sssd-krb5-common-2.5.2-2.el8 >  A aPU]:(bUFSoA.ϲKQ4':w7-Rj@^ZΎGQp8UnƼɹmF3.f҉sO@`ʏpR'+,c\ִ8VFVُOTR}QjOxeq>[]S܀FTΫSІ D plX.kӍd|D9ǬD8S [c2%X|0w=y¡_gݔ_;ZLz?|ق=Z',D錁bԝ~YA7F[tgW_7yb\n(Zf_Ej~_}51'pm6޳ʸ\! Kb%m,ʮlSwr{35Azic۝[;qj 3Ə6Ԥʎ*AJ/$#0bK1@fRAZ QP8+WX'ѼP!u4Ad2df0450d6765f90846e4bd05fa242668d976a82e4132e4a91b48fcfdb8eeb315cf5a6b3ff68793c15c7d3e5c07f2dbbd3410b77aOU]b^^V}ޅ ?>^*ۗ\n% zsy~M^:2R -7mҪuތ:8=LIgYJA#"+×q1 3 K:Z)?ēD,ǝ;r\+#UB1#,c)ޏ&SJ0xaWڙoɎM%`G~Q/ SpY'r'#8T8gRCq0}6cVX3eTTm܋z;zH9ZjUZA9ȕ_Z}BFCt;}^ڮ']^B8JbU",ICP$7 :U Wi1!1h$waV1^xo,ڔtԩqb&Wr+"%~Gm-2NQ~z&`vSZ]^Wh4l'pƿ`>pAg?gpd  Z #7TZa   *  <  `  )      <h!(0889:]b=`G` H` Ia Xa(Ya0\aH ]al ^bbbdded fd ldtd( udL vdpwf, xfP yft+g g$g*glCsssd-krb5-common2.5.22.el8SSSD helpers needed for Kerberos and GSSAPI authenticationProvides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.a{x86-02.mbox.centos.orgSCentOSCentOSGPLv3+CentOS Buildsys Applications/Systemhttps://github.com/SSSD/sssdlinuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd''H|KAAA큤AamamamamaOaOam`aIc8ed51d56e26021e422de77fcaeb6075f203a70f46ebb6d81ba7b0ab77620ad247f504e7e0dcc008abfce20293e9c323f75a211b7cabe809f9bb920b56e56dd98ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903../../../../usr/libexec/sssd/ldap_child../../../../usr/libexec/sssd/krb5_childrootrootrootrootrootrootrootrootsssdrootrootrootrootsssdsssdrootrootsssdsssd-2.5.2-2.el8.src.rpmsssd-krb5-commonsssd-krb5-common(x86-64)@@@@@@@@@@@@@@@@@@@@@    @/bin/shcyrus-sasl-gssapi(x86-64)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.25)(64bit)libc.so.6(GLIBC_2.28)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcom_err.so.2()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libsss_debug.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)rtld(GNU_HASH)shadow-utilssssd-common3.0.4-14.6.0-14.0-15.2-12.5.2-2.el8sssd1.10.0-8.beta24.14.3a@`.`@`[` @`&m`@`x@__@_@_#___[@_?@_-B@_@_@^@^@^^(@^oj@^ku^Y^S^J@^C^0"@^0"@^0"@^@^@^@]f@]f@] @] @]+]]Y]Y]|@]o@]k]k]Y=]Y=]Y=]Y=]Y=]M`@]M`@]M`@]D%]D%]D%]9]9]]]@]@\\`@\]o@\\\\\\\@\>@\>@\>@\\\\l@[Ѱ@[^[[ā@[ā@[ā@[;@[;@[;@[;@[;@[[@[@[@[@[@[t[#@[#@[@[@[qr[;e@["XZZ&Zw@Z Z$Zz@ZyZiZiZWQZWQZ%8Z@Z@YZ@Y@YYzYKYyYw2YRHYRHY@X-XX~@XO@X}@X@XX6@XWXOXXWW@WWW@WWv[@Wi,@W5W@W@V3VVVvV%@VqR@VO @V<@V/g@V$@V @V @UpU|@U4@UUUU@UzUzUzUL@UL@U.RU@TTT@T~T8TܕT@T@TTTq@T@T@Tp@TA@TuTto@TG@TD@TT @S0SS@S.SP@S @Sg@SrS!@SkqSkqSG@SFSCS!SSRRpRpR^R[RSRNREs@RD!R@R@RNQB@Q@QQQکQQQo@Q)@Q@QQ@Q@QbQbQV@Q'@QQQQnQZ@QU@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 2.5.2-2Alexey Tikhonov - 2.5.2-1Alexey Tikhonov - 2.5.1-2Alexey Tikhonov - 2.5.1-1Alexey Tikhonov - 2.5.0-1Alexey Tikhonov - 2.4.0-8Alexey Tikhonov - 2.4.0-7Alexey Tikhonov - 2.4.0-6Alexey Tikhonov - 2.4.0-5Alexey Tikhonov - 2.4.0-4Alexey Tikhonov - 2.4.0-3Alexey Tikhonov - 2.4.0-2Alexey Tikhonov - 2.4.0-1Alexey Tikhonov - 2.3.0-9Alexey Tikhonov - 2.3.0-8Alexey Tikhonov - 2.3.0-7Alexey Tikhonov - 2.3.0-6Alexey Tikhonov - 2.3.0-5Alexey Tikhonov - 2.3.0-4Alexey Tikhonov - 2.3.0-3Alexey Tikhonov - 2.3.0-2Alexey Tikhonov - 2.3.0-1Alexey Tikhonov - 2.2.3-19Alexey Tikhonov - 2.2.3-19Michal Židek - 2.2.3-18Alexey Tikhonov - 2.2.3-17Alexey Tikhonov - 2.2.3-16Michal Židek - 2.2.3-15Michal Židek - 2.2.3-14Michal Židek - 2.2.3-13Michal Židek - 2.2.3-12Michal Židek - 2.2.3-11Michal Židek - 2.2.3-10Michal Židek - 2.2.3-9Michal Židek - 2.2.3-8Michal Židek - 2.2.3-7Michal Židek - 2.2.3-6Michal Židek - 2.2.3-5Michal Židek - 2.2.3-4Michal Židek - 2.2.3-3Michal Židek - 2.2.3-2Michal Židek - 2.2.3-1Michal Židek - 2.2.2-1Michal Židek - 2.2.0-19Michal Židek - 2.2.0-18Michal Židek - 2.2.0-17Michal Židek - 2.2.0-16Michal Židek - 2.2.0-15Michal Židek - 2.2.0-14Michal Židek - 2.2.0-13Michal Židek - 2.2.0-12Michal Židek - 2.2.0-11Michal Židek - 2.2.0-10Michal Židek - 2.2.0-9Michal Židek - 2.2.0-8Michal Židek - 2.2.0-7Michal Židek - 2.2.0-6Jakub Hrozek - 2.2.0-5Jakub Hrozek - 2.2.0-4Jakub Hrozek - 2.2.0-3Jakub Hrozek - 2.2.0-2Michal Židek - 2.2.0-1Michal Židek - 2.1.0-1Michal Židek - 2.0.0-45Jakub Hrozek - 2.0.0-43Michal Židek - 2.0.0-42Michal Židek - 2.0.0-41Michal Židek - 2.0.0-40Michal Židek - 2.0.0-39Michal Židek - 2.0.0-38Michal Židek - 2.0.0-36Michal Židek - 2.0.0-35Michal Židek - 2.0.0-34Michal Židek - 2.0.0-33Michal Židek - 2.0.0-32Michal Židek - 2.0.0-31Michal Židek - 2.0.0-30Michal Židek - 2.0.0-29Michal Židek - 2.0.0-28Michal Židek - 2.0.0-27Michal Židek - 2.0.0-26Michal Židek - 2.0.0-25Michal Židek - 2.0.0-24Jakub Hrozek - 2.0.0-23Jakub Hrozek - 2.0.0-22Jakub Hrozek - 2.0.0-21Jakub Hrozek - 2.0.0-20Jakub Hrozek - 2.0.0-19Jakub Hrozek - 2.0.0-18Jakub Hrozek - 2.0.0-17Jakub Hrozek - 2.0.0-16Jakub Hrozek - 2.0.0-15Jakub Hrozek - 2.0.0-14Jakub Hrozek - 2.0.0-13Jakub Hrozek - 2.0.0-12Jakub Hrozek - 2.0.0-11Jakub Hrozek - 2.0.0-10Jakub Hrozek - 2.0.0-9Jakub Hrozek - 2.0.0-8Jakub Hrozek - 2.0.0-7Jakub Hrozek - 2.0.0-6Jakub Hrozek - 2.0.0-5Jakub Hrozek - 2.0.0-4Jakub Hrozek - 2.0.0-3Jakub Hrozek - 2.0.0-2Fabiano Fidêncio - 2.0.0-1Tomas Orsava - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.1-3Fabiano Fidêncio - 1.16.1-2Fabiano Fidêncio - 1.16.1-1Lukas Slebodnik - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Lukas Slebodnik - 1.16.0-11Lukas Slebodnik - 1.16.0-10Igor Gnatenko - 1.16.0-9Lukas Slebodnik - 1.16.0-8Lukas Slebodnik - 1.16.0-7Björn Esser - 1.16.0-6Lukas Slebodnik - 1.16.0-5Lukas Slebodnik - 1.16.0-4Jakub Hrozek - 1.16.0-3Lukas Slebodnik - 1.16.0-2Lukas Slebodnik - 1.16.0-1Lukas Slebodnik - 1.15.3-5Lukas Slebodnik - 1.15.3-4Lukas Slebodnik - 1.15.3-3Fedora Release Engineering - 1.15.3-2Lukas Slebodnik - 1.15.3-1Lukas Slebodnik - 1.15.3-0.beta.5Lukas Slebodnik - 1.15.3-0.beta.4Lukas Slebodnik - 1.15.3-0.beta.3Lukas Slebodnik - 1.15.3-0.beta.2Lukas Slebodnik - 1.15.3-0.beta.1Lukas Slebodnik - 1.15.2-1Lukas Slebodnik - 1.15.1-1Jakub Hrozek - 1.15.0-4Lukas Slebodnik - 1.15.0-3Fedora Release Engineering - 1.15.0-2Lukas Slebodnik - 1.15.0-1Miro Hrončok - 1.14.2-3Lukas Slebodnik - 1.14.2-2Lukas Slebodnik - 1.14.2-1Lukas Slebodnik - 1.14.1-4Lukas Slebodnik - 1.14.1-3Lukas Slebodnik - 1.14.1-2Lukas Slebodnik - 1.14.1-1Stephen Gallagher - 1.14.0-5Fedora Release Engineering - 1.14.0-4Lukas Slebodnik - 1.14.0-3Lukas Slebodnik - 1.14.0-2.betaLukas Slebodnik - 1.14.0-1.alphaLukas Slebodnik - 1.13.4-3Lukas Slebodnik - 1.13.4-2Lukas Slebodnik - 1.13.4-1Lukas Slebodnik - 1.13.3-6Lukas Slebodnik - 1.13.3-5Fedora Release Engineering - 1.13.3-4Lukas Slebodnik - 1.13.3-3Lukas Slebodnik - 1.13.3-2Lukas Slebodnik - 1.13.3-1Lukas Slebodnik - 1.13.2-1Robert Kuska - 1.13.1-5Lukas Slebodnik - 1.13.1-4Lukas Slebodnik - 1.13.1-3Lukas Slebodnik - 1.13.1-2Lukas Slebodnik - 1.13.1-1Lukas Slebodnik - 1.13.0-6Lukas Slebodnik - 1.13.0-5Lukas Slebodnik - 1.13.0-4Lukas Slebodnik - 1.13.0-3Lukas Slebodnik - 1.13.0-2.alphaLukas Slebodnik - 1.13.0-1.alphaFedora Release Engineering - 1.12.5-4Lukas Slebodnik - 