sssd-krb5-common-2.7.3-2.el8 >  A c 0U]\ݗEa%9M̲彋Wh$2L"/tJ!xHnzO',*Tʇ_5Qg*GYE&i @i!a޳ M{FVVS8%xXtL)r%_}jʏ ?3eO0SVn O01iP}YZ;t{ Yxo#cT2</;\l35qTdѷ9l2`F?7fD<7?vxBh,QyN jecb|_}5y/oF<%H5n֋ܤB{jBBiZp#jʝmΫN?{V;*WpE)gk2F@|+؟3"G4 vpWz o#Ԇ5Q1pSQ\gBdE_f6 IN%;f_p$,UcTb010329e8b87edf2dd239b13f75efcc2f9c2d74be13905efbddc83150d169b09583a867549d91b267f7cb8cf4f084ae379ffaf508c 0U]JI&d\ X}wW ?Oeժx eMo¶q&רBsz>nElWڤT0K9KBX2M@SIL }TG@K];w- ڎtx*Gq]_Ma#0=<]"!mC0=!0%Y,y+TnF4"uVR gE D f'-i!R~"V(L^ z–£G8y7c_pd^ሇC%oln4_cœAD[$4q¢KyTϮ,w9P3?Op,ehܴga7hߖv!:*&tNүM;n-NO*\Cbmo5Pc?Gx/6b2M*vo5c*8F.ic'ѩ-K>pA?d  Z #7TZa   0  D  l  6     8 `!!d!(89X:_=z Gz Hz@ Izh XztYz|\z ]z ^{Xb|d}Xe}]f}`l}bt}| u} v}w x y.Csssd-krb5-common2.7.32.el8SSSD helpers needed for Kerberos and GSSAPI authenticationProvides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.bx86-01.mbox.centos.orgCCentOSCentOSGPLv3+CentOS Buildsys Applications/Systemhttps://github.com/SSSD/sssdlinuxx86_64getent group sssd >/dev/null || groupadd -r sssd getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd''|KAAAA큤Abbbbbbbbbºbe3cf0ea5948eca148c248c4020a9f3364e0508462be45bd77838e67f7c6f1c1db4d9f282e223432ed59b26e281fe0d16f59bb7706d7b265665dac93fb58103c38ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903../../../../usr/libexec/sssd/krb5_child../../../../usr/libexec/sssd/ldap_childrootrootrootrootrootrootrootrootrootsssdrootrootrootrootrootsssdsssdrootrootsssdsssd-2.7.3-2.el8.src.rpmsssd-krb5-commonsssd-krb5-common(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@    
@/bin/shcyrus-sasl-gssapi(x86-64)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.25)(64bit)libc.so.6(GLIBC_2.28)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcom_err.so.2()(64bit)libdhash.so.1()(64bit)libdhash.so.1(DHASH_0.4.3)(64bit)libjansson.so.4()(64bit)libjansson.so.4(libjansson.so.4)(64bit)libk5crypto.so.3()(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libsss_debug.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)rtld(GNU_HASH)shadow-utilssssd-common3.0.4-14.6.0-14.0-15.2-12.7.3-2.el8sssd1.10.0-8.beta24.14.3bbγba@baZ@a6aɪa@aKa@`.`@`[` @`&m`@`x@__@_@_#___[@_?@_-B@_@_@^@^@^^(@^oj@^ku^Y^S^J@^C^0"@^0"@^0"@^@^@^@]f@]f@] @] @]+]]Y]Y]|@]o@]k]k]Y=]Y=]Y=]Y=]Y=]M`@]M`@]M`@]D%]D%]D%]9]9]]]@]@\\`@\]o@\\\\\\\@\>@\>@\>@\\\\l@[Ѱ@[^[[ā@[ā@[ā@[;@[;@[;@[;@[;@[[@[@[@[@[@[t[#@[#@[@[@[qr[;e@["XZZ&Zw@Z Z$Zz@ZyZiZiZWQZWQZ%8Z@Z@YZ@Y@YYzYKYyYw2YRHYRHY@X-XX~@XO@X}@X@XX6@XWXOXXWW@WWW@WWv[@Wi,@W5W@W@V3VVVvV%@VqR@VO @V<@V/g@V$@V @V @UpU|@U4@UUUU@UzUzUzUL@UL@U.RU@TTT@T~T8TܕT@T@TTTq@T@T@Tp@TA@TuTto@TG@TD@TT @S0SS@S.SP@S @Sg@SrS!@SkqSkqSG@SFSCS!SSRRpRpR^R[RSRNREs@RD!R@R@RNQB@Q@QQQکQQQo@Q)@Q@QQ@Q@QbQbQV@Q'@QQQQnQZ@QU@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 2.7.3-2Alexey Tikhonov - 2.7.3-1Alexey Tikhonov - 2.7.2-1Alexey Tikhonov - 2.7.0-2Alexey Tikhonov - 2.6.2-3Alexey Tikhonov - 2.6.2-2Alexey Tikhonov - 2.6.2-1Alexey Tikhonov - 2.6.1-2Alexey Tikhonov - 2.6.1-1Alexey Tikhonov - 2.5.2-2Alexey Tikhonov - 2.5.2-1Alexey Tikhonov - 2.5.1-2Alexey Tikhonov - 2.5.1-1Alexey Tikhonov - 2.5.0-1Alexey Tikhonov - 2.4.0-8Alexey Tikhonov - 2.4.0-7Alexey Tikhonov - 2.4.0-6Alexey Tikhonov - 2.4.0-5Alexey Tikhonov - 2.4.0-4Alexey 
