-2HC m (5oZ4WtnjOrļ-ۛX 5DH,%qڂu͵MیKש/^=7"iL$٥N!(&#QWou!IВ؂#zžoρndL>$ͮbas]"9P24ldGH4$ape*ի]-]NGbHwfJ|@pظ.[ QU_P;t#1ݾޟ)Q0u[|FW_g';n}WTx/}Y,V2HTs]jҔN&B>oqXȧM tAom}XW! MvH)`0#]=H4RKEߥ7FweueIOA>?lj,xۻD|i`JPPh,"5pf1;DMg$[o{ \5ڽB&KomfX5kJL?Vtg/Jmߢ P,)1H/]eSC(dݹQ1r=|ni# ғ9+oau3FZ.- (7"nٕE3bٸ]>;?l"ӟN`6{o^鱁2]Aih'E>ӂëUtzsl2`r‘m[/*Q8m n_"R|TBo,n Sl-;44!@lh=|20CY{ҫu; tks~$YqK.4NJ0kX,֙wQP 2W7ZQueE`X>^zqz.ƢDt$)[b4,nyBí^OS2-f?j,yo"gX*<7Z푮% *%6KpJI<Pv C c %8@.'D"u&D5 #i_AEaYJBEUgizёRF}ZpX !8%&R`:f)k+ͰUA{;quډ6(:>>Z57xZ !M܍Vp)5y:GC霵m7V{ym[g1hd-L-5R{xQ-R宸"% ӕ[cQFړf'PsQmj-L^j'p~=X d0ςֲ[4%# H|RxYrvQ4jǪU UuFc8?aIqAY|,\׳'ڟЗ {5H:ezwh~6Ѩe"esqB{"'hsVf@D,}jDՏQVF x# ]9(!gv4= d;t.O˥90wN}BЀPJ3H{ muu X%B"T8^ أƛ_J>! 7jr 0}fc9RVzџw1*͘yLDZ`[4(Y.YG~qmnW),N$$!'YI T]R &XӁڬ%ڲ⛙_,Щ1)9V̹tFb_ʖ6cDt+4n|=(awi*j4x,*3ޢGqyL?şwOA+H\?7Éb[͜v_ gq@L:hdAu]-Svq,%Ns+1,Ii oSr{GY46aȔ8]aUY:^'sHp9XɵMX##ޕ+)t'r.buf|#2Kڦ}(i8vcآPG#vJ2e[XlqnKo7O!wpZWR<,YUR+5"{J+0|t=mnzRJ ތF&:,>aȃ[|q`ue;t@) pgǥ #|7A]q*~y/?qcLYk:LvMTӀwбQV{*MaUH%[t!{UJo +!RՆK8|'a:[+|^rxIQgb.=S.)Z?CtѕgK^edeu^~+ipJc̋ʝG-DoV֤ubPZ & }XFr PŊx{Z:rMw )@sܧи3ɼM϶w& :9o??ءΤJAJ#h~gO!+g ًRқ$?5VAHCS˳ZuS(vna|o]n*b};:ݭQYJr ΜOro넿ҢAm,i]P"sC0 xYо?0h&<%su~ZJǘ~(t9,L GmX38: _Q^+$ F!= ҟ{~)8A63- :cg )5-5 !D1BIa2pa8 G63kyeAy?n1̥\~Mv͞qVx7q6n|~IIȔ&+vR'@ pRk8y>$b//vJ2֞5B ߲`E(%8 d; aDQD۽e".xJ"0qZs%H nEf;{mT'`Zz8}/%gZQ"$*B'L޶pCH>ys ELZ$ hLLK}H P_6{t?8l: PaH醝u) rw[?`q8MY#4ZkO^x(k ZՎeN+ bیk(."݆D6іvp4X_%Hִqr)F"f[2ƿn7E4A%ZeX}Wo4.Ԓ//ҨhĂWHV "`#bJwRsj^,^MM/҂;dp7Dq6ѧ^>EBc$8VsiЦ;+;v#$FNiD3n%FB!# ZY+F;L:۾xR1Aڬi00?lLaI v꧓;@fH=uQHuCNXR r34|!