1.12.5-3Lukas Slebodnik - 1.12.5-2Lukas Slebodnik - 1.12.5-1Lukas Slebodnik - 1.12.4-8Lukas Slebodnik - 1.12.4-7Lukas Slebodnik - 1.12.4-6Lukas Slebodnik - 1.12.4-5Jakub Hrozek - 1.12.4-4Jakub Hrozek - 1.12.4-3Lukas Slebodnik - 1.12.4-2Lukas Slebodnik - 1.12.4-1Lukas Slebodnik - 1.12.3-7Lukas Slebodnik - 1.12.3-6Jakub Hrozek - 1.12.3-5Lukas Slebodnik - 1.12.3-4Lukas Slebodnik - 1.12.3-3Lukas Slebodnik - 1.12.3-2Lukas Slebodnik - 1.12.3-1Lukas Slebodnik - 1.12.2-8Sumit Bose - 1.12.2-7Lukas Slebodnik - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-7Fedora Release Engineering - 1.12.0-6Stephen Gallagher 1.12.0-5Jakub Hrozek - 1.12.0-1Fedora Release Engineering - 1.12.0-4.beta2Jakub Hrozek - 1.12.0-1.beta2Jakub Hrozek - 1.12.0-2.beta1Jakub Hrozek - 1.12.0-1.beta1Jakub Hrozek - 1.11.5.1-4Stephen Gallagher - 1.11.5.1-3Stephen Gallagher - 1.11.5.1-2Jakub Hrozek - 1.11.5.1-1Stephen Gallagher 1.11.5-2Jakub Hrozek - 1.11.5-1Sumit Bose - 1.11.4-3Jakub Hrozek - 1.11.4-2Jakub Hrozek - 1.11.4-1Jakub Hrozek - 1.11.3-2Jakub Hrozek - 1.11.3-1Jakub Hrozek - 1.11.2-1Sumit Bose - 1.11.1-5Sumit Bose - 1.11.1-4Jakub Hrozek - 1.11.1-3Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-3Jakub Hrozek - 1.11.0-2Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0-0.4.beta2Fedora Release Engineering - 1.11.0-0.3.beta2Jakub Hrozek - 1.11.0.2beta2Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta1Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Jakub Hrozek - 1.9.5-10Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1945888 - Inconsistant debug level for connection logging - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched - Resolves: rhbz#1915395 - Memory leak in the simple access provider - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) - Resolves: rhbz#1893159 - Default debug level should report all errors / failures - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior- This is to bump version to allow rebuild against rebased libldb.- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase) - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command - Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1- Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter- Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization- Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache - Fixed "requires/provides" rpmdiff warning- Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active- Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" on GDM login with smart-card - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate (additional patch)- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user information- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate- Resolves: rhbz#1718193 - p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is omitted and auth_provider is krb5- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be specified up to the seconds- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools* Resolves: rhbz#1794016 - sssd_be frequent crash* Resolves: rhbz#1762415 - Force LDAPS over 636 with AD Access Provider* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap connection timeout* Resolves: rhbz#1783190 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_autofs killed by 6* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character for match rules sss-certmap* Resolves: rhbz#1781728 - sssctl config-check command does not give proper error messages with line numbers* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release Increasing version number to pick latest libldb* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release PART2: Fix gating issue.* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid new ones (kcm)- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 - Also sync. kcm multihost tests with master- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome keyring - Also apply a patch to fix gating tests issue- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get the IP address of the machine updated in IPA upon sssd.service startup- Resolves: rhbz#1736265 - Smart Card auth of local user: endless loop if wrong PIN was provided- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" should not cause files domain entries to be qualified, this can break sudo access- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets- Resolves: rhbz#1733372 - permission denied on logs when running sssd as non-root user- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing the trailing colon- Resolves: rhbz#1382750 - Conflicting default timeout values- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder repository - This just required a raise in release number and changelog for the record.- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is not FIPS140 compliant- Resolves: rhbz#1726945 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo- Resolves: rhbz#1283798 - sssd failover does not work on connecting to non-responsive ldaps:// server- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with no members- Resolves: rhbz#1673443 - sssd man pages: The default value of "ldap_user_home_directory" is not mentioned with AD server configuration- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is done here in order to unblock gating changes before rebase. - Related: rhbz#1682305- Resolves: rhbz#1672780 - gdm login not prompting for username when smart card maps to multiple users- Resolves: rhbz#1645291 - Perform some basic ccache initialization as part of gen_new to avoid a subsequent switch call failure-Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong subdomain service name being used-Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. UnknownProperty: Unknown property- Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than 1.x, this can result in time outs- Resolves: rhbz#1578014 - sssd does not work under non-root user - Note: Actually the patches were in the 2.0.0-37, this one just adds this changelog because it was missing.- Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss suggests using * for backend sss- Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist- Resolves: rhbz#1622008 - Error message when IPA server uninstall calls kdestroy caused by KCM returning a wrong error code during the delete operation- Resolves: rhbz#1646113 - Missing concise documentation about valid options for sssd-files-provider- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: 1658813 - PKINIT with KCM does not work- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/proxy_child killed by 6- Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for emtpy home directories- Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1657980 - sssd_nss memory leak- Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly for D-bus, resulting in a crash- Resolves: rhbz#1646168 - sssctl access-report always prints an error message - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the configuration without having to restart the whole sssd - Resolves: rhbz#1640576 - sssctl reports incorrect information about local user's cache entry expiration time - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user - Resolves: rhbz#1639411 - sssd support for for smartcards using ECC keys- Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui with smart card- Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA- Related: rhbz#1638150 - session not recording for local user when groups defined - Also add silence a Coverity warning, which is related to rhbz#1637131- Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules- Add OSCP checks for p11_child - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Related: rhbz#1638006 - Files: The files provider always enumerates which causes duplicate when running getent passwd- Related: rhbz#1637131 - pam_unix unable to match fully qualified username provided by sssd during smartcard auth using gdm- Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a PKCS#11 URI- Related: rhbz#1611011 - Support for "require smartcard for login option"- Related: rhbz#1635595 - Cant login with smartcard with multiple certs- Backport more sbus2 fixes - Related: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1628122 - Printing incorrect information about domain with sssctl utility- Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not started due to a misconfiguration- Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated- Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_be killed by 11 crash func _dbus_list_unlink- Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup- Resolves: rhbz#1615590 - Do not rely on "python" for el8- Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Resolves: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication fails with the KCM ccache- Resolves: rhbz#1615460 - Rebase SSSD to the latest released version- Switch hardcoded python3 shebangs into the %{__python3} macro- Update to 1.16.2 release - Cleanup unused global definitions - Remove python2 references from the spec file - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x- Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change - Resolves: upstream#3558 - sudo: report error when two rules share cn - Tone down shutdown messages for socket activated responders - IPA: Qualify the externalUser sudo attribute - Resolves: upstream#3550 - refresh_expired_interval does not work with netgrous in 1.15 - Resolves: upstream#3402 - Support alternative sources for the files provider - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option - Resolves: upstream#3679 - Make nss netgroup requests more robust - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not configured - Resolves: upstream#3469 - extend sss-certmap man page regarding priority processing - Improve docs/debug message about GC detection - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound? - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is set. - Document which principal does the AD provider use - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]- Resolves: upstream#3573 - sssd won't show netgroups with blank domain - Resolves: upstream#3660 - confdb_expand_app_domains() always fails - Resolves: upstream#3658 - Application domain is not interpreted correctly - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to json_loads() - Resolves: upstream#3386 - KCM: Payload buffer is too small - Resolves: upstream#3666 - Fix usage of str.decode() in our tests - A few KCM misc fixes- New upstream release 1.16.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html- Resolves: upstream#3621 - backport bug found by static analyzers- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Resolves: upstream#3621 - FleetCommander integration must not require capability DAC_OVERRIDE- Resolves: upstream#3618 - selinux_child segfaults in a docker container- Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl- Fix systemd executions/requirements- Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS- Fix building of sssd-nfs-idmap with libnfsidmap.so.1- Rebuilt for libnfsidmap.so.1- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD - Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Backport few upstream features from 1.16.1- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next- Backport extended NSS API from upstream master branch- Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade- New upstream release 1.16.0 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database access on the sock_file system_bus_socket- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access on the sock_file system_bus_socket - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and fails to download desktop profile data - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping is applied- Backport few upstream patches/fixes- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild- New upstream release 1.15.3 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html- Rebuild with libldb-1.2.0- Fix build issues: Update expided certificate in unit tests- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64 - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4- Fix issue with IPA + SELinux in containers - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297- Backport upstream patches for 1.15.3 pre-release - required for building freeipa-4.5.x in rawhide- New upstream release 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html- New upstream release 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html- Cherry-pick patches from upstream that enable the files provider - Enable the files domain - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch which is superseded by the files domain autoconfiguration - Related: rhbz#1357418 - SSSD fast cache for local users- Add missing %license macro- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild- New upstream release 1.15.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0- Rebuild for Python 3.6- Resolves: rhbz#1369130 - nss_sss should not link against libpthread - Resolves: rhbz#1392916 - sssd failes to start after update - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses on the directory /etc/sssd- New upstream release 1.14.