sssd-krb5-common-2.7.3-5.el8 >  A c~R!U]^y~wOh uichQ 74֔,TsP[)AfON-rk](TY ZiEH-HVRrY{--2G)K@ޑָ~ڛiO`~aUp>xZYs;8\OK۵}(GrR _A.VD##tC4 nFs?>aOSw-0c՚)$+]5UѾAw:9ER_[ϙ:u{P:Ji]R}$+`l+ }K$>0-j`B0_5yɑz?4HeFgr \#gozؗGZ6erě^qljm܃y[r+C<@UXCR= :̱2Slrnȯ9'qABV=;nֈ*t-dJt70>b#Fx?.׋IIj118aee6cd1ee3d62dba48b6b193a47c42605df8441ef7488d6331871ecaf6f2e5787018577fb5485e24c66345223fd3e0075d7b3$c~R!U]S# qvL~΢s`دSA=K)JmGo2(ZY06gA.[Ƈ넹B/[馬(}$ǥ<*guqqV?9H!~V;IgG 8NH*<BbN[U0:%42:[C7Syd*j8L#p>b7cϬ} r+9˺k%5(Ϸ*8cJ -9pR,/v~ ~4;Dh.穤9u/v!4!]Mf4mQ~IiAtVj wǿCI8b<@ا8;]bѐY5:tw8BrV^>8]xntR.vZSH'*×HxU*צJd M+fۍUWdOWu@.;d#ezvu)]ׇ͈>pA?td  Z ';X^f $  8  L  t  >     $@ h \`e(t8|9:`=|G| H} I}, X}8Y}@\}X ]} ^~b~deflt uD vlw0 xX y)$(.pCsssd-krb5-common2.7.35.el8SSSD helpers needed for Kerberos and GSSAPI authenticationProvides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.cs aarch64-02.mbox.centos.orgCentOSCentOSGPLv3+CentOS Buildsys Applications/Systemhttps://github.com/SSSD/sssdlinuxaarch64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd''!KAAAA큤Acs cs cs cs cs cs cs cs bºcs 976bfcf9768aa6efa06ca8527e42f8269bbf646c6b68da05d38c8592d27fec0a2df4353fdb32bbcf3b024300475285fdf50a88f9ffae0aea8fc851ffb13443a58ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903../../../../usr/libexec/sssd/krb5_child../../../../usr/libexec/sssd/ldap_childrootrootrootrootrootrootrootrootrootsssdrootrootrootrootrootsssdsssdrootrootsssdsssd-2.7.3-5.el8.src.rpmsssd-krb5-commonsssd-krb5-common(aarch-64)@@@@@@@@@@@@@@@@@@@@@    @/bin/shcyrus-sasl-gssapi(aarch-64)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.25)(64bit)libc.so.6(GLIBC_2.28)(64bit)libcom_err.so.2()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libjansson.so.4()(64bit)libjansson.so.4(libjansson.so.4)(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libsss_debug.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)rtld(GNU_HASH)shadow-utilssssd-common3.0.4-14.6.0-14.0-15.2-12.7.3-5.el8sssd1.10.0-8.beta24.14.3c_cc@bbγba@baZ@a6aɪa@aKa@`.`@`[` @`&m`@`x@__@_@_#___[@_?@_-B@_@_@^@^@^^(@^oj@^ku^Y^S^J@^C^0"@^0"@^0"@^@^@^@]f@]f@] @] @]+]]Y]Y]|@]o@]k]k]Y=]Y=]Y=]Y=]Y=]M`@]M`@]M`@]D%]D%]D%]9]9]]]@]@\\`@\]o@\\\\\\\@\>@\>@\>@\\\\l@[Ѱ@[^[[ā@[ā@[ā@[;@[;@[;@[;@[;@[[@[@[@[@[@[t[#@[#@[@[@[qr[;e@["XZZ&Zw@Z Z$Zz@ZyZiZiZWQZWQZ%8Z@Z@YZ@Y@YYzYKYyYw2YRHYRHY@X-XX~@XO@X}@X@XX6@XWXOXXWW@WWW@WWv[@Wi,@W5W@W@V3VVVvV%@VqR@VO @V<@V/g@V$@V @V @UpU|@U4@UUUU@UzUzUzUL@UL@U.RU@TTT@T~T8TܕT@T@TTTq@T@T@Tp@TA@TuTto@TG@TD@TT @S0SS@S.SP@S @Sg@SrS!@SkqSkqSG@SFSCS!SSRRpRpR^R[RSRNREs@RD!R@R@RNQB@Q@QQQکQQQo@Q)@Q@QQ@Q@QbQbQV@Q'@QQQQnQZ@QU@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 2.7.3-5Alexey Tikhonov - 2.7.3-4Alexey Tikhonov - 2.7.3-3Alexey Tikhonov - 2.7.3-2Alexey Tikhonov - 2.7.3-1Alexey Tikhonov - 2.7.2-1Alexey Tikhonov - 2.7.0-2Alexey Tikhonov - 2.6.2-3Alexey Tikhonov - 2.6.2-2Alexey Tikhonov - 2.6.2-1Alexey Tikhonov - 2.6.1-2Alexey Tikhonov - 2.6.1-1Alexey Tikhonov - 2.5.2-2Alexey Tikhonov - 2.5.2-1Alexey Tikhonov - 2.5.1-2Alexey Tikhonov - 2.5.1-1Alexey Tikhonov - 2.5.0-1Alexey Tikhonov - 2.4.0-8Alexey Tikhonov - 2.4.0-7Alexey Tikhonov - 2.4.0-6Alexey Tikhonov - 2.4.0-5Alexey Tikhonov - 2.4.0-4Alexey Tikhonov - 2.4.0-3Alexey Tikhonov - 2.4.0-2Alexey Tikhonov - 2.4.0-1Alexey Tikhonov - 2.3.0-9Alexey Tikhonov - 2.3.0-8Alexey Tikhonov - 2.3.0-7Alexey Tikhonov - 2.3.0-6Alexey Tikhonov - 2.3.0-5Alexey Tikhonov - 2.3.0-4Alexey Tikhonov - 2.3.0-3Alexey Tikhonov - 2.3.0-2Alexey Tikhonov - 2.3.0-1Alexey Tikhonov - 2.2.3-19Alexey Tikhonov - 2.2.3-19Michal Židek - 2.2.3-18Alexey Tikhonov - 2.2.3-17Alexey Tikhonov - 2.2.3-16Michal Židek - 2.2.3-15Michal Židek - 2.2.3-14Michal Židek - 2.2.3-13Michal Židek - 2.2.3-12Michal Židek - 2.2.3-11Michal Židek - 2.2.3-10Michal Židek - 2.2.3-9Michal Židek - 2.2.3-8Michal Židek - 2.2.3-7Michal Židek - 2.2.3-6Michal Židek - 2.2.3-5Michal Židek - 2.2.3-4Michal Židek - 2.2.3-3Michal Židek - 2.2.3-2Michal Židek - 2.2.3-1Michal Židek - 2.2.2-1Michal Židek - 2.2.0-19Michal Židek - 2.2.0-18Michal Židek - 2.2.0-17Michal Židek - 2.2.0-16Michal Židek - 2.2.0-15Michal Židek - 2.2.0-14Michal Židek - 2.2.0-13Michal Židek - 2.2.0-12Michal Židek - 2.2.0-11Michal Židek - 2.2.0-10Michal Židek - 2.2.0-9Michal Židek - 2.2.0-8Michal Židek - 2.2.0-7Michal Židek - 2.2.0-6Jakub Hrozek - 2.2.0-5Jakub Hrozek - 2.2.0-4Jakub Hrozek - 2.2.0-3Jakub Hrozek - 2.2.0-2Michal Židek - 2.2.0-1Michal Židek - 2.1.0-1Michal Židek - 2.0.0-45Jakub Hrozek - 2.0.0-43Michal Židek - 2.0.0-42Michal Židek - 2.0.0-41Michal Židek - 2.0.0-40Michal Židek - 2.0.0-39Michal Židek - 2.0.0-38Michal Židek - 2.0.0-36Michal Židek - 2.0.0-35Michal Židek - 2.0.0-34Michal Židek - 2.0.0-33Michal Židek - 2.0.0-32Michal Židek - 2.0.0-31Michal Židek - 2.0.0-30Michal Židek - 2.0.0-29Michal Židek - 2.0.0-28Michal Židek - 2.0.0-27Michal Židek - 2.0.0-26Michal Židek - 2.0.0-25Michal Židek - 2.0.0-24Jakub Hrozek - 2.0.0-23Jakub Hrozek - 2.0.0-22Jakub Hrozek - 2.0.0-21Jakub Hrozek - 2.0.0-20Jakub Hrozek - 2.0.0-19Jakub Hrozek - 2.0.0-18Jakub Hrozek - 2.0.0-17Jakub Hrozek - 2.0.0-16Jakub Hrozek - 2.0.0-15Jakub Hrozek - 2.0.0-14Jakub Hrozek - 2.0.0-13Jakub Hrozek - 2.0.0-12Jakub Hrozek - 2.0.0-11Jakub Hrozek - 2.0.0-10Jakub Hrozek - 2.0.0-9Jakub Hrozek - 2.0.0-8Jakub Hrozek - 2.0.0-7Jakub Hrozek - 2.0.0-6Jakub Hrozek - 2.0.0-5Jakub Hrozek - 2.0.0-4Jakub Hrozek - 2.0.0-3Jakub Hrozek - 2.0.0-2Fabiano Fidêncio - 2.0.0-1Tomas Orsava - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.1-3Fabiano Fidêncio - 1.16.1-2Fabiano Fidêncio - 1.16.1-1Lukas Slebodnik - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Lukas Slebodnik - 1.16.0-11Lukas Slebodnik - 1.16.0-10Igor Gnatenko - 1.16.0-9Lukas Slebodnik - 1.16.0-8Lukas Slebodnik - 1.16.0-7Björn Esser - 1.16.0-6Lukas Slebodnik - 1.16.0-5Lukas Slebodnik - 1.16.0-4Jakub Hrozek - 1.16.0-3Lukas Slebodnik - 1.16.0-2Lukas Slebodnik - 1.16.0-1Lukas Slebodnik - 1.15.3-5Lukas Slebodnik - 1.15.3-4Lukas Slebodnik - 1.15.3-3Fedora Release Engineering - 1.15.3-2Lukas Slebodnik - 1.15.3-1Lukas Slebodnik - 1.15.3-0.beta.5Lukas Slebodnik - 1.15.3-0.beta.4Lukas Slebodnik - 1.15.3-0.beta.3Lukas Slebodnik - 1.15.3-0.beta.2Lukas Slebodnik - 1.15.3-0.beta.1Lukas Slebodnik - 1.15.2-1Lukas Slebodnik - 1.15.1-1Jakub Hrozek - 1.15.0-4Lukas Slebodnik - 1.15.0-3Fedora Release Engineering - 1.15.0-2Lukas Slebodnik - 1.15.0-1Miro Hrončok - 1.14.2-3Lukas Slebodnik - 1.14.2-2Lukas Slebodnik - 1.14.2-1Lukas Slebodnik - 1.14.1-4Lukas Slebodnik - 1.14.1-3Lukas Slebodnik - 1.14.1-2Lukas Slebodnik - 1.14.1-1Stephen Gallagher - 1.14.0-5Fedora Release Engineering - 1.14.0-4Lukas Slebodnik - 1.14.0-3Lukas Slebodnik - 1.14.0-2.betaLukas Slebodnik - 1.14.0-1.alphaLukas Slebodnik - 1.13.4-3Lukas Slebodnik - 1.13.4-2Lukas Slebodnik - 1.13.4-1Lukas Slebodnik - 1.13.3-6Lukas Slebodnik - 1.13.3-5Fedora Release Engineering - 1.13.3-4Lukas Slebodnik - 1.13.3-3Lukas Slebodnik - 1.13.3-2Lukas Slebodnik - 1.13.3-1Lukas Slebodnik - 1.13.2-1Robert Kuska - 1.13.1-5Lukas Slebodnik - 1.13.1-4Lukas