sssd-krb5-common-2.7.3-1.el8

Name: sssd-krb5-common
Version: 2.7.3
Release: 1.el8
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
Description: Provides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.
Build host: aarch64-05.mbox.centos.org
Distribution: CentOS
Vendor: CentOS
License: GPLv3+
Packager: CentOS Buildsys
Group: Applications/System
URL: https://github.com/SSSD/sssd
OS: linux
Architecture: aarch64
Source RPM: sssd-2.7.3-1.el8.src.rpm
Provides: sssd-krb5-common, sssd-krb5-common(aarch-64)

Pre-install scriptlet:
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd

File link targets:
../../../../usr/libexec/sssd/krb5_child
../../../../usr/libexec/sssd/ldap_child

File owner and group names, in header order: root root root root root root root root sssd root root root root sssd sssd root root sssd

Requires:
/bin/sh
cyrus-sasl-gssapi(aarch-64)
ld-linux-aarch64.so.1()(64bit)
ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)
libc.so.6()(64bit)
libc.so.6(GLIBC_2.17)(64bit)
libc.so.6(GLIBC_2.25)(64bit)
libc.so.6(GLIBC_2.28)(64bit)
libcom_err.so.2()(64bit)
libdhash.so.1()(64bit)
libdhash.so.1(DHASH_0.4.3)(64bit)
libjansson.so.4()(64bit)
libjansson.so.4(libjansson.so.4)(64bit)
libk5crypto.so.3()(64bit)
libkrb5.so.3()(64bit)
libkrb5.so.3(krb5_3_MIT)(64bit)
libpopt.so.0()(64bit)
libpopt.so.0(LIBPOPT_0)(64bit)
libsss_debug.so()(64bit)
libsystemd.so.0()(64bit)
libsystemd.so.0(LIBSYSTEMD_209)(64bit)
libtalloc.so.2()(64bit)
libtalloc.so.2(TALLOC_2.0.2)(64bit)
rpmlib(CompressedFileNames)
rpmlib(FileDigests)
rpmlib(PayloadFilesHavePrefix)
rpmlib(PayloadIsXz)
rtld(GNU_HASH)
shadow-utils
sssd-common

Dependency versions, in header order: 3.0.4-1, 4.6.0-1, 4.0-1, 5.2-1, 2.7.3-1.el8
Additional dependency entry: sssd 1.10.0-8.beta2
RPM version: 4.14.3