Tikhonov - 2.4.0-3Alexey Tikhonov - 2.4.0-2Alexey Tikhonov - 2.4.0-1Alexey Tikhonov - 2.3.0-9Alexey Tikhonov - 2.3.0-8Alexey Tikhonov - 2.3.0-7Alexey Tikhonov - 2.3.0-6Alexey Tikhonov - 2.3.0-5Alexey Tikhonov - 2.3.0-4Alexey Tikhonov - 2.3.0-3Alexey Tikhonov - 2.3.0-2Alexey Tikhonov - 2.3.0-1Alexey Tikhonov - 2.2.3-19Alexey Tikhonov - 2.2.3-19Michal Židek - 2.2.3-18Alexey Tikhonov - 2.2.3-17Alexey Tikhonov - 2.2.3-16Michal Židek - 2.2.3-15Michal Židek - 2.2.3-14Michal Židek - 2.2.3-13Michal Židek - 2.2.3-12Michal Židek - 2.2.3-11Michal Židek - 2.2.3-10Michal Židek - 2.2.3-9Michal Židek - 2.2.3-8Michal Židek - 2.2.3-7Michal Židek - 2.2.3-6Michal Židek - 2.2.3-5Michal Židek - 2.2.3-4Michal Židek - 2.2.3-3Michal Židek - 2.2.3-2Michal Židek - 2.2.3-1Michal Židek - 2.2.2-1Michal Židek - 2.2.0-19Michal Židek - 2.2.0-18Michal Židek - 2.2.0-17Michal Židek - 2.2.0-16Michal Židek - 2.2.0-15Michal Židek - 2.2.0-14Michal Židek - 2.2.0-13Michal Židek - 2.2.0-12Michal Židek - 2.2.0-11Michal Židek - 2.2.0-10Michal Židek - 2.2.0-9Michal Židek - 2.2.0-8Michal Židek - 2.2.0-7Michal Židek - 2.2.0-6Jakub Hrozek - 2.2.0-5Jakub Hrozek - 2.2.0-4Jakub Hrozek - 2.2.0-3Jakub Hrozek - 2.2.0-2Michal Židek - 2.2.0-1Michal Židek - 2.1.0-1Michal Židek - 2.0.0-45Jakub Hrozek - 2.0.0-43Michal Židek - 2.0.0-42Michal Židek - 2.0.0-41Michal Židek - 2.0.0-40Michal Židek - 2.0.0-39Michal Židek - 2.0.0-38Michal Židek - 2.0.0-36Michal Židek - 2.0.0-35Michal Židek - 2.0.0-34Michal Židek - 2.0.0-33Michal Židek - 2.0.0-32Michal Židek - 2.0.0-31Michal Židek - 2.0.0-30Michal Židek - 2.0.0-29Michal Židek - 2.0.0-28Michal Židek - 2.0.0-27Michal Židek - 2.0.0-26Michal Židek - 2.0.0-25Michal Židek - 2.0.0-24Jakub Hrozek - 2.0.0-23Jakub Hrozek - 2.0.0-22Jakub Hrozek - 2.0.0-21Jakub Hrozek - 2.0.0-20Jakub Hrozek - 2.0.0-19Jakub Hrozek - 2.0.0-18Jakub Hrozek - 2.0.0-17Jakub Hrozek - 2.0.0-16Jakub Hrozek - 2.0.0-15Jakub Hrozek - 2.0.0-14Jakub Hrozek - 2.0.0-13Jakub Hrozek - 2.0.0-12Jakub Hrozek - 2.0.0-11Jakub Hrozek 
- 2.0.0-10Jakub Hrozek - 2.0.0-9Jakub Hrozek - 2.0.0-8Jakub Hrozek - 2.0.0-7Jakub Hrozek - 2.0.0-6Jakub Hrozek - 2.0.0-5Jakub Hrozek - 2.0.0-4Jakub Hrozek - 2.0.0-3Jakub Hrozek - 2.0.0-2Fabiano Fidêncio - 2.0.0-1Tomas Orsava - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.1-3Fabiano Fidêncio - 1.16.1-2Fabiano Fidêncio - 1.16.1-1Lukas Slebodnik - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Lukas Slebodnik - 1.16.0-11Lukas Slebodnik - 1.16.0-10Igor Gnatenko - 1.16.0-9Lukas Slebodnik - 1.16.0-8Lukas Slebodnik - 1.16.0-7Björn Esser - 1.16.0-6Lukas Slebodnik - 1.16.0-5Lukas Slebodnik - 1.16.0-4Jakub Hrozek - 1.16.0-3Lukas Slebodnik - 1.16.0-2Lukas Slebodnik - 1.16.0-1Lukas Slebodnik - 1.15.3-5Lukas Slebodnik - 1.15.3-4Lukas Slebodnik - 1.15.3-3Fedora Release Engineering - 1.15.3-2Lukas Slebodnik - 1.15.3-1Lukas Slebodnik - 1.15.3-0.beta.5Lukas Slebodnik - 1.15.3-0.beta.4Lukas Slebodnik - 1.15.3-0.beta.3Lukas Slebodnik - 1.15.3-0.beta.2Lukas Slebodnik - 1.15.3-0.beta.1Lukas Slebodnik - 1.15.2-1Lukas Slebodnik - 1.15.1-1Jakub Hrozek - 1.15.0-4Lukas Slebodnik - 1.15.0-3Fedora Release Engineering - 1.15.0-2Lukas Slebodnik - 1.15.0-1Miro Hrončok - 1.14.2-3Lukas Slebodnik - 1.14.2-2Lukas Slebodnik - 1.14.2-1Lukas Slebodnik - 1.14.1-4Lukas Slebodnik - 1.14.1-3Lukas Slebodnik - 1.14.1-2Lukas Slebodnik - 1.14.1-1Stephen Gallagher - 1.14.0-5Fedora Release Engineering - 