Slebodnik - 1.13.1-3Lukas Slebodnik - 1.13.1-2Lukas Slebodnik - 1.13.1-1Lukas Slebodnik - 1.13.0-6Lukas Slebodnik - 1.13.0-5Lukas Slebodnik - 1.13.0-4Lukas Slebodnik - 1.13.0-3Lukas Slebodnik - 1.13.0-2.alphaLukas Slebodnik - 1.13.0-1.alphaFedora Release Engineering - 1.12.5-4Lukas Slebodnik - 1.12.5-3Lukas Slebodnik - 1.12.5-2Lukas Slebodnik - 1.12.5-1Lukas Slebodnik - 1.12.4-8Lukas Slebodnik - 1.12.4-7Lukas Slebodnik - 1.12.4-6Lukas Slebodnik - 1.12.4-5Jakub Hrozek - 1.12.4-4Jakub Hrozek - 1.12.4-3Lukas Slebodnik - 1.12.4-2Lukas Slebodnik - 1.12.4-1Lukas Slebodnik - 1.12.3-7Lukas Slebodnik - 1.12.3-6Jakub Hrozek - 1.12.3-5Lukas Slebodnik - 1.12.3-4Lukas Slebodnik - 1.12.3-3Lukas Slebodnik - 1.12.3-2Lukas Slebodnik - 1.12.3-1Lukas Slebodnik - 1.12.2-8Sumit Bose - 1.12.2-7Lukas Slebodnik - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-7Fedora Release Engineering - 1.12.0-6Stephen Gallagher 1.12.0-5Jakub Hrozek - 1.12.0-1Fedora Release Engineering - 1.12.0-4.beta2Jakub Hrozek - 1.12.0-1.beta2Jakub Hrozek - 1.12.0-2.beta1Jakub Hrozek - 1.12.0-1.beta1Jakub Hrozek - 1.11.5.1-4Stephen Gallagher - 1.11.5.1-3Stephen Gallagher - 1.11.5.1-2Jakub Hrozek - 1.11.5.1-1Stephen Gallagher 1.11.5-2Jakub Hrozek - 1.11.5-1Sumit Bose - 1.11.4-3Jakub Hrozek - 1.11.4-2Jakub Hrozek - 1.11.4-1Jakub Hrozek - 1.11.3-2Jakub Hrozek - 1.11.3-1Jakub Hrozek - 1.11.2-1Sumit Bose - 1.11.1-5Sumit Bose - 1.11.1-4Jakub Hrozek - 1.11.1-3Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-3Jakub Hrozek - 1.11.0-2Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0-0.4.beta2Fedora Release Engineering - 1.11.0-0.3.beta2Jakub Hrozek - 1.11.0.2beta2Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta1Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Jakub Hrozek - 1.9.5-10Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Related: rhbz#2132051 - Rebase Samba to the the latest 4.17.x release Rebuild against Samba rebase.- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8- Resolves: rhbz#2116395 - NFS krb5 mount failed as "access denied" after test accessing a same file on krb5 nfs mount with multiple uids simultaneously since sssd-2.7.3-1.el8 - Resolves: rhbz#2119726 - sssctl analyze --logdir option requires sssd to be configured - Resolves: rhbz#2120669 - Incorrect request ID tracking from responder to backend- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP - Resolves: rhbz#2098615 - Regression "Missing internal domain data." when setting ad_domain to incorrect - Resolves: rhbz#2098617 - Harden kerberos ticket validation - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options) - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol - Resolves: rhbz#2087745 - 2FA prompting setting ineffective - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. - Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1945888 - Inconsistant debug level for connection logging - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched - Resolves: rhbz#1915395 - Memory leak in the simple access provider - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) - Resolves: rhbz#1893159 - Default debug level should report all errors / failures - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior- This is to bump version to allow rebuild against rebased libldb.- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase) - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command - Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1- Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter- Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization- Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache - Fixed "requires/provides" rpmdiff warning- Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active- Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" on GDM login with smart-card - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate (additional patch)- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user information- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate- Resolves: rhbz#1718193 - p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is omitted and auth_provider is krb5- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be specified up to the seconds- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools* Resolves: rhbz#1794016 - sssd_be frequent crash* Resolves: rhbz#1762415 - Force LDAPS over 636 with AD Access Provider* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap connection timeout* Resolves: rhbz#1783190 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_autofs killed by 6* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character for match rules sss-certmap* Resolves: rhbz#1781728 - sssctl config-check command does not give proper error messages with line numbers* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release Increasing version number to pick latest libldb* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release PART2: Fix gating issue.* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid new ones (kcm)- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 - Also sync. kcm multihost tests with master- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome keyring - Also apply a patch to fix gating tests issue- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get the IP address of the machine updated in IPA upon sssd.service startup- Resolves: rhbz#1736265 - Smart Card auth of local user: endless loop if wrong PIN was provided- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" should not cause files domain entries to be qualified, this can break sudo access- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets- Resolves: rhbz#1733372 - permission denied on logs when running sssd as non-root user- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing the trailing colon- Resolves: rhbz#1382750 - Conflicting default timeout values- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder repository - This just required a raise in release number and changelog for the record.- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is not FIPS140 compliant- Resolves: rhbz#1726945 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo- Resolves: rhbz#1283798 - sssd failover does not work on connecting to non-responsive ldaps:// server- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with no members- Resolves: rhbz#1673443 - sssd man pages: The default value of "ldap_user_home_directory" is not mentioned with AD server configuration- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is done here in order to unblock gating changes before rebase. - Related: rhbz#1682305- Resolves: rhbz#1672780 - gdm login not prompting for username when smart card maps to multiple users- Resolves: rhbz#1645291 - Perform some basic ccache initialization as part of gen_new to avoid a subsequent switch call failure-Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong subdomain service name being used-Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. UnknownProperty: Unknown property- Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than 1.x, this can result in time outs- Resolves: rhbz#1578014 - sssd does not work under non-root user - Note: Actually the patches were in the 2.0.0-37, this one just adds this changelog because it was missing.- Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss suggests using * for backend sss- Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist- Resolves: rhbz#1622008 - Error message when IPA server uninstall calls kdestroy caused by KCM returning a wrong error code during the delete operation- Resolves: rhbz#1646113 - Missing concise documentation about valid options for sssd-files-provider- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: 1658813 - PKINIT with KCM does not work- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/proxy_child killed by 6- Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for emtpy home directories- Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1657980 - sssd_nss memory leak- Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly for D-bus, resulting in a crash- Resolves: rhbz#1646168 - sssctl access-report always prints an error message - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the configuration without having to restart the whole sssd - Resolves: rhbz#1640576 - sssctl reports incorrect information about local user's cache entry expiration time - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user - Resolves: rhbz#1639411 - sssd support for for smartcards using ECC keys- Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui with smart card- Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA- Related: rhbz#1638150 - session not recording for local user when groups defined - Also add silence a Coverity warning, which is related to rhbz#1637131- Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules- Add OSCP checks for p11_child - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Related: rhbz#1638006 - Files: The files provider always enumerates which causes duplicate when running getent passwd- Related: rhbz#1637131 - pam_unix unable to match fully qualified username provided by sssd during smartcard auth using gdm- Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a PKCS#11 URI- Related: rhbz#1611011 - Support for "require smartcard for login option"- Related: rhbz#1635595 - Cant login with smartcard with multiple certs- Backport more sbus2 fixes - Related: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1628122 - Printing incorrect information about domain with sssctl utility- Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not started due to a misconfiguration- Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated- Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_be killed by 11 crash func _dbus_list_unlink- Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup- Resolves: rhbz#1615590 - Do not rely on "python" for el8- Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Resolves: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication fails with the KCM ccache- Resolves: rhbz#1615460 - Rebase SSSD to the latest released version- Switch hardcoded python3 shebangs into the %{__python3} macro- Update to 1.16.2 release - Cleanup unused global definitions - Remove python2 references from the spec file - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x- Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change - Resolves: upstream#3558 - sudo: report error when two rules share cn - Tone down shutdown messages for socket activated responders - IPA: Qualify the externalUser sudo attribute - Resolves: upstream#3550 - refresh_expired_interval does not work with netgrous in 1.15 - Resolves: upstream#3402 - Support alternative sources for the files provider - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option - Resolves: upstream#3679 - Make nss netgroup requests more robust - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not configured - Resolves: upstream#3469 - extend sss-certmap man page regarding priority processing - Improve docs/debug message about GC detection - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound? - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is set. - Document which principal does the AD provider use - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]- Resolves: upstream#3573 - sssd won't show netgroups with blank domain - Resolves: upstream#3660 - confdb_expand_app_domains() always fails - Resolves: upstream#3658 - Application domain is not interpreted correctly - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to json_loads() - Resolves: upstream#3386 - KCM: Payload buffer is too small - Resolves: upstream#3666 - Fix usage of str.decode() in our tests - A few KCM misc fixes- New upstream release 1.16.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html- Resolves: upstream#3621 - backport bug found by static analyzers- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Resolves: upstream#3621 - FleetCommander integration must not require capability DAC_OVERRIDE- Resolves: upstream#3618 - selinux_child segfaults in a docker container- Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl- Fix systemd executions/requirements- Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS- Fix building of sssd-nfs-idmap with libnfsidmap.so.1- Rebuilt for libnfsidmap.so.1- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD - Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Backport few upstream features from 1.16.1- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next- Backport extended NSS API from upstream master branch- Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade- New upstream release 1.16.0 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database access on the sock_file system_bus_socket- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access on the sock_file system_bus_socket - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and fails to download desktop profile data - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping is applied- Backport few upstream patches/fixes- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild- New upstream release 1.15.3 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html- Rebuild with libldb-1.2.0- Fix build issues: Update expided certificate in unit tests- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64 - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4- Fix issue with IPA + SELinux in containers - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297- Backport upstream patches for 1.15.3 pre-release - required for building freeipa-4.5.x in rawhide- New upstream release 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html- New upstream release 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html- Cherry-pick patches from upstream that enable the files provider - Enable the files domain - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch which is superseded by the files domain autoconfiguration - Related: rhbz#1357418 - SSSD fast cache for local users- Add missing %license macro- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild- New upstream release 1.15.