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2- libwbclient-sssd: update interface to version 0.13- Fix regression with krb5_map_user - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: default if nonexistent domain is mentioned- Backport important patches from upstream 1.14.2 prerelease - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1- Add workaround patch for RHBZ #1366403- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0- New upstream release 1.14 beta - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta- New upstream release 1.14 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha- Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): sssd_ifp killed by SIGSEGV- Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6- New upstream release 1.13.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4- Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token) - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed by remote host" if locale not available- Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild- Additional upstream fixes- Resolves: rhbz#1256849 - SUDO: Support the IPA schema- New upstream release 1.13.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3- New upstream release 1.13.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2- Rebuilt for Python3.5 rebuild- Fix building pac responder with the krb5-1.14- python-sssdconfig: Fix parssing sssd.conf without config_file_version - Resolves: upstream #2837 - REGRESSION: ipa-client-automout failed- Fix few segfaults - Resolves: upstream #2811 - PAM responder crashed if user was not set - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- New upstream release 1.13.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1- Fix OTP bug - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were entered separately- Backport upstream patches required by FreeIPA 4.2.1- Fix ipa-migration bug - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled migration mode- New upstream release 1.13.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0- Unify return type of list_active_domains for python{2,3}- New upstream release 1.13 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild- Fix libwbclient alternatives- Backport important patches from upstream 1.13 prerelease- New upstream release 1.12.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5- Backport important patches from upstream 1.13 prerelease - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable attribute for group name - Resolves: upstream #2335 - Investigate using the krb5 responder for driving the PAM conversation with OTPs - Enable cmocka tests for secondary architectures- Backport patches from upstream 1.12.5 prerelease - contains many fixes- Fix slow login with ipa and SELinux - Resolves: upstream #2624 - Only set the selinux context if the context differs from the local one- Fix regressions with ipa and SELinux - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security context on client is staff_u- Also relax libldb Requires - Remove --enable-ldb-version-check- Relax libldb BuildRequires to be greater-or-equal- Add support for python3 bindings - Add requirement to python3 or python3 bindings - Resolves: rhbz#1014594 - sssd: Support Python 3- New upstream release 1.12.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4- Backport patches with Python3 support from upstream- Fix double free in monitor - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT- Rebuild for new libldb- Decrease priority of sssd-libwbclient 20 -> 5 - It should be lower than priority of samba veriosn of libwbclient. - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18- Apply a number of patches from upstream to fix issues found 1.12.3 - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple interfaces, or isn't documented to be able to - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is not running - Resolves: upstream #2557 authentication failure with user from AD- Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus - Resolves: rhbz#1179379 - gzip: stdin: file size changed while zipping when rotating logfile- New upstream release 1.12.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 - Fix spelling errors in description (fedpkg lint)- Rebuild for libldb 1.1.19- Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Fix regressions and bugs in sssd upstream 1.12.2 - https://fedorahosted.org/sssd/ticket/{id} - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 - Bugs: #2287, #2445- Rebuild for libldb 1.1.18- Fix typo in libwbclient-devel %preun- Use alternatives for libwbclient- Backport several patches from upstream. - Fix a potential crash against old (pre-4.0) IPA servers- New upstream release 1.12.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2- Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user private group from server- New upstream release 1.12.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1- Do not crash on resolving a group SID in IPA server mode- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild- Fix release version for upgrades- New upstream release 1.12.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- New upstream release 1.12 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2- Fix tests on big-endian - Fix previous changelog entry- New upstream release 1.12 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1- Rebuild against new ding-libs- Make LDB dependency a strict equivalency- Rebuild against new libldb- New upstream release 1.11.5.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1- Fix bug in generation of systemd unit file- New upstream release 1.11.5 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5- Handle new error code for IPA password migration- Include couple of patches from upstream 1.11 branch- New upstream release 1.11.4 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4- Handle OTP response from FreeIPA server gracefully- New upstream release 1.11.3 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2- Fix potential crash with external groups in trusted IPA-AD setup- Add plugin for cifs-utils - Resolves: rhbz#998544- Fix failover from Global Catalog to LDAP in case GC is not available- Remove the ability to create public ccachedir (#1015089)- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1- Fix multicast checks in the SSSD - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source code getting the host info- Backport simplification of ccache management from 1.11.1 - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0- Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: Process /usr/libexec/sssd/sssd_nss was killed by signal 11 (SIGSEGV) - Resolves: #996214 - sssd proxy_child segfault- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- Enable hardened build for RHEL7- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- BuildRequire recent libini_config to ensure consistent behaviour- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Add a patch to fix krb5 unit tests- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh 2.5.2-2.el82.5.2-2.el8.build-id7527c3d17d9b6a8702a930b2e21cbff4c48dbf9dab0ff241c2f39c21e4dba815a5e788ec033df0krb5_childldap_childsssd-krb5-commonCOPYINGkrb5.include.d/usr/lib//usr/lib/.build-id/3d//usr/lib/.build-id//usr/lib/.build-id/9d//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-krb5-common//var/lib/sss/pubconf/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpioxz2x86_64-redhat-linux-gnudirectorysetuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9dab0ff241c2f39c21e4dba815a5e788ec033df0, strippedsetuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=3d7527c3d17d9b6a8702a930b2e21cbff4c48dbf, strippedASCII textRRR RRRR RRRRRRRRR RR R RRRRRR RRRR RRRRRRRRR RR R RRutf-81375c85968bcdfb209a8933092be941cd637625b90086d85d895efd2d9adcff0?7zXZ !