Changelog authors and versions:
- 2.7.3-1; Alexey Tikhonov - 2.7.2-1; Alexey Tikhonov - 2.7.0-2; Alexey Tikhonov - 2.6.2-3; Alexey Tikhonov - 2.6.2-2; Alexey Tikhonov - 2.6.2-1; Alexey Tikhonov - 2.6.1-2; Alexey Tikhonov - 2.6.1-1; Alexey Tikhonov - 2.5.2-2; Alexey Tikhonov - 2.5.2-1; Alexey Tikhonov - 2.5.1-2; Alexey Tikhonov - 2.5.1-1; Alexey Tikhonov - 2.5.0-1; Alexey Tikhonov - 2.4.0-8; Alexey Tikhonov - 2.4.0-7; Alexey Tikhonov - 2.4.0-6; Alexey Tikhonov - 2.4.0-5; Alexey Tikhonov - 2.4.0-4; Alexey Tikhonov - 2.4.0-3; Alexey Tikhonov - 2.4.0-2; Alexey Tikhonov - 2.4.0-1; Alexey Tikhonov -
2.3.0-9; Alexey Tikhonov - 2.3.0-8; Alexey Tikhonov - 2.3.0-7; Alexey Tikhonov - 2.3.0-6; Alexey Tikhonov - 2.3.0-5; Alexey Tikhonov - 2.3.0-4; Alexey Tikhonov - 2.3.0-3; Alexey Tikhonov - 2.3.0-2; Alexey Tikhonov - 2.3.0-1; Alexey Tikhonov - 2.2.3-19; Alexey Tikhonov - 2.2.3-19; Michal Židek - 2.2.3-18; Alexey Tikhonov - 2.2.3-17; Alexey Tikhonov - 2.2.3-16; Michal Židek - 2.2.3-15; Michal Židek - 2.2.3-14; Michal Židek - 2.2.3-13; Michal Židek - 2.2.3-12; Michal Židek - 2.2.3-11; Michal Židek - 2.2.3-10; Michal Židek - 2.2.3-9; Michal Židek - 2.2.3-8; Michal Židek - 2.2.3-7; Michal Židek - 2.2.3-6; Michal Židek - 2.2.3-5; Michal Židek - 2.2.3-4; Michal Židek - 2.2.3-3; Michal Židek - 2.2.3-2; Michal Židek - 2.2.3-1; Michal Židek - 2.2.2-1; Michal Židek - 2.2.0-19; Michal Židek - 2.2.0-18; Michal Židek - 2.2.0-17; Michal Židek - 2.2.0-16; Michal Židek - 2.2.0-15; Michal Židek - 2.2.0-14; Michal Židek - 2.2.0-13; Michal Židek - 2.2.0-12; Michal Židek - 2.2.0-11; Michal Židek - 2.2.0-10; Michal Židek - 2.2.0-9; Michal Židek - 2.2.0-8; Michal Židek - 2.2.0-7; Michal Židek - 2.2.0-6; Jakub Hrozek - 2.2.0-5; Jakub Hrozek - 2.2.0-4; Jakub Hrozek - 2.2.0-3; Jakub Hrozek - 2.2.0-2; Michal Židek - 2.2.0-1; Michal Židek - 2.1.0-1; Michal Židek - 2.0.0-45; Jakub Hrozek - 2.0.0-43; Michal Židek - 2.0.0-42; Michal Židek - 2.0.0-41; Michal Židek - 2.0.0-40; Michal Židek - 2.0.0-39; Michal Židek - 2.0.0-38; Michal Židek - 2.0.0-36; Michal Židek - 2.0.0-35; Michal Židek - 2.0.0-34; Michal Židek - 2.0.0-33; Michal Židek - 2.0.0-32; Michal Židek - 2.0.0-31; Michal Židek - 2.0.0-30; Michal Židek - 2.0.0-29; Michal Židek - 2.0.0-28; Michal Židek - 2.0.0-27; Michal Židek - 2.0.0-26; Michal Židek - 2.0.0-25; Michal Židek - 2.0.0-24; Jakub Hrozek - 2.0.0-23; Jakub Hrozek - 2.0.0-22; Jakub Hrozek - 2.0.0-21; Jakub Hrozek - 2.0.0-20; Jakub Hrozek - 2.0.0-19; Jakub Hrozek - 2.0.0-18; Jakub Hrozek - 2.0.0-17; Jakub Hrozek - 2.0.0-16; Jakub Hrozek - 2.0.0-15; Jakub Hrozek - 2.0.0-14; Jakub Hrozek - 2.0.0-13; Jakub Hrozek - 2.0.0-12; Jakub Hrozek - 2.0.0-11; Jakub Hrozek - 2.0.0-10; Jakub Hrozek - 2.0.0-9; Jakub Hrozek - 2.0.0-8; Jakub Hrozek - 2.0.0-7; Jakub
Hrozek - 2.0.0-6; Jakub Hrozek - 2.0.0-5; Jakub Hrozek - 2.0.0-4; Jakub Hrozek - 2.0.0-3; Jakub Hrozek - 2.0.0-2; Fabiano Fidêncio - 2.0.0-1; Tomas Orsava - 1.16.2-2; Fabiano Fidêncio - 1.16.2-1; Fabiano Fidêncio - 1.16.1-3; Fabiano Fidêncio - 1.16.1-2; Fabiano Fidêncio - 1.16.1-1; Lukas Slebodnik - 1.16.0-13; Fabiano Fidêncio - 1.16.0-12; Lukas Slebodnik - 1.16.0-11; Lukas Slebodnik - 1.16.0-10; Igor Gnatenko - 1.16.0-9; Lukas Slebodnik - 1.16.0-8; Lukas Slebodnik - 1.16.0-7; Björn Esser - 1.16.0-6; Lukas Slebodnik - 1.16.0-5; Lukas Slebodnik - 1.16.0-4; Jakub Hrozek - 1.16.0-3; Lukas Slebodnik - 1.16.0-2; Lukas Slebodnik - 1.16.0-1; Lukas Slebodnik - 1.15.3-5; Lukas Slebodnik - 1.15.3-4; Lukas Slebodnik - 1.15.3-3; Fedora Release Engineering - 1.15.3-2; Lukas Slebodnik - 1.15.3-1; Lukas Slebodnik - 1.15.3-0.beta.5; Lukas Slebodnik - 1.15.3-0.beta.4; Lukas Slebodnik - 1.15.3-0.beta.3; Lukas Slebodnik - 1.15.3-0.beta.2; Lukas Slebodnik - 1.15.3-0.beta.1; Lukas Slebodnik - 1.15.2-1; Lukas Slebodnik - 1.15.1-1; Jakub Hrozek - 1.15.0-4; Lukas Slebodnik - 1.15.0-3; Fedora Release Engineering - 1.15.0-2; Lukas Slebodnik - 1.15.0-1; Miro Hrončok - 1.14.2-3; Lukas Slebodnik - 1.14.2-2; Lukas Slebodnik - 1.14.2-1; Lukas Slebodnik - 1.14.1-4; Lukas Slebodnik - 1.14.1-3; Lukas Slebodnik - 1.14.1-2; Lukas Slebodnik - 1.14.1-1; Stephen Gallagher - 1.14.0-5; Fedora Release Engineering - 1.14.0-4; Lukas Slebodnik - 1.14.0-3; Lukas Slebodnik - 1.14.0-2.beta; Lukas Slebodnik - 1.14.0-1.alpha; Lukas Slebodnik - 1.13.4-3; Lukas Slebodnik - 1.13.4-2; Lukas Slebodnik - 1.13.4-1; Lukas Slebodnik - 1.13.3-6; Lukas Slebodnik - 1.13.3-5; Fedora Release Engineering - 1.13.3-4; Lukas Slebodnik - 1.13.3-3; Lukas Slebodnik - 1.13.3-2; Lukas Slebodnik - 1.13.3-1; Lukas Slebodnik - 1.13.2-1; Robert Kuska - 1.13.1-5; Lukas Slebodnik - 1.13.1-4; Lukas Slebodnik - 1.13.1-3; Lukas Slebodnik - 1.13.1-2; Lukas Slebodnik - 1.13.1-1; Lukas Slebodnik - 1.13.0-6; Lukas Slebodnik - 1.13.0-5; Lukas Slebodnik - 1.13.0-4; Lukas Slebodnik - 1.13.0-3; Lukas Slebodnik - 1.13.0-2.alpha; Lukas Slebodnik - 1.13.0-1.alpha; Fedora Release Engineering -
1.12.5-4; Lukas Slebodnik - 1.12.5-3; Lukas Slebodnik - 1.12.5-2; Lukas Slebodnik - 1.12.5-1; Lukas Slebodnik - 1.12.4-8; Lukas Slebodnik - 1.12.4-7; Lukas Slebodnik - 1.12.4-6; Lukas Slebodnik - 1.12.4-5; Jakub Hrozek - 1.12.4-4; Jakub Hrozek - 1.12.4-3; Lukas Slebodnik - 1.12.4-2; Lukas Slebodnik - 1.12.4-1; Lukas Slebodnik - 1.12.3-7; Lukas Slebodnik - 1.12.3-6; Jakub Hrozek - 1.12.3-5; Lukas Slebodnik - 1.12.3-4; Lukas Slebodnik - 1.12.3-3; Lukas Slebodnik - 1.12.3-2; Lukas Slebodnik - 1.12.3-1; Lukas Slebodnik - 1.12.2-8; Sumit Bose - 1.12.2-7; Lukas Slebodnik - 1.12.2-6; Jakub Hrozek - 1.12.2-5; Jakub Hrozek - 1.12.2-4; Jakub Hrozek - 1.12.2-3; Jakub Hrozek - 1.12.2-2; Jakub Hrozek - 1.12.2-1; Jakub Hrozek - 1.12.1-2; Jakub Hrozek - 1.12.1-1; Jakub Hrozek - 1.12.0-7; Fedora Release Engineering - 1.12.0-6; Stephen Gallagher 1.12.0-5; Jakub Hrozek - 1.12.0-1; Fedora Release Engineering - 1.12.0-4.beta2; Jakub Hrozek - 1.12.0-1.beta2; Jakub Hrozek - 1.12.0-2.beta1; Jakub Hrozek - 1.12.0-1.beta1; Jakub Hrozek - 1.11.5.1-4; Stephen Gallagher - 1.11.5.1-3; Stephen Gallagher - 1.11.5.1-2; Jakub Hrozek - 1.11.5.1-1; Stephen Gallagher 1.11.5-2; Jakub Hrozek - 1.11.5-1; Sumit Bose - 1.11.4-3; Jakub Hrozek - 1.11.4-2; Jakub Hrozek - 1.11.4-1; Jakub Hrozek - 1.11.3-2; Jakub Hrozek - 1.11.3-1; Jakub Hrozek - 1.11.2-1; Sumit Bose - 1.11.1-5; Sumit Bose - 1.11.1-4; Jakub Hrozek - 1.11.1-3; Jakub Hrozek - 1.11.1-2; Jakub Hrozek - 1.11.1-1; Jakub Hrozek - 1.11.0-3; Jakub Hrozek - 1.11.0-2; Jakub Hrozek - 1.11.0-1; Jakub Hrozek - 1.11.0-0.4.beta2; Fedora Release Engineering - 1.11.0-0.3.beta2; Jakub Hrozek - 1.11.0.2beta2; Jakub Hrozek - 1.11.0.1beta2; Jakub Hrozek - 1.10.1-1; Jakub Hrozek - 1.10.0-17; Stephen Gallagher - 1.10.0-16; Stephen Gallagher - 1.10.0-15; Stephen Gallagher - 1.10.0-14; Jakub Hrozek - 1.10.0-13; Dan Horák - 1.10.0-12.beta2; Jakub Hrozek - 1.10.0-11.beta2; Jakub Hrozek - 1.10.0-10.beta2; Jakub Hrozek - 1.10.0-9.beta2; Jakub Hrozek - 1.10.0-8.beta1; Jakub Hrozek - 1.10.0-8.beta2; Jakub Hrozek - 1.10.0-7.beta1; Jakub Hrozek - 1.10.0-6.beta1; Jakub Hrozek - 1.10.0-5.beta1; Jakub Hrozek -
1.10.0-4.beta1; Jakub Hrozek - 1.10.0-3.beta1; Jakub Hrozek - 1.10.0-2.alpha1; Jakub Hrozek - 1.10.0-1.alpha1; Jakub Hrozek - 1.9.5-10; Stephen Gallagher - 1.9.4-9; Jakub Hrozek - 1.9.4-8; Jakub Hrozek - 1.9.4-7; Jakub Hrozek - 1.9.4-6; Jakub Hrozek - 1.9.4-5; Jakub Hrozek - 1.9.4-4; Jakub Hrozek - 1.9.4-3; Jakub Hrozek - 1.9.4-2; Jakub Hrozek - 1.9.4-1; Jakub Hrozek - 1.9.3-1; Jakub Hrozek - 1.9.2-5; Jakub Hrozek - 1.9.2-4; Jakub Hrozek - 1.9.2-3; Jakub Hrozek - 1.9.2-2; Jakub Hrozek - 1.9.2-1; Jakub Hrozek - 1.9.1-1; Jakub Hrozek - 1.9.0-24; Jakub Hrozek - 1.9.0-24; Jakub Hrozek - 1.9.0-23; Jakub Hrozek - 1.9.0-22.rc1; Jakub Hrozek - 1.9.0-21.beta7; Jakub Hrozek - 1.9.0-20.beta6; Jakub Hrozek - 1.9.0-19.beta6; Jakub Hrozek - 1.9.0-18.beta6; Jakub Hrozek - 1.9.0-17.beta6; Jakub Hrozek - 1.9.0-16.beta6; Jakub Hrozek - 1.9.0-14.beta6; Jakub Hrozek - 1.9.0-13.beta6; Fedora Release Engineering - 1.9.0-13.beta5; Jakub Hrozek - 1.9.0-12.beta5; Stephen Gallagher - 1.9.0-11.beta4; Jakub Hrozek - 1.9.0-10.beta4; Jakub Hrozek - 1.9.0-9.beta4; Stephen Gallagher - 1.9.0-8.beta3; Stephen Gallagher - 1.9.0-7.beta2; Stephen Gallagher - 1.9.0-6.beta2; Stephen Gallagher - 1.9.0-5.beta2; Stephen Gallagher - 1.9.0-4.beta1; Stephen Gallagher - 1.9.0-3.beta1; Stephen Gallagher - 1.9.0-2.beta1; Stephen Gallagher - 1.9.0-1.beta1; Stephen Gallagher - 1.8.3-11; Stephen Gallagher - 1.8.2-10; Stephen Gallagher - 1.8.1-9; Stephen Gallagher - 1.8.1-8; Stephen Gallagher - 1.8.1-7; Stephen Gallagher - 1.8.0-6; Stephen Gallagher - 1.8.0-5.beta3; Stephen Gallagher - 1.8.0-4.beta3; Petr Pisar - 1.8.0-3.beta2; Stephen Gallagher - 1.8.0-1.beta2; Stephen Gallagher - 1.8.0-1.beta1; Stephen Gallagher - 1.7.0-5; Stephen Gallagher - 1.7.0-4; Stephen Gallagher - 1.7.0-3; Fedora Release Engineering - 1.7.0-2; Stephen Gallagher - 1.7.0-1; Stephen Gallagher - 1.6.4-1; Stephen Gallagher - 1.6.3-5; Stephen Gallagher - 1.6.3-4; Jakub Hrozek - 1.6.3-3; Stephen Gallagher - 1.6.3-2; Stephen Gallagher - 1.6.3-1; Fedora Release Engineering - 1.6.2-5; Stephen Gallagher - 1.6.2-4; Stephen Gallagher - 1.6.2-3; Stephen Gallagher - 1.6.2-2; Stephen Gallagher -
1.6.2-1; Stephen Gallagher - 1.6.1-1; Stephen Gallagher - 1.6.0-2; Stephen Gallagher - 1.6.0-1; Stephen Gallagher - 1.5.11-2; Stephen Gallagher - 1.5.10-1; Stephen Gallagher - 1.5.9-1; Stephen Gallagher - 1.5.8-1; Stephen Gallagher - 1.5.7-3; Stephen Gallagher - 1.5.7-2; Stephen Gallagher - 1.5.7-1; Stephen Gallagher - 1.5.6.1-1; Stephen Gallagher - 1.5.6-1; Stephen Gallagher - 1.5.5-5; Stephen Gallagher - 1.5.5-4; Stephen Gallagher - 1.5.5-3; Stephen Gallagher - 1.5.5-2; Stephen Gallagher - 1.5.5-1; Stephen Gallagher - 1.5.4-1; Stephen Gallagher - 1.5.3-2; Stephen Gallagher - 1.5.3-1; Stephen Gallagher - 1.5.2-1; Simo Sorce - 1.5.1-9; Stephen Gallagher - 1.5.1-8; Stephen Gallagher - 1.5.1-7; Stephen Gallagher - 1.5.1-6; Stephen Gallagher - 1.5.1-5; Fedora Release Engineering - 1.5.1-4; Stephen Gallagher - 1.5.1-3; Stephen Gallagher - 1.5.1-2; Stephen Gallagher - 1.5.1-1; Stephen Gallagher - 1.5.0-2; Stephen Gallagher - 1.5.0-1; Stephen Gallagher - 1.4.1-3; Stephen Gallagher - 1.4.1-2; Stephen Gallagher - 1.4.1-1; Stephen Gallagher - 1.4.0-2; Stephen Gallagher - 1.4.0-1; Stephen Gallagher - 1.3.0-35; Stephen Gallagher - 1.3.0-34; Stephen Gallagher - 1.3.0-33; Stephen Gallagher - 1.3.0-32; Stephen Gallagher - 1.3.0-31; Stephen Gallagher - 1.3.0-30; David Malcolm - 1.2.91-21; Stephen Gallagher - 1.2.91-20; Stephen Gallagher - 1.2.1-15; Stephen Gallagher - 1.2.0-12; Stephen Gallagher - 1.1.92-11; Stephen Gallagher - 1.1.91-10; Simo Sorce - 1.1.1-3; Stephen Gallagher - 1.1.1-1; Stephen Gallagher - 1.1.0-2; Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19; Stephen Gallagehr - 1.0.5-2; Stephen Gallagher - 1.0.5-1; Stephen Gallagher - 1.0.4-1; Stephen Gallagher - 1.0.3-1; Stephen Gallagher - 1.0.2-1; Stephen Gallagher - 1.0.1-1; Stephen Gallagher - 1.0.0-2; Stephen Gallagher - 1.0.0-1; Stephen Gallagher - 0.99.1-1; Stephen Gallagher - 0.99.0-1; Stephen Gallagher - 0.7.1-1; Stephen Gallagher - 0.7.0-2; Stephen Gallagher - 0.7.0-1; Stephen Gallagher - 0.6.1-2; Stephen Gallagher - 0.6.1-1; Stephen Gallagher - 0.6.0-1; Sumit Bose - 0.6.0-0; Simo Sorce - 0.5.0-0; Jakub Hrozek - 0.4.1-4; Fedora Release Engineering -
0.4.1-3; Simo Sorce - 0.4.1-2; Simo Sorce - 0.4.1-1; Simo Sorce - 0.4.1-0; Simo Sorce - 0.3.2-2; Jakub Hrozek - 0.3.2-1; Simo Sorce - 0.3.1-2; Simo Sorce - 0.3.1-1; Simo Sorce - 0.3.0-2; Simo Sorce - 0.3.0-1; Simo Sorce - 0.2.1-1; Simo Sorce - 0.2.0-1; Jakub Hrozek - 0.1.0-5.20090309git691c9b3; Jakub Hrozek - 0.1.0-4; Sumit Bose - 0.1.0-3; Jakub Hrozek - 0.1.0-2; Stephen Gallagher - 0.1.0-1