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0- Rebuild for Python 3.6- Resolves: rhbz#1369130 - nss_sss should not link against libpthread - Resolves: rhbz#1392916 - sssd failes to start after update - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses on the directory /etc/sssd- New upstream release 1.14.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2- libwbclient-sssd: update interface to version 0.13- Fix regression with krb5_map_user - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: default if nonexistent domain is mentioned- Backport important patches from upstream 1.14.2 prerelease - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1- Add workaround patch for RHBZ #1366403- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0- New upstream release 1.14 beta - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta- New upstream release 1.14 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha- Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): sssd_ifp killed by SIGSEGV- Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6- New upstream release 1.13.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4- Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token) - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed by remote host" if locale not available- Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild- Additional upstream fixes- Resolves: rhbz#1256849 - SUDO: Support the IPA schema- New upstream release 1.13.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3- New upstream release 1.13.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2- Rebuilt for Python3.5 rebuild- Fix building pac responder with the krb5-1.14- python-sssdconfig: Fix parssing sssd.conf without config_file_version - Resolves: upstream #2837 - REGRESSION: ipa-client-automout failed- Fix few segfaults - Resolves: upstream #2811 - PAM responder crashed if user was not set - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- New upstream release 1.13.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1- Fix OTP bug - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were entered separately- Backport upstream patches required by FreeIPA 4.2.1- Fix ipa-migration bug - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled migration mode- New upstream release 1.13.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0- Unify return type of list_active_domains for python{2,3}- New upstream release 1.13 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild- Fix libwbclient alternatives- Backport important patches from upstream 1.13 prerelease- New upstream release 1.12.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5- Backport important patches from upstream 1.13 prerelease - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable attribute for group name - Resolves: upstream #2335 - Investigate using the krb5 responder for driving the PAM conversation with OTPs - Enable cmocka tests for secondary architectures- Backport patches from upstream 1.12.5 prerelease - contains many fixes- Fix slow login with ipa and SELinux - Resolves: upstream #2624 - Only set the selinux context if the context differs from the local one- Fix regressions with ipa and SELinux - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security context on client is staff_u- Also relax libldb Requires - Remove --enable-ldb-version-check- Relax libldb BuildRequires to be greater-or-equal- Add support for python3 bindings - Add requirement to python3 or python3 bindings - Resolves: rhbz#1014594 - sssd: Support Python 3- New upstream release 1.12.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4- Backport patches with Python3 support from upstream- Fix double free in monitor - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT- Rebuild for new libldb- Decrease priority of sssd-libwbclient 20 -> 5 - It should be lower than priority of samba veriosn of libwbclient. - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18- Apply a number of patches from upstream to fix issues found 1.12.3 - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple interfaces, or isn't documented to be able to - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is not running - Resolves: upstream #2557 authentication failure with user from AD- Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus - Resolves: rhbz#1179379 - gzip: stdin: file size changed while zipping when rotating logfile- New upstream release 1.12.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 - Fix spelling errors in description (fedpkg lint)- Rebuild for libldb 1.1.19- Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Fix regressions and bugs in sssd upstream 1.12.2 - https://fedorahosted.org/sssd/ticket/{id} - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 - Bugs: #2287, #2445- Rebuild for libldb 1.1.18- Fix typo in libwbclient-devel %preun- Use alternatives for libwbclient- Backport several patches from upstream. - Fix a potential crash against old (pre-4.0) IPA servers- New upstream release 1.12.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2- Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user private group from server- New upstream release 1.12.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1- Do not crash on resolving a group SID in IPA server mode- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild- Fix release version for upgrades- New upstream release 1.12.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- New upstream release 1.12 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2- Fix tests on big-endian - Fix previous changelog entry- New upstream release 1.12 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1- Rebuild against new ding-libs- Make LDB dependency a strict equivalency- Rebuild against new libldb- New upstream release 1.11.5.