ĮxIO9ĖȒ> 4F/tɯ-Y˾ |E,6đzM' [@a7P5̨H9ؗ&ZzG⮊6*CDYsݞdƝ{>|P`:dl=Vyg R@ä֦}eJ|Wcqs|W͔7:vi/@0 *̻y0:vlRUFq":,l Ct| f' .:<>;sܲ}BOvf#-(P]]jdј{8es2RX.-$ɷ?.)Ml7ʎB%CR +πãE':QciP4+$hmO&$Y.(W͘ZSmNuT4qq3/k:Fz7uaCi61IŌEg}H5g׳N_Q6/@m*tV,. EF3T]<,qu̎;!"3-2zpMR\[4:^2e9ڶU,&]<(  Ò F؃C%DhHU(f^W0)c AT,G6\D-VmqOh:nZKn-C#֨zP c OKYP%]`Ho<\hnbIp+_S5?׃ Y9ErRZ #~ IB9ҟ /:t :Cj>[t|es?HS<3c/-2V[ SocRlv.|6<'e\y)|Ni<|j/CfjS qkOۅd2Sop%$ptiN9 GQէW2˼VO)K?/9D˰MH(]˧p 4,yyJ?:98?Sotj=fԲK9Վ%]2gFAaGG,t*Dj8w"zE@ViVD78 &P@`!\O۰{,@V+SoIH_o}!CYl` [kNbLhZP^j[w0E}gFVX˲Dyc]@!n@uH &ged狈ml+6:"g <1гj\*qXMlhj/Jad[Smd;.+1/J9NƟSTG_ й'/bb5۴3jw7g =r%Ugdj@14Ӫ`NY48ivxM.򨸪zKBu*7.^V VW@ﱴNE3#tNp CF3YzHv=P<Bȼ DdX ,ſ9k qo%u@VkN"eSMkA V qe3`}&gHCА W2 Kݞ]O[uAFp*0/`nj)]QeG- TB}iM\0I; +?'էr ޗwGr{T[8dhGk7vՅHk[%\ a_40 58,&N0lј#?C~nH<bN&mmbݬLjDh@R +|YN oJt##9@N͚PiiƟx V!uqoG` ]>f&,)^6Ax閶XwdO?rmz mJˡ@|]qSQ#> Xk=W+Np`aOCX64:ۄaWgmn?kzq $0YQҰ~nx `*<^?vTPnomz%ChO>||7WH,Ǟ3Ex`U=ޔ#NIVzU^\sOݬ mb ?NomDkӔeЖnN+3v/cgzOSM$*{C%xkN"VAܼ^׍R ◩YuT%PPOfJީ"^b<}Gށ}?2n 9F␥"_j%R_Zqȇ)Vce7@ ^U|9f$`VBoA[?`é v=OOenkE3}Zb{1f߬q%E|tzVid6 g/ e? "eAg}W`o({\|!b'1L"1lx.$|""hK9*L[:bF4$~1zЙ>y,{t9)!s9oh[q@zCQڦ^,tC#cN7 tav){p|[AaYoᔖLc}x>r .mlJyq1D7 rR/ A_K%yJ6&MPU\;L%Q@=)K]\Hy+yEcL`>[Rz36ܩBهL@n}Am=ړ>;['b[ HagIT/;]z}FI xPi)4#q[R ǜb H9Aj\;55MJOo@u-xG퐲֢/H{N6֖#V ,P ksn~{K1!^{|Ƚ2pj`FZE6Q"҉(N.'e[?e> h?f+ 8 26/97hM@ԥy%eU.~dJ=GeJBeUwc@(B %s㸆ä1|YBgU :(.XR.x1˳Bk;SAJ&[vh.%ƺ/*)d:LuQx?Fp=՝45lq3.~>LlU>wvGg.3R~qfL0iϑV9OBaiǕVJ)UE*:Xm9t>Nh<:zb̂xضK[x'"<2}W ƴe^P()aZzfQ}~i%Wߑ؟+iI0 w5v̳9yЃfaK]nLMv2ȣshaEv2{^O @r4 "YHj.FA6)+S,jLۈgrDwzf }VC%IJ}{rhf[ъli6։' b$ _.eL{mĜ  {Ćz?U(^5SOU=sdODĔQfgh=!v^ѱ=o^* cVNEOcS/&/1J7J2~.jxce*mOb&?q?s{({UF eT7ojkr)SUIBoA5W wp8]+p`0wRs\):& GV\5FLBozǁexw'ܨhpʃxY"|{pׁcuBŅCQovn+1H8jiRKEx 7UZ.Qiv?