Changelog text:

- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
- Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization

- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
- Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
- Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
- Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6
- Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf
- Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP
- Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect
- Resolves: rhbz#2098617 - Harden kerberos ticket validation
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol

- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7
- Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
- Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
- Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
- Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname()
- Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd
- Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
- Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send
- Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker
- Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol
- Resolves: rhbz#2087745 - 2FA prompting setting ineffective
- Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language

- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization

- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)

- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
- Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization

- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release

- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
- Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
- Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
- Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
- Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
- Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
- Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
- Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
- Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
- Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
- Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
- Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
- Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing

- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization

- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
- Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU
- Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber`
- Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling
- Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address
- Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group
- Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade

- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken
- Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)

- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
- Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory
- Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file
- Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout
- Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests
- Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
- Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found
- Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group
- Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable
- Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory.
- Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf

- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5
- Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11
- Resolves: rhbz#1942387 - Wrong default debug level of sssd tools
- Resolves: rhbz#1945888 - Inconsistant debug level for connection logging
- Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets
- Resolves: rhbz#1949149 - [RFE] Poor man's backtrace
- Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR
- Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail.
- Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs
- Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path
- Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm
- Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries
- Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection
- Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries
- Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries
- Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains.
- Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable
- Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used
- Resolves: rhbz#1703436 - sssd not thread-safe in innetgr()
- Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen
- Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page
- Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page
- Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp
- Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3)
- Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7
- Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login
- Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive

- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss
- Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0.
- Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)

- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules
- Resolves: rhbz#1918433 - sssd unable to lookup certmap rules
- Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11

- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched
- Resolves: rhbz#1915395 - Memory leak in the simple access provider
- Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup
- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)

- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value
- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches)
- Resolves: rhbz#1893159 - Default debug level should report all errors / failures
- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication

- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
- Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8]
- Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently

- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr()
- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process
- Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal
- Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior

- This is to bump version to allow rebuild against rebased libldb.

- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4
- Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI
- Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search()
- Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording
- Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x
- Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD.
- Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process
- Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL
- Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase)
- Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page
- Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals"
- Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains
- Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file
- Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes
- Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level
- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff
- Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command
- Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate

- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied

- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working
- Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema
- Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf
- Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1

- Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.
- Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter

- Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization

- Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache
- Fixed "requires/provides" rpmdiff warning

- Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication
- Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider
- Resolves: rhbz#1803134 - Improve "unlock" time when user session already active

- Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package
- Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP
- Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache
- Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered
- Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" on GDM login with smart-card
- Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat
- Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network.
- Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management
- Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information
- Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration.
- Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card
- Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False
- Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma
- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.
- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3
- Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure
- Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working
- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate (additional patch)
- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user information
- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate
- Resolves: rhbz#1718193 - p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly
- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is omitted and auth_provider is krb5
- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization
- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be specified up to the seconds
- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools
* Resolves: rhbz#1794016 - sssd_be frequent crash
* Resolves: rhbz#1762415 - Force LDAPS over 636 with AD Access Provider
* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap connection timeout
* Resolves: rhbz#1783190 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_autofs killed by 6
* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect
* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect
* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character for match rules sss-certmap
* Resolves: rhbz#1781728 - sssctl config-check command does not give proper error messages with line numbers
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release Increasing version number to pick latest libldb
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release PART2: Fix gating issue.
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release
- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid new ones (kcm)
- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8
- Also sync. kcm multihost tests with master
- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome keyring
- Also apply a patch to fix gating tests issue
- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get the IP address of the machine updated in IPA upon sssd.service startup
- Resolves: rhbz#1736265 - Smart Card auth of local user: endless loop if wrong PIN was provided
- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" should not cause files domain entries to be qualified, this can break sudo access
- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8
- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets
- Resolves: rhbz#1733372 - permission denied on logs when running sssd as non-root user
- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing the trailing colon
- Resolves: rhbz#1382750 - Conflicting default timeout values
- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder repository
- This just required a raise in release number and changelog for the record.
- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is not FIPS140 compliant
- Resolves: rhbz#1726945 - negative cache does not use values from 'filter_users' config option for known domains
- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo
- Resolves: rhbz#1283798 - sssd failover does not work on connecting to non-responsive ldaps:// server
- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with no members
- Resolves: rhbz#1673443 - sssd man pages: The default value of "ldap_user_home_directory" is not mentioned with AD server configuration
- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release
- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release
- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is done here in order to unblock gating changes before rebase.
- Related: rhbz#1682305
- Resolves: rhbz#1672780 - gdm login not prompting for username when smart card maps to multiple users
- Resolves: rhbz#1645291 - Perform some basic ccache initialization as part of gen_new to avoid a subsequent switch call failure
- Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong subdomain service name being used
- Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error.UnknownProperty: Unknown property
- Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than 1.x, this can result in time outs
- Resolves: rhbz#1578014 - sssd does not work under non-root user
- Note: Actually the patches were in the 2.0.0-37, this one just adds this changelog because it was missing.
- Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss suggests using * for backend sss
- Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist
- Resolves: rhbz#1622008 - Error message when IPA server uninstall calls kdestroy caused by KCM returning a wrong error code during the delete operation
- Resolves: rhbz#1646113 - Missing concise documentation about valid options for sssd-files-provider
- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing
- Resolves: 1658813 - PKINIT with KCM does not work
- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust
- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/proxy_child killed by 6
- Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories
- Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI
- Resolves: rhbz#1657980 - sssd_nss memory leak
- Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly for D-bus, resulting in a crash
- Resolves: rhbz#1646168 - sssctl access-report always prints an error message
- Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the configuration without having to restart the whole sssd
- Resolves: rhbz#1640576 - sssctl reports incorrect information about local user's cache entry expiration time
- Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user
- Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys
- Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui with smart card
- Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA
- Related: rhbz#1638150 - session not recording for local user when groups defined
- Also add silence a Coverity warning, which is related to rhbz#1637131
- Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules
- Add OCSP checks for p11_child
- Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local users
- Related: rhbz#1638006 - Files: The files provider always enumerates which causes duplicate when running getent passwd
- Related: rhbz#1637131 - pam_unix unable to match fully qualified username provided by sssd during smartcard auth using gdm
- Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a PKCS#11 URI
- Related: rhbz#1611011 - Support for "require smartcard for login option"
- Related: rhbz#1635595 - Can't login with smartcard with multiple certs
- Backport more sbus2 fixes
- Related: rhbz#1623878 - crash related to sbus_router_destructor()
- Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD
- Resolves: rhbz#1628122 - Printing incorrect information about domain with sssctl utility
- Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not started due to a misconfiguration
- Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated
- Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_be killed by 11 crash func _dbus_list_unlink
- Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it differs from the default
- Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup
- Resolves: rhbz#1615590 - Do not rely on "python" for el8
- Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local users
- Resolves: rhbz#1623878 - crash related to sbus_router_destructor()
- Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication fails with the KCM ccache
- Resolves: rhbz#1615460 - Rebase SSSD to the latest released version
- Switch hardcoded python3 shebangs into the %{__python3} macro
- Update to 1.16.2 release
- Cleanup unused global definitions
- Remove python2 references from the spec file
- Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x
- Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change
- Resolves: upstream#3558 - sudo: report error when two rules share cn
- Tone down shutdown messages for socket activated responders
- IPA: Qualify the externalUser sudo attribute
- Resolves: upstream#3550 - refresh_expired_interval does not work with netgroups in 1.15
- Resolves: upstream#3402 - Support alternative sources for the files provider
- Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option
- Resolves: upstream#3679 - Make nss netgroup requests more robust
- Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not configured
- Resolves: upstream#3469 - extend sss-certmap man page regarding priority processing
- Improve docs/debug message about GC detection
- Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound?
- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is set.
- Document which principal does the AD provider use
- Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs
- Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM
- Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
- Resolves: upstream#3660 - confdb_expand_app_domains() always fails
- Resolves: upstream#3658 - Application domain is not interpreted correctly
- Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to json_loads()
- Resolves: upstream#3386 - KCM: Payload buffer is too small
- Resolves: upstream#3666 - Fix usage of str.decode() in our tests
- A few KCM misc fixes
- New upstream release 1.16.1
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html
- Resolves: upstream#3621 - backport bug found by static analyzers
- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set
- Resolves: upstream#3621 - FleetCommander integration must not require capability DAC_OVERRIDE
- Resolves: upstream#3618 - selinux_child segfaults in a docker container
- Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl
- Fix systemd executions/requirements
- Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS
- Fix building of sssd-nfs-idmap with libnfsidmap.so.1
- Rebuilt for libnfsidmap.so.1
- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
- Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps
- Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530
- Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds
- Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD
- Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed
- Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system
- Backport few upstream features from 1.16.1
- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next
- Backport extended NSS API from upstream master branch
- Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade
- New upstream release 1.16.0
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html
- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database access on the sock_file system_bus_socket
- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access on the sock_file system_bus_socket
- Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and fails to download desktop profile data
- Resolves: upstream#3485 - getsidbyid does not work with 1.15.3
- Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server
- Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping is applied
- Backport few upstream patches/fixes
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
- New upstream release 1.15.3
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html
- Rebuild with libldb-1.2.0
- Fix build issues: Update expired certificate in unit tests
- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication
- Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64
- Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
- Fix issue with IPA + SELinux in containers
- Resolves: upstream https://fedorahosted.org/sssd/ticket/3297
- Backport upstream patches for 1.15.3 pre-release
- required for building freeipa-4.5.x in rawhide
- New upstream release 1.15.2
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html
- New upstream release 1.15.1
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html
- Cherry-pick patches from upstream that enable the files provider
- Enable the files domain
- Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch which is superseded by the files domain autoconfiguration
- Related: rhbz#1357418 - SSSD fast cache for local users
- Add missing %license macro
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
- New upstream release 1.15.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0
- Rebuild for Python 3.6
- Resolves: rhbz#1369130 - nss_sss should not link against libpthread
- Resolves: rhbz#1392916 - sssd fails to start after update
- Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses on the directory /etc/sssd
- New upstream release 1.14.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2
- libwbclient-sssd: update interface to version 0.13
- Fix regression with krb5_map_user
- Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore
- Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: default if nonexistent domain is mentioned
- Backport important patches from upstream 1.14.2 prerelease
- Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot
- Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14
- New upstream release 1.14.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1
- Add workaround patch for RHBZ #1366403
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
- New upstream release 1.14.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0
- New upstream release 1.14 beta
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta
- New upstream release 1.14 alpha
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha
- Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): sssd_ifp killed by SIGSEGV
- Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6
- New upstream release 1.13.4
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4
- Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token)
- Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed by remote host" if locale not available
- Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid
- Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
- Additional upstream fixes
- Resolves: rhbz#1256849 - SUDO: Support the IPA schema
- New upstream release 1.13.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3
- New upstream release 1.13.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2
- Rebuilt for Python3.5 rebuild
- Fix building pac responder with the krb5-1.14
- python-sssdconfig: Fix parsing sssd.conf without config_file_version
- Resolves: upstream #2837 - REGRESSION: ipa-client-automount failed
- Fix few segfaults
- Resolves: upstream #2811 - PAM responder crashed if user was not set
- Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
- New upstream release 1.13.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1
- Fix OTP bug
- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were entered separately
- Backport upstream patches required by FreeIPA 4.2.1
- Fix ipa-migration bug
- Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled migration mode
- New upstream release 1.13.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0
- Unify return type of list_active_domains for python{2,3}
- New upstream release 1.13 alpha
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
- Fix libwbclient alternatives
- Backport important patches from upstream 1.13 prerelease
- New upstream release 1.12.5
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5
- Backport important patches from upstream 1.13 prerelease