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1- Fix bug in generation of systemd unit file- New upstream release 1.11.5 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5- Handle new error code for IPA password migration- Include couple of patches from upstream 1.11 branch- New upstream release 1.11.4 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4- Handle OTP response from FreeIPA server gracefully- New upstream release 1.11.3 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2- Fix potential crash with external groups in trusted IPA-AD setup- Add plugin for cifs-utils - Resolves: rhbz#998544- Fix failover from Global Catalog to LDAP in case GC is not available- Remove the ability to create public ccachedir (#1015089)- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1- Fix multicast checks in the SSSD - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source code getting the host info- Backport simplification of ccache management from 1.11.1 - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0- Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: Process /usr/libexec/sssd/sssd_nss was killed by signal 11 (SIGSEGV) - Resolves: #996214 - sssd proxy_child segfault- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- Enable hardened build for RHEL7- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- BuildRequire recent libini_config to ensure consistent behaviour- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Add a patch to fix krb5 unit tests- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh 2.7.3-5.el82.7.3-5.el8.build-id23d71c49a0ec7eef1ba868338ca8a7fea72f6bd690c93b857d78e5e59911679add9a92843fee5702krb5_childldap_childsssd-krb5-commonCOPYINGkrb5.include.d/usr/lib//usr/lib/.build-id//usr/lib/.build-id/23//usr/lib/.build-id/90//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-krb5-common//var/lib/sss/pubconf/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -fasynchronous-unwind-tables -fstack-clash-protectioncpioxz2aarch64-redhat-linux-gnudirectorysetuid ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=23d71c49a0ec7eef1ba868338ca8a7fea72f6bd6, strippedsetuid ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=90c93b857d78e5e59911679add9a92843fee5702, strippedASCII textR RRRR RRRRRRRRR RR RRR RRRRRRR RRRRRRRRR RR RRRRutf-88661740333a9a576f81d28e8d713caa803012969635d6fac304c8b7e42802737?7zXZ !#,J] b2u jӫ`(y.MɾUPkɘKx;|M\ p/(]w1wgnk,^NBX]N; #<rn&ؚ6eKE"ָ &6{?WrإiN-yB_Vsx@H,[fPK |cB91x:U5 >O <֠XZ߻5lc i[ۡQ܁)\L6!|uDٷ2._։1 h!O'7 d>˗EЌI 6&;H1^fn\XxGqF]kmAja$Tkd>LWeT-L:.)w.UJ2СJXCGF˫/?nJPڜsGЀJ%gT&Q=ԣ3<+4o#vGUE*o +PS] yJC%4E#rR*8A=r)G~]ΙvT(2WD79L*У5&d#.Qde. LY?v5mקp!pXOl`d"4x.w6dJƾ,&+`Mg͋͝A7h^PNwۻ˷e\=Ñbg^Azs"6*?x>+M@f^mPXϢAE&HR0km'o(I6Xt0t쳇=6xCAc+?}u.qU )\A5{Piy iΧt~1S*8 e56w6lK[0:$,BkHKRv9gM|l(4z@&5V1[d7 #S q ۺtk~8t12cEՀ,8N:~+l! H4Ruͯ?zzfߐ L#Yd|XMsn+WC}_e]@ǃ@Bi$zs(?vqO62 L[h__2A9ofii&Q ޸x|※l z_qsD h4퀢j2ˆ 0Qyݳ)ɞoׁຒѴc!F]͔Vh /0d YtS/X *)"6-OeBiy-)9[c #Sիny/^NAGekӵL\!Iq8+J_E I>g Yְ m9sjTIk؁8lp>Dob6'YY,FbU\BQR/T}UdpeNAiXt^QwƊL]xNoǜhfw]*Z)snF<@`orp:*!Rk۵ fj VaD0 TIП~J}(Pa(.=O2=wp6TC#)(zAJ;씬v|Γc0ͱ/Ș;!J*DK0[vQE-o5fM3G9G:']x=[vgϨn҆Pf-=@eELAv5!gGv"-Q{$@65 |t8{[syr,TX3'^@?0:W۳Eگ,G,pK\t& O!70i&4ёc:u'$ĨŢ Oa2}K/L,|w W# \K$o H0{c4I[Gm4d[7`\s/xeF[d !D)4EL:jڝnqGqNlS"SM_H"i[b)3Y?CԔQ&ɂ8~=N2+dž?D-Mc rdan;V4dG :(:B|7ʽFI0ˇLp~bO]"Z˩ 9?〈IJÄU= ^jy2c[%c[ Qnm?,xPu\/9&13DksT̺ @YW'4 6NPBG52J cm\{sĺU륓CEyȑy?Y&hN& ziϩQ# u* Hw  )(g/P1 ci? k^rD!d5"_Զx FPZ: -G:[uJ>*n!}̍d;mvB/>qLtPx mSL&cڹs kQ8Ȏ䅟|nt`Zdfm|#H\k}K'y5(O=s>NCn>%S{jE"cZڨ_o˳O^vw%o>)Vnx hu6O)۩|Am:? _痒9*N~ڥ b'v#tX~-⳩`|.!~z+G 1iA!ekdTNjbrwOb c6M),r &p싾X~MԽҔ[1oѱ lCaSDB\'r0(BqhvBqX%.,W^Դ}Z6Pę;؊)YOE'`f졦;j $7,pà*J:I"eH`Y!yVKdR="uWJɌ#6*[,  #eZq$׮%ͪ-AHR0i^ޓ=vaUkԷ2l<ipq3h}6l4>Bc~F@<.!u g߀k_JGlҼ0⑅XwLDrj. įPzۡ$\հ?k+0o0΃(){@rl茎ZmL䐆$46D !,, {zJ/Jt޽KR5v:!G O"͜)89?vÀ?'˚URCg>.{+(VYoytm䚫Q7*5 x gBy',`Pl# -VEsC$IrDkV$kc ^.V{FhF-`_êl>xC<StdO $ &Rێ jPٜo"~'~ IL%W-.e6<=BkS CCܝ3^}@$k; k#g)\)(E'8lruՃSÛRjZ`U|>/kҋf{XS~"9U:`10lu j{:b4ՠǑ?*m¼#1txnQ qiFmKQHK/pZgD[z%o~67w;xq^)pV bD*(+YaFV)ٗ%X&+Iԅh[JĊ#\߰6FfvHmF>Lq+8Z):PIeu8s6>lHe$p9&EZQ|ao;i a}]l.F!ahxsts V3 !hu;H}MS#ra {5"!+'ծF &j4Vq %E-NG-)tg*|!E-E7vo&q66Ιw8ys\NmJe],hRS_GYtǟ~_[=2f 4V-W$@I 6ESk]!٨+~8-MWzqR3K(䙡%=54Њm'$H9e+h)_8w8LķL´ K޷ӄI| Cj\fvbHvJ,ĦzAj_β ?k΍c?U##NV!eVUQ\"ݼpYqK}þj}h--FgGEΣNeU񅁹t KFa3:=miŊdA4|"7dl_=",`CQ*0xޠ$obv|Ԇ~M&GNHiq}H\h0%mzt+a\0\w6>zs)S]%teo38>5ۢۥ*כKr]j(60S6L-i_MTm(/k9lQBӜ(Z 4X/q&|qZi ^C b٧ {VB̺,jIȦ6GOתm {)}(= 'H3)?_>>a>UKJ;R6r @(h)rF'/dBvZ\N]L- 1bο$CpNx:WN0ȶm} _5{>+s''KY580ԷWN(>r֠td+`;!G> "xYnf=MD،6%>#mie6 : n`-ɾ!3?el-b,kk!/okE? Wz(3w]eXMxyĄvzG7>1CO^|I^*f9bQTE=0 g/FU tnٳc [Z`H^[w1/v- +,unLEF_G:>CwNIJfTl|`r씑D) JꌾfxBQ˻ `Kߌ[ċAyoM9MB@1j6iSKÌYlDzn 5sq*J>ʻɨo09?V+",Ą{j12x^5n0٣y6O\>(e Fop\]e"VbR|e>;}(62E;7:"H`[R.װ" =`L<4[-/QA`g%r=/Jߍ|b̚2qZ̾NEN"VbV=odX'igh*As[3Dǯ&s}<9+Ry<Џ[ Dw94 4!4˚OtuzT<%܀ 5o,6t\c/{G̊tSߙdOǶ`G:Y WYnl1õ3''u[ ^(l#Wُ(M_|. ;_Oԫ{!0ڋ^2V3dOa9䧒CݛrFN ߃1/*v<9j'/za ,^Ʌ2'HsS)WMD(>AT8܂HX"2;.ɏmy< E Y`+(yaˆ̻C] X9]sCx3u~с>5'Bc:~P~;gx>JCWX ΁uYkDAfkԟ$ bü%-|X*`LZl `@r=Z4;_[lBDG"ĺ-R YhHa&@,p\i7pqk, {S/1E'okkoozhj9f@֤\Z3v c#T1M׉=j`CF)ԧ>Eq)vFH,_ER+rꄁ:Q~,t>'FƉĦ5ٚp OYdhz1"e%  =ғyPəqy&85xcA;ϫJa;Hm۟#X.؏K󤴲Q=;ȲZ:A@\cL0֤;yk[h_5$ d.66p,L]\^f225u QtMFQ+F]}U+{̋!a-~#{MnՉqM(H8; T39e7]4C6u=\?u&С?2&#|,@{xɈ$hVB`熣jg!b gMn̆yDkvin&gXI=vK4ԋ+b_{C%c#㶧\좷i$0girmV}VdAf3ZiD3 8y\Rm8>רX@\mB`{q1-F܇At}]]Pw322 #v :` 'eR{LZy~liIE\rZVԙ hzU1Ys@*Yy1R.+itobK0 >w*subU([3=Yx$kZ7/ ):K<'qϛSwnj*19dy5Ư Q/ 9AVTK-GA큿_ ;Y+b|A|wiY3!{r$Ӊg |2D26= 0!v-ZtDgw Z!_?5فXJNw:̣+N9Jve͢l_Zo%^B7}@p* \LIsۈS? i;0ߖtLT7D=]U;^DKoɚ1xWnrE, y ] upԜQK'3sR!,Ơ<>s~hMN_2_%JyaK--<͵`$YI9J^9/*VӸ5k`VyTrV u85XFQR]N~ݝ/N=B'ܿX92 $Y8<|r LfiCa28`; tMr"Xz:9891eY+g>daKe{#"67w|x dCrzÏꆨW"tHұ$^o@ń;+pihqy#IuY@ n(]_TR4*A"֩vc:E%Zr@0Aaj=ZWţ7ŽpF1REE"$aVg_&[piEDˉ(GNd ;7XR x+TA<\0 ؅S;K_̷?Q1qte?->` *7xYf򨥨D75ɐp[ 2~qNqOYg j^ W?0Ef)kbI3L3cwc'K3q|_9&,"AU[BZ;J;DT8MmG$p?O:o|c`1d<`y-SV8Sm<$77(zhbe .]+{",l5(/^m'66E p2U.4psYtLc@ELf獝d' qpymd܅e;6 JH|[Qb&Z"L"X-yB=[UDaHA~'#a v dܫ+aeckҐ#~BА xOr?6U ,)Ι b ڡ#*fk0d fK&6 },ciR ?Yhȏ"KП'muCoc>h w>T8w-vDG)B+ADfvp[l?[d#M<%t釃eK4w?yx>x To0C|o86I>evɺ{U>u'!= Rhc8 MP g)o֡OW[fb2vRvq/r2qJ/<5PDZqP2 h9D O;Gb¤X͡%7)^.E2 d?#K]+cT'L,@]o2BRT8;yretSÉܮg+jp>ZeO(TgC~Gw'PC,̏<,r,Ciƴwj9V_poIn_+f.M-`PN0ZE} ly8]~|Uu.b/la?% -PfT1xEU( Te[5rV_PٖKof_wۮJa=FyrCZN&)?ɵ90uzLB!ΐZWd*F`U՟ 2#חx\^D1ĞvWoP #qɌR8EJ.;@j 7&`|zM(aNߖ_#{*5 +RQ&NUB}隟%l$<ω[xdxÃN*$hl &(ǁzg/,po}7@2\< |_-tp8CK%], 18xvo6kM6rIDOgk݊reU&msA2sF Mpww@UF'-%5ge%77ꀧ5A(--:GD3B恒0X/@~ Ё|KsFUxadh5Odx~ZY62Յ Ś,2!%-iB.J3+Q0VieޕL~ d?\o֜doYJ* <@ݎY)trfrO8#ci06v̛fk^Ia%T%mD?-yJ^ 5wMiʛ4jĒ[KZw@:SaEuT:d L5^J.89BD&Z4.d?&ޛޤo|+?Wu@4=fTT HoD0#X,ɽ}.hg ʎkąV E gLx^#P-L/ݏ.t{LY/dm(-Zp^/;P^xyp<51ka2yVR*Ɔnp$9$_P}07d`j\Mtgz EE.봔t{(K>Bɧ)t`r%T5r iT$ w(! a9DđzD ̉n)TМQehyN=$(Z gԚ;_/i^9a"trQ=SxFЧ?݌,=cL]t١u_B¤I٧C$\Sk={T&a^1|7UIY1Fo舯%> mN(eCm7!IBU#Լ68$IG'5XXwjl4INV)FX iy+c! wq/ l0wㅤ6݇uz8!pWD|5UZ}*6X/4DXq7-f%gg ?7kM]˻dw=5/c&C Zm;A) M:V>q(V+#b6Cx (tMxu3Q=@:RQܣ! r9K<фx&wq"\WAhUp9K`K,A+5+<;ۿőw GÜ)3 q4 |F;xIw>bG:MgaPdjs7G?D#qXM | dEA*Tf *MQ[PN !r{Tە^3K}?ҍCPL-, KLBXŨnJ{x3 C͚147J)3utQD* .!N/# ^.!(G㼌I\CymJì\-b4}'.tL}>P5kp҉m':O#d4KD .g 4?o5+@+zG(-Pt;B Вr6{\{$)[N waܹ#ip9~ ?Ւz}!yOuǔNcS%|eXcW tZpzS=@x=zoub"L[TΚd%v\ -w-|v](Nki>7S q)(` Ke)IfXy2aVC(g;w,fFh>x`.( lr/dtײ(6ē<iM=~P:`iErE(LΑr=Ƿ9!{$RjWj6wY D^^yUqڹeeB??842<947j)*\J c r$^W#@]tbi (>}p'X[(Bm5XA\KkoQ(6dJq&v#g"OH%I iAu2aB,QgFd~n9I˷][cyLUG}$ 1^Ss=J}<\ /*] T2&FH# Rnq!8g_3quHqՙ^eȽ!h0n{E$6EFy}ts>yVϻ( ޣJ,ĕ|Lꊰ4 )6]\_a)D@}n*E(|4E%=Cﱅ>Yo^ C(ˆTyàShYW/#hP+T.'۬\#b6W5ֈ`Fg| dzsyOdEsN/̬\ݤFzl\Y2[{/t_ZRb/'[|/E,eBs zqgv7x p3 $D}w,P9 d_4hXHtǑI *}X0hȒ߳g%$ǼEAq,1N%eUd{Yut)`؊.&Q|jOswMD~-j( ="Lja@K_Y~7b0eZ&ѿTf:.̪{IpE؆j Дw(z}2T!w?wE Km9W0NEъܩhRDn7bU,4uU. ifVwzoKIK4vW?d}ryCA+hvDAr>W X9AI^?]