#,v] b2u jӫ`(y-$Zt5,vrN8~ݞIM ŽN1ٓuF/ZT<Óy}Ef#Z7TT7ED_V Hs9ݱWnM%nDW D.LjipNX+`GhXcAp)Msχ.R{[OXq$o<=uz^9637]""M3zV`SAb}sХm~N; 9!DdL~Vumu bx<=Q䫞q٩r%F[4H\Iu'{skݾ Szq~AKC;JO]C}W6Z#G9ww֍Ao I}g{tP\"I,-đx0'"_z<*BkD[ Z3BF4?</s,mHhщ#ڧ:錞կ^`M)4l uZhXOn=Cwq &sy6oD s?ݴl]AK}dC}l`G@[ :rM^WW]܀:Yf8/]4k|вe?+t)?3~npm᷂GS:Ǎxh T]q4Qq+zx0!vSkն8zY#=fA@jX*AQNqk+~L޹!i>?.Wp8[$>·d,U`Vwy@a0]650RSB{|5ЂR1\n-6ApDܬht}{"\jSMC]]}Iv Hë1v04mJ$}P)7 q!3[Xbu4wuyRʾKYaCm]fՇC#}R/(&u~v)6 "ϼ{sa |zrʬSG"Bz-U Ga*]tYޜ S4|jk̮W{%]V~HGP0ve28=dd|u0M$dR)1IO5r6 .vb\'P0tۆ9 ~aϔ~sE0]8KXu;ݭc :>LM΢ag:mUZ.֊wwPVYM0|Ϊx3DR>w0[ CAZ}ڄ4rwuF9܈ȥsYr}7ů^7K2(,ב+s"~m] O>8!n!KԤ6'L.-O,>q +PxĆ@iěLȼ:58x%VZ{w~zHi40nq*m/hcaBp>cݫ.0 Ezix^Q$h* Bd,x` N卿9ߵ-p}@C\`Z *w,j$-ָ,zXS5=Z*G[:Vͪ1АA&Paٞq|Wfۉ/SDʴMˍnû1qG6+b3h|QiɢI=0NU2?S_aa%:PQEj,0-1kw^ v F.Wo驕{xRK3oᷬuL3l"<*( q@m 6X؝o=fPdgƹɏiY͡`teX0ԈCU^T11>nv0DAGً8>~^v4htBЍ7#"o);- ׁ9gV9+j$G>e/#L#u)\N5fk>L5|E#/0fܿ&D ew"ҨV j6b*ssp,zpJLߕsMikWaeJ~Ӝp~T7t|X#[d Ppi\^$oky_,H5Sx;!|^]H;Ò'+ҍ_e.VY$!7o\3yY!Vg֍9Xƣ MHQ\2GpV\$Q@gͿzc҂{:Clm߃Chr\-(7XoKNec[V%B-pV~a܁?@ lՈW];蹵j7 `UkL1:MH^ |KZW3r+5Pb{>ZEGFXS _00%8]%/ELǒgJ ~K}7%D F lMb`ɵKFFUֆ9cè$Gxwm9:N )aeb kM島ׯkO߷A]}ޗ}<VxB1&D\B~i> h Ksw_**j0@2xhј:(D ] J};p.Nۋ-%#q:5/5]#6M]Dz_=njrb%h? ^$J_Ħi`9lC1ն3.Jv 98ZQy|yRLbY(s*.wSsڷ0|dupt4Ôu<8Fkbx MG3Jr0&%w ?v3* ͥtӮƠI0&.ULpِK}vlaJ?C?-H&etߜىӪ/mH$0hz1qaV%[]V4`DVR; Jp( [Zb (u.Ҙ6ђx8_-!+sɯ/3*Yc|DHng$$!{y\?LNP}Rl{5 rLq,\"|{2+ aAJ@󑂮7 uT?+K˻ WL}dWG{о s S}HyԵCSN bAMAY9H^hOjBP[" ^ۚle(:\qʙn˜MRQ\gBѓOnY md6E&U@~Y'KDzDsi(Yﰉ@&{p#im6KmDֶQ{ So+5Ԑ Z%·|a_3J;E$^$ N {/qtW f:2FzzT2BsqX~ &&7oj&[:C }ߌ?%cZ3=l1SuR=+$u}. Dd/u9su>)+IR.&u0<@* MA^}C ɮ }$kn7b]ilj)if~c!ڍwX_EZl^Md>op.=l⭏C cS[ >5?A ^9U?vKS,O>p5 tq$9IqYJ[)\7W\` Wp]\%\VH=M}DW80q)T;3ɬu;^$-νbQnD>H3[iTs2]7ESY:O}-,;h&>5P\Ja7'M0k snh1X72TqxYO"qEvk&Pu1@exُm$evEm/ J[OyI]( 0B8Y뱈 KJ*x5&>FI괥 xٱB  O) @9 C=B,BƏKQsyK$ĶÜRw̮gQ$x{S"3Z$:S ̈́э {8}p );f[l?Jn`VrvK4 :"=924AR/ Vgpb"ܙ{,qQ5zsH+&^g xXXWw);!h:MF}^cpgسS\M 'jr~g "y4@"qy;EnN }}s"c@s~& l7* LNnMQ2D3R=*t2{ t=- -T!%|ʭiK4E[f-5#uy d \_{/&S`ټZ݊/dPO*-x̑~P9>tȜӎ䄩ױM.(B*SJzTœw&עS٩A @?R(Ils{##?v9F"pTPAm`{7DT8/}lNf}qz;-Ot hiĮDq5UQxmQʞ z cL)+/ED0D(4|tyMHP6*,Ls0@CB&RޙAO)RP5XUj)wVǙwMj X H{uPS/g+1" Kf),Nq_@C "_v([" Q3+=1ɶ3dQ,#$<`?%(urY`*9w<aa$b^O `lhZk|ܒ;ke$ ,W2*`_bg÷KHsyޭ5mUWo&W wL&3$xY"m߫ףeG!1Jnx0He$eJ 0:Y (Ϛ5IMwuGV-EEiƗsz"VT51^ͷb,awX1w@P& Fj2S xd3yxW tӄ\Q"),?7+U@O #[$wܣ\ꔘ 9mA?]ȠDX|g2ibҦ f> =^$t# J lP&d9X5reN:&kf9VTEXTwfyTuXq3tVdD)w>)&t!@K=0AZ]Vsx사KtrGUVogu2w_yGTݰD@:F, &5o" >7 ß+5)(VzE*a1$`-Ҙ#*XF5b1ېlξA+DLJ .ĵ򥈴4 ya\xi+ weӽPpPvŇtJX_e 3oTפ}@T[Kԛ/T&_uԮB, 쇺!y#T}8]-?$ځ^H݈=3!CybtݥhR~yӁXZL>gN /e\'Oh>9qL,ﰾ|]rb`>[SfMd@49_׊eq7AdLl%r&jyʌfjVBn"Gx&lX Z(粇 /3 ]83*<|#ll_Ȧr[YR &oKc+T d7Do y[mwusH39'Ϸ–4=[^Y2t *? 2THTQ Jga2M>EklC )>H#(YuQa<61[໌f7җ7g!/m|ANϓ+WP;-sDG r^գ63ey 8dq}k'yh~=sW&tXݘM6! <ʴb0nylύ2L KJWst% :Q LlpMm lu;0E̷c$5Z_fa!n̨%S0~&6qAEJ+{heR((gG/TKb=AXGjKek `7 ~_Re/䴲QP{860&^)q&֦=Po0"kn+ͧ!R L97<w6pg ܅PbSЙ Vjۜ#6χΞ{RsDՖ%BԵ-5uZ[9Q>Xl@MߥE.BU c!JL5 &tV$XEjڣkhYRwrl>S9v~# (f2g%-gɡdcNoyB\vᎰ'8x緞[OFe$qr(JDVOǛ4~#[LԔ5?5y5&BQ{]x4ĥ9[mm'&Զ]>EC*9$siJ[oxh):p]F0݉~vL)1GA rYT"o_nopD`6+}ҋ{7- nZ;IީM}ens? jR#G*}y`DU~KZzʯ|t0ءqKnfuzoO7W=ONGI L; '-AHUߥI;$o-z,~EsO( D5 fr?yBӒ*RRi<:<.?l9Qhτo;t> {gſBy #>R &{]JCt>_%ÈfVPniӴ$|݉ʻ`7[\z}{KsH9㎭-hqBaP"ڸZ_< bB:ҼwM1 2W8OF'{U7ʅ0@l A`u9GX>80rn]4!4Y^ h#Y=dƴ~Gͯ~0<0HX4e3G'Y(VǸ| F-jm7ߺek,Gw_\_0<hI ѻK]. ;jN& X0@:b,tԲ+ sȍ6R&jdQdP){+xR^bn_r89l姜!Fk2(KN,NAi՟pfZ(Z܋H*tmZ3( .qYryo|ۜO&QhXjWW?AJF^07`wIqԛd7c4!8۫VCj)5e)?pd*PPې^h6ck!a?1(R98@ DK*qSM' jY7wTFn,>jPj5 B(yΙ4 r:4jcK5\[ZSg@NH`$kˬ\4'/Hԅ4o|~l7ey8{Y̓3Ķj$"!6Q:-ޥ}9N3h$&(:x )fA `߿ :F^G}z^fu0vם8nU3R^#]!p7mI\`8HUݜ~$kg᩺cZ28i(oEFIY(Wͪob"> mY-;z`v(5V߶! Ztrͅ&Gy^B8T̛y>X/4X}>- $:F:Y1J:m-J>#޷G6vhu+,M'{5:,ti N׆hN'SۯV5璐8st{..غ5Hn"ҫ@y|\y9O/j%V֋zZ,z";O`f(^ hE|uU,G!h]Oz`[e< {Ul}7S~4= jU1]GӤd3lˬF!w-VY6HTP֞_22*P^^iI p6LxAny9g ~ңs  sVRwݳS >  )G)m]k['Wh:xw(鵣*db {Ʋ1s>Nh]< CzvϏ_ZPs^BRhխ =(>7 #Zq3riӨKIm}d69¹oS[9OW '8`I>'L+>1fFyؚJjr 0^`So쌻}J7Y.?GfAB] 48B d}vj^6UPaѠ>EprN%ՆMH+ڡc8V m)q0 nqv 7L}r8kB23[2ܓJխ9:oS7rQ\Vm.īm(/$[?7&9it",`@0Q?B\~̀"j  go򵠋mODT-Dv ,fw|Pu4jN\rǤ%xA)NAng ]8o |LA AEUBg7d4;<s]ȖKYt:Xy4Jj^_94okh~O NHJ|q*V*<SpA};IZK1ƀ!Q2sci75YrG6 wj(8foa3+X᧺Ǔr~0kTˑ΋(eڢ[~!?sEBmpg!ȿO58i" *G0̔Bo@{x %?]Aa~DFS5z+n1_KG`-*+zb؋ZwtӟcpGHBא N8?PԠ(O@"2ߜ8(nm ?:Kg5`O&Ym5]S;1R]pO;h=Q̵:WS\Y! upJlMyAvzx:D x~ҜԵ,dr092]Vlm0Rٯq~UoݎW!KEdCP[x2U f~9b08{h =E8&e=(&$61|z=/KE2|r5v aT?eu{8=-h7j1Ww]U8TnU&+d'戕3. 6e{rD=fā[Nc:j]O*5>PKFׯz#_s8%Z֭r<xl9ۿ.,)[!'l_N?1wbоJ kip}8? +"$9"h2MZ1@Ҥ.R*!#⿮(Ӈ/ns5BqS)% ZW0;\gz!;y#Nӓ ϡ5g)^V.?g%Ͳik7 ]K{0˶֚-lSoC"Hep%ϧ)?xZ{Go`Ao&Xǜ6"?"!ir ssHH~@ᅩ >ռYHLd2c[+,cUg:kj%Iʔ}ʉOX&O +ZoZ ub" %qX+";?8G>[^*O7.[c\7a-:)i*,",_ŕFw{< B*jX `{՗,㺎# g3rDp>X:ϸëX2g8o;戬.v8AdOr)C%p>'>xzHz4ä իcu'[:TCK+ffL} LKy z{K]Z T1%D{2;޺ uW6bNvp{hs @1]oq|W>Hu#GMd#w-S$j4`]-e7X5l;1k9/AHl&IXq.`́kh3qt &t }~ !\ӌz8S2 G prCd.K(ɄW uJ1𾎰-y3/HVԸ8_ܴ)ob+s#f:al˱G6J:~{1ZB\ Oe) Hlr,'e[9d}.#ݮ8~Wpy}},ztQC`W㇎jB'JҬos%JB /AS9zy]l -`9VY[gUv!9Bo~Q#遤k"XɖKHig,|a;샡QfQejܩ}xoVOJ6X}<EIJMZ̝:@r>%7K!El<3 ] =ӕ_TP< +Ůt:7c] 1yJNPG˃dMp`uQ Qj {~VxĖp&2r*^!m(6la]dkuI# ugG5.@D K=+8-:|gя HIj`@+%< #bnoUv 3v>;s#keJ{/kJ;`0$A:B2JDzEt+n~z݆tTzzGLLz+"WBIhy?/O&n#"ߺaQ+@ɋ ba,wu>yqޯFsJU%o ! 'y9µPsՍgLWP ˩zE빾RmSĕfFּ9tk6E[ӍVpbL{7.2O8RJ,<~9*Q 3llǻ/9!G/F13Io1JZ*99!|( r\raR+e ^i]t_20+KG,Txy#O:v[x3+TT"#1A&4y[;,E9NTpw Lb{ӖcV,w#Kh+_ӔIת7z5hUX,ݶ'oC\pRgfPFE`7BXL$@r 䶈i^ʰm cb(\-E'l "(| %y~ !0JlϮQ&+ "MJ6!z$nXM Fb3 ^koeeMp&A˵NzET(ԱF s< p l3:ȟ¹Ed{8?x-3T]H~&_Dݫ5w;M˺c l]LV6 /bXѿIEYt'@$H挞}fs^ڰ~6ҥn;ܫiu),:W.2,LbXC]VS*<_3VJ# h'Cox(cZRp4ǟs`CS-Ja }!9I7Ml0埏ѫ5#Tw]~潏! /WS0 (dlۻ yد5f{ &F`~0ma^e馼~dJ; ¥lUW/~H 4A<Ҙ [af6~.b<G 3H%&݈53ㅛ6hnCFb ?+vp+[ c\ଟIJ'i@i23u=PRkqݙ>#PRidJ{lb/{}3"-OsJTuzOOB/^ A5o[? R u.:E|ڟ<6[K~]l{h22*$H޷j|&'y&N)W:\Т8aW ~Gp4=ܲ#,x+25ᘘ% oFzDp֚vw:|h}7(RwrӃ n8ãT|GQjc d#!TJ:j U2c>/A^emȹBf3<]j'鑎\4gvn[;pYK?8,_W)%ւk[ػO;>^kЛ0Z'_xu OHդ!-J 繻]?vN e ǎ=d󍧴~ӎ|Vܞ5}A-iykl]C P KS5eπF%ɻ[N'"teKsP< >;krի1S~վqQ ",3M6Nz8 0|{M|x![I}\j`dU,v|XA[4XYy' S C6غ6<ۻ9huW+C]7b"-+0<: }B9q e=*$PT#Al}D]2MZM-8L ~S,ϪUavgKyp"~Zm*ְ+%~bALOs}瓘~Ā!b:Ɠu8e&DGp r1t5zah<5ˈ޲uM\t#{i\^ Cȃ^Ͽw8/v5v?ׂ\**bQWB0KZN-mr$Оyjy3R]ASk:֓zpU(21T _ ʠZ6La>,1 {KB  *!^)HKR{Uva,** YȻ # 41&FnRZiT&RP=o6(BVYH`'B߬ǜ ,\,[>(aRI9 <!4y;0oADp '8l9ޢM3aiϖ 9]`_go#hð(Z59ܭ%+_݈Cev\W؇J!aE W%kַ sUl"? <1ܤLFEtf uLwg%Du2>Q}3~6 ; OYgK9JkBfd^[BMPwf\ft)|9/NAAçT!+&}7%›PВ哦9K=Q ~jYU/y7N% -h=SǪJ  U"MARˀ`Ck'PQ.R\,Zy5T+[8馷/2+c`a_mw((NGDK:I8bk@ws` KSѴ >٫y6ӖD08~eӣ.Afɬjs{VkBLuZ<GD%7-LX\!cR=՚&.xAbeƣ< 'wPR7v9AnB֜tC,/G::2D@|"uu9?