1.14.0-4Lukas Slebodnik - 1.14.0-3Lukas Slebodnik - 1.14.0-2.betaLukas Slebodnik - 1.14.0-1.alphaLukas Slebodnik - 1.13.4-3Lukas Slebodnik - 1.13.4-2Lukas Slebodnik - 1.13.4-1Lukas Slebodnik - 1.13.3-6Lukas Slebodnik - 1.13.3-5Fedora Release Engineering - 1.13.3-4Lukas Slebodnik - 1.13.3-3Lukas Slebodnik - 1.13.3-2Lukas Slebodnik - 1.13.3-1Lukas Slebodnik - 1.13.2-1Robert Kuska - 1.13.1-5Lukas Slebodnik - 1.13.1-4Lukas Slebodnik - 1.13.1-3Lukas Slebodnik - 1.13.1-2Lukas Slebodnik - 1.13.1-1Lukas Slebodnik - 1.13.0-6Lukas Slebodnik - 1.13.0-5Lukas Slebodnik - 1.13.0-4Lukas Slebodnik - 1.13.0-3Lukas Slebodnik - 
1.13.0-2.alphaLukas Slebodnik - 1.13.0-1.alphaFedora Release Engineering - 1.12.5-4Lukas Slebodnik - 1.12.5-3Lukas Slebodnik - 1.12.5-2Lukas Slebodnik - 1.12.5-1Lukas Slebodnik - 1.12.4-8Lukas Slebodnik - 1.12.4-7Lukas Slebodnik - 1.12.4-6Lukas Slebodnik - 1.12.4-5Jakub Hrozek - 1.12.4-4Jakub Hrozek - 1.12.4-3Lukas Slebodnik - 1.12.4-2Lukas Slebodnik - 1.12.4-1Lukas Slebodnik - 1.12.3-7Lukas Slebodnik - 1.12.3-6Jakub Hrozek - 1.12.3-5Lukas Slebodnik - 1.12.3-4Lukas Slebodnik - 1.12.3-3Lukas Slebodnik - 1.12.3-2Lukas Slebodnik - 1.12.3-1Lukas Slebodnik - 1.12.2-8Sumit Bose - 1.12.2-7Lukas Slebodnik - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-7Fedora Release Engineering - 1.12.0-6Stephen Gallagher 1.12.0-5Jakub Hrozek - 1.12.0-1Fedora Release Engineering - 1.12.0-4.beta2Jakub Hrozek - 1.12.0-1.beta2Jakub Hrozek - 1.12.0-2.beta1Jakub Hrozek - 1.12.0-1.beta1Jakub Hrozek - 1.11.5.1-4Stephen Gallagher - 1.11.5.1-3Stephen Gallagher - 1.11.5.1-2Jakub Hrozek - 1.11.5.1-1Stephen Gallagher 1.11.5-2Jakub Hrozek - 1.11.5-1Sumit Bose - 1.11.4-3Jakub Hrozek - 1.11.4-2Jakub Hrozek - 1.11.4-1Jakub Hrozek - 1.11.3-2Jakub Hrozek - 1.11.3-1Jakub Hrozek - 1.11.2-1Sumit Bose - 1.11.1-5Sumit Bose - 1.11.1-4Jakub Hrozek - 1.11.1-3Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-3Jakub Hrozek - 1.11.0-2Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0-0.4.beta2Fedora Release Engineering - 1.11.0-0.3.beta2Jakub Hrozek - 1.11.0.2beta2Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta1Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 
1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Jakub Hrozek - 1.9.5-10Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher 
- 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 
0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#2116488 - virsh command will hang after the host run several auto test cases - Resolves: rhbz#2116486 - [regression] sssctl analyze fails to parse PAM related sssd logs - Resolves: rhbz#2116487 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 - Resolves: rhbz#2063016 - [sssd] RHEL 8.7 Tier 0 Localization- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 - Resolves: rhbz#2098620 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets - Resolves: rhbz#2098619 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file - Resolves: rhbz#2088817 - pam_sss_gss ceased to work after upgrade to 8.6 - Resolves: rhbz#2098616 - Add idp authentication indicator in man page of sssd.conf - Resolves: rhbz#2056035 - 'getent hosts' not return hosts if they have more than one CN in LDAP - Resolves: rhbz#2098615 - Regression "Missing internal domain data." 