- Resolves: rhbz#1060325 - Does sssd-ad use the most suitable attribute for group name
- Resolves: upstream #2335 - Investigate using the krb5 responder for driving the PAM conversation with OTPs
- Enable cmocka tests for secondary architectures
- Backport patches from upstream 1.12.5 prerelease
- contains many fixes
- Fix slow login with ipa and SELinux
- Resolves: upstream #2624 - Only set the selinux context if the context differs from the local one
- Fix regressions with ipa and SELinux
- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security context on client is staff_u
- Also relax libldb Requires
- Remove --enable-ldb-version-check
- Relax libldb BuildRequires to be greater-or-equal
- Add support for python3 bindings
- Add requirement to python3 or python3 bindings
- Resolves: rhbz#1014594 - sssd: Support Python 3
- New upstream release 1.12.4
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4
- Backport patches with Python3 support from upstream
- Fix double free in monitor
- Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT
- Rebuild for new libldb
- Decrease priority of sssd-libwbclient 20 -> 5
- It should be lower than priority of samba version of libwbclient.
- https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18
- Apply a number of patches from upstream to fix issues found 1.12.3
- Resolves: rhbz#1176373 - dyndns_iface does not accept multiple interfaces, or isn't documented to be able to
- Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is not running
- Resolves: upstream #2557 authentication failure with user from AD
- Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus
- Resolves: rhbz#1179379 - gzip: stdin: file size changed while zipping when rotating logfile
- New upstream release 1.12.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3
- Fix spelling errors in description (fedpkg lint)
- Rebuild for libldb 1.1.19
- Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo
- in addition to the patch libwbclient.so is filtered out of the Provides list of the package
- Fix regressions and bugs in sssd upstream 1.12.2
- https://fedorahosted.org/sssd/ticket/{id}
- Regressions: #2471, #2475, #2483, #2487, #2529, #2535
- Bugs: #2287, #2445
- Rebuild for libldb 1.1.18
- Fix typo in libwbclient-devel %preun
- Use alternatives for libwbclient
- Backport several patches from upstream.
- Fix a potential crash against old (pre-4.0) IPA servers
- New upstream release 1.12.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2
- Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user private group from server
- New upstream release 1.12.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1
- Do not crash on resolving a group SID in IPA server mode
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
- Fix release version for upgrades
- New upstream release 1.12.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
- New upstream release 1.12 beta2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2
- Fix tests on big-endian
- Fix previous changelog entry
- New upstream release 1.12 beta1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1
- Rebuild against new ding-libs
- Make LDB dependency a strict equivalency
- Rebuild against new libldb
- New upstream release 1.11.5.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1
- Fix bug in generation of systemd unit file
- New upstream release 1.11.5
- Remove upstreamed patch
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5
- Handle new error code for IPA password migration
- Include couple of patches from upstream 1.11 branch
- New upstream release 1.11.4
- Remove upstreamed patch
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4
- Handle OTP response from FreeIPA server gracefully
- New upstream release 1.11.3
- Remove upstreamed patches
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3
- New upstream release 1.11.2
- Remove upstreamed patches
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2
- Fix potential crash with external groups in trusted IPA-AD setup
- Add plugin for cifs-utils
- Resolves: rhbz#998544
- Fix failover from Global Catalog to LDAP in case GC is not available
- Remove the ability to create public ccachedir (#1015089)
- New upstream release 1.11.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1
- Fix multicast checks in the SSSD
- Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source code getting the host info
- Backport simplification of ccache management from 1.11.1
- Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login
- New upstream release 1.11.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0
- Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: Process /usr/libexec/sssd/sssd_nss was killed by signal 11 (SIGSEGV)
- Resolves: #996214 - sssd proxy_child segfault
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries
- New upstream release 1.11 beta 2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2
- New upstream release 1.10.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1
- sssd-tools should require sssd-common, not sssd
- Move sssd_pac to the sssd-ipa and sssd-ad subpackages
- Trim out RHEL5-specific macros since we don't build on RHEL 5
- Trim out macros for Fedora older than F18
- Update libldb requirement to 1.1.16
- Trim RPM changelog down to the last year
- Move sssd_pac to the sssd-krb5 subpackage
- Fix Obsoletes: to account for dist tag
- Convert post and pre scripts to run on the sssd-common subpackage
- Remove old conversion from SYSV
- New upstream release 1.10
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0
- the cmocka toolkit exists only on selected arches
- Apply a number of patches from upstream to fix issues found post-beta, in particular:
  -- segfault with a high DEBUG level
  -- Fix IPA password migration (upstream #1873)
  -- Fix fail over when retrying SRV resolution (upstream #1886)
- Only BuildRequire libcmocka on Fedora
- Fix typo in Requires that prevented an upgrade (#973916)
- Use a hardcoded version in Conflicts, not less-than-current
- Enable hardened build for RHEL7
- New upstream release 1.10 beta2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2
- BuildRequire libcmocka-devel in order to run all upstream tests during build
- BuildRequire libnl3 instead of libnl1
- No longer BuildRequire initscripts, we no longer use /sbin/service
- Remove explicit krb5-libs >= 1.10 requires; this platform doesn't carry any older krb5-libs version
- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join
- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider
- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in
- BuildRequire recent libini_config to ensure consistent behaviour
- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs
- Fix SSH integration with fully-qualified domains
- Add the ability to dynamically discover the NetBIOS name
- New upstream release 1.10 beta1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1
- Add a patch to fix krb5 ccache creation issue with krb5 1.11
- New upstream release 1.10 alpha1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1
- Add a patch to fix krb5 unit tests
- Split internal helper libraries into a shared object
- Significantly reduce disk-space usage
- Fix the Kerberos password expiration warning (#912223)
- Do not write out dots in the domain-realm mapping file (#905650)
- Include upstream patch to build with krb5-1.11
- Rebuild against new libldb
- Fix build with new automake versions
- Recreate Kerberos ccache directory if it's missing
- Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist
- Fix changelog dates to make F19 rpmbuild happy
- New upstream release 1.9.4
- New upstream release 1.9.3
- Resolve groups from AD correctly
- Check the validity of naming context
- Move the sss_cache tool to the main package
- Include the 1.9.2 tarball
- New upstream release 1.9.2
- New upstream release 1.9.1
- require the latest libldb
- Use mcpath instead of mcachepath macro to be consistent with upstream spec file
- New upstream release 1.9.0
- New upstream release 1.9.0 rc1
- New upstream release 1.9.0 beta7
- obsoletes patches #1-#3
- Rebuild against libldb 1.12
- Rebuild against libldb 1.11
- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly
- Resolves: rhbz#851304
- Rebuild against libldb 1.10
- Only create the SELinux login file if there are SELinux mappings on the IPA server
- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)
- New upstream release 1.9.0 beta 6
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6
- A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value.
- Fixes for the support for setting default SELinux user context from FreeIPA.
- Fixed a regression introduced in beta 5 that broke LDAP SASL binds
- The SSSD supports the concept of a Primary Server and a Back Up Server in failover
- A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine
- SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server.
- Packaging changes to fix ldconfig usage in subpackages (#843995)
- Rebuild against libldb 1.1.9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
- New upstream release 1.9.0 beta 5
- Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5
- Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation
- Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation
- The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds
- Fix broken ARM build
- Add missing DP_OPTION_TERMINATOR in AD provider options
- Own several directories created during make install (#839782)
- New upstream release 1.9.0 beta 4
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4
- Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers
- SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules
- The IPA authentication provider now supports subdomains
- Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.
- New upstream release 1.9.0 beta 3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3
- Add a new PAC responder for dealing with cross-realm Kerberos trusts
- Terminate idle connections to the NSS and PAM responders
- Switch unicode library from libunistring to Glib
- Drop unnecessary explicit Requires on keyutils
- Guarantee that versioned Requires include the correct architecture
- Fix accidental disabling of the DIR cache support
- New upstream release 1.9.0 beta 2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2
- Add support for the Kerberos DIR cache for storing multiple TGTs automatically
- Major performance enhancement when storing large groups in the cache
- Major performance enhancement when performing initgroups() against Active Directory
- SSSDConfig data file default locations can now be set during configure for easier packaging
- Fix regression in endianness patch
- Rebuild SSSD against ding-libs 0.3.0beta1
- Fix endianness bug in service map protocol
- Fix several regressions since 1.5.x
- Ensure that the RPM creates the /var/lib/sss/mc directory
- Add support for Netscape password warning expiration control
- Rebuild against libldb 1.1.6
- New upstream release 1.9.0 beta 1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1
- Add native support for autofs to the IPA provider
- Support for ID-mapping when connecting to Active Directory
- Support for handling very large (> 1500 users) groups in Active Directory
- Support for sub-domains (will be used for dealing with trust relationships)
- Add a new fast in-memory cache to speed up lookups of cached data on repeated requests
- New upstream release 1.8.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3
- Numerous manpage and translation updates
- LDAP: Handle situations where the RootDSE isn't available anonymously
- LDAP: Fix regression for users using non-standard LDAP attributes for user information
- New upstream release 1.8.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2
- Several fixes to case-insensitive domain functions
- Fix for GSSAPI binds when the keytab contains unrelated principals
- Fixed several segfaults
- Workarounds added for LDAP servers with unreadable RootDSE
- SSH knownhostproxy will no longer enter an infinite loop preventing login
- The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown
- Assorted minor fixes for issues discovered by static analysis tools
- Don't duplicate libsss_autofs.so in two packages
- Set explicit package contents instead of globbing
- Fix uninitialized value bug causing crashes throughout the code
- Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup
- New upstream release 1.8.1
- Resolve issue where we could enter an infinite loop trying to connect to an auth server
- Fix serious issue with complex (3+ levels) nested groups
- Fix netgroup support for case-insensitivity and aliases
- Fix serious issue with lookup bundling resulting in requests never completing
- IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate
- Fix several regressions in the proxy provider
- Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD
- Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work
- New upstream release 1.8.0
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)
- Include the IPA AutoFS provider
- Fixed several memory-corruption bugs
- Fixed a regression in group enumeration since 1.7.0
- Fixed a regression in the proxy provider
- Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD
- Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login
- Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV)
- Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc
- Change default kerberos credential cache location to /run/user/
- New upstream release 1.8.0 beta 3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3
- Fixed a regression in group enumeration since 1.7.0
- Fixed several memory-corruption bugs
- Finalized the ABI for the autofs support
- Fixed a regression in the proxy provider
- Rebuild against PCRE 8.30
- New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2
- Fix two minor manpage bugs
- Include the IPA AutoFS provider
- New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well
- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
- New upstream release 1.7.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0
- Support for case-insensitive domains
- Support for multiple search bases in the LDAP provider
- Support for the native FreeIPA netgroup implementation
- Reliability improvements to the process monitor
- New DEBUG facility with more consistent log levels
- New tool to change debug log levels without restarting SSSD
- SSSD will now disconnect from LDAP server when idle
- FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains
- Assorted performance improvements in the LDAP provider
- New upstream release 1.6.4
- Rolls up previous patches applied to the 1.6.3 tarball
- Fixes a rare issue causing crashes in the failover logic
- Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.
- Rebuild against libldb 1.1.4
- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam()
- Resolves: rhbz#758425 - LDAP failover not working if server refuses connections
- Rebuild for libldb 1.1.3
- Resolves: rhbz#752495 - Crash when apply settings
- New upstream release 1.6.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3
- Fixes a major cache performance issue introduced in 1.6.2
- Fixes a potential infinite-loop with certain LDAP layouts
- Rebuilt for glibc bug#747377
- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.
- Add explicit requirement on selinux-policy version to address new SBUS symlinks.
- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.
- Improved handling of users and groups with multi-valued name attributes (aliases)
- Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing
- Improved process-hang detection and restarting
- Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - 
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. 
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. 
- Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. 
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system 
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that 
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)

- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

- Fix a couple of segfaults that may happen on reload

- add missing configure check that broke stopping the daemon
- also fix default config to add a missing required option

- latest upstream release.
- also add a patch that fixes debugging output (potential segfault)

- release out of the official 0.3.2 tarball

- bugfix release 0.3.2
- includes previous release patches
- change permissions of the /etc/sssd/sssd.conf to 0600

- Add last minute bug fixes, found in testing the package

- Version 0.3.1
- includes previous release patches

- Try to fix build adding automake as an explicit BuildRequire
- Add also a couple of last minute patches from upstream

- Version 0.3.0
- Provides file based configuration and lots of improvements

- Version 0.2.1

- Version 0.2.0

- package git snapshot

- fixed items found during review
- added initscript

- added sss_client

- Small cleanup and fixes in the spec file

- Initial release (based on version 0.1.0 upstream code)

/bin/sh
2.7.3-1.el8
2.7.3-1.el8

.build-id
32739446b82d16d8561b6df070e92dd0727f5f3870ca24d5ee22cf4ac4aea16ce38a592862b9bd
krb5_child
ldap_child
sssd-krb5-common
COPYING
krb5.include.d

/usr/lib/
/usr/lib/.build-id/32/
/usr/lib/.build-id/
/usr/lib/.build-id/38/
/usr/libexec/sssd/
/usr/share/licenses/
/usr/share/licenses/sssd-krb5-common/
/var/lib/sss/pubconf/