<),_Hb=/Ԝ-0ڞaJѦ9)D {,L 5ӕC5I#.L Q1=A^XQF&Vm0:kG> ZMЕÍ=B&tRodZIpH2vUB$0M`l carww# ,&FP#IL}#p3m#rLZaw\[GKTVzv9emJUeuKq<98l3rN"!POeՈob%DTs2D܋J:xUvȄEڨEY`*N ?B,g\rλCt+ L (taͯD;ks wSjǘS0 RΨ>DF.EjElx 6=[C'3^jBnYŅrcJTz'sF/+nA~0ȿWWOV in^$M)g6)M(Z{\\*?s4UhM7S|vrmfJr n鰼TEF9rn6$9m]Ej%-qn21ͯ5:q A7nvNτ]9(*Sq~K'x]ZN+N:d U26ho*R@޺CLtv0+?5kKWePkb/QyE WѢIUJ4$\7M!x4>!Qe@0Q(@uű waz>8M@0M  SQxQA(?-G'w|g.sa veKg@[sY4K;( xG^ 4ʼn9` 'qKHYLCx' x`]k2$?imq ɹ"1;P iB|e(sh \5@BnJ AW`pa 6 &hXzG=>ӫY$I9?=㳰F&RJsbϛ2<7?٥V_ɦJUqΘ)d}K`-K՗k,us-ߵ~Gnt[v8/%$U2Nft_5+ VVj,j+Ql2qKȎ26249噎VfrFXm Js'&*.h8~'V~M(X>RPa䨿O%Bfkt_AOOVRiBj}6w5E_Δw7eD1f)rK}̖jz08(gGIuTo#-|>_m1EGח+55KXaqYMi)4S(b_.x/' fdfXl>dy@=' _{KEP2$ՃG,]=0.k#Fp()&LLlveHCWx%! ` r-j޽r$e򌡜\ڦ._ mOC"(gbCdJ8D[o7s< R)a]V6@*+i>nY-&3$ǯKmC;S0\ Y,M("KjځWu6lRDˁqϸ㧉\N|P{Y* 1(+fZ=CKBN-aV 6w;BU"FW_5Vؽ`6+M^[z;%e2d܄/QMp:[Vl/끡r<}6G]}hIt`w-eH2Cǒӟ8ȡ -#ldB^mB O?cFf&16;(]՗|4Xѱ,hc^F['<)]v[ Y?&ǹiV̪;&o SF,w{ (bAj[CԒCƛl;`zFmh8 kQwe[SbͫȎIrѭ}Ux̏:.j]۱/G;Ow=RZ8w0G{%X4E[(""@|\dcGb}@ƴxg7x!][1&' ʅY0/ %8-]Cn׉ų;< eZ;<$k@ܪ- n<{SQ(}[S%U1 TNg؏3Cn9|*\MB{ūMĄA5npвdi\4Rf񰣤5H P65K ̤ ؟BD0ƗߵsCawjyYbqzu\G>Ս1׈ZMS^o@NKt>Gnœsӝ>S(XB!ȦQo Ɣhw˃x)5_^qvƖKSQ$6o zU[5vChKBy͛ZLCټ w8#yqٖ\O!lxTNlL`X?q맼Fm.VFip#E@rXZ@u1:a[Q]a=%x 1/xIV<=sCߑ1ejc-ѹBޘ'.ǭ9NbW?qro w=dZKy؄k* )jF2BtH v޻Ab7|Vl/rܾ)vL3; Q͚AQ#'T Ȼbj( h>mj57s> 찼b TڙԾ喻JyHL͠$[pOFp¾:xn0$Ĉ+:Ir-<!+E9¼5OG4dՀ]Po p.'"U".g@z $;iS!Y>^^V,ڨ 9tn?{ksLݢzց+ ~R7_$aNF{DbܓSV!EeP;})˫y3- !~ K3a_ڼ+P9E̪8R іv8{b%qlC`vzi#O=ZBV8re-dQsg:ۜb"cAkoQ@))/duL8"7e^W [G[s4pS!꼳ӜjbyN{0O~WGSzb|EjIWExױ,K s;/SNW[f%e4tR],TfQݦle`mߴ.a>"k'ThZzK{1)=]H\ňtoLw寫b2[1WopPj [,c_X,C뱓}H'>W({C=;WrOOLfű?d,B gxX>fMts`p%nE 6=oU 0Hotr_d>6NSEniַ|>$N[~Dx` $G4{#w2Kl7t]bIb()oEc LÊ(pM5W1GDrJ n{`c(pbyU,kYBΖޤQU}ӮLt~8{Wn:!&Al ;0O[ *$@U`ɼzoU!rk*{TMQ+י'9S'j* ̇E)"-_oF6 w !u~|1[6l.=EUھB7}"Cߎl$8M|Q;BU xؓu¾C\i`B]-O#!3Oz@?$K'>C_uJ"w`0 ÉmCl~HB_:fѰ M."5fFL;BIO(x8qV`xWg:J},vv&KA9/ YFhh63zK,\DdH @m:gfi%;IQE'2/j%/4(,c@ k >׎PUj)v+ KlH3-;?Gz 19x<ZHf9dX^֗ŋAh$[s3لeeOwPhz 4GOAWnY(/Rv Z`]XlNFo;l:æ"5q@adiZDfMo~oY\i%~!^5ټ@R Jǭ7"i"!Ay/o5QW_W>SdžЬt,>Y9`VvC#glq$>-m Jmcu&3gPJa(7o 󚇥܇ OـQ}G5@ԑO}xiŰiBGd7oIx+w Kѳǀ_j 7Z6I=I$Ym=HN(wS{ {dD+iTVR')rnyeީ!3?k=LX~33_{LK3(; f-!jwjLu4 czFDž{ UA҈uYE "6$Wy.Uǥ\=C3g0^rD93RTx{eVLOB1)A_Dt k.4^~mʿ$6plq%YQ+DgD^r0/PDU: Q)##I9fKCrK3T!į(RRF"'VbEU}NM^RӬ#z? Im\mڮoq:Mhf`crAfg*B [zI.؟{Mag% S6rհ0S2+ P^oL )9ǎC=olb8أ > ˔Ehぁ"O<<0-/Z05FJ6i~=Wkx?$e*33ZGt( 1cE:l`nV1k* ӟ#:41|R EI|խB,ۂ PYRG;a>%a4k\?Jn"C%e5%exYY߱P[_k?6kkdzNGom8<vdI SW{kD\De! ^:gM%9O*(r>CL\>,9C fLJ4 K! .xPkAq~J$=mlug̵7O%sb;3̶2!|1@UqV)}jK?7<m*J*йKDb;vQ#E:QHՉL 7|\⇐V:'w_~iJ&nY)q)s\b&mwsWʯ NQM\Շ,3NZ'Nqc~NfjԶIޝBS.uX&(Y*w*:wN$^qQS{]^< 2b߻? Y^?נ` u?y[PIeh-V NuUjZΏ>J; C|K-_5x~+]]yC %NvB Ԝsn4pOכ}33}i6>1A6%eejI*UᡚwC+Nt@mSANki ENbqh/y=\*զ:ݟ5Nl: "w?tKQ' u1z31>ҏ6x?![D(BfVBH\aZ+$jQ>L_+!gᎶb◐L(!1T ?࿔ 1V}Dە;yqx?n<; ey%`ZEp7Q\]^P8a}JI:i{\BӄgGMvl3z;qӶɚ)8Hk8:Xz)S T5=LI;A% +5ڞE[Tw9ӁY,7k>a^gfcX,֚ ABbCtoK*=6$MqR4 Ky]=}7Z"rWZ`mD^D1@YD"`q 6i7W(sW0IHodtLGm^CSy=|KbH 1Rq`4 4puH;iMTewd5AQ5JˣɴlP5W]|9R(,̨HzAP4Y$T^;MFXt+,Q8jFsϛ0PbqcܦX?PM:+|| m*:sc2=MCc7F7c5Dfȟ>F@nd4ݴ)`kٸ$@ ȪFcP,FB`b9YB !B{$ԎK*8`S[zm+97Ml6hV 4M/y㠞(Y,oe-u8*}aq*.U8x6͒z|@ #og!'-? T+-{U[gJ) >ſ q^<8w D8 8L.%8ZfCtfbF Y<[)W&aƶWPaK5V&P0<+F$>R^8"X;\$Yy-;>v|"ʺB呚s) bELN\hA8_v yO*<PI燜r:D<l &OѾ8؄_Dr_ﱫ/%p^7go@i4M*S dovsU@>IۙdyS <^EvtIYe6NVL_\L/(6pZ_M7)ɱ{j(rLhWd| g eׁ>Jeq_:7S(GinnTKP.Ux}wQ?~M<izu7 QufH{%-wڪ~_EXJ.&j?%-j|(=d 7/-5 9#=V-c(H{ Y뢐A - Hu7RBCO fxޮ$d潕?VxOfSۦ}}H·k9.v@`~t慜utcK-FJ2s!v7cF<۰[\"xN!-Z.pi nD{!dPm.%ͳͼ׆% φ_)Sow._$Gଚ^w;sh"ߖHBTj]ñ?@ER@3u/H*v̒X fɴY !]mBa3F]idYU C IXRci2wau OCYiIU௑a;!\si@ӎ*t$)NH $ ZzI^ɫZrVݾK+ 2!ʫFg|BI}tm`٩}o\9 d"P(Jh~݃ vbzBF&Vtݴ5 \UfEUw7f9QuIL6AI :h)+yKYxK6$9 [뫸.7B|}䆪BTU8Y?6 Rٕ_g{|}sy&E~?<INq%'U~KÛ)_O0}а{NqKQ#4H_euZ( l Qni0y)w:Kx?Td/rԋHfxۯ{B/Yxmm9R-8nJFemL/u/@Hx@ˎ3?hꝯRM Y̅WX6}b{|i-eut7ɳP\Sz"G,{1z 4 V mW2!vmwc/>LyaUE>?~avZJ3z+$-Ks2_mp br7:sHX-nXL)X tnˡjΐ3/e2pY7e#,w_[bd'2ZbVz :P׊>< tEzl-)fhW,3IsоI^N˷lDL%:m"*(^5kWL+NP@|2!jsNgrNgC# xӢK ?F3!&FSiFlM s嵡L_n7oK{37h^B'l˦f:xP-SkKQ|fmcp8MgvB鳈TSؐƎ詷J]TjY 8vgݰDRsyb1x"*H:n:0$jWv<1XSl~2*&$C绯3a1'Mh6j`/CL _y45TB98)>`:(@xl-Gy:ЭD:PT%,4j5*VIXgw36;BPKV2ٵBIvU4tZfD%SmA4"WK}c/KOfmoT=ܺ|R"6IOVzNkԻ#*Vr;F?HIA'6Oܝ pJ4`EH}SxS'Ud rx3Zʣ`lV.]Z3XmWm[)BXѳKhܑt޲r!OKʚ4Bl)MÌI>d#dcrtf1XeVUiMVTW=!ӜIHU<*1O8xujdKaOS Ǩnopp[1BѦ{;T%zkW4#҄ɇ.ulY3 BnmZdQKM ^y̩h3XKC_Xr0Y8Dvs[~Y,$:!)?9v%S$U6[m da؈,l%%>u5/d&؛L"Fm_*GU( *[n[6UWE"4H 5p܆>PAWRSR`,f-A 8'4Rxdyp'#RYl; &XTP&A]{BF0k-yJ{ Jc:Lt'@{3SEkY]$6#V56jR;-+rxV;eu+eK^ko/b`bVG#n$ܣ#B']u7 TԽpl8˙xG61Gk y-!Ot k͝P뎧 CoYJ}s:GKkq>+&/oN><-?6,8oZFxjyWBBksWW7pƟ(:NNxQ Dcfnd4~'l^$2EO'\"L~R񜁾ltiS'M?} TAH!:{jt Z Z Tts1%3MTMU(~a[ޠ@"q*ھ=ɔ.3y oa :-zR, AdQI9B͵|tDʇ T?tדZgRx-1 K$M"]!ޢzyP8[! 2Nj)3DHAmV(J& n삥rQ`eL^.- `|~7`r'eHWW|D^7g^ϐW߭<n>]ԋCQS.R[#OLk?#9Y&9hj @!daHr| @ mj , QA3>|]!ᜇa(ٟgah;rync g-5B|a:C/Lꓝ$\V6NUw~~h лBjɭ~mr@樑ʵn[v Gu6ј '2k:OO/ގ.p+~I/cŨǞх kkD,Fƣ/&aҿ=$é: !//˳qյut\#(Ki$SF'a;ȣI(U`v #)E')*nSwBUY6R|&8.dDWIbuRr&nBR`{tZIM"qm< 4%HѹM[%Y+ۍ9 Tڍ&?9Dw-эJ|@B15"~Eqb0ѝ9龼_.u`NP+y@^ކz̴@Aۘm1q)V$,j>cYCOby3^IygqW}o ҄V.!A8_XnxU6Hj?"gї9A5MC+H#HM;#?IuW+ *RhHjx/=O,~R`7i^{Ο\8bsl}/&.eجӁWutQOl:۠$̿a\N;^dF=Mk #63̐at?< ~JPFבgXLcYsmm<.Yk&{hbXƣhWkBqyb8jYApˇ2woHA`͆j'*k{m>PVU9]HWqdHܕ0س>SFgvwEo-Ϗ'/r̭X|`8!犠WjȶzfS&p-G\nLR\Ģy@S[$񻑋 ;4WSrBҥ(*T> ]>cg]s*2SI6Ih t#OHI-%>* |BmiGxAdx m> +W=CnG|l<f3Sx@Uf޼T#\Q+f/lWQU|>nxj;c Isb??%f9 :HZ]SwӜ7  d= V)`]A1$D/D& ]pWl`6oy|z~>on1ʗt1K1jrvٗvD)QOa @zёTS iJ*{+$^5q-Q^⢭,4q|5&UTPoqJ]hE7žJFv}?4ہUj,Υ7c1D0>[/͍ sfk2)3kW Xx5}AY^(K4yWq'ޝ,±U|NNL! 5}@=k;69]yX5tEnW֮e; s6 _RMvZZ vOCMy&:O 8-?? /3\<.%0)`2}QB1gni83Aκ_凍Zk#ih<ϥ E([PV1h u~hJʋf~Y(zJe}R8U,U^>R]@'4a9ޚp[ەĈݐ} "*o|T W1*c鳋}{qO؜:Twg! BcIe@ԌóEU :-5c@= \0|EwnAmӖXW6 = 1c-(Tf2kcT C:P|)/Op_Q@z? H=]xg{z!KQG>71c3Mr?qhhC%)(e|8An_ߨ5D-c{kN)oU1a؝_b;*b! 5EVjѥOLABvW_A dzTDž^BN.TSSDs,H2/soAsmB,kg)X;K7潌ۈM ZUս$PN>!*Mו&t/Q?\h{fS0}R̽SνM1}xr#e\.xԤaHcqbkƂrXԃ_]7.|(Ǖe+[K0ёt-A=_w{d\;~mSL!9:<4xEQK\c|v1%hWp\7j l&A'i=` 7 |S1mRڒ5iGя pg#ca8-]pHËsNLJDrL elrt`tO'oE *u !z< 6߸qXne|In=ƮN1,{qZ$ߌeaWv3>˃4kRM M͔ }s[rQ[ 쁧q`¬ ǸR:n<)$mZq,Y[Ǡ2P%#)`7',#klf(\=wxs 1[JuO=C|0HHrD\,JKrvƊs%lݍwΑ5譃(a!w x>(cH.@{dy+g#74A(?C{ͻy(Ftw6x>X5h9 ˑ4N" :]Xwc]O"P"f,",L"#v5L gv fQ;e$Efo֯V>#AFY04,8+khzVp 9]z&-RPȈ)AQ.PP,_b.va?ڗ=Vg2JuMtet[qD>z~y Nuj@> tNvcdReԮ t0P{7󮴎mɼu@q4EC9fI4d|, B)&R^Rx(`~mu1dx^9P[ތ$~;߼w\nD1-=[_C MBr 6VA>B[,sjH`z-m V L_ߪCfPU׹{6޸bm^S`~|T]vOm<Κ p'r#!2Z2J}^qP\;,mϹl@m'^J<pj_֡J_ex5Z0< @4 fZ F5;s߿9rV,D|:K[T_JD_%): XͼjU E*=I۹hǡ?6 Qot֪VOI.`6@|bwZAa=(,tpIQ.j*Bqp ;ZfGWham2WEHq@9K]6c5dJKWqL-w:[-ɠpt6y`vgPkQCdhc'{[f߶< {` SO*,b 9Z0{^J:S{f ׄ݊W7+z*L%bLQ0KxE2ڣ$z|SiF*<hJaQL7|o9kƛPy@F+U4 E>jYKPu]L{G<$Hu?Ѧha,?^q ~E&[>.wl&feoKEiuhVF$1)>fPy˗n,%,৤`!`AӂcKNH_'h$QS-7 'qugTV4VL@_3pJƦpѾ=+PehknH֢W9X&IkGO;ԋBC uI6Y=,Aʕ6~ WC'Ac -<4wtF؃ZRm<# V@e"$~_PfGiʿ7 c31,!{l,^p$W0sznk)j(sG?Vx.h-rh~ToSvZxU.:iteE9.h--^z ^1|/pe}ZGi\L0$ֿI0Jg,pjQLvyRL\l+IAy bBwI7L(&M[]6R(%el1}ۦPx83p/](B7:M\m!,zzem)WF +@>m8;mK:Ne}x8qX[+y~a|1'd{5ZZ2Đ8al6H#[6ZlF{47e^vJ1cmHቲi| . =҂C7:`△>٣մ՜YduT"/a)j]wThu A--FP+"{=7@+<A?mڵ9j&|]h) ڜ|ɴPSjc p}b,VƮB[D#¡"߄0^A?eG4C,n-5CNgItop xh& GH&O"K,I5g%h߭X`Pj*T.+m\w+/uϫԌYNF ˟ у/}(1X-)q'k/܄R~MgS=i01`l:ws{D,Ǯ.+;c$暳H "ATj@zOnx1b@{df1ާC7.Y7H3ٶXl6uc&F8^ODxf\zy3,{yHI4E=rta6RAnQ$*bn(WNU1 ,gg|\R]BC)'G>%! jcwxT^4dy2ݴnvS㻐F^;Ӧ tԹd8[%(P&0ZO<xg\yGmr5!lHx#/5wK8;hVo0Q/Q'HŊPgKLo1=3KETS bAiGB蝴9;+[X:=T:fxטʍp qAo.KeȓI+Dr[ij,>`}z<(~`==!cЉSZi-βWR3yFKSg{7O#L@[BWO1ܶsٽ JR '駍ZY_ǝF8xQRqf6eVKEC%q0cJD6;gx.aLeVڔq bdg͑V[Ɣr㿫dgfȢ7* xҽBdy1s*+7vޗ(S{>ցGXES15ݪq;"S{vucAg$[1sVA)h;_g$ 1w*`*ø?