when setting ad_domain to incorrect - Resolves: rhbz#2098617 - Harden kerberos ticket validation - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol- Resolves: rhbz#2069379 - Rebase SSSD for RHEL 8.7 - Resolves: rhbz#2026799 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options) - Resolves: rhbz#2033347 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file. - Resolves: rhbz#2056483 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2 - Resolves: rhbz#2062689 - [Improvement] Add user and group version of sss_nss_getorigbyname() - Resolves: rhbz#2065692 - [RHEL8] Ship new sub-package called sssd-idp into sssd - Resolves: rhbz#2072050 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop - Resolves: rhbz#2072931 - Use right sdap_domain in ad_domain_info_send - Resolves: rhbz#2087088 - sssd does not enforce smartcard auth for kde screen locker - Resolves: rhbz#2087744 - Unable to lookup AD user if the AD group contains '@' symbol - Resolves: rhbz#2087745 - 2FA prompting setting ineffective - Resolves: rhbz#2087746 - sssd fails GPO-based access if AD have setup with Japanese language- Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. 
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries - Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization- Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set. - Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf - Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name - Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API - Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon). 
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs - Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders - Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization- Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6 - Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected - Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator - Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed - Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb - Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces) - Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) - Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD - Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline - Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True' - Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s - Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs - Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication. 
- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA - Resolves: rhbz#2012308 - Add client certificate validation D-Bus API - Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO 
timeouts upon reconnection - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1945888 - Inconsistant debug level for connection logging - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. 
- Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. 
- Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched - Resolves: rhbz#1915395 - Memory leak in the simple access provider - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) - Resolves: rhbz#1893159 - Default debug level should report all errors / failures - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior- This is to bump version to allow rebuild against rebased libldb.- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI - Resolves: rhbz#1734040 - sssd 
crash in ad_get_account_domain_search() - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase) - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command - Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. 
ad_gpo_implicit_deny = True is not working - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1- Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter- Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization- Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache - Fixed "requires/provides" rpmdiff warning- Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active- Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" on GDM login with smart-card - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. 
- Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate (additional patch)- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user information- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate- Resolves: rhbz#1718193 - p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is omitted and auth_provider is krb5- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be specified up to the seconds- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools* Resolves: rhbz#1794016 - sssd_be frequent crash* Resolves: 
rhbz#1762415 - Force LDAPS over 636 with AD Access Provider* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap connection timeout* Resolves: rhbz#1783190 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_autofs killed by 6* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character for match rules sss-certmap* Resolves: rhbz#1781728 - sssctl config-check command does not give proper error messages with line numbers* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release Increasing version number to pick latest libldb* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release PART2: Fix gating issue.* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid new ones (kcm)- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 - Also sync. 
kcm multihost tests with master- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome keyring - Also apply a patch to fix gating tests issue- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get the IP address of the machine updated in IPA upon sssd.service startup- Resolves: rhbz#1736265 - Smart Card auth of local user: endless loop if wrong PIN was provided- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" should not cause files domain entries to be qualified, this can break sudo access- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets- Resolves: rhbz#1733372 - permission denied on logs when running sssd as non-root user- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing the trailing colon- Resolves: rhbz#1382750 - Conflicting default timeout values- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder repository - This just required a raise in release number and changelog for the record.- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is not FIPS140 compliant- Resolves: rhbz#1726945 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo- Resolves: rhbz#1283798 - sssd failover does not work on connecting to non-responsive ldaps:// server- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with no members- Resolves: rhbz#1673443 - sssd man pages: The default value of "ldap_user_home_directory" is not mentioned with AD server configuration- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. 