-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protection

cpio
xz
2
aarch64-redhat-linux-gnu

directory
setuid ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=3232739446b82d16d8561b6df070e92dd0727f5f, stripped
setuid ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=3870ca24d5ee22cf4ac4aea16ce38a592862b9bd, stripped
ASCII text

utf-8
de7077b187f7f2a2076f67f7f32a72b9db56d03c2f73b6ec3932d5bb25f92468
ÿZQ2x&%!i=l"$5ae0Qri31hSϳ4d.RPsF&ǽ] {I_hwf:ƅ .c03L6q,4}kM i} Wu7Xk+Wվ@v<@N _Rs3xpjQc4w6+!q2Vj-AYNhS$38Г4}VpɌU o%v6Yˆ&O{E]uhwm0jX: ,N]k`* (h ]` g+a9'3\Al=[+ ߃"r"gI8H5%S&~ [p XXhe@,6F<954M»OZ2@w+PBտFX0Jw$.o39ƉMQ;vU"ՁU Lm Q~x߬Q @X޽"0 T!ض\_h)!{Xo8~jf׶04&sNc(آs< X>Di]e7H*`=ʿ-e1] _xxҮuf[4uD6I`B#S#͡ZUq[eӸ;_yeߝ˂ֺk+K- FR^:3]4l^^gg3 R(Iwh#FOXAAJ R1 5:tsh^8ʩ^rUt6q*{g>*詍xȊF瓅z϶!pjiyfjm$aHENA=} cѹػOʧBZs9ii2.wX6t*}J/ۼ"u%Ѩp{mB\_ yyZ]K|7:Ž0MXȿa'j.|q>)nNyݒB; ń!x1#ߘl4t쓛E~{Ŝl{xmsbM{&l$d:}/{L9ܠ0b[{kch8AXxubNф43k}8gsݫ9v HGGRΞ/RvR;ҹ/ *^AUccG3'[} wbx%x,)V4<[E+s썸lZ+c%:]\OQ"I453H]kEOQh/uzCx$m(HXZq0Q^u2KJn/e 硪{ [0ŤЭ!"aH@p z`T!1T8_6-X:w^V%0WvHs0!QueV3. 8?=D·NI%TwQ% x $l1ǟ|Rl^@fud[t p-+MdŶ|p]##t͛*~.#pnda--(eIdM" C;Pjh VE8Es)￿TT:q߇NEKWWOxӀ?4q^[܅EMP$\WekAA)gd⑿.&K (RGwr==l\ fӓo*^y/ဍ15|-UL(^HXוڰQ Pq :V="ZA$(BZ iq=9qnx^R3=֥3d4~I:Zg4P7dԶhIjpvsa0+MyH+ c - /z&J0Wo߳RM ̝p8m!*Tn樒/owٱ f@Hv|l0{ x?./*g7EӁ*+ښjeҢ[EsfWuu{9WVuGQTe@ŠVaZd^l+0WV ;`WI7F UD&lAaic5af֣ sTC!*M^Aqvkx.Sp.iiub紳ŷҀCZP-uRM<)ŭ7oR kɧBu3VGy9.țR{!FT_ 8%/*z/6lrsM!ǺM2)KHc9+{֩SyTvoOcR;sa[ L?~PPM'c ̯Xر1. J &nR,_&R^l|1I P'EP=u؊I#b>Y/ wA(6Zڤ8W(U]hI|rjvjig(.(RE8Ey)W@}.pSE9OI4p"b7E$*'C-G3<tBul|(ysrk .%g2dK 'D)YnV!缛MwNϙ]"l+b,Enj|RHjtoB}^oZpϯ7[u=ȝ^U,(c:u$MDU>~Ǎ%!"s^2av(' l@QRkKZ2V_ci2Rq_ޒ%`!UR=tQ:oW&2]-ELeq({UJCo/R>FԠe]e7b Z[5@wg+88!|eʦ6;ۚz2sP[uy=\ŖѹĎ`,ײaCU0e r"t]EvK#M0628n//7sIgҎiSOeֵÙe3uE˛B߆#z'Q:edO Bn)QxÑd=SO)Mo"?ͩPh) "lMj\yݡ88A$Kg514I-HV)z޳.mtx! wmL#R>Ǫes,e?DDNZyF)r;IQ@JPAݸJ2`rk%?uy\S #;~fB8|r^>1;0+[)$4N r0 WhPQ] gnDM3WIqCC=ןyDW"9H !Z|Ha5^N\ RyS"" =]&gev)S%X#egO>1NT5}t4MXv ^?HۖJ2S?|ʽ,qT(]7qJ%郬-HdZ6 "0YcVZ 4lʁuы ÃE&]},D^=fF{D pUQAlvcZ# `R* QxyGBuXx8"EDhN2s\Z>@d cCdakI7~. 
gJAECҊG(WS "<_rMR'A-oT&8-6Er@Kbw)a䒴~<$i}RkRK!TN5NLyl*ضWZ _ޡR7S9l <$uYg?pgn\4a 1 XBn`]qpPSw:2:jTjOP7\7 Cg(?̸޹Ɏ-# é0P&ia/7$50tWH%9%r"h B؁,cS*1).ҁ Vm[t7о{*kIK\STI$Lpư;#лlՋQ UC<(hP6[!^dNI=B7.hҎ* SODagM./ޫh}D_jǮz!2:.?|9MUU3 IH>"bTE)% p_˶ո0KAws@Ys~M Ac%Rx[1?.$ԌM} :ps*ObABliK E7/Xwyc#G|5exJN0sy5X076LӍ O픱WzLRas):`İWZwuY"GkDOo[2Օ+"n0ޢ$G?T} \ DCa M,HGDSO >Q 58a;bkkƠ~:_[S럈Q&^QgDM)mszz鵻I)tRP [ T(δҽնgYt2,!Bg_rzQV_y8gd( SJzz-5>WDܼ)F&J$LH\^#<\LЬ Vxd31,yQs}|'[|ƣn:̨N$+6?$^QڊL6^{1 ^81Si6:U=izZ>X]t$٠gDH%!>- Og a)4T 8CLBRF 1$c}8Iqxj B)!B1=+saGC瑱ªlb.iRQ0Jq~/k\*ڴ{X5*98YHx L[cc'we ztQWi[x(sZkn絛ۈENWx yȆ<5s]YKdV\Q"iůкY&+6Q%ߠ!xM}MTOVd`ђql(#AotU"㟜z$g27(]Q ]_ӦQVXwak̩C:G%2BZ>@ *@{*z4BTF1B'B@y؋˘ T}D\OYiWE CwP#[Sgf#e3jµsBGI^D$hEj Wmd5R>r*a_g s#{gaԦ_@Jw>ؘNF+saJ9?5`؊dEOb?;F[[;>HL3<\o %8w2Um7BY6{?PX].خG@ ]A~ CZwQlQ!^8Q\| +z.ʩe5ֻ6e$Z0cgzzDnBzsv[]XhV9wlԘg;m8^~OI&XijktjZue*mH6 FPMP\1>ոv y_dd:>Uy~K@b5hd@m-'[%+w,S`c ud6D/:||PlAc@3W+bQV;=aL#zq{ks٭Vh#Gs8YvM^Ph]Cf$a{RV(܏7^IZ}Y2~L⍬qlELZt$$J?xI~ cARž%V<\oZ@|Sk7t#P]ɲ,Y.?RFʰ@)8g{vΠĻҙ屪3!<|֐?P gK%2ՇtޜDz7eb:y QX9 Xª+$` 3Ș@rSO`coJǑ;2 ,(*Ô5P6UCx(*kTؗ]V*-yRۆ;vM/ m] !> &*~}  zk@(3})3p^yb3=|80't0(k voۯv1!ޖI= F=.l5~82I3{v ;a`OÖΗS=6bU[ǀMՏwQخ(Y <FG~KQDN/z>UN4,Y{ MA)2pok A$}=@#c{o:c@gӋ#kLhg.B0p<=I;ޔY\sFf;^?4^ju>_{z cm=};U) K4=vQ}&{m"G!-}n:j?yze$@sh9>Ci .n;h wev937J=l%4rODj\zEN_yܠ`#dώvս $.UP x/嫝qAF 2:;f?aH!~V~ǴovzGNE| L4ƨ r u*5HcZ@ȓ<oBvja B6l:?My' rZ=&DHbqo, YerSC̃G{De\"o"6S:֎ tQw(;lW /Tj(6`gfGЊ <$2mM=],yK9MwʔItq;ik]+Kj4J*4tZs1 F瑡3?oPjlVG'ՀowFh&ٝ~719`` j.܀G/\ՄVVeߪ1غ`1k9SSǝB{[m&Drm*LCe{cbդ F0WeNcAaOA$/k؉PE[>S+z`S**glr\t#sZQXEm23p'ZY`ZGHcʱTHAVhwu(&`N v? 
nĘqLf.7:g,Ո?f[ihl+h(0sTIA|7ѾElUjjX:Na/ƺ@V>QrBAzϸ_:E`5wDI@PE{Wp5T,u*<2ֻ^DZ ;GKS$!^Z8EZL) ]|R3MKx*Y0E9g Ojb^VkIPuQffKTص ~ItpAd E(ස,MjHjv5hkO2l ;Aβ'v:k~:KR+,`.-z}(;nxU!]&v r9THuQk$iS*/+rU}VWC*6jT4}%Ꚅ_~Y$s:bzMD:rƢ)+cwy-"ֶw qPU᚜χiBoZv ܈O)g>q]v?WX]}mɠ$| UR|@12Gjȹ+EΞaSbJ}^h4sFWzl*Dž /w-jaP%12{% ^G͠b T/,LLu8r_8醏.0E&Cb/y)UmG 2BEmkԧ o[G؉@nWԨɿsD6<ŵ6@ pHw$D]#]Cx\=t^OHS@}6aŸۦG2{c޷XK0Z NXAf 7zEĭM6.PőĠѐ[}FXp145f|J)2}E*q1)Ƥ\m \ca4P#|5KU@ O}c0o ]քhV{'_ 209 ("/ϖN@)+|vonݶ)Ldjp蹝 J.bH cSl@=@$6#ғ47)$lHI DtClɬ7V} Pk_cYNcb ޥ7Zdw;o vlxRFry{)e [g-:8 {*#1._WqHT>jfutJΜ|2m~mPyVJNc.k~9J!3eI$V CޟYz*%QPnۣ;8(/P?s6諜p.i6JVm.,赋2<*>^Ҏ ,ml3 P-Zi ӂ4 wY.}Xu6 kАh]SHZ-i+ &ӾHGFN#)Lԩ\_9#x yw/ή%j |=BLUkXp}FʜTh JF4MZ*fTjqD=6HJ;"/X` =9Sмғ,dyjwмZ}DϑZc؎pEX6vN 2^(yg=<+z_C7+ Rcf0afSb3BWy\ѰE;PO,ʂ Ƈ; T}UCI^ǧ֤8з_|K®mr&ӥ0aov6J+~ms.ϓ?AtU/}6:+Gt> 'W;6TA&mWSzl^A;sl lćbM-΅Ks Yy&|ctǺۇ^CY +QBLH&RTN[U)i ..缡W.}[nዞCYT uU.A5Bc55p.᪋"9Vq P&n/G}*mH =zG[?4Fno{] J'1 ,uTywC<  )lQ҇h?CJnxHQxtǐ~I}<{pE#,1.J2y c,ZIiUs`%@7RnPW6o6'S/Cjw N*$AK,쁄K!7κ^1J3+Z>=p;˳{i曡Rq6)&A_X94<N3,|^& JYѼI+h-x}f%_p5_kL2=)M<,E9|Sp+ƥK4nD$߷ C4XREd`wQg5~0I)u來Ⱥ:o_i+y T0 H~] *'Ihv-GbO@ωxK,iPx_ƃUԸvA/"]W7Rh=7zMMx1{8Ƭ*P8br;|^5}Jއo_1?ZHXd/B5Z,菼] `@K){ 3"5v|>.O;Dp١0KYNn\/dk~a3) {isOye,%ް,b ɪ}skEJ:aHeZ):v]iJbZ͔`}:+fch"ŗn&{q aɛ8riZ?N7CL ?P^0)ͅfvmx[ CGj 1HtlSØa\wE^ ż A*2 IY̮簷y׺ªd"gPѦrXO;-Afhqd]\0+XǏ }s\HM4u8c+ReE iMh[C'~̻gXh7Һaj8*x $0*ϤMIjjf}eil!Ք$@Kx0 %jz쬤UB3iJ:@DE` FaÖiMɣBXaUޯ߫$"z%!2B[DL0߹m-"0?Y_rpJ|mAC"Ӱ_ľkBnA3քg# ?SV;nąihWĦ]{TM*E L$V=d\cPׯᅿ1!b%:8s{3jcDtPJSqt6?*]e}$zrP>J6YNC&K)AwVkF(JV1 :+g(jSE&T? Y!(2␘}d&ȖXPFZ鲖Ģ7bJz\n0kHr˛Gf d[EIc>aȬj ]~m|,<c0,U߇[==8TrdSSdCNW"OuvFw;ƒ>MԶd۶L%QLjUK.]/8r:Xp0,g"}Vd|qA+M&ܞL w%=^=^c`,&W?A$C&V/cH02?p?~1<,/[_dE*&l`0 ?oUBCJOX kfn6<= e\l@9@(<;QϣߋhL(%.U*ԔY:x"ՐQ$# krŌQ:S4*U!?s0mV}/DTQ y浳ȓr᷊[.D5PGbV6S\vUxUN^D[\d+Ih>W}MN\GȇWS 0hhYO àuqv:< ocKg\12w%bu! 