&s!qP%> ]bW(>O\^ s=ɭmi77EKk?Y=e c{P}kJs*4zFb 5awN*أGa2ᓁx=x"ze!)HA9K]&5/@NLU,(vV*'_scV,ڴzv,g=0)e $q~H֯!XmHF[R{-ꗫ%}9svvE>Tw_0B~qU=R9 Q(yf XDF<ϜL)rbHC<<]gOCF\Ma9s[-_Es(;q5S2ִFY6Aa$^Z.7Q' J@T&\rvI\~)('_Ɗ gA>\nrp9Cֹn6RtOJo ֖6P}Hd*4§:"ol)sƼ%RC RL~p{.?q0 ;0Rm-'\aOgM]FTp\ָ?X c(E`9B;z.]Ո)] J’QfFz-) .͆- j۞8$_Y7EU ]ȋJ5\ˍ5!b9|F3Gu㽥H=EȕNj\:*$zѨΜmxmct ѥ?H-2u#z]!~ZxѧN9S&aɠZR3^c䄋kS0H" M vJ?%Or %1ԝLk$Y#aĉ{f)0b2?@jC--4i΂zp0 'w[8en zޱX%N}5UZ_U\T} ww &pn(@ʶN!5Pj&)̔(!V"崶̌ ?@ Iy{i\۪ %) Oj١IkZ^Ux0kw6ƭn0_^\^4#hN͌>YO@*6Rud646^/__Pm/-#8o=g[fXҤ^p>soVVŹJZ+bvEŭNUO>%}ϸőE|Vl"?BҘ ?<,r+C^QeBLPkrnrv|dG&@#)8BUݧw!IYrJ btZ< f-٠$4t@4>ߌ{[ti),=Ѯ-M3U U2NhY "~$` c=[M@3Omku }"WjO͜~'j*TxjO=?w?r(Qê4,FR]`i}@u(AZ<3M\~v—62Bqa@cI ґ|ۣϪ[9Rhl/uLa4ienЖӚ?w^˛U xtPEX{ C.# Z:^3[1$C*棼` ܒ-cD67 :~kLƔXL_Ic?SJl*[\ EawOjsڡI?6VcaJzNq27%HsWM[j| %`ȟ^í|Ol/\jŠw A-4 [->zP.-"0[|Ѥմ7A 3*g_B̳(CbV*/>ρ-F#xMDYMD`A6q?o \JVF3JEU )HmWh }ؔa=@Qu3tQ]^Gʔ1zlmZY :oD :K}-r{M,@CҞAJ>])Zɜ9ᢍ09ElxY,! [G1iEW~nMb&ӎ(MTfJ#;ԝ wn o59b|~!mw2_ʒP6gg"87iw66-Wpy#,phUQe :"ܴ6'(§h^؉;J x/b"X2p{0軦 ߭>9xC1,QˇtR wҬ0S;q^>WU2׾bw-T;A^ 6 r >*oP[3`pL&?.Ov£wƘL)4i#qe 1;" =53@cȇ7l4;XZ)e Gіӕ܀5& ŗr" Sb/&+S{2w4O#]hk$ /cx ';i &sX cYk!K/Gч?[:AR=?:Eǂ\3ߧQxmk%6!j^^q )zmtFN"w[&̒Y[λEyRB-NN,^~x%N1?SW24Urif(%= ye$raT>rN9jar`P|>GMH+!JQHLXV-|1 3x0:4:4?)Y?@)_d='l/GmD}G$*֬8S=HI|O0r~9HHZvt"upۮMCN}eϖ8PJl};Tf_}=ze^%^f ~7:K(.y}4s'=8:Auy~S,EWfTRy8.fk7eGڇUY)BjKן: ^v0!Iq>YS #Rkl061^,҇)އ,@@Ǔ˪ W,9)][bpsׅ:j/t߇A{ il=Sur'# t=f(#g̼~usŠ&T_Oj]eϬ煡A}wVLDM/LA9g'5&cw;-BI D7@Z @[n0`h/\`G\O{gr4rK(0־YsScl(\ x_G 69o( =ldA)6{F",fږJNW͹- %J(9De< 5d)fjEQTmm<"cgq-TrFRHcƃ ۫aLڧ J?^̉5/-RD)1+#fUXSחXN[dc0bDe|Q#0]'t}ilJ>A4-MM^ (Zs`Cϣ fT%5 L4#K:x'+p`5[ǚ-߆2r z4:iFKD-Vj1r2n:~sCZ[UMCK+䋲<<9ԜܿvSD8y$@&gw ڬa zCq녥XU9řJ;u lPʨw}=k}cڲgn_s%+i j ^Ơ29&,b3j!Mx33= VgTJ:S:,x؍#0"ux-RgM 赍YFc$*?dL icpsQ=\I>k >lޤuc6+[>T8/)$ڗt~?+*wnjyi(DL`fAy/oÁ[*>v]l"&>('[y(T4)4מkOWYNWW[BV;t38{^)e[}C3IšX;3xxgZXwuULXrOjoxo!m/ƴԋ˺Yr!c?M$`Kߤ`-0p ~-q\L?2K -l g=h_՗gVa2bp\ ž?$}@#Bވ݆vַϑvUM`;Ƌkɨx9s9TȑN8L&2#8#~{ }‹Ø,RgAg7uApNP~5A=jAc(&YIdԜTbTA ,OQ-( Ca RŌc).A预Yښ9_gAzN_޼Lv"BvAM"%QM_M|BaŖcU-ӍXf!z)#`>Rw*zP!-&9p/3,uv+L 8]ù|YcDAh,7 F8n_'vjY?pJ Pe I>:ޫ8mƲ*wnW9a"'[T —4Om?/Bnܭ^㽊5h Z{5}3\a'MS҄)koQapxa'a·$͒b_żH%ءu*P_KLe3n<aHj e#v4Ln| /@ɖ!Zʈ9S#u?xPvoiW"-uZVӮQ]Az8@]| 2,QIU\3A6pN7 rY ܥ켸87GMȅT(߬\A8Ah}]x*Qr03K 4蛜d?*EėZ蕺c2[cqSWn>U#oJSk}yKk_L@|bfV4!&?qkaJg: rǃv&x^ #m0t9\9>&lԷuȀ+dnI!&d=8(ҭOy)M9sqG$ o|3[]e䏆 dZ*g3@bOcU!&بz` BS&; ,JGOȭyn!2֗oӮ)/u禖T;jqaCU'TFM Zbk:qsVyY%sR#άH4zH L$%η檥_J7^S|3뮂S|ǡXY6eoE&S,4|z@L%MADE?Fm:;M6N^`~ Rh(' S]+h'5wX%-7u˿y"dn<|?Xrc]47bRpXTUg$dQ@b:!IH*v|x̆I$1:ܥ ]N?D 3XKGs] ɽXFf1BCc##s(dр`f=St'qFu{ _XG?&8 W+"}OMD9F5-*~',ۈ-#N FM(頉 N_G.vt˜]xdW@c]@2Χbh-:/q~Ƣh^'`O= >_n BeŎ"Eetrb\iE4,ˆQpn}J0X(ptf֜Zd%_6[4ꚳ~1w+kwj YNױO'g ٘=,d8ʽӐ^i{Fm@JYJ|Z(HIxBH^sa@26B^e)OXTdf΄nr2b*ENζ`n3} P,$R6VUPG=a"!DC8n8W‚?i{Ɣ{^%ܴ֕$1*n?`eœ/`Lb@ \Y E5k巗XUᘵf3Ü:R S)`j6]F1Nґ#՜&Ub(W h,v—a{C)Ќ;w?`>=&;⠏XmX_,7*mhonyCZD4y-,4'׹ǟ# dD*O{/vP:$3=W]MꝦ wDt1K7Ji)Qׯg>iGw8 ^Kh;53s&'ikʋ5q Ɂ,o[7 95#V IYG<"6ئj'#=fm Y|ְ&u{q*? " okQhՃMNIoM|A1vaSg3ʀlJM [wCp6}'vg̗X\R{iBEEd\BլxaՑr)9|@cQLώa9\T-{X}OڟI!-[(~: Ga:&(_*(C]mܓWn̤simc`=DYNyf }KgqCP=TXݛR<톮nh/9C*}9__ҿFTZ?y~J S=%AL{&5|/(}V1XT+YsL\ / @jЬ$l%đg?}2Z$*qf`w3tzAᥪc26[Ft[;oF0f`]TVpGoy`n:ܚ4^#vT[8տɍdde=1٪qGRR0E;/+z^[gN5WeQZKn7WQq nL- \}Ne`2ynA9-[B0| s~?JgyMbC^p5nhu҄IgrdXē[`·&Q1RY&w=*8qc2i ®Ftk$s:vh=ӡ1TR,q–`""`%b*~ncmkڅÜmk)QOTk*-pAmN#wKsjkE:cwjW/+]oMa%ÓغNυ*wщ1_[`8gU5E}k:{[Wk2e]^gc}Xp^v?m{$t*m$%0Fۄb͓+}[T&*MHd F0*8cB?dh ~-2Ƭvge󍫷,tYIcz |沖;CאnUԖC[ױlڒ >8q-BA*^Q-Rв䲓>*An2MWs^ LGλR ^ en{!ڙGqg >k* G}7fq(s.>>OoOPN֝2ӧ!D`XP݀d jAlyE^QB+~|)rj< xoVx&KC~` _HPv4BюRˏ~:X6JьGm}1ojYy#H6ҟ=n `Iq^߫9uSϟбL M${ޠ/JQg8#e8!ȡ%XUNY^Rpoq}52s[qLURX׳{Z dyJMG1`aF(?3d` ȂbL6<'SrMvm .\fӋƄIFfV ܉N!*J6h@TN c@h};&p/zyꁀDbw>`8*777"B7u" u3m,'{aɾ푝^ǎB׏[ϣk1B3B`ң ІsE/^1:,K] b>΍/NM~~׎hqfİea'T0h:cO=hA0]z#QVeT YAvybjq "#tw; fO^S@(OT~y%d#+:ȣNզ> C@=Z$*%i+[7iuL=O+ ^ h 8QoLs0rbK>NaG֎3KAdG-!vbqB(0qs[.k;QKSl{\*Y5y+rZ_^w\b¢!ƕ8!ف2] 1v܂zVP EFuS\k:53n&;<\ U:XۙJg?n# B'E[?c"zl3&{4W qovjմYI[ PAU*Ie,pG-)Q3[ 3 o6˥\ضz2gjMg_ٖۗ#;O Ot+tZݦ232}O*BQ܁ ޚOGlG2@2߇l3?SEwj9.Lw68u/ˑ0E[Eg,N۴N[[ ý$N/f]dî_b"$L*4C Wa@Tb>pa)ycUO(rYrPҋ}+']^4I?+تz߱svA&+KǃMr`Oo;}ƴf'KB9h&;f뢨%޾"i7G,2uD~%)fr<8 .y76`v,>k8OW&T 6`[o/ _Ehf/n< t}'EV63Rj{Q^w [Ɔ.5j eR6Wt@ 1!+bZkc㎝Im ktڤݣu4swSΘP.c5RDKg=Pq myTWTSo顮m5o=P'}Z޽`_# YCTfʶ5tQXJFUINf\hVV vlΫܾlՌzOԆ]w(<"Vv߉4C"׼h6"دe"(5Y)ܘ^-?6}mI,hZ WوzKcpP+ Zid}{g QBuroEgj% |Vb*H&@eoӻFy{of#LB\m"٢ifRkl[Ò1r." X3&"ߒ g("2̕*L6U)DONe"S@0ʟag^0$X/NjԄ\"AU}TghCǹr.!7~OWJ:WSZ;eJD0)^޺'7[T:Lb U)"#'# ~-~@E6Ҋ_z˧SV}(\HCjh3DCbނ,E2ɉ [L ʛac3lV6XyI † >AR#!L'1|.ytiU\^[uD60B (6+9o+.s JgE^n*{$;ȊQ#'lgWR[BS~Ϣ)(pj:S^'A8'X.Pgu Cx+pB#L;s%[q"  alx\u3˄q`B[$~ĤC: aq(y?3%ݤdouAlRDPpĠ5xIn۶LA~ 7˜+cXpn'>rtUQP: {NAz8:k^v>̅7a{^v}=qXA5c}hO!T| `:>> %po2x]nኮ Qxhj-RGKC`rhGII:m8b&4=AXg&fk\&@_'A*)ی[K%ǏCև n\m*? 5@ߧrZ3{6Z" s_HlU `Z9lq&ԭ@SZVto`emzaZ沫p \qa~:[nun<=B~"f~˜`{]Tm]oV;&5S|*45hARL@f29&}q NMAI~TEoNw5BKRfz!߬2&o3!sO` SB| "]G* Txܾ}*n˯ћ7{w˕s8A[FjP#Ͻ$;ˏ4U㻬`FQ=#0G±ו^1!b̒R"Q7zӛ8QģHҳ=?E ѻbƴKdzQ͘JEqjp'QeodG`6f듄=1ώ,<5Y*掮3z9"hޏ/c;UEzcnf IXJ,*%9))yn^xm`Rvbc. ֲvyVT]*2eu~bvKV@I@췲A]匢A? ^DN{Q¼#- _XeXD;NL"cn3DO0 f&uf6C/~C;Q۲ؑH$|{ГF$28XXQѦo[Ū`ZL[7^s=qdN?LI.1HRs=ZUN}ꎐj?s(AkceniRQ$g bFd "Drw2gF3kžRw]e/c^W6Z +F֞\?5l$E8lMf۝cٰwTMR p-No<!]>Ƭͅѝ/r蛻RA  "@Fni?wi9%}B)c JI"!ҧeU2YZ␠ ?ao"!rv!Fc""dyRlI}1Ro))ڊrPRJg1 W)L*ٸy˃f V\H"j-5m,S.5{`08nj lRWL`kcs~g~$r-|h雹kzHZ>TU.i*LJװ6| W%븒J]_[mƾjm=!6&) @6Ȑy0O. (<5 G\W6構]V M5$D;k==|$'9s̈́JJ*epȅmBf5qC,^RƗ@aJfci,R"*Vm iݾ۶l*0JLǰw.aD/HQz~c/xo)+,O :# .XƧrП"X@!U3Xu**wG, i( $ΣnnMv2 qf׸ wY8wA *]5y ]E".tW-MA'J PK?‰q:>Q~2sElG( f ] H،x{ ] p=QF=}w {2hJj Bn-kj@o@-.b:$ C1Wzo#;$d2S1"15'~FkbBknZ5V?y'!Hs GSj\7K !Tǖ#:,G .H#(Lŝ(X4, B1t=, iTk4 ~?k˔JE5qP[-.*)tտ7ÆBx=a^y!c?ZJfD;DG#﷽ȅª)("!ⶋ;,džqNfq9;Qa>h{_x(;\ӕ"S@oR$XʲE_2[ Cdj1/&+$ bhd&w,ph,3<.\#PQ\7KsOr;\xT?tW{ʹ!PL1x{'iSVh'ItIctA#nb8EtϘFi8 /M\E= X1u;r",* YoH9x<;dq<:提{^=%Cn|Q/*CPicT2T!+x)jM9̫8MWIJ?I N[E l# q˥̤qd[(sپ%KвT+1A8[ `hGד {`!X@5|׻qި.y݉zoЪx0޾<? ,lG⚄|&T)0w,aG R_RP^LN~SBk gKciKb(N kXXqA Ԡ:T-;3ebPU7Y3[oȅ_u4! \7ǔLvS(ypZT>5gs>'Ob*XAr5t,z Nkge/mHF$kKɍ|GSOmX쉹#{pj#7ac+^KЙNDqLG@X ̈́#D/l5 [-cʳR+GfEnl"qYqnUkepջcZ-eS$A/f8y0w`r7l\H?*AbbpfѼR7/Zq0˷TrP*U WP#T" S wCӫ?HoǨh`*Mwo{;߽<8e1e!|QR+.k+BSJ;:!a:f CjP?( r.=R J +"Fyy(HD8x)~Uza*✻lP(lSNn&-x9V2I%%##$]hb`$7I!̟t_w#1&P{2{n;/g<4nP,>bjiUo 3SѽM_i/kgVQ#bY1tz;->cQ >+=VYgd8b Y ^elͥ,瘢&X,<)kn!8&G&\l Sɠm8{'j8+? $ )>N" ,e'}:qim2IgBwjdsSۯ۳ao"MHEuڍsJnKR>mu7/x [,oc~^&fMe haTr#vaZ͈ugeDCwmt$CDUreoRAN7'{q>'8l(2u[FrҁzX Щ'KrT+9+a-iG;RMOrfJLl4,AGh/ciUL7>HG.2wE^sR瞑~Y/X$Rk?c!#iQ[ 9ƕ2WU_tOrc4>}v7Q}Lٗj#3=p&1}.6 +ȾwwX|)@l㩔k-xF;N$h-@ ]m2ws_Vgprp!߶&dZo$0"s]g( <01!nW e4|W*vΗa++NIw׊aԺy\"M,3MQ kƾsbz|cvbTTQ!J2\@6qǎ&kn=uu]QLjG=9eysV4ĭk_8.Yf}sQ@'v¥M<.Sh!Jp՞8Xt[/FI&ȹ|C cAb} ͒ ;Fr!~8HM=+fm2f:ɫmii}tX+S;,ơPO? tmͯiq5n籭=~(Eٞ}#rI~,Q*%ӝ?ﳚΞyMf hx P߂ؗ,橉*9/-F(^hS;Ҿ:i^J(h{HH԰. V d}O0=WX*̗&ЎP9w2T}x2&Qi`0pf@-bx.XS,$<\NYкFe>7ItH?Av ZE&e6 dYZG= E.K ~_vl=d`ұU{[k +Kusj ʹ$ Z6Ps_(>hӉMc|*KN*Hzg'ф.ts(zb$2 ,G s _oD`>"-s"֕\ й`ilE3Iᄉ.Awu@'w@n~':B AHn- aX=zrָ{iU=%!67i/BakS1X_ sJ>Y+n-[4~y}J=qOevoHluN x <7~#E Y 1[KYK*趥Xq.L\P$s_r jHds63NIjIVp8ϳ]ypf\i'@7Zji\a:_@ݨ?uRɽ^rYy$㵁fMner3$zrYz6_ nwzq7&(eˮ7d)wͿB[\4V.uZVK7QGHzd @ y]X_T f5Q>yO1=Xt𹪡cdMJI}9$jh.s{JV!