/ᴔBAXLU|X8g]U*) ¨8E͌yAؚsZ>roF_w!)62GwRIг>8 |NZPYZ!ѕ}s=ѐ;ʗP \?^7OId j) Л674?At=Bce)U-fB;.a}*d Ï7K$ db6nY` Xe0 vXys,>nȭ<~}M>곝ųȐ]8€n%[v#).0@[#$;jU4_ގ>vި9UOopoY\`?$uu(=VZqɌ?H}ۥַ qRž}Il)~yq-'e!5mpqQYƂsmVBQ:~:ȻB חzJVgwK XSAbhX,me{q"5 J 䗟^X!BTM톥hx5yD5v 1BʍDC;F26y3A^RPr[s phZy$n@{vz~ ' f;F~4U]9>&.Y9fc+&k]/"g)_{L [?L X{S[=Ugn,:ިNRPAMׅs=⁶%Q @x` cWaqrw.sWŜZmMԕs62La #|aɲOw@/l\m1%,Z` [v]D3I V6HuQ N'g~٤[ZCG{XPa50ERdffhG-N ;`ԕӤ+%vg /JX=yzOaּܗg!MEV B)spX}Nh1JktAt7S0o%q3ʓ(\?,s.3THʒb|x|eʘZ\ js2{RĶ1h0)%ܚzgMWtVԻAr]"?d/2(V~c4Ihk#s#l\+zo7^ B*߇bT"WHl9*Z,15Gt~BKļ x~R-V 3,P,FǾYdvTB g]:c$ cp:5WxJלh.RmJC7Uy7N4ka5dRiqV }{Ò;=bGnW4ݛ&xΤי˙| " o$h|n+e,B͸%Fv?ș1%3O?Qrl,_xL\T-Vx5tܗM^D8矑}?szR+Ow=f,a5ŚtTQC[O,秱5J,ލ-VO7'Vkľߚ}UV UO%&?TX$c7J x6Y:]Xwa}'$1&ڲه! zn#%gNV åNeޕ`?z3 {+`MA@txX=|#/'N50<@ID:4M r+_el!YS"vb5xf';a>̀#kHwl` ,1LV1@[éu*y1eu̪D>ZS>LBid??Ţ]Oϟ 99,$t'==kZH 1?m>Gdžq FeZKM/@DMeg#3' jyɛ+X@'b8eVl}; *M`8JÚAZ.~A:8@Cv_kd@&И'+SbMEXCjU]I8`b-n"*uGwj|T^(-->Q}+Qi-T2)'@.w E,,磞'0P}8ec#iIxp4y!Uu#Wč",V!ިirI Ih`OkS9& & p;'a;|OՑcJWy=)"y,AFTOqfL}'ku@~ < mJA62Xa.xro~Kd!I^Tt^Fio|0~~7rhpa8H.fװs9:Pa.g5dN0Ѭ'׌51#`OF $PJ@ǵt biI۷8vd9c*.*'yeCCL8kR?Ÿf i`v}|?/TxlGJ+0[:[G\(%I/B߂Bo3 תI,+שQ|#e2޵,"w2Zǣ YV<|"Ղᡏʡyw6PbDXv1`197Yw5`Ylsj[x[1:Pҳf /, _q݆iع+ECI"L eĨBD/* g`&vjL-_ޟ"hdv . VmeN2Ƥ, qOOX:yQ u}KEQn!~ &!Eu:=ɒLT=0%{UyCju!?E6Y/ໂ[ B͍|ƀ0\wDi2Zp̞̫<$]n]KEDL)+IUsm#cTV# ?Ehb #Ԩd>|C7cYeY<\HЗ=@#nbsyoacrUA(J1PI6KS3eoמ%,{0RJ 8w<@5eGqƓ 9  NA' %PT˿Lթ_Xʴe DՋTPU_teg?_15N7LB!vh#Gqn QC.ƼBc;"Mݲ|ՃH8r;Rn K=:{ G6ɈB:7a 򈝃EwAdIX?.Ttoj[~Pu2GF#a;>KaH۵Ʒ?ún1 λa{&͟8܎n]'|Ś]!o 8ף.)ڄu^I\92/] (`{ <P#j!)6 iSeg18 ?L0#l8x T9|7+e8{1ON٠ EeF;I?NQH)C"qj 'y^ d81a}Wڃ]]J!xEJzur[-]s[X3Mz盬rOB:c5I:wQ`e9EYUе$G #m퉡l"u 8]@G; B/m}bvn)d2wg~Ꞻ4C$(GE5HX¼t+7ٞw{b+H6z6Nɬ)5S:-RQcՔ7. 4qȨUiƏxJ6_;3% d9v\I`M"ĥ7H|~j_'$K=]L\7ct1[ͭD.e*O}r}8YWD6.6aZ. zZŸcV rӽ8 :\J qKa#Z {q0L„0NNBb"y3IYE#W%ABm\eLNlXme (j B>>\;B晪609ao*ƕ)8*/* *|FGPt*+͇ #X g9s$X͹ӷ^@JKωegg\gMғURz߷*H)R ?a%6n2׃kbg;=6~חoY x##51 ,ޕ}0-J(Wۍ}AcLJ(/YJ9T [} HpN؃"xd$ Ÿ_z::ФKjyϱd,>R۝.Ughҫ 7$a5\3 d 3/1_8&c5F\Obvo~c' NAf%#~B yCiI.KMO("df~z:{xByv}ꚿ ̔#{ogb}!J6MnK6 bb%P$U &MIܩFwkb 3_ڳg\z\zr>7zFMUZ9)Í21ӷ=پ53n$ᡮV9@t=Scs`Ʒ2K oY^vg-ju-,lHVɇ\o DpjT}M^}edCVXּ`IԶ/)o#څ#1sjuڡ0QoNʚwP P}lˍK=9rmH 9oY$D#n3ՅHfz@{A,{@ Z%bz_Pu 5S"CÂ^*7wO Js}ɼ++Lz@.o&d1P]I 8NifDKd ǘܛ2>kQudRRϡ|AǴl}r.Dm>^b'ݴxl#Ӹ `}?q!ƳYHqgpVkcNW-[+؊;bfqJ?Ә2hi>0z(}ZF4,sga3P7WZi !4aQ*!8v:_MYA*O2H3! 'ǺLnϣ0RHeh Nd!A˻w3Q"- xiǽճ&Wa79ՕX 6WMT;n:e)lvyۼN iB+q)"-;Rz=HȄʎA oP&򕨮>L2nH:']WsbnJ1m6w˳b2d$W SQu & kpg8B0QV9FqJ)/G"oG{̕~(_[dY_U/ ~^(M/?hG_\>(= +@fWx6̘ E!G05]/Nz;'e{6ʁ<ʀ0y j@$ՅI#h{Է`]'Qp<b1YKٮica'c-6[ &+Xp"FfO &#+'FsYmTfhbSpwElL~Ci6mȅkncsD?Y#?X@W/Ew~7w}Y2 %iLXف-@pW׿)1ne~Rty~?8'5i`6Q4= Px>wPoPȍ盯ZDf68')["V_s;$P6_Д#)'͂5-=.A)**BQm]iL ]=/冞GIx͗L(.R VC:;,ݏml%ɗE /ٔ|)3a妘׎hk7(R?5Y={VkfYN{"oD$h YE PנzB'Ƶ͙RS@K)4KD^pp-}#STh64vcy3qAcis,9c@-^,~@ 4+P ?tfIJ}d) bx=b;+> ż.lH!9QCjcS0#`iTf~'{6ʪyLۻ%ǣ 7ZPz~/usqo",.t c6qthW ߭߫$@ 5StKHќ,B e Ķ=c(TWmܽt[}!/^dvz䳰k"sǯ<-yuϱ劎5Bmûj-[cuG7CyЌ'ϥN)6=W) 3@2:[t;kteK/Z( Gq(ku M!JQҳy5TO`w>xQۚ%-I4C 0Lx{jF}rc o@Ḧ́=^V(29ŵ*R5j֩ gyU5RѼX<\ *mV[wA/E"eDԼ㌸&=j.Ŷi?ۮ-ghya9Z\n~ } 6|%uH҅"O 7z IbHڲEY2AXm2BbxtV< { JnB .8H闑qc6n++iQoZp2> >T?mpe˹tŹJ8c1w>W&o B*upD05}W67 ku=2ο_pc83I)ۜoVov1x,g#]A/VnVDΨH]O @Mo2ԙN^LC_6jb W+g \##h~n/ qX,( (5&M$OgGe,vf$F&,Iۗ8G"ClDKȗT%KԯPUbSHAM`§7(b68 {$@* #I[ho}4bBT$7yRjL4c؝5\&D}ؐuUcO3bC>Щd:Lʅϻ'Y=u{yV K:RxCn+= ZoS9cz'%%MZsDeWFJY"@3X.l}'m)zl}h܈^r=z?& |4zT%ͬwkIᆡQIqbM늑 9D|=?òWo,[&2 MF) Pl%xAyINҭDvfD[(8fx @< A={̜n?c;fR7n]Z5\k u|ș[85ӤKeqvQeǕGv.56[mQ3׶kmnC7#|4~3OD 2N o/;۞, G4zux-3bwlצs_gp^$\r I\wbjT,?ZsN`J2̔۟B/+W@ANht!%џs?q$ M"GqC{jR3O3oP%]+dZ#×)9|F <ڸrҠqmϏ" F+('"]Ӱ&4 uDaq`PWis``oyM|;Pr} FJᵐ =}g=sgSGHi׸!=7^705і z0ܿ S.V?5] 7+=o@xC*ab]^-+}FfC<ӌzk՛qmL=S]+f\ly |,E5+HOǦ3@?bMMTt6Qbf7#hd#{ScR$-pt'THV26#_B3XJ{뀪pn_\/iPy VR}Ї@˕h""Fu| 5q\lOF yVP c׮WoZ<;`cҳȹK٩`Qsg7\󣓚jED4{`S}wWaeWVBsAdC"dpOhPeU:>5,\h}{0̴ |uh_ 3O'<ʭ-,f Qf9^hXm!{\?`>X:@f才 l:6x O' $(wuh6Bl]Ph;, #PdM͖a> bݏMJy-ÍI8iYaB-:Vlp>5c35qu?:SDI0MXٝĦW{h_U>H /iz|BU?0 9wFpb)Ūea.b@7 ;)N@%[ ?-1Utgn7Y [> _<@=7R\n<*d1&uMc.OH*Kw@B+liT\~ ԏd1XQ8Yo__[P˦< w`]\ ٮy"扌G^ܽZ >{&a+ _6S0Ԉb} :=-l5i0G ` g!j&9Ξ5QˆY64q=Mho e{lhg~4 ~ `87Az?_<(@jn #еҢT!m?#:frSk x #"] w}-#JDVekw!HrRlywM.ѷSm{mŌk:Xg2^pP͗F#fp|;EcZ+X 089X4ʚRU ]ѽdUə`5/ +Y Ѻ^u/qOJB-2xڙI-G7áUdvK'_NUCZ3zts6i0co6 7* ā!0'K؊\S}Ⱥ{J8uM6cAt4.tnMh/6h{GzQ9X߫DQkX0aEad)+fG288 fgD Z|Z s,#x$JZn~ŷwpXˉLtUNCh-@Gn*\,({dv.5rE3oEh ўRs>JKml'~"TCgQlM7}wYgA{D.3=N @8xfqZmDQdfDWsZ-Ck*obS 4o>]ƶh!n*_$#l)G6pثo"QULN61~oaFC_E\WnDJG I-Od/1u/Eސv8[Ʒ5mf82aGȁh|Բ/p3$lQ6̛DhwC\o5d'La#[k+iQxHKEǎGr=k b8VuaAP*\jFn6eOd;34`>='̕®=.hYCXb!-z `=ӮDS5{fpq_#'C7Q~TH̀b>ٚ(yE̞\>Y$ bJ*oZr* Ȧ}T 8׸;8ʊ+\8^ O*?qL -9P\wwI_#30YP3mP?bns|j\$ .Z9;+ZO).M>.)7?7>!J ^+xž&uVjh.4iXga$ ܋q kT3b Ew5;m=ǛSqrBܚTr"Gwq9 Syr6HӸcŤ62@t' @;S܁Mdͅogf]í!Ͷ*>S#K O'.Kx qX&ҚbBTOyJ#Jp-*} $ud*4$LNP;Gjq^@B M߃U@*Í(&J_)~Hd?v&^`nfQ+w;8C5 ,<'d?Kr"Y D-sp S&^F"梋4q S'E;ޓ)A^!IA,C &G\nx_(7˄!zg  kBenF ?gLWm9#B]eŪ . Jr@Yuq}觐Ssu25 4 Y.9][IJIX3Rq HҐl|Q^}tdeFim_+J_eJphEBv }* B`^I@*<8Ç>JV^ <2'VkvPi9?,20 76IjĥV$3E|+d1"r/>Gʲ%Y|F0|'T{x> tNv*XշΥKל?qMզpIK Au6*kw[yE19s09 U9Jy޳U!8xPf(fG8h'ޞdmc)2vT&#mEBYXy߱ }hj[XShJcG'Ҭ C$1mR;.%s'zr6#^-wX6-wb#?f>:+y B!2ш{jXi;k/PoƗ/N]N5@2:V:_LsT+w tV)76DAȑq6!,8Kh}Ft}AYȏyq?5]} ٰXq%;k٫%' D"gB_QC6_9I]|d@䋔?\ !s 7jTS[I+L 6pč걵ui#w$V;/˨d@P;Z}ȨUW0\!,.БH:"% P3~R_ܾ+P3чd9?4Np-Jf`;QOrdWf1k'ϢZ °ف Y ,W5xUȥ6a)96Jk[d>u 8ҠQwdf))HP8=.^*)) 7Ü>gB!YD9uqzA UUhR+ v)BbR4)Y0 d'q=kr(9Plr*i$;y6(sfND!;mQ>Q qtS-/C] dv16@& (ԬVe1zuToؗ:K(a)kzhf}nVboCny6cI9L M5T>IZ|zQ\bxFh+`ـɿN8/KKQҷ@o< pU&$k$tԊn[[`S$aц }1V qybpDtn(HvH QPФόN$o 2<،au*Q!1tu:̋wgmWq9 }o|Bl?XC0S^8VYhts=39!*D LrkC-! 8o#lD@uħAy\Qϡg*w%f,У"J;bոS_g8%Ej)AT{; qrX>rB琼8Y ,XZYlWYi6y˼BKْɘr$](.BT߿*CDG) )B!WFa* lG?rWqiTYJo-E8``_G(_(;1Xst)>x4]ypԔ9gՒE>رK +6sbAmF4굊 bTAvC?p*9t f(g`uoP$ȱ^uꉝu/UWcVh/ /%f:4)1W?En!k@ 1Q蒵q *eG>̛؎7ΉlFC+ qM/oB#u.Vy+YqIn DjW Vu{ ABB{ CryU?B d ςp< e,'gνRaBPT{`J0hͪrz/&E[^ `C#BQ /^L>t&Afg/  [M>.k ^Lf1@޲Y(VbJ0 Uqˁ7R0uf\CߏK]yg%Y怳9]x7 wXD ABw?ͪWvhr\k|l9Q?hJujnh=L#_ИD}tzV4m5&TE}n杻e5X*Z\A6.zV?zSO:;x.^yd?ޝ*)A:΅4!'Y.7VvȗTa!_!씥JhdҚ$4TSgD_켬YXVs kO>]/1γ .,Zn p/-u~&OK0e)y(./[GR̛aU7Q]$p D:~pE6y32|Yr5~8<Ȼf3Ҟq27#|EY!;~S gi\jK=XPz vuW@K%hEt{(d|U6NQ~qxMC:J =jH:x]Zj-ِ]);TsQҮpŢi=mx9_B2}$71"~" 1>O=2q_akC l`΃-@a~Cďg*<+u$Pt)3fexȏio4 }<y5kɩ|ֈ+UvՒzZRiOAW4Ye=!ev{"+FC| 6 qf-JВ cWIozv4isaQRH~6mK{fi׿|Qi(Hg}ӡֈf5+*z΂p,.>PpS`5%, C@& ϩq׃ڎ鯀ƟcXG<4 i5VJ-XU=Hg RjIܺ5U>H99m?on#Ya# Q? A~#rni$zr{cMM{ˁ#ѡhj p.PV=SsusSQ 6==BLp/s^. $N45W7@KexR[O p* H OLϬOW{f5Y oNY`˘A%cs\)1Q6N YtюiwAh/>֌EZzt;J@t-+r<#VYsV|5DȨ|:;dSÆ2~r9u%շYs !u$;DP{Fwʸ*ɪ<ښv2REgvۻf ,-ٺ# ixXiE ⾈ R-=#*A;QOWK}O-H?^)OB:?nalQX8F|xg%pϪzBO S_@tK9a`\%Wx =S% Z&bRkogͼ!X$V2D ,=6&3 R@:7LЀ:_~C&UFlcWk̒Ux)JPJ# ZTdնBe~!AH]Z VE@[ѥXoEVN#Uxfٺ#U3MT15?Z3pYgY$\qK"є U0` A YT'sEȿKan4l + Ȃ}.`,fY;G )fDuj ~mne/2!L2$w[kWȆ[lK9V\*MY *G,N)EzwKœSȫEGdK0^,H5JЃyT!=@6jgzs'e|lz+;9^=cF;C\hيv)Y8w7x jr O}? D}9 !b` (*}KP|G]v}U9)垩fB|B%_`I%.zu :i!"´QV0=xilӉE2=TlLw E @!X4֊,. !$|/u:uIN̚j#c0^R:ھe*?d^O3x;e'n'MaQP!z0(>~ E?0+Žm̜Đ4z1%m+.Q̑`2}>P[AR"jտ܂KyCo]µٗ73r*x.`BOrxR$S5'Lco禬^p>Sw {%D,$+=忚a_Uڟs=Lm_ayWLjֱΆƊЅ݇820i#U @󇊊ky tώ"/wipLgP;e/ԥW`kGjjT#5`+:YU3eFm/{$+:EB:j]p٭Lj݌Hl?