pDH23T|toE#C.#QjJHXYS)$Ȥ*6@ z0[=-)ƘKV;YCkX3$^ZVh2FN6WĤ9eM?Z,RUч8O| ur +0[*DS{8`O7~W_8;FI6i<:jkQhqi:_ȍe`b1w'o VxjC&Xdn&cΥ {0c8'$.ӌMgʪ'И.2YbrƓ{V%n toT)K7HޕuS*XІ0$:8>uQ, C!0(ʭW?owW$/9~u?Nڿ!EjXnfY\VWSj xyGJp@*!ڏ..SOʰVJ u9aR}F3I Ujvji"^7r%]_7YPYL27T'\=ur,~.>azXyGt$TZ]^o0PUz UKcdIM_HiP-yQkg._iUp^sH3-uL&O`o^` 8q,N6* =뗈f6*y]>F/d;>b} i(׫{7loQGyÑ0k] ;:sȀӿŕd,1ZUgR-$,n'5 TY _yT):mYܜava.xQ:#:yJ[L@PD4Zӂ>|uS U{;EZ%!ThFb;" rZaՁ^\k"^DW4쾯Kk9ñ}M;MJw҆3|OyDu>Dٔ( JUvpӥ+ݫ!3֭?Rbs=(J8FBVZbndQtwƪ%( uHTRgJ?+|fF9y+_L3sq ) DGgP+]Iuj .֞]C PړG.ZwHah])1}R$apZBO9n-@ 'ju=Ҫ4]q"7?R, yU!}qmj/9>)-_x"K_ zB_K%u)+A*2ī_z˳'}g\Ks:HJ=> T[|qBJ `7 l B~1tS;H@(Łl>4':xybb^7y.ě@j7_B{mɻ)]>Zg$BBJ<[pb ηg@/[zTVql *G܏XP: nV@"KCY_#1^ݙ`j[WlovVH{%'nܷ=#!wv\NgWERH> @2 u"S霷HEeZuɀV cEr1 uKi%if OpΟw0ɡMhjsSXX}`9^Tn,rт 2ž;!0dn n= "_Q.n11ʎS uZ!im#Z]. 4I͋C/[Lᄁ)z|IϹFSgt"2  uՙ#aJЍNU+N7ޟ'l9*R2o2[!|#U^&~Tq_ڃ22447u[&+D 8aBtsG1e"Geo,^r6ڻ/~i@7ԧm`lC L#QCܼcT蠟=,$k;$Ȫ\~WF ڨP7 BN\qکh}LJ6El]@\>t GkbS<)Z3_m,@7I5~G C-28Uxm[:W)W\SS}J p0IgP:O͕pXlU[>A.)5.kvp&P.0< 6#Τߣwuq U% 0nny% h,P6u᠙1uƱ#͉us#)dEW_AycpG=eCzu' IZ\4 ]tOpl'1SZjS*Q~fMkH0_ ./AM Hi9ީ'BKoO~#1X[j7 vn8[ gHD4:9d>,!mH*6zѠg^>y̐4['BUwUAlő~XV#SW6i'lQ o1:TR*}ұ.[mėID!Dlx5(U/\e OV5bxʸ-S@B+9ʔm?̽I{ /J1+n֌GN__Tε7zWotS@`Ij+V{vD*QxJu fS0;+X {} 2](s`mD{ľ~,\}K *JmKZAMJ lw*%mU[Q؛_s̓I?Z_LtbaW|cj">K +5 v!O0!˜$Ek(8L6VyĬ<އT.nnJNHcTٙ@0^$Zgv=pj ]Vղ?Y e@qoY9d{9 c)QHGDSWF\onnT۴S]@.bu@ɬōk@לGc⟊VrXǝN_KjsN358ו11^U2!3!ZZ!Ȋ^NO ?~_ڏna9'߻q8_Ha+fw\j|qBSn"ch)3Bے[\.]zjLW0 j# p]rȉ]bZY8'}I515km8cn-ۤ ?68H V!XV!b(,m46[j0ss:J c*K-R „ 7{FƅgjEard4ߚo캝c-TxԮa~v%wETr%gJf6%!Y``#{,F8GxZ|`3٪5Cc`RNi-7QbgeGd".iwk/+zW$|>wӈT7Қ38/$J{ ecUmAk aByy5cXv O ##t݁ˡ$S={>w&_!Rr_ `J|0/n 7)J4I1՝ɐ*oخflѶ.^RRLR8q2N:Fh svh  lTne da㕊CPɃFJ݄bmihNV!uG-. 
CT(4ɋctEPhVXN` "g<>极_ sL"#d T UlOJ󟇝 u<ʁ"ؖK$6fgD%P5 \eig=Nwv0Ox)/: A<s͛uVSFP?ʍ [ap+&ĩlK2ksUk^H+]`dWwG+)w@4>l/sGLr\K}hЄW%ïG{ }HTкkVsd4g(q/ ٛi{/sum8s&K^d/!Ic^Ji4EC~&[] \$+$izF+;-}S۾vw Y-/.4}yi^@ bKmXVLx'J{a-p\.&ŝxh7.,CZ!xVaMZL'Oiko @ H%qIzzDgb- -'`[߯H*BT>#e >n2ڎe(*Gj2(ޖ],dX huЉ/0hh?v㑝Sړ's/Y\8D9Ki4alu7/֍'T{"kd9zN%Z [4_HWsM9cND)*ƛcjSƟSCz,GiZD=ӡU-C@X,L9@W "UX%IeYȇ7eF$\sTum={)iIcopbjf4eG{]oѓʠ^>  K>J$ 7EwzUcj [4{ =uN:Jy`l^p "Ƴʬ( Lҗ2b6.iȡi :`@z FTfS_ "rs]+xS}*ާ!={sҔOy^Z. 0m<Y9 |DJ h*Qsy^Xx(usI85ؚ7>1.틝qPdr_[?TNMҞe{)S㎴R-@!hz6,.J$ɷlAĠ?)$S->Y5CNOU8]=[I"+mgOCn:QBlk8,|~BE\Q1)A 켙rXKXƙPdZ?9(0p|__L97fnouV{E[I4~޷9;\_sP&S:⢏Z!.bVa@1U{lC䖊kÌȘ ])~MF1IKXYRJS@ϥGebҗudQ,%hs [*4Q&+/zo92$F;S^$G $Xg1*MLWfpsP[ `` n]PĨ\Xp=i)zɻ8-D[FGμj+܌,]3\ β'̭ZN'-?ςZڰP?»[uѶ̻ {%#rhsqqs'^Ls/pAkf{ߍ8+RP׊gfSt W {Dd{eތ o<-e|@Ȝ@gwyNRpK,va؉VK,Y^bbl{F˫Z"^8(*Xe 4SeQ@,Svp|jb牍,:D\5ozj̛A;XB7$bgK/? sWF;Hw ;jaVo5+]Nvm9XcU}QHsIFqoHhGaPp +t:@ YFG C\vE$up%S9N:IP5\>V+?⩬c2/*wj.Qh[uT*(2d]U16r(IXo_Rs+'DՒvv0ޤ|ʏ]mvncxkh!|l_BU,^ë/$$rԔI%y啋 ]L7uP7Qb |FfX{rtԩXE&iW5 gzbDƱ)]U`@v%= d9kXo&@htLG?$5?WQ߻n3 N KZӶy EkX6"b>Bfu (Or7w܉!#bVn63?f?i!tpW#RQu"H5-DK>iӑѳ82$+yOJe@?(^MRԦCʁq 70a֞ϱIG;rj N8 Yuc'}vG!o(Ŝ]m]ڵ2j(8݈sKlR~ E̅g8I|'^}l"&9 aýs ELYqVppa-}KZ oNdr1vTdAHCn\I<^[Dze6kl@*U@(y)jҚ 0ݙhq0?ُ[G }~z"i$dariTS697]ƱTaa]?Y-tL!%vg$Jꃼ@~lEΊĪ(vcP Y.}ҜFM(GV:r*7CfPY~S^VFuQ9>FɀF-^gz5Ff6$>Bo* 5y_'f[u]O! ˈc߂OU >G.&C}^^\>pw:32㋸82th %L]Ξ9鈅R̵H [ZB$.LNH>9^$y̔Tdxh٘L$ѹq+ZO2qSvA@mbDIY(j|iwK2ӹD4?>fhƕO;PG!xmVSVc)HzczuNX{c?Zm'ciN,ʯ#o{ A8,ye 'f,7\Q(h^&*m/ MdF:W?$ FAMN+*sgO/,s㤺%=T#]CANA"2*?vcˊ# SIBf A S+S򼴸Oww ! A~|JʱB6jLbE) f4CDRAIx)55: 󝹦7](S6nLLhN&87ϟɊ( Nۗ[ ,ʦ/|"P}__ǿ m`+Pn`.^?bMĤ\iXQ5uVۅELNMʹFڑ& /37Aw 2b^\ )ٗMŭ*Vuglqo". a# repXPЙ` *8h-=~`nt\Fi'2 ݣa^@bHFYgeaZr/,*q:ء=razxiCSNkuCB̉.]lJcg⫭Tn;{0=/~CWF@A0suK<Noڳ"a0PZPk4 Hĭ1}ygJʌ6{:&o9yL l_z=&$MQ-ׄO>B.*u۹xt~PXD|.#Po:(:EAMpn`Zӂ'0T\4C_h`v$H%L 9%owo5 c#[Fuȸ,h#yR̹7(שbλGvjus_"Uh@ $y=qʦҍyccҌAlr=s(JNrq4$&+wY#;ʎz~KZu(?)ϝ,^i5|cb6bn,,/Obg Ob`t}z4*j64Z=w5:Fy ѿ);$˄#UTHt}qEn(AF &$. 
Y@] V$RB+͒dXtmriҞ[ Oe^YĀåyW}r{4Cf :%nG.>n#oڹh-=ˍ9\R]KE(PGo3.>()!ЙR&5ql+'Lwc+&{Ot> d}"ݘT[zV7/A:ǹȪĹ{+9@HNf?[l֝u3"V2W'+b(<̴sL_%EW0hύ`-NXbs:Z&/3y rmJG+eWIgVHu;{9|kA'iq0 VEt\ex/z\?LsL-3  WXt@CX;Oep?-ƹa(v/u':%JY(u{ s7wɌ _[K@ ^>8Cz(,>?XWFu$lSfTyR*}Blq$&!J[_WI 5!yL@W5}yGؕkpQɪt:-d 294zPU歒Ib>/Ğ*4 9,x iQ)L@G~bN +r9*61̭NH!a5ˆdN#A1b@́ , |_TC\ "MF\+i*U0{1I0R4D)hЬx.zZ' ӂɝU[: ,9iՇbvd!-o pQ|WB$*t9QMi(Z;ؽրZ Z쀨^F6OP2hsA~NB +{kb#|F]|Ņub|Aݷ Ef("]ל) 8(wsX-5~(lgKf[h#DnH/ي.QwQ 79ǼLdBx":M C}ɇּx<4;lg|F!FvbK9ۭNI*S LO 5Hjzu1x_:|[_گ0ک',H [=$.>9:ĊZ@>YaYe6=Œu.K&땆Kt t 'H&Gߛ#&%P} ͩ\b+2C]ϔm=6ʗ%^5o1Y:=ܓ lZ'e6MpQ|AQlܠx6P0}9QROO9B&VS?>ena!f(g="#m%,4bp-Ĭ/rNz aPQ'YJ᳧j1 v!%xjy3/6īHe`y.Mvޣo( Es|F\"7 %zxo˗+.، 7p߇4{Zl2&qUrqs3v]`?fRSL~V"6#1`3zE 6ZLiS :Ya;D]/ơM*̐ĴeBRMfx#t4REVy׾o߇ImI D{LPS>c#& -æ[(|'*`!Uްߩ50nrb!J;ɮS@bd6}W 'GC 1_-'Ja}:~kR{G ކ.7Q`7+ՠ6'$ A S0@r J ^qO.C-݅ (W9œqT:#G7塇?Bf.R+:$3WK(7Vg^Y`s$A4zx~ZyH%P!M G>Wmc?XPnj9cbm0Y9/Eɦy??zOފ1'J%J| a{QHQؚ:oOm1o}ifv|cF}Zf@O#%!Gx5'\fLw"CV<oF/,i t>\蘆=^XԘj>z ߵxZ/t檃)%=Wl$wJr[dd1޻KR54NAO/?R,;<-ꑫV / ɓ{8wk.=Di?kG%6N$ YvԤ=sز bѹ/0gw=#0S $ JlJꕁ;sv,^O yиU݀]̦45-EFV´, Ⱥ&7_%NoT==C2E&ȉtm"/M\Rj&sڕ'6u1&}( .Q6Ņ]) šldVt17,/1pz`~i}34sұH~X}fNx }9e8s1d āS{RYRSl3M/" #gijp4z}=n>F;!;ffC2'*PmnI4]R[ 3]nP-7JPl;f9LރR˸iAp~}h빊?c7@dն6][\~3R*w0uNAzgj=HH%e:VbmyZYkK izラEK֫.@(/`~)A'P, \A zoi6㎃Ux(2CBJ ߢ)ѸKoFQ9KLMV&q,a!T7dDP49$(`& Ditk2$(/:~^32TYmCXGc!\~BȰt 6f,a !J8f}y_8!IwVWI"7a I(ʂÐ4&V+UM2׎l!mKs8hsv5M@vjaIXw~A^U8Fo{z%X5%CcX2-jܟ$EHtY(GUf?^}BG^+#2wHX.\aOlK6[-*eZ3LmYK 34-P-Z_MG>pXmVCx7{,c wG꙾̏j[X'töYjG%\ez~8u<> W+s# l%@7m]Z̏u(ZM>*[&3-h"`—GCbHH,_5SJGC;]KH^\Q(TA|V 2+1?=q &Y ^fj"H4H hˀNFL%L5`Q wa1I( ߩSJ9'E_MDeEi/*)'fOfZ? &#,hǺ0߹(&X 6s^_yof2 f9\\ 9Q8}1tE,)Sn@>Pr\.\4f>gt ?ysduWXR}Ri$xzj( R$G/|pƂMhL2> )/l5(p\o02; sr5BwE7IKI0%i~-S"gK67M=W# Η]oҪY)!lt 0wl'⢌ |Ù;7RNpNIYZyF,x|ќ,QGjB1'2BTܔmgK#YFZ x"8Mޚ"(1^f$J?&DCfk 4In\7\UW\k/?9>Ot-~pcp['!amY)OqyQ5M]ؖS}gWNmǺk9m:ȯ>'n܎ZN82ꑉS=RP  rCE}_2곔I;ڣd߶wOK:QnO#A~U(-#ô%aWlf^2JqMsMF!N Ôm2i2U4h͌͞ (V?s/Cmto;s\OA9~2nw];gTߠG ЛN YZ