^HXv/F4KBeilgChjJH|\!s3;/;GoϠ4 q?ÂmXS_#X)#ewf.@b,:/nM?OX:гbb|4 ȰGy.ccS-RPǼ@P"xkoѠrb\dP2`-&L:\. 4R:m@ y]nA~f$9W i[5iy}Q&D7VH̘LN2u7%SKO}s ieJ6OX`mz79) KFC58]Ś݊n]QlQ/ֺ7PGBm@zݍp"1a}bbN wDܴ<٢.U {ˆA(9!DP>\Q!mTkY"q# ixMX xI:\;#54v1NX5cll8{ e+6vNNw-3Kk߸"z{%NM \RN~ =7&Dfti 3ep#bA%εXܶ2m=Ov2`m1[L}-F2Aj/o *ױ~!/[z3"L0r>RN Ҝ#V7)`ɼIt-gЪƸ{bpq1B4Mf=wZ@#kp_Ɨƴ6 \"CMڜ*L~_y_X<#B[,ejI T!P8߼gA0wTU+oɖ`3h |~}zcpQ%2g0D%mdƙ貘~NkO(< '(!%1ɀ~쎒qEw=7Łp0 4G-"Ɓ՘Qۗ$3V:_4jB#+z6u\wm>p!q ,5,3ZI'Q$y8 Kjs*yp9f!C֧D)զ0M 9- S<j\QUwt@|*0:bP9(eUT 1e~} zx!NN~W߆hέ}k=w=_s6HK&)]5=%bKy>ctVL2xr$$aCC{ JG6q03g=uA>y7v06Y{x|IY3g Xh&QP?GS1,dYr|FB5~yZc(М_qt;4أuZÝDxL ZLG`iQQs?<|:B-kPySQyv524"-ǜTwi%w~t5Pk@}`|| ȴM3;)!TtG1]q= Pt+p1T#*c*T>6,M^'ĊX fȶ. ϭca*Fⷖ(fa=0LoAvfyK9Uh@(ypDlzGa?Ow>D h~4r!g[{~@*cO*fԩ0Z}e!kMZSzShIm (2 a:ܘ^~WJQ[e$gg{}[%ѳ9%+ljT, t`K7u^]>~$7,&C(Sw9'loP}Իcļ%˿~Dӕ[vg ڮLcyO{o0yXmJUh@ˮP`_9JJ!0c%6qf:xx9j)iVG$D℠*~-Qx/]9y0YYCXe8_&17Sz^DHU[lI*Tle@#KRA3B79%Bv5saU yLXY~dfnJR}@kI RjiBΓ>L\:aK;b ߖoƣM6|{Q|f'|p2;d#x1ܹ.7KMn| @uQG~<'\V)Ȯ.$£ YdCNsT 2[ITN}Vh,`g|NI#2̛ΨqD25=s2" J 2"% ݢ+^-Z6ލ2 !+1"Tw ?BY:ڊكZvh .7sPtt0X1Yw(Q|ήO98UFrqڧGM;Xvw7 &l 0CD WKo}T8\w]5)~+Q t@uY$didA^4SJDWeyL<( a kQyIϸ+Ǒ[?(\COwRBD:蝪 yϜW%g?Hx@? G],gKUބw_8.Ղ{7oc݆ESÀg-QfѲzYۼ[j}xxQү_ȰzC5Ζh {u #g: ӹϐ>g%!KXG\ L oy盰l1|=_ KUczU/$͡]޿/aO(蓚nF՟2#5n=tѽ+:b hU;a/FfuZVʀ!"۬*aKfkA1Q6M.v` "NW>YjG|lnF>R!?lB[(Ÿ;qG@3Fx^n~<8Yfzw%gkp~E;cnDpG:f$7\1ƋqbBj破`d8_s ɄN6KP= "#3Mo2LݩK} >-`Z"vỆ:QHdȊg3ud@XmWP?@'VMA*œ6&Rm;8wŌċ?n 08(ɽ>/-zϏŃܱo/x;9┴ۭTΧz_&h*KilsEqnˢn>$ſ5)픜[(<+g2XeJ{_;NՐ$CѱH<0|ҽqBѤNB*dR1KS YrD#KE@+t\n)ߺ~oס5Knێbw{FD-,AkcswZR.ji!f`Fؑ[3V<ϭ?-JgovKdX*ڏDnG~5OTK/iCQ/e}EYT16lVOn#rV|.vZVHwB ],}"`na7P `JSR}P(׃ܗ'Z=L.YTQ޴7mTYAk:F슎扖zWr-m A ?ӇЌ9 AwCi_( o{lU޲].*Xq:7ES%ۍ=_A:{m~kXl3]*!c2'W{9b1~CRBa`:*X_8onH"MyVƢJ~Gyqې%A~* Aqnid_JaG- Z ''TH0\- HՉu`EP(olIN!Ҷ 4Aa^U/x77e%_j?dcE;3*ڱ*sهFfੳw#ABC(tEԝJPe~=^ӈ5:+܄?` ZAخ#( Zt|0*bd q"$YeyLS28f6,'yjeˈBMiS~h8/:B 3yI~\3C I=i/aj$FVЅS] EBsV6wRfrY r˰L_tc3NG7OM)ܝJXeS} I#.B:\1.s*1yn0)x1e%EMhmb57sYY7;)];'{`I='֋! FIlѳqjjgpLxՙ[p"(npPu+v#OkI&ܻ3j7>Tk^H*w:yX䘙f,|Èe;Ep- YEh6hD<])<.0!NHfſij8if~GV&}P>RY'1 ک&{R|O e\O,ej˦om]gfKWYqBʌ&;{Ɲߤ%dip-PL+*JAN~"8 jQR_5s/pRs1.Jo|f,)/ /^$=0_0Zqp?FB)IV\ɆX=w9 6BM'j]Pu9 ~( iA[M|ˌǵ{*w5I{LSYTMf-!FZ'ms|I|U&XlD}a4e\FU>Yak;Pk$0C>F V2 h8lO 3-o]NU\~m"Sɮ lj'yZ ָx yOu>mИgKY]Պ}i%UL#kz"hf #֯ fYv2fy5]!*lPCEf^LnO#i)m(IO|@ )HECC$.w<&:~A W( 5=@]ML f90x3 %5uMX! xzi-+$-yFDl;psj Q>tp7u㚕U84[;!tTTG0?ɼl ޭk|Eyəf06:N9L.a\ۡDЄcr<.=x זsSKӘ¯e [AduWR;9:yR2U^JA^ {J 0Gi?6UVnNF!+ׇ4s m=/6k&YLQ Q(bZVR(B1{uTsi]׻>jF3iP ]t0 11;?~| KR>S.*Wp^A߆d>&/NاaXmȊשCtΆRr tT]`kI`Qt !jŚtG{+NA:j\$cAX,1K#8mTos7h\r_ 2ړtT/ׂܳ@,f]F nU/MqF-Ϻٵj7D[wxB\r5x ]IdHu.EwR4w;3޼ѧELvؒ$8'Z)ݻIcdk$;WӈuK.;8'kf PS?};ЋF6Шr؎ 3鋖_oo'C?^EZ#I|Ux_LfM~@R 8,Yy}U Hd"qXoPX)Sykl(v-]LK838&:1N*XWڂC,$w2>*TXw0O&(w<ו7ae%P_jcX_ g.`RSZ/d{]}ď_|79 ҄*VSZw%5\ɟ(+qPHGbႀQfeUUlg!I W5rvy"e++4cS?J1Zq& #r D[t6SR=1{7}u8j;+SG\yumpR4+:tB+/Hb˷1;eQZنT,ꌾNAu>Jqh)z4dJ 61>%5p`w8$Ae4N j_Ǡ/Eoݽˆ(}_v#bzsUi?v]_&cvd BIp I,0Y#*,w j+K(𒺜FLoO?=lMMEߌw&ARL0unZ%j_C# -hf#ϫDjcz9.9U!1"\b@)P:i?r'+vЩR>?<5gך1Vs3킇P =f k\Jցp)(0di3g q^Wf e,=n~5 wcXv5sh֋VL4,?&<0/+2D'J~BOW:c\ 故oә)OÄo#_2 KIK.hpca ; DӸ~t|Z1#~5zuL^"G7ii6#nX2ThC"ڎk~R@׈ IOZDsI]\zf)Cj)R=Wκ:1Ot6Cӂ}~P# (GQZcƷ|տZ6K1P*9P=t?,^= !E[VTst|P0CɃm=GP[`7i?8Z`. }f%( JI~BXn^_ G"|jm`V_Mj⌏5.iBN}m@=O,- ⧲Һ4)uV_Z|Gq\LG wH=_1@?>T񰕰pq  _+Ɓ}lP~!d4ĥOqaws76v~[c:ʰ|-sCS9ka,Ҩ_S%dn,_dpgυgk[M}w3DLX^N򉖸(q{IxNX|0^ 4j-!@Jf7d!|PUCa%Ĩ{qZ3>OM)~opIq6EIMJoY#٘^uen1cA*bT։Gd7)6וR} _&?Xy6# Οa8;Y S]fU&dL|CLd1FNev)mGįȤt h "Z&.EwωTdܠI^.I9UR|yt6(& *.o+ikO,-ƌȴ W_тsD#BL(VTzQtsׯaS܁hV@ .,WeQF}cr*pM@®ímE+D:.m ΙPfHZ16<)a#g .GȿFݡZGX%;kBa5|bnaL9P[~m0lsqQ TX8#P<N9 ["tʓǝ^ d)i5{ uy5-wu3H^Gg{Gݩx=AUD* 7%ѽAw*cgضI9Hڊ[e ¦,KxAu63&A1$&XGyTz Nf-IBt +0NVܴtT3k7%ԹN1" }REhЀo2gPƄ;z*VfiI~..Йޥn:Yvzի° Wt 2vsTɳNMn*-}:k hfdUWFaxDߟQ#`LbU6V DrJIy\l8<بLVvMk[}H' IoU5جWz4j9&ܽMd18+u HI"I] Y w\?f)P_mS`^tl13Q"hI܊HHWX>g -? aW*8e `$f I伭50$|@&#~v kt?gcϷl)v`e&|XByhA5i/&E7;ydws iSS,0 $D0qy?>ǯ3ZP{b(%"sUeݱH'Q#MzMA !Ml̍s2ks[qnKRXάym -cBFCF6;go.4Ί?6a֝{wހtl+j)ʆx{Uu !dՈiHR`NYa=z[L}}gI1\ C0%A𴠦&N`P諿EFUd DGbiJ/;.DieJ{=Fdh_!G)vadOS+~Uh8_9toeHY 6ᱧII +&%XaA<]%55x'x:]ܗc9+4"C3. tаh-&z|j U~7lrȽ"1 _\0=l F#!v;-'O, s15 lw{Mkl*F'Cu=kP#=T1`1}F1>O vs5SVz ׻ajOf7h&+9 YDJOz$5/ng).iuE>(!:2ѩ ɣcQB˗o / Cyn雏R>V,#<*& B,Y`r [ t1#HV~sډ=k67<>؊R21M3 vYH^YRoD≳f^J;ꯡ M  |57kSi -HRnWNRq>#s7nCJN@MXzJhDK\6|;X#)Q5a(LŨ31j =0{2SهK3A6`ҮSn DzT  Ux [g'\xUoYߏ? :Vz5!P~p }@z ;W0Tm_}?fLY=w2s ?%PgVBSw;J4cAvR&b| NщK BHJ)KRwhNA~Y \J`,kÜuܥcԃ'W~(18r֯kWFuqܨ^fkT힫e0q/5YSg囬>X%T:D!!H;IƧ > "A gn߆ JrmdϵA,M2US3,wJ*^g}hwΝA=@[=myɤes*&{]ɂc6}׭ע5!9ۉ*td'dlLXc M <4CtI Lj_LC> k\ؚo#bظ}β@?Gqn,tugl>(N/^IfT˨ (]J,+tFe'UI28_ e 5461E1zG >B $$vuҗ܂>W~oqG79|`Uc9Qw3{XЯLn9ոbDk --f]YL̶fpTrkW p vɥe!8UEFѳHB?b?l^(G]G"#%bKMZ~ F5=ն iWv)H/7*^ (+eUvkś2GpW&L(Əmha5tU2gH[1> kHH" d3MUf@Ps{zHp!Ž%G\1_jܳxORϽssͽ71x(JY.KP06 o%޽lqe2:Lĝ&~;+g ˙ XS}]ϺJϪs7D@_7mCLU)*ji&b>j¯ ew,Xr-8֥=ٸVSs2E`M6(SN^dbK9ZOEJKJ#[΂V .r3{覓srhьliwqn3ؕC8Q{]V;CVj]f~'{7F%4э: uPA7j<̟xLrM: BBLfň}b0Ӟ,ƝGp)ä6|dTlWfqpozPY `/|FpD]坷T~L^.דu.G[E:A uJXԖ/_RG\GϒŽR-[nȝ-x}Tc2m4쩄d`Fۈ|Qh w_uXkO_h ތ9kbUȹLvVImI;0(1&i*]=c({:=]\Y.:eZ`Lʗ 2e\/j:P v¢r63έnݡ63G3lCdZc=2 F;& fcY6#500)w2=^j_Pj;J)ݽOx!\wL; 9Sex6^&$vI%_ -u$ :mU>L|t[*Ct9`E5Uvf=.\" *i"+q޻/u=s0X3P٬p$'rKz{ԎY89QS"yUR7 0BZh2/ڴ2enI6PY2\N?GcGrS3Aaa?,XG#3#j0q֙Af:#}!lnN`g-%:Z?1^)T:C'd8J1gdS؀{|X"z5S DX,Ir>%MzW%]#H Sr637qv& )g i W%VON+#06~3 Tl`Y HHA+j.]t6t߇v%צ@iL3'xΡk6T8 M9q"Rl{v kRrAH.x׸~'P}tBuɫms)`|SOR{^܌jC\ FgG%{ef*+ET<=yc7_ݏlHJg{БQ&;eϕg}v`9qz!|eK;ctXi`( LAL\Op/H]Yvg؊SHuũT2V $>&'w%K0;ީ؊xM.#Wn4j;_P]ʙF#H`tVO^>3.++*QkZHU7Ǻf$vV|dT9vPݷz i<¡v8:SQIҮ -7qp[dBe!  !Iۼ5\!Λل\_JF`m^I{ymVhY+Bܘ:ސV3nZi˅2IW:_u/3}N8) =azLKu$rUKDW8p~;f]* !]Z|K#ֹͱ*9iCR \>`pe $ܡ@ң i¶,T*h5I_ޖ֪t0x:%L7ȠA2-{=lͶ‚pMN-]2bD8{쿄!QN%?)%{)s&;12vUo #$w3xp+k ::Y(ֳ ~ڻùlD6p Z'w a;hhcog;#uFLӯ)> KOɃ>@&Dq6f{^l|-"5n.x- ݗ&f& fKQZu!E<T YTdCBHA9&:˰:Yw4NM `1tjzأUG_O3eOmP@ 4n  ȗ(%a鄄 ̎0=נdߦ~?q&~Z{> )i&`AqҦG^*Q >F0@#:x2y1¬# ޏ5tK^bZ,,|Y29>\IΟ ںt`t#w9ΠKl- =Z7M+.^Zf4nݪTO}sI>y<}֤HDgA]@q< arR/ DU'Vo奩πXz7(rh%"0=?\dE%o"i 6%EtZ^93@㩲m=R91Yi4%싛<lM#+~6~vy6ϻ k`gۓJ~}_{B9/̵JW4wCU~w٦ :E󗓏($41EwȨбIo„SH@0NwőTm&& `Egu!]beMkjrNtKĐb jfs (AQoI&V:$7F< W:M!j2PVF!DUuT(pcKiKT"5dȲz:"e++(|872hۢ8~(THnh[ĚeNU?17$msˆ-d%Ji{?eP'P N0L oC7]hӱa?Of6NnuJBm hh{MHmkf4LDח ӳe[)+&e4ydſ?b lWAK[y Ja/s)|E4c|Q{]iE/IY eaft 󽴿1u0\goFx p]IoM5Qs?h, o-Oe ^hZO^})Z½ |FBC]LgDF#%~LyԁeNS?Y삓a3JYŊ5b:q ?y[n.ߪJ?JquLqqMZv7(~]kY_;,+G(MwȘOgloK$)3{)8z"z`? [aa;k.RTj%aiJ}LMN\A%xSXH{Re+G{*y1DCpt\JJ [1#as.+A UA6!.$Dk>_Cޡ@3|[& ivA#o t_‚Tg1_DgQR5ϰsZfyĽV4^_7 ͫjX$FG q\RǫHDpP&^5對{T^vC_0F%_)q,f>4\K 'g[U5G<&9{֘%1@MDqZZI5Fេ -g;+o[rԩH`4z>DmE;DzO 򬪤kk”\R&KbOlG7gE]BA5`T>@@BfuȢ+{IUv_1gmGKN"BG0qڻGzS)< ύ@/懇oHIԥBJI2%\|14}@+{aa#k[";^ P5)9D̯ w ˋނiwSW[RX0|&+ '~lx8ysՋJP/U2.u"U\*0ik2$.Fuy:7΋WQ^PCU:}͹6w>+q/3>3׹OG `rbE2\M&lu;Q3ͪ(A_|!KQ~уK}%[!t tqN/]ʗ ta4ήQHFFP@"G9';t+-&"=f9ʲ$rҜ `cWiKW)r|lMO*f~Yie%ݤxfdV V}x v#\UĮxȀC1LPK" Z['dj)'w(BBPfJ*oRj cު-0pL)׻Z}m H)XAg#WL/.