& 'k! {zq; m˴$qν;ϫeq}YC ψ?C`pĜ02N|+$2hGdBE1"CvfJ@yobzvrr#5\p7:ԶT{Fn# 4i#c vn$(˹74FGZ+b_砐b '5a`vã4}1g\FėpA6~YXoVC?,1(h'YgXĉ"+.'b( ~z.^:ktoN`n?emV.=uvS gjKvAq6L#j uol|J15e1 @!HG~ǪDM{@= e^ƨ>B`>{ K>WSGGOppE|na0a"[]BJ@Uڟ˧&jf)ۀҁƶސLKfA?R#CO ]{HCb;_w Hq`y;u9?0:q\gaҁf@殠ͨ1v`(9gL H&mH`j:\i ?ɴ$dx:ttg=j+.wp ݋UE"{ޙim6 "Y9'p4FlD%9BoHT!aܤ߀|# #$&T}=##ut;Bd\^ixԾ?UahwluIduV}+xJ`ăRYC-v6GU~S@[YV BP9Sv?|Z/:@HT*\ M &%Mu3>~Z2 ](GrP{|É SZp,QZQi;)]{ MqjEx|>_'*MPbEMof(]jɦX{ZiA#(9Q%G/_ujtyU;䧏".'eֳTnu{4@_(vws- =|yb 9d0 |t`P50ɀ+ (DKdI05R2Cwxbf]*u0uɯHq_,L!0[.ͬ ה"awaѨF\(GV\-YkX[Yga1 bzw#>FO{aL\zcC]Hu6AYK}\Ѝ}[zby&1,vrl;R-x2?uO4V5܋ fkSŤ0|YDMvdɺo" G!֎ʤ? pL<8Îz*3zg7'Y"aGj^`=kZM$ϟ`[9u2{ MCp(:Ƒb|O#_8mSݣ }-\"5 Uub_2s<8Tm5ʃb(0-kGτȷssJ"`X=*";#FA x|7?W)F]sJҦHG લ[xW5U,V[Q4(M^;e2.MֻA_nRJb^YD$hh%;D5?sX 1J2|)dвy栭HX&#R՜-Duqc Fَ>*]̶L%")Op pّzC d⍬wXO٪bܸ(j_jkjCc<}cDy58U'׊y~HS=y|U ƠBSL.v% ׀e/˰s {ےd[mШp?Yx:^}h,$LiA-UoSESa۰,[ dZ-sW(34B?8$(:bgfHq(o<',0z˧l W_u!ئʈhi4ӛ !fSHwVNJߪzdf=s0?9b`$EȌfD5"{X6 $@$tX;Z8CioS 1)TGiAި>Ǐ֩ݑXx曏cmfvz0|c#F[ӣgxMQ2̬OAAvb6,C^v~6 :x"ZI'3j 8iJ^b't8 {MQGOi6]c[Yqn, 6rXͧEi+Imd;v-anfrq*'l&m-Qڥ%!d9u~^͑`蠧/$ @H+#+I5q|.D-<&&#̊w,` m>MC=FT8ɼb4μt%p߮/ag(7!hAdd.,XǔB&ZGaWɆ&+Ĝ"cX.Ћ`w*Dy-wW<4I2(3f~N}Ȟ:}P7H(Ȯ{rw1!Z0քA+(RyGc'/P$Fv!ХLy&[^R[]e|TecI.@O;=0 ߱ьc^Np=ۢxm>K8k%K(?6vj'bV栙6 a0S bkhF ÅkDe"y)Ӈg-ӚaVGڽ+h M7rE9a ('?m49z MN󼰱[zi54u3`ע R;RѡkG -6+};;zeN2a:[MWe 06kH7IN9v.H(N e2--!?nK+t ζ?,SYv@~b!3CͨcuK$i0SI捍q i~wC?U]dڡR4?(2Dۏ-xk4S3N82})Mie2I35 WT8JƸz񟯠=9sd4 .ߤzcޑ贈}饶أl/h~a̻ X(m> Mܦ䶋>,~alWط ZKzlF#2ˬ~k H~iKisroso/Y0VڠκSQJ#j'eeCsxΟcGX 36CFu<1Ir h{&uN25,Aڎ$XavG "8%]5mI jհaAcA$- criC"l{}j}ͬKY{uTRD)cФћ_Q:Ji+;^wԈo~2 >жF[ p[=.+#uI# _Fd2OE;sL8y'/1>Lk}#NhOkT`p97 T$);I1E J\ WF_9%nB}Abkrpcg gPX7&KPdNx5N@tYJQRvG˴n5}@t#'T+c#gGYi$Lo6w3$8$GUAi\Mj*n_VŢT LK"RH)WpmC{F]\X化e;FA' /u*h}•W")<~%,beᆨ%l黽4 lxݏNIk~?t. c" $Y{yJqN:'WKJ|ʉk+*dV|/Do6hVbWʪIF!^BjS9nNP3򜰤8rT&A+"Z-fGMyyQQg&Z6"s&KGzgPJ`͛:2d3GcLlLEpM:8ц LId.][0#=dl O?goc* HZ‡|+{P[>վ7dxDA%H8OQh^r]+qr cI|mnq_~Fe1da u']IM'OpWo,Ig-OΛ:)&%4A=%HAL AeLmñKD5CW@0rawN6jw;cSʂGz5~ J?A -MrWU[?ADkIlߝzrf AԖO13VP[}/P%7݉qN26AE` ]Tf=1k:Ÿ;7^I7tр ossZGi2횖2Th53JQߊ e gc6~ ~U OQOdDP-,r_R5")[Ӱƃ}A2IPU^hLdQu#ʐȒ&l:ͼMEB B Wv9"Z/h6*ڤK3~z }9NѼU]*N@oc<]Y[k.8sQ$g e/̒@Aǹ٠±[вՑ8=W3Ԡ$_Hw3:ǻn-)k{[7|԰M R"4RJG?еcEk4I&'-w?}RwnWs˜ ҽ(1:Q9o۠)v矝VY[,Lmaq[з2-Ȉⵂ&|ԍB͝Xh#Y2fb2nU]ydR8䎪Lohy=#ǔ⟒7 EV0Jd9D/N~x4M!+[\{O7׏VTCDN 2D-?3e ^xb_w=:nฝ}`eװ$0;L4/;#1Е "vi\/ @63xo$D%.|^'EZKE?R2:vXDx!6FUwYLX)24yT%֔z8>Lض:o.X].3v@G er׌bC2RF _ 1oTZZb?k(Gh8MZB$ )橵又! Q6RwYZdzŜ&qC{|z5&{D t(F7у9%(ˎ^T|ū.OZ\GF9 ?o#<ЂPɊNۧ7*FAiSYQNe ]F ^@r#ކ38IK7 <=m(γ HdP@ Eb 7yUQ_eHZˌSNUr셏lY~捆=*{nK2uNʩrJO9]u%ے2iaNkUf"͋:BT$;D"7r?i[iV3_/m#W/ Ve3 (QfJQf3DSoގWjdQ(A_fZ|4rm UQ[ԟyG;at럛ݓJش9TLW"[ge.*\78.{\(4 4 a]|W<4;(Zr'qPN@\j-){퐡ժu? ;I) G\NMjeRDd^,VCʖqU2 lhNWcEZX_ ^t.FoWc|p[<v?8:'j,6X=Ej]H?yl.rXj7,Âzx/}&j3ɥ<9@%1?4G<"yxDn5֏ 6r|(dRQd8zTÚ~y H&} 2Zi7eÞ)܅:қT EXL Mr,euCX ^<8I3n(uF;ޜ|wBW\ōu[|̇djw2[]7)nEO. jjzIzaf A s$l,7v`y3kL*#X#!{(XIe; wlZȓpwH#f2#3)/61=(GM hө &Y½ēD_:I`e >,EM`ÂE+TmNje27-"mRb$OQ[ח1 \Jh;KOzmq~(SkόtR[N5(4M??^Potjh;wX8[sxtЮ׏&Ӯ|u?(i3c CtYQpZ]c1}gz> 1$"oפnJ&o6P7r;q`+.ʿĒʯӠ2*aq3bxWƶCF0dU1+H{H ڰVnT1}:X7|~b. _{Œy/sz,OPqNj Ij9Vsa"UBM'aoBak^/㑩J;}}[k [t!ȧ`U˿ {_m`n]2=R w[w뺐5rt>^"zdB"nV9}vtT Fd&]Si3+@=F =ޮ$;:?*T e‐~MvC`^B"M빏͊Qr 'PRbX:98;nX=MB1P܃π<΁Uzm<%ry/67$RRc00]r)7^")\TZ(fį7hlOB;VU2b]e}.^|8DCH='`4r ^fE+ڗ b0Y  Et}a}7Vŏp|6Y8tr|*q^@*mFM&1ѱ0)ۣ]cJEtdN]L%=i>XeNˏA 4"0?~1&r_Tmr9"t~$-Fi>|5~hrW1;LvI-g lՂBTދ>yå-B_#Y팙h-c|+<.%un܃Ky}+X~0$jUA.tw<.tem)* #4A]x|dԛ'TZ:˒;^ݜr%a+,JM#OLjNN*}(FtYҼ-V<Ӧl ,=#f /2;GJH1'efQ ,'be2Io!iC#;nzR@!xh(>?vݵ]v[lm iEL('M‰8 6/W =QuCxr G4*P]oG%D iW1m&?,?ߡT ƾ*\!tjMs1(74s[JP[6i%1CC9"5)@0%UFope풜~vp qCΞ} $ܯhFQGGUNf6*'>УBm??gwc):S!P`VAwzӽMC(}ySKSR$Q`p&duK&8!~e -KvygBb@5M]kzY_Ԉ'I~B1S\^d[3)!KlϞ 3Ao{-myJ*s$ݾ+ts[Uf0Bk2t'"|xyc!KrY:-o7FG-1E:(D e\?Xgcķw-bk吾Sg~{;?_q7jō<52f`KE v݃ /[r6E0ኚA֟/ስ|_Pt ͷ# q$VDR=$yV>S N߼d법m3F!3uB MQɣP,=Z6ƪH03Y4QiVh9(V/#.lO9곥 1^6/cDQ@w*zwĭ_RR'4(N>= IEG֋Ѷf,l][YSqb8up:y nۥ]T/{ ]x9d*F+iGѷ&VlC9DY mJK@ XwmNU Р^$^e_Tç[+K4-*Tc*>_w{їX+4kTe֍uObBVhe U~t>bGy*JOR| (@(f)hCe6;peg6F׼ī[p%V&_= l'Ux3dV9%qlGA$YEygЊ]anf*IICFt!f4Z YeTYn] q''F,5ї1=JH;\e$8G?% mu&1e[TNpꆲ܋3W*q(Z$ɡDҙÅT\eVe}E=ޖzߌ/VLavFm΍?9:uRtK08/.\!P Π"|P@qQ@*tm 7ze iwh5jF}߈y4"Bʄn#͏"=+O6JsDNA}G+U7G~)bj&ypt9 7^4ѼXj@Cx >H|`"A!%jw p[jrf*~a$պ7wUaq?uq"&]"AT5SVŮip7'b~Rrfi,QÐ^M㞘_ƩLzO[1feYj74¼bw\K|>Z)ޕ~h|tޤ!K]N"R1",TTrI\"ْGnLYk"۩M+<ꢩFv-Wbߋ #>12SwLE 0bﶜpiB+;0חwYIsۥF/}B1OM!1abPOmu=jë]Zt] װOVC,:INד1Pyu D$B[Zi9Gg_{/swX̓2Խw:{nҖ?Y#F1I@PѶď8J7(FYJ>k)?o?A< 2LvEW.7408~RI&NG::z;ܨCvjwՋx1tAkIPF=Ifʻ׫>8o yo3q`;O2|xݾY^Q҉I@>~$ϷW#`K6lG]ue Fc8[-h 1D&Y2SYA\׷̎) 'fWGu Lj4pB:ǬZL[cmDV0αBXʻ29K*`j,U'ĵsϻ p>4R>0"ھ;=TRQŒ*P5͛6BQjtZeflb-n|._,,UTҚ`6 sm4+O'~{_/ZYA} %K%D"_Ve@N[E+ii> 2>Tә%y_ qԋZŴ^O)1Pgvl"rdddO .P[wϫ8e>˂?3~87?;QxZX%G? _%EǷFYsra\hɀbl:lNX c*ՏdJ(rBG<>`XegP[͘/QN~jVXJӈ0|T5i;䥔ηiQ*0V`.IX[[^߉ŽG)< !#=0A˻.F8ce}'7 } 8Js<B/$%*-/_}M)P4s8B9ss|}m9b0jndG_ un.&R w性?~ A-PRR~r$;t}bH@؞(Mr%ª^pt0HfpУy:#oqX7b꜠Ed>NORӔk \z Ă]d}GdQwoĘ۸/=ox#>KU`FCЫ!YoBWl vvb >#:_k)"vw:Gωb %R,.U0j[j;ҀSl¨&m0@dYTMÎ;p[;~I8?<:AQ9yiq ݨOV7?6,?kuʻ^(8z7fU3و>4Osy#ι*W=Zx.o/uSZe| Ow ~[kdJNIaH.v@A⻜x7h Xf3h1 @%ϖՀ/@},F8yeVBSf܅ ժKZ|]^ w9rAq u.*efi q/գXXy=8El1ۜU C([㩏ElT*56x֦+ dXRqTT_Pl@6%m&<Bׅ3J4-2u E5R0Ǿy6лٸ͐z3.qn]X2օ ,,E rM#FHVn θ-NhgQt2u]Lkh2-ٺOdC_!Gc IC^FPJGA^喙D>AR; 'v'(^,'P 9>Uɦpu7ԋt.-XY6>KsHYs"ym*($HؾOS().NPH< =XnQH^ 6Տٱi9B fpvqsM׭-gmLxKGD&b "/+pru DTz$я7,v5A3N} rfQDK-7sT* d|X#N0deZ pFK)-FI @V#%?kev=œԧ'UY:%%F+ sR3#&ƍƫKអ_Ŕ,~whVI^5R0dff/>m޽ ۺd+u`\S~Cj(\A`!uԓf$S] Ef_ Qʣnu}y&=NV>"[IeDv8>A5%pW$O)ؤoC oq/MRᣕ,!uͼ,!l n^.Auu$boR\X Θ dé횁79FW &6nv1mI*|Ƣ'/#Ԭl!o{dB~'k?MM+%,.Jh 3VGegIi*nQOeڙ:Qkd'^̗Օ9K  ᥐ1v!Zm`bX%ʋ GV֋iجTaslm)L/‰'[3A=I^:D&s%v(YTȂ6SEh|oMUqR,J< 6sh%yM+ɖ[-t繌X,K@5" ?4 %njBmSp Qn 0=fU~ f:I %Y/"\|{8w.d:ס80M}%sK0}-0EVHێDEPS*r 2$$cd@ }/8G$%qM 7ݬ{,9߲ \]2ctBf /0ۓTZ*. &Y;'q[бTdݙRfB@N?ֲ{,N Ԑo8rn?нu\@g`˘:c2]KwcI񛏒 %My(t~Jm, /ȬìۻTf `X>C/®$ˀP=0A&ZrUu|\kGuv[0K:=0ndp@ 65</%[؟djE7WBX&x$*70( |(7<8{}aĄҁWsO8uK^7(/, pnO9]PnvZAīWd<~<:?P?bӐC>6ޛĸ+}v}%C8n՟JR'̂WIHiHEG^8gxV)+wOGlld 9?ա#B6zbe`GA}SpQ"T#GQ\,߯γl33ׄWN=UjS>#@Te?أ\RX{ >3^Iw.@QkB /s6Ә7s86OrA=;.!խc[ ϘP: mĂH  Icp1c4?)ˈ@PcD)i 7khʃ=2*% ?ߧӬ_aV,`գ*;WQI2 ѩD:U¿$Zi~[fe\wk5{O;`>kxTA`&RoAsٻ- ғV~vҫ.#jqr$>vpi5IÖ(R'0a D;țhk. L(M8!*@1@|}o< F̷BB5@3SFR{Nҩ2ӫ,(*K@Ŀ11 9K~Vmo3}~R:)yYo\VPnWK~^5⿢=LS)]QG}Bk33S|a )EfHa;=T8@1B[K>{ Uظijb ,7}fn>,@*}:soM 5G$8ۋR!RĨfN"/?Bx$o`x#Ir,y鈦q1|};By7,6.R11<zԕF,: PVV4qZJzsP"N2a-؋''METVE-5"-bnZCɇIsoü[ͭ%?x5\vZSĎTXjF7BG8udԛ&od쾥dj#.Nx'V"c}B9 `+$ Ii-Q~)gE ra]Z{R1R73ăUIɡkYxZ CbMF=X)iKa'V\p;wcֽ1jrm+" 8Z5ۭ8nkqFJ&G2pH}EeyaE [\n-*Ru q٩tzs~ bTL3wQ( "ٯ ',ӁveWpWJƗa闠١7-A ƹp\I&i=ڍVw%GNV ryQgԃ0r35z*}SˌXv+E2A~dD?%Pec!oh쒠GCZgR)WE[1 (dw'I/s5m s4-0fϫMjREF3DWDc%Ȣc-`ӗHss!gǸX\.uJ1"5%¶ 4svY C ķ .O_f{dxvJZvvrwG_0:M;d}gIC*pVb=QjvYD85m#c 2;0q zi$*ϊohq 2;h/W1B՜#u>KuI 5z3"Ynɮ7^,W.(P@?{ cAټUu QFt{+Ez9 (j8>k-.qո7g~X#T(@?k1g {ƿ.?uʺ*Qc$_ͯ&cIiAeG2ܷV!K#L|"Ͷ7IKXb|eF0G4R,1Ţ?itAUХ41ehVngJEܝug5^wcr~jO\RMx)8Bu;V]^z{;v 4v4C]Ӿx)f-y/ۖ?ϟӧsqJYZQȋg`E&˫25qMѰۃ]իC1.0jB`3L<}6T҆WSW UI^$*Ő>g@]}33Bͬh;4{F%Xda1 -_qjOoDmZmn^)BNiѬICgB5-`9jx)k|SfpagM]@GQsLP܇ݣ pUb¸%~+.`Ge;ҶuL'cdgOo7tYV w|, m.q2qC{xBgG ׏Pt|OG;X E;,a 0-黌H~=wۋ˃b n]wS/O$2ܭi cEQMUEk`XalNrh|ҤvHCmZU7A9H;Iw G