Ĩvwc]ʫE0nB>Xeْ\z6.6hFpt<GF7Yd +]]лeثԯ? ᅠ5A>ҳPc]ӯjfij޶2فƉf!.ì6˖d M65Y#YlK4|YnqїQ0Ƈ)p6 5J#˨VtHFRChz^h9x'\weiR(RуvMyWn!ye駊} TLc$LHe(xr}KvB2I܌6!v.ɼ}/UO*EqU Ƭ\,fZ=I0LIW,7BL?]ƭY{d*mNJO|EaBlr{XRYy eLU?fx'ݭkT*y4n`3̫QTO,#Hn^jLy s]R *! $G% %>iJuN2T#-~YOscܨa-|Aw^tǙ2K@!ҁ(d#K .<<W_+Tc%<3m4yu1ʫԎ{jVm[ei{+5<.'2(?z5Ϸ:b[;t-@jQӼM ^!݉ܲ8ٳG,| ӌ/(Kw{'nM29^)ĵ~B$0Ip.Pz"b{JGTyǁi% iyw<=OZZcM ,ṏ=N+Ǧ~=w4;*`N sGO#=T*(P, A;OWu*YEb} >$%nsmf 8"ԳG<1u*)~n^AV=/oSH(p`geʂưP`޺9)c]^oǴD??G#'j/;l;d;'`E;'<-u+(PԿe0TL@$.:1u*;/0UI&d Hq"Φ'X6 ܡ-21NX`[gg>T9T rm-5"޶-w˓JUsi"?fg !.\c?=6fQ4lòl 8*1Fۡ$)Hh󁏛c:: "غ/7soJ 'dJ H.ITR,rrVN!KQ]E;`N(ф #~pCj+sGwIk{2v߲K&p[Vs )/j+ au 1RL̀X_Ef mGn٭LEeJ<<͙ZmL1'G뛡i:~4t6M a~`;qIMN,)@9vz{8C}ۀ\8q?KtKM ];N,/ogi:Ʊ:99P-*NCW5OT2X2ur+5Ty ~!̶@r& sN:n=}VfJV`*\h1LD,' ڲE{ deJ5#gWSG7 p`M0fX)-K(qp'UVi( .v'LnP&fxGzL> Dݡ!O{Mu xXt2rYׄ{o^ƳR;*S)*:vWPo,1Yjƈ:#!-.ԁʁ A 2F3T'՝?bm qG8nת2`` qVK2ᆐ>m.8?$=sn\-,39$U;8]JNQz=fq ,?WC⁢,Z*&EOJ3N2gN|~@<օ'L[Cn4V-nc0ͳr'ag/gv3q1R6ŵzgp|G]U _u̿haWx(1(jL=|A/q,;y.G\{0Nj,TQ*+>6Basֺth ˚ sP*oΉE"[C 6m7m5]}839@~*zN˻kc2٫dQs0ia(nX8tM K Uk"_јdk,@) Cy5(LT +!\?beQ?NjYc"775h@j]X 6ϥ:}dӺJGVSpA)\ref:s}ؓ.yل =cFxvhmT M"B2ԙ;DMI‘6)Y[51Y-vṒFU;YHiX㯴M6)MX8t>MMj{a9N/ 1>q|Dn8[A~lta$JV0m0t |48TxN}Ga{~=ΏY7$1U'Gl#Yv&T*Eڦ9ya_<ԌD("ZX0ˣ ~ޚXN$Fixk'px_*ab?G LZR@ehzJmߩ1O_B¡-l fkcD`;ٷEB}GZZFJœ77=b9Ѹ਻@xL0 7H-G1Ġb +2E#0~xW`0zT@W_&?Q.SR$o!tn (fiUiKn] U`X߲og{kyPGN4$ep`&Upv+@K.}FJd^x36>O@j H+GT~{ 0Z5Of;?ɤ񭭃dad[z [BU?aSH~MWBMخˀVYM-wtnoENC줭z IYף2R3 J"y4af!DaE1%$ nA$ϙ!J58 <T3FȾUg^ 1HH DgR XPeWKn*ǚlX7;Όqu͉ϓT _| Sʤm[4 Gl6glA_d 3倿sVXN{iԭFV^yTC4z YZ