$=PX끺:3My2.GҚ%넆D& Cjێ}c7!zuYey+cҩߘLhp Q_7flZM!X-rrTf ;FYVA9S=큨)-/pIGrSgm۟ 4qYQ⽯ IE_6mu"4\ﭶy&/.%|IB{<ʗ?pKX^7u. AdJȘ *pu 3LjThsy]$jlZ͚~i9+~GUÍ>!^]|PUEEzaPWVn4fmⰦ[ayL֥E+;;1ү~OY4uKa<ɾŧ*&} QT.6oMw}mFhs}똢GTקiyy7 ԁ9$ZW'!jr%e Qmj ;%t(R7'$W8]lU:SU%g[UPqo}iGb|nzxtDԝ2A֤q"IHEm`ne)C՛UC'a:cE6=ZU~ùvC#pj++CO4l7tlSYa):zෂ{*[dY g΂ZՑ'i[O.ƑZ st]|3+ZN&Ipj q.hR4V_&E  8Ɏԁ6Gl"Vۄo:ֆ_ʄNpAC5#oRҖC;M6r@0QQFU"y`8iT-1ڣb Ee}Ըf^$qL~,}DyY["<%T?I?p c$KM[ω9rM3E21/zx= Şyc&,vD=j4[OAJNPNt'Y÷"]OthW+-1CFN9{ ӺK#b%T 'Pd|x&hg]jguDy*i$ّ`7#|JB5ew󘿨X>l!W,}/<,?i#)Xj`Q9I;?~8Eo|I y&muI|V$ ԆҼEu\0HG^o_mB* LlNXr+7мKYQƐTm{6'X=;3/+NB cu /TIbO 郲&5Sfe@\9M4Tr3׳ḟ^Sw ./yܵJ!t6\.#Vy"-i O '|e g x_+}P࢔qSq/z0_V JA[9ze1@3y:S'lz1<뗆L'Q3nNuvou#+̀]N>PDbmƮe`g}TU, W#9aH<.Z)Qp6 < 3d{Ԯ@|=y~[:_tXY[:KbdڄJ4#y 48ۯ K San5ij"Ne6ZnB PVq`#nՉSƍmZ*$-ǻJrW0Լ~Y:Ll .mg8/vl ά>ĴtR(Z-imPM #X Dꨥ zpka8[-W QfjqտK&bSv;k`Hu)>_GvzsTGbc4=7pk{iI}<4sƊ.F⌵l˲̰k"$O[|=vw M% G9=Vy]g-lv0Ĵ|1P.Δ#D{tt&*ea> ג A&qGgB@5[ڀ7!#v2OW-"*i;xʙ#V-Bo2 [nBY3ۍcґfDR8}G6? ^N猅l@3<`t!s!1 g_yXTV!ae<݄@y~/CqARyT,̰ I넪b[/=S QL/НYPO8+c^u$A2*M<8fT]IB۝|ث{J;tGڄ`d^W{R kTPyv>&"o65F U<lwNLg ׅ:{N<,#-$An6FcAلj,Tv2@>o*D,3IwpDwѣ"Zpx?#Rf4k* S$dr+1 4(q Q,#@ߍ:B:/{S9q0(Y3qvY^3JHZ`cM4Kzm&K+?$K2Q` #"L~+_%z]aHt}*HJm@5)Y(j{ZmWU|m)/ KkS4s9Zw; $u3r"rcVӤ2ivs/qStN_#vxw4aK=Τ͓<ڲkBggMe/d1=ZiHt5 ,x[ yk0'P'7H(I%ȵ]M kK l|S#cg/ P<̒u3a\C0mHsϸkcK{z5hc"okNTjN4gc-W(p!ߎt #孷5R@CAYk4zEu(C"(}Ƴ "wx'^^p6:Jizh' R^!5c΅^_M/Kw0@qNPO\Ie)a lH{[{ˀpD:0@\<"l5 {-".0c?3Q[S?5Bt{'fn~ ޏ[*"%AN`Tz0\@}kb׍v_nM}Ԁ+q58ѰQ1y%gVgwP͋iX ]$?^x Q\+'D!~70ϩzu%0F YP4fX)lV/Y?B!A hAљmaR Sٞ`qn_ >;` #`_?i d{ Fu] #Yxg qm\kBܩs~&e~&3A f`~[pU$N](!ɐqnULшBcY>̢H^FRFx 9 }͡%Vk}Rs.ٖ>(n G$#0_ptޓ8Z{23ODef,2(fMW:^(nAi=E6=IuHUSs@k{oń($ ڰX6@p3`~ӣ"V)6doFTҟ2Cࠩ6Zl)'oD[a>>tfcoWN `@Ԣjo1+ΛɆ+A&D񇼄V^!Y=9eCJ3瞒5%tiF|8aiҤě%!1-Okܧ*<PH9$jۼ%n]F#Ea5K0MX;aT?"zۥrwh'J |oLgL:XgOSm\ݚxkz(X&TR U$G4&՟N-C*SNG#`hbǁb,5㯪?jm-cju _ؔbV݊eE I)+xTH97t_cvB )*rm>tk]QtvAFW~c,n]wbwe*:޲ 3f+DK_)Q$}:sPD2fy;cWQŒKIXmc˜KvYd}ȃIrbX흅d-fA2Ma]fe.htJ= M{mt.؀ qoGHŒ=UH|e/Φ?:IUri.I-f}ߔ i}ܥnnl$Jp֭Gob :G1ӯ'BVa *sqC\3b“<놄^ )%Y1,?\tzhpO0TuEZNP&r6NOENus[SSOCMF/X y% •AX,3_+~F5'SZ8QL}T"4߂L_p kU3|߬G22ӾD`|X]Vp6$jhe߱n_^lm]A!|C=-ǔsg[ lBJFeFM9-fJ-:ym*>¡W#.qbDP4Rlzģj Dr[˪iFn>{rM71ko9JAQSWĤ؆fgK$TtxwIA}22hC AL#*]Ş Q[K960tMx}u[cj,`FY4ir)7C^6q𶮁BK +s@={`[sB>l4yЧF BbRbAi2jaihUH Jٿ_.:T{R霡/" ?eͻR9'ɐr`ite*:~cD!0o~έԽuD`ĢDT֙ A_vwm< Aۭ|M@9qjNIm||(DZV Gy*q'oyxO~⫅f. ŀfH4gEtf[)Vl[#AfS+39jUBMܨ<=*Ofk1IWhOo5} kڜ4Z~6uirF엙o"UqmbGn-c@ұv0DV@@1~=\rc` *&46UB'\bm g% 2[l7ER =hdeP^F2GUPW4Tf@a īa#C^D0M,Tj>hu-I*ZS1[4hU od+P=_JF|ie9%0t"\AC( (o[tSf"A\qg`yHp`=mײY`^c:E?Xߔ-W.IWFN%ɾ1kۮ3凅hB]CBvXeWYpv5*-2-;a ^a}{$iiLDZ *W_i9DSԿD+Q!<jRz^a;]%iaW1fYtκHj<7y:s/em%?K!TIU,O!XEVیR!HmR8bj38zBHֳ4Q{^p ?9=$Jg= [Gc8 ֥!r+̈Y&^ .nP4ͳÝݱD{DBuASN<#Y$>ӡ)A}? Mp⧄l+*BG_ĸ/jmpwޛY{Z/C6ƔNf\Q59zv)EexZ*>N?O$Ɏ ΰS n(v \cGw3@%Ҭ[Si/Y,`I*mUy2P,48ΒR33EW>|K LL)>RapYou v#{V\,] 0_Ziزu+MP&؅ XN PTzg/!fLsg_Ю3Eb7,le%:v 2$ZOdX!~̷~J <SgYR_aA]s]$7dI|}MH 7b50`",^ѝwC#]v~7gYt -Y(eʊ-mC/w!'e#8b9ԡNSXNdq(󛦮t*rB"1$;x6/WL(3SHۍ!/\Bj/.7T ݩNuڏo(>ȑZ'T396"жrIpd0|cAeu}6h90a* on=ϫܖ倇/ENpǷUrD_)7E8d0UJ(4IIꆀH[};5Nd@k^ҺD.Iv}Y乨f)(,8GC2ƆuYr(WlC/ԯ^ ^NMq)Dz`ea r{z@9zè@_X v~|Ge*H3.z J4oP;: V e6حpӱڴ גoiZ]z,DT8MQ|by<8{FHsAX&N֩X4ԉlEw=5,ҀgR?/u7iՉa 3͚2 V*gmnߦN~'J@*B9b沋WܺhM;>+ЁyczíXs՘yC]*= j,`ՍumiECLJwz]SO#=! '_vRNi" 1Q55.Kçu+zvxO23֊ɡsw[_hIP}x}ѵʱў׸$V:ޟ:U D\oIAqI~oD2k4ȁ#NeWsz4sE~WOP-`[-~ ))]1['v"bȹ04-iE ܇E@jNdX5KuLx(0 ⊢9U\-Aao[i5ytY8&{Wip6g">wGŗ&p[},i3hxDeyNs^b()aZҙ9\ڡ|1V]`20SO}?qn^z!r:Z`&|UA(Cg:۴F 4_`%=oGBԥ; W"vi|+B>_` AMHM&,_ 1Rxc!yl " e' ˣIj@f`Ip 'cgStCg8ڻtB4f$-=qv'0XB3u_)ѡ=@jv^%>[Luġ(x@XVs^U;Խ!a&+cKuۋL['1G,і(f\L~{-)p=Jp}2 MWM]Q9-U)7*>hGce72yCs%)bF֛ )bnO3PdU<]".CF$aM=WȤ. Ʉh 0ݡV(Y7EK(&Q\8mC2#Q=S?-ٍl1ZO׫T3V,M9bQgˇj "e-g$\'X==E.>A'GQ@&-I>'$I!׉t$,Kחou|.@C*F( GzVjn*4poۄY`=0i@Qa“H 'LFJb?@Y:7ٽ,ogצ)W^FI;>. H xe}Sm)fHKo5v+=mN 롫ڨ%n'!s` @CT;' &&Nr .qÕ⾊F=-r֐q }XVȈgᩊ9eg+v1_) 6qosdtF){NJFKGI(k~3uеJdDyڦ^}s4svmiS&]*׈'kp\7Nt+xǟY_#OjʄĈ-n% t;q"-8 VsO^?0Rg% XzPxj;2oNN`TÅ:{>,/^CƂݦ[agЎ8;ǟ_.$ICkMX=fPtUqEq֕t#3a]^'"Z@?h&˂@[AMAr/cI A&mߗ'T%`)tM

8 0XbLeu-pJ$Y`OBSqMd\7{@IpAyjmPߐ$ES{-JHZhpٿ5 r$ks@+SC=\ǡ1{A D!bv\pbvt6X , 14R2u /G){:Ey[<_qnZ>,Rhl-"& [sѝS`cy3dD1Fo-A0DUARwF `g !0Du?hXzMhA~?lAўNB"pK*Ad̴dW t$ \mm1UP1ITSHvě`SoF=QǤFHNC1>HˡDBh (j=xi#257sӟi^FY!q<{\~KIOQd#4+0PɼSR{'R㝕i-\_a,w>7b:m?6{9ډo*&?c)I?\VuJ!K]BJsa@D";'.͂U"V#ӘAsrM̪y>Mt5> m<8 w7j.IԐGPAY @ ZiPh}}S(d97cQ5= ⱖϻ */) tyfҦ͕ՄTM0YW`,8ݣlp`k ђ]z+G}=~EWG=MN^l=YDQPPDŽ' *=- kgdFA v mwYռozENnu#J .$59i4 $P!'aHn4ʌ6p vp3,*Bt('zGm7?QU^z?+k,Tڸ@E둘2B={z"ۺ^7TYLCR&;)b3 x$rVXoQF3' #?\ C/5Ƒ Y#\YxQ:dAmHڴj'X6?.On1ks&SaQL P4`B{`آ83Q AJ)XtQ-7TzB7A}[ E槝ןKb.SA:"ۧ>8Za%<C t̨@Bx)@c񷣠^?rX߁sETTy˛3#"|S7N4JHȠV m0]"~É!(xJ3W7!b撴!iC@@:=D甕CIԎ)v?3OHokŵ%20m>SpO$fi>@Ā n›*3ǔZM)Ag҄vEp)*Xؐq0`֠KakRzAACI__,ìsJߘ{r*K!B?0=.`:qi5nT鰀-3'=#Mp=JWPszE'VVmd>uZqD.9*ڦ.L,^!in@Qcѿԛ6S-ɘPqϘg/ 5-|%rѾg _sdy;GR׭<v-N] UsLX iSuHWDp4*q٩pQ NA^m(/őF1}8*#-O~? 7$j_NxȎrZu=*=T++mI6$\hˬ-bdu,ҿ {v3UuEUR/0'p>pB3&Tt{iǨߊ ~u wV~;r]St$tg;ԁFP%`o3 f% 13|7rKIc犳ҳ!9@$_TCMktS"QUހ %Rѫbf`?N@+|{0^ I?RwIW1}:8J@~Na?b2)R&!R#39 Z$,*ëS uW\J<ɯBybP`IOZ4ogbmO╇:QL5ouY5o[)oϾf)J/@9K2x %%A\\ZҨr?j:"Sh.Jm~*Ao,xDX *~pt5Gi{p_ophzȽ 'YaӯA3LYilJi%!w#A|!24P 'f?):㼋B}ȩ\іs7DxHDypZG9 4䅟;5 =EPS q=qIpZEIZTTSdݟnqz._#WHcwÀxW`^\?fCGL?ʪz\`%Ѭsv>;'^oB3n"G`[[H % B.}'ܣkkgr1"vɸrNYςjFn¿E^9k9d[-~jd@gv*>]7ˣ>/-̂#`ֶwЃZfGkA~~TELw]  ͇̖ezaW($MM/%GsqO<]D䅽& w (n@Cj&a 6Igfc3ѵ=Sk#`9;Zl&1ĉ_%NZ݌6FsSXXB_.lY2g)H͹z(j}c}P{:!X+B1 zBkR< bp Vx"LZi H+Uߒz6)H* n:e:`,WFQY DFsڃģ|7!\[fie"l6J~'SK1|PZ2vN~:>OA( X3"Z;UPY jId\o$ 1<鲖3y7]՞ qT @N#`tUk!UvL5 ѮW%qИw[-hrt.JW&ђ h~'8eŀj 00p7i07b+6XqSJ/èXbV Ce \* %BN͌ګ“?0]1Hgi_zqs\-7{x9f%Hk9#BhDŽ2_jxrltP%.PPX}Io*Tڶ ^I>CivB Y_ q֩Bl&6N@ {qѸH{ PՆi*X{~Êݾu:o<:C %\m'˫qj <7ܚͥϘk'hr_6,t^qOWAzQp?׸k_:fث_ދҶe_)u=u&ML/s.GpsP0*)UJZ2$)'&ҵ2$SB;w-Cxpdo86J##Ii N/VG;6ZEF2)V_bJ1\m^ ©00H_!3ƒLٗKSdnGlrFJ{>G/ [p5Tlɡ5<2yy 6[Y֭^7\I5< H*AwڙkBc2Pü$ULal2*0V%' GV,t 6l W^1,>smĠVifڟSפB~WW?JE>G!qq,Gp,Q:6w {*Jc7T $| glzfrv( ^ ȧpqGmZz\'KCc\mfLN!-9D&HaoQMS#*7 boR&U&eICSG}AmX !PzGHNhL/Oܨ ]3%nYCƃyޘj~""hgG.wYO@+0X+|4heQ_cд&E: @Lө :3$F腊˱v:s'ved]&HȬX-"Z&&SdLQ><=KuG3Yj@lQ7ꐳ^t3Plj< +ٟۂk!$$g-ʳm[le+e;so7r5p.hA%j g$'Eql꯽r5> ;q-J~_gBMNZ4'GBv4+l?L6t*s '3ɋD\ }k5츾hQ>*cåXL4XtwS=8"1)!_JinmIB1$ {,:Q o3,rJwˋyi; F Nb(*jy=Sr #[T̝ k+0 [97E@" ] ̱s%] yTS*KoyPIE1[ MgJ"LwZP޳DZY74(wSfPwC&TϷz)RVPcwN>TE=Xm`ÓFDCG_Lf[㯡CuP.V.|zGZX`Ȳf!O6(ǵ0g[GY^HJH #ęsBmW.gyG#㏁ ysZ\ӷa#[QL3* J^Wd♙^_cu9XtP@}q 58k:֠MV`+"L.7<CnQI{si,B~P&-7%q-ѓ#4<7$R 3,2M]=Ĭq|㮊Fw-8;i(DG > d4oF:A8_  07eAR[؊Rv*hsXAfOz?|I7$"ӫQܛ7Q KT3pe0ݓ7v>BIІ2r3Ur>bxdۼ¬d)YS>=W:i%`MziI'@/pD 38Y{LA_("Ϗu)8Jֲ.~& +]m2c +mNH-84cf:Z l ~;lUXlV8Y)]XݼqWcrGZk?z &!`86>wЮǧ/+(sf{A1r/#3\~k9NYX3+ H(YdL\nJ̻p˩u{@#E{R@pM!)#ٞ|Ċx"P1_i&vPyMqzbkGU2n&w,b-#z Й~ 9ztYʓh!N$8YZgoi1 AGtL=SYHD̓GUzkN. حBrn?fy1 \YK-ӻizc42tˤMض_Ym,mq[SzQj{Ѷd`#?v \G,1-1BW7j̊FD#hGDYA-Z$ v++nZHґT`<*-_ds0A4e3{-^|'FMҒӯ Tv3jFb0,܆aW6ʪU$Dp`Wi2&SqEW\}M-p 3|08)Y_gx%3p:}D(fТrSC,"iӌ]  wVΧ t[YxnrT3RWˍ6~wB};'r(],j9a xs[un\>_J9L 7t۪Z_iM}#{uF' M+ZM7\Ф/ғb5~IvgIm_ (V5H5"pt=uI@],W@mJΠx7~%ϭ}vLk PE/W)4| comVm-mFf\qT+4; AGiv*| AvSx.IMi[ʂlF j:6yIa{>;Lj| n="H _jdZ|@jUۇgj3 sJ1