This is done here in order to unblock gating changes before rebase. - Related: rhbz#1682305- Resolves: rhbz#1672780 - gdm login not prompting for username when smart card maps to multiple users- Resolves: rhbz#1645291 - Perform some basic ccache initialization as part of gen_new to avoid a subsequent switch call failure-Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong subdomain service name being used-Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. UnknownProperty: Unknown property- Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than 1.x, this can result in time outs- Resolves: rhbz#1578014 - sssd does not work under non-root user - Note: Actually the patches were in the 2.0.0-37, this one just adds this changelog because it was missing.- Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss suggests using * for backend sss- Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist- Resolves: rhbz#1622008 - Error message when IPA server uninstall calls kdestroy caused by KCM returning a wrong error code during the delete operation- Resolves: rhbz#1646113 - Missing concise documentation about valid options for sssd-files-provider- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: 1658813 - PKINIT with KCM does not work- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/proxy_child killed by 6- Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for empty home directories- Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1657980 - sssd_nss memory leak- Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly for D-bus, resulting in a crash- 
Resolves: rhbz#1646168 - sssctl access-report always prints an error message - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the configuration without having to restart the whole sssd - Resolves: rhbz#1640576 - sssctl reports incorrect information about local user's cache entry expiration time - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user - Resolves: rhbz#1639411 - sssd support for smartcards using ECC keys- Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui with smart card- Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA- Related: rhbz#1638150 - session not recording for local user when groups defined - Also silence a Coverity warning, which is related to rhbz#1637131- Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules- Add OCSP checks for p11_child - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Related: rhbz#1638006 - Files: The files provider always enumerates which causes duplicate when running getent passwd- Related: rhbz#1637131 - pam_unix unable to match fully qualified username provided by sssd during smartcard auth using gdm- Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a PKCS#11 URI- Related: rhbz#1611011 - Support for "require smartcard for login option"- Related: rhbz#1635595 - Cant login with smartcard with multiple certs- Backport more sbus2 fixes - Related: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1628122 - Printing incorrect information about domain with sssctl utility- Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not started due to a misconfiguration- Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated- Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown 
function(): /usr/libexec/sssd/sssd_be killed by 11 crash func _dbus_list_unlink- Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup- Resolves: rhbz#1615590 - Do not rely on "python" for el8- Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Resolves: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication fails with the KCM ccache- Resolves: rhbz#1615460 - Rebase SSSD to the latest released version- Switch hardcoded python3 shebangs into the %{__python3} macro- Update to 1.16.2 release - Cleanup unused global definitions - Remove python2 references from the spec file - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x- Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change - Resolves: upstream#3558 - sudo: report error when two rules share cn - Tone down shutdown messages for socket activated responders - IPA: Qualify the externalUser sudo attribute - Resolves: upstream#3550 - refresh_expired_interval does not work with netgrous in 1.15 - Resolves: upstream#3402 - Support alternative sources for the files provider - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option - Resolves: upstream#3679 - Make nss netgroup requests more robust - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not configured - Resolves: upstream#3469 - extend sss-certmap man page regarding priority processing - Improve docs/debug message about GC detection - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound? - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is set. 
- Document which principal does the AD provider use - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]- Resolves: upstream#3573 - sssd won't show netgroups with blank domain - Resolves: upstream#3660 - confdb_expand_app_domains() always fails - Resolves: upstream#3658 - Application domain is not interpreted correctly - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to json_loads() - Resolves: upstream#3386 - KCM: Payload buffer is too small - Resolves: upstream#3666 - Fix usage of str.decode() in our tests - A few KCM misc fixes- New upstream release 1.16.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html- Resolves: upstream#3621 - backport bug found by static analyzers- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Resolves: upstream#3621 - FleetCommander integration must not require capability DAC_OVERRIDE- Resolves: upstream#3618 - selinux_child segfaults in a docker container- Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl- Fix systemd executions/requirements- Fix building on rawhide. 
Remove -Wl,-z,defs from LDFLAGS- Fix building of sssd-nfs-idmap with libnfsidmap.so.1- Rebuilt for libnfsidmap.so.1- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD - Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Backport few upstream features from 1.16.1- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next- Backport extended NSS API from upstream master branch- Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade- New upstream release 1.16.0 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access on the sock_file system_bus_socket - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and fails to download desktop profile data - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping is applied- Backport few upstream patches/fixes- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild- New upstream release 1.15.3 - 
https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html- Rebuild with libldb-1.2.0- Fix build issues: Update expired certificate in unit tests- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64 - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4- Fix issue with IPA + SELinux in containers - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297- Backport upstream patches for 1.15.3 pre-release - required for building freeipa-4.5.x in rawhide- New upstream release 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html- New upstream release 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html- Cherry-pick patches from upstream that enable the files provider - Enable the files domain - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch which is superseded by the files domain autoconfiguration - Related: rhbz#1357418 - SSSD fast cache for local users- Add missing %license macro- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild- New upstream release 1.15.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0- Rebuild for Python 3.6- Resolves: rhbz#1369130 - nss_sss should not link against libpthread - Resolves: rhbz#1392916 - sssd fails to start after update - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses on the directory /etc/sssd- New upstream release 1.14.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2- libwbclient-sssd: update interface to version 0.13- Fix regression with krb5_map_user - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: default if nonexistent domain is mentioned- Backport important patches from upstream 1.14.2 prerelease - 
Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1- Add workaround patch for RHBZ #1366403- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0- New upstream release 1.14 beta - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta- New upstream release 1.14 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha- Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): sssd_ifp killed by SIGSEGV- Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6- New upstream release 1.13.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4- Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token) - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed by remote host" if locale not available- Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild- Additional upstream fixes- Resolves: rhbz#1256849 - SUDO: Support the IPA schema- New upstream release 1.13.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3- New upstream release 1.13.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2- Rebuilt for Python3.5 rebuild- Fix building pac responder with the krb5-1.14- python-sssdconfig: Fix parssing sssd.conf without config_file_version - Resolves: upstream #2837 - REGRESSION: ipa-client-automout failed- Fix few segfaults - Resolves: upstream #2811 - PAM responder crashed if user was not set - Resolves: upstream #2810 - sssd_be 
crashed in ipa_srv_ad_acct_lookup_step- New upstream release 1.13.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1- Fix OTP bug - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were entered separately- Backport upstream patches required by FreeIPA 4.2.1- Fix ipa-migration bug - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled migration mode- New upstream release 1.13.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0- Unify return type of list_active_domains for python{2,3}- New upstream release 1.13 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild- Fix libwbclient alternatives- Backport important patches from upstream 1.13 prerelease- New upstream release 1.12.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5- Backport important patches from upstream 1.13 prerelease - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable attribute for group name - Resolves: upstream #2335 - Investigate using the krb5 responder for driving the PAM conversation with OTPs - Enable cmocka tests for secondary architectures- Backport patches from upstream 1.12.5 prerelease - contains many fixes- Fix slow login with ipa and SELinux - Resolves: upstream #2624 - Only set the selinux context if the context differs from the local one- Fix regressions with ipa and SELinux - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security context on client is staff_u- Also relax libldb Requires - Remove --enable-ldb-version-check- Relax libldb BuildRequires to be greater-or-equal- Add support for python3 bindings - Add requirement to python3 or python3 bindings - Resolves: rhbz#1014594 - sssd: Support Python 3- New upstream release 1.12.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4- Backport patches with Python3 support from upstream- Fix double free in monitor - Resolves: rhbz#1186887 [abrt] 
sssd-common: talloc_abort(): sssd killed by SIGABRT- Rebuild for new libldb- Decrease priority of sssd-libwbclient 20 -> 5 - It should be lower than priority of samba veriosn of libwbclient. - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18- Apply a number of patches from upstream to fix issues found 1.12.3 - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple interfaces, or isn't documented to be able to - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is not running - Resolves: upstream #2557 authentication failure with user from AD- Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus - Resolves: rhbz#1179379 - gzip: stdin: file size changed while zipping when rotating logfile- New upstream release 1.12.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 - Fix spelling errors in description (fedpkg lint)- Rebuild for libldb 1.1.19- Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Fix regressions and bugs in sssd upstream 1.12.2 - https://fedorahosted.org/sssd/ticket/{id} - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 - Bugs: #2287, #2445- Rebuild for libldb 1.1.18- Fix typo in libwbclient-devel %preun- Use alternatives for libwbclient- Backport several patches from upstream. 
- Fix a potential crash against old (pre-4.0) IPA servers- New upstream release 1.12.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2- Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user private group from server- New upstream release 1.12.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1- Do not crash on resolving a group SID in IPA server mode- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild- Fix release version for upgrades- New upstream release 1.12.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- New upstream release 1.12 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2- Fix tests on big-endian - Fix previous changelog entry- New upstream release 1.12 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1- Rebuild against new ding-libs- Make LDB dependency a strict equivalency- Rebuild against new libldb- New upstream release 1.11.5.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1- Fix bug in generation of systemd unit file- New upstream release 1.11.5 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5- Handle new error code for IPA password migration- Include couple of patches from upstream 1.11 branch- New upstream release 1.11.4 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4- Handle OTP response from FreeIPA server gracefully- New upstream release 1.11.3 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2- Fix potential crash with external groups in trusted IPA-AD setup- Add plugin for cifs-utils - Resolves: rhbz#998544- Fix failover from Global Catalog to LDAP in case GC is not available- Remove the ability to create public ccachedir 
(#1015089)- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1- Fix multicast checks in the SSSD - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source code getting the host info- Backport simplification of ccache management from 1.11.1 - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0- Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: Process /usr/libexec/sssd/sssd_nss was killed by signal 11 (SIGSEGV) - Resolves: #996214 - sssd proxy_child segfault- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- Enable 
hardened build for RHEL7- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- BuildRequire recent libini_config to ensure consistent behaviour- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Add a patch to fix krb5 unit tests- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- 
Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. 
- Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. 
The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - 
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the 
IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested target is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Caches to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstream spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on 
commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - 
Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predictable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. 
- Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. 
- Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. 
- Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system 
improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that 
SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. 
(Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)/bin/sh 2.7.3-2.el82.7.3-2.el8.build-id1f448602f6176f10ba1a5517724555d2b8f842d1b43b61f8e2a5f038e14ae2d3db0eb34d9b21de46krb5_childldap_childsssd-krb5-commonCOPYINGkrb5.include.d/usr/lib//usr/lib/.build-id//usr/lib/.build-id/1f//usr/lib/.build-id/b4//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-krb5-common//var/lib/sss/pubconf/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpioxz2x86_64-redhat-linux-gnudirectorysetuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1f448602f6176f10ba1a5517724555d2b8f842d1, strippedsetuid ELF 64-bit LSB shared 
object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b43b61f8e2a5f038e14ae2d3db0eb34d9b21de46, strippedASCII textRRRR RRRR R RRRRRRRRR RRR RRRRRRR RRRR RRRRRRRRR RRR RRutf-89249c1ee26a690b592713972a6ddadae8dfa14f64436eb389e15d18fa39800db?7zXZ !#,s] b2u jӫ`(y-o5i34<5LotTISl<Qh1`5wwqNaMV y Ee}jǰ'(2r"gskWS|_RFwI@2 K :>bje0ޚ]{2Z{ͺV0|cq38d`/!Ub\,;:Hcqnu..[i Ӧ0c|~! )r!!|Uc{4v[ 21T><ԕ%BÆ|+o"@R28I¾ն/LIS ]4[\ݲm)ӦAy|}.7!+\;>3P1X<=wTٮQqۚ@qd!: ;FdwU߁Wy%/*mIKV E{ꋔ~>l*A`/5G:r&J~Fu-|Ej¤% wЬ.Ts,*߂H a$d  H%i^iDY.%+TZ~B<(BtڹRut#K=^-K8Q˾(`^rVFZO cwe[#pQfckUeK,-T,H᮷y:qEOtk6)h)?fjrn'@KA]bH`B 5\4Y_QxfXF j{M %*\_؈sue(I鑸yb)>i=T|;#?YyV*yb0#$KG񎴌x,vh?Z^*s)+mN{ܠ % ,#0/'gskjtߞsŵ_ fp0^N$* yI|Q=,c]Z!&)"bhB‹d0uF ꯣ[A:/Ĭ=QAF֞h&'?ýc$bM?z. Cv v%czOz?I A<=6u7Bq^aw13e>b2AK/c^\.I/9ikϥ6=^$ ivq\<ʞ)/1uRs?R<_v2goB#XMY+I- M2M9qqҊcO|ÿ̵xXEvf@xvEJ9+GjG \JռϾu"dm+2~:hkp;X=Yڼ# o IFm2KGsbL0=W@l4R}7Ƃ 7=VsTx-}N^7uPνaR(?r0}ֻS㿴rܳl/T5n4D< J$rK>лe(cop^R-ؠWW}mm*GxH_\jSFDiD}GHI;z TLnAz{}ΊPMo<-8, ]$wR>G-U238FHv^Nx_g!aQF|VsO>&" -]2*aPŸZݒ _AT1ѣBeJ/T1*IǍ&y^Y@Y 5f2Ty5ݛ~}a0ˮyG+%.EIp9t3MdeKI  Kќc){_U\/k٩,nxDtj wR 訰" a9Ei n;΃YuܩrLT7{x~@cxN q>;M<Ėp*LsA~3TkBՇ~FC(~³>j go XKhXb| ښk4؟-2,7D:X]q.;v Zf?*Xa]ﰓFp{_=Š2ppyzNFan3ˏv_O$mˎB-1mF>q7׳}SX.pEA|nYOĢǸ !ױk&TE>Tc_jӵrGr@]Ĕ̷lvQ5nb6ts!9NtsLgib; Sa;ʑWg@5OdkƥU\!^pV2 wOx K?G L[FN;tYls ~R ^|-6 tT㥖á+"#VHg0mtapFt6:h+UrdGS +U CLӊu-6ΉvSWk- Ƶ@)ȋ;5Ur>  KnٳҘB8i\8u~@7A[DlKW9_fQ=T'~ È/OR!-~@wt0 sI:g@Gzp-lb̗kHhYd}`5~KկN@OĶB LMtݍhI<~.[Cp8^m鐨!=8O[.:r[Jh w-MzK5 w,`7A@.h8?DQuZ=*$ܭ0~slhs;W 4di E-x+ixrM7.KWU&(_k3|mF,6A?Eϝ38{xST1~ CeWh9M+Ԡ #+G:lUaEZCrƶ~kE7e*BFEiTkKR:L)ŎYoўRVS*_cbbtYKCIDr홦j=8 |7~瞤'%,J8FTaZ6}RŽ00n,\;Zb(BR#SVYJ&s y6QA]r/G `98o(4$a;\mLm W_PX$KY'+ +Ϫ9[QexOؖf1)r!~8q1[ |ygC{(_Zy;t3ƇUשq#7#ִ::Z~eY _:Ij ,:5 "v9;/beW&B1.!&ᶮIw{\T6L^޷Çpj,!.mda$ɕ[/SVhC"TD V`hb|'M~gqY%9d*b %GZ֨d s6DЧ ൃߛD&_0R3i\9YPj,;-HR:yjpMVV!K>8Y653)"Q T+c8'H q5Օ%6=m=݂!86fjXFI &фqZytqm&XP/X(_6.tIh:vMhsDCM Y\H Nh̷Ժ5r*OKu1rp9@zO&L"80KzuXWBoӋ,Awy .Yuqp{dt#Ϝa@Jޔ)ft>7Ȅ 
VBx`45@j/.P|0K 6j b@Tį"é%pJ UMޜtCrn+D?J q|cQ;'8y&btŗq)@rlN"K|f+@,`:4BUШW$loP :wsЀb*SD<Эfo$_~8nz[k>0 J6ە9xy+1l F'[;sN7T5 3y~ 2ըBfJjw@݌Y`-0gąlCUDZh+upp2oG& #+]r"za_SFDd:opoQؾ#P%I+MDTiFb,.Ն0;X"̅A1P@ nA5'g?X"5ENN$\)lPq?)=Rn@'$"MWxqcgB̺~uY`JYԣ n,\ݰl?]&'%Z97}*.yږ˚qoEv MدwL $1] O\'[c]p4N nfD* SrXHy ]2os_Y{Ot߿S tBm%(f&F$pXuA7_6z-ZHfNuRd@ޮG{y<8c㴎d]?I=*?fsY0v" ц}YBQp-ikSXYj*/'p9,M2u1YX.]#c~4smr՞i #|£5RַCKV94Nv9T?L;!R*#USHuUh۷}B5?U,rD:'.̣C[Q^,s\]wUj3neb&:Fd(k=.\piZQ^6?uwjkc u_cdo68[IgGr[|Y6?HڦKs+0PN'Ӕi*{ۇ޷\7QUoֶ:pT 8,I;6#o(h:4N;N{ 7eeP 73೗S}qszP!<8рyb 5X*azŋā$T1t.Qkmj x.cZey 6hET5 B jE|5Gy2Jf9 I1 I:e+YλIʹ\l4?S=P o]Tq +A( 7%'yp:S+֍ Ql4c1LI)'H`H{+j<1` ;)+Z=Ӷ t1`:4?tEeHrryF[Mi{Mf[g d$_l"᭣?*-CL٬x/C[;9u:IO޿M xRD$I@:sTƸkacy+G V+4@"S~_AnE@r%q߬jpPEZzh(2?KT LB&cRa;n=VkUdCePuq蝷23SXg`=mBZ[5/uxT@zk(dl!W aWJ!~L̜}5BeZ?Z6,9֍&Ny7>it]db!;cad6;$ܝWIXNڻ? 4ր\Mb+'`]2x-]#+.V O#^ n QQ!*!e2X/*`M\dZ#K If{A%sn pXEΕۂɦgV*t_ngpw?oBywW|cBpLj or&0 !M~&wOx׷mɿ{ Ui*7 Θ <tG.E*ܧ|vʙ.9+ Z f  k_6U ƫِ jRzdx1F/3$Lrm_x=ɰ*߂y(EمOlɰ &Ί(Zd Fvr,d[))T c֫i6su;7*@dpRs`)V#۟N;BN{p<0 JxMp'pE/1sc7&DE!6fcnR"HPKz|Ѻq0+ٱ u?vvs8q2KM_9qm8)[]hrZ %\j$}["Za|j }EPWM|™ Vfw-@5:,?"gA¿v~ZT%.#{dD=g7U =Pu!Spok_oʌZ i)F3/^[Fmi+]mIz`A՚35qb߅!4boDoU>T]!AlRVqĬ!mJ^'/hyJ qO>y;Fz`j8]ڌ*U]ԩ(tohɃeqd1m^ju! sT}s!xG`i5t*!b/>%,TT1ڃ[sG) Q-\ENdQ2qhTn''hfnaT*v?]d;Ƈ';Z6v8_N1jg!mRVcw-V.Onil}ft3C22g#[,c{ HUIo+Gf">)\p_9vF0`7쪛0͡f$XqJ<k`]RePJ٢߱WuTf)l4L))~k@*Vp2>=2l_D!Qtp&+..Dd@vŁyK0{=kb[f]YUzw".hߙ߄Rt'y{!1BCEFo:{~NwF/J%N+Z2 f'I2a Km7 ž,?9(YkOWHNVm! l\I 5?Y!vxpN 9X "!l1 *)[fY?rQ" ѧ L#5x!|'/#~V3Da>W\S%i6_g ~ұbTS,*Tk@T$7V3Z8AFnCǍ:C}oI^ :?C[WYT췀'X3?4H/i JeXVZCEO0Ck.#M="H=BVyCW{ۏNz *.[ewBܱ[ z 4r )ܞTA_x|ٙ1a*mb$2l]׌?TfH6,1`nB;4S9Zhَ7 l?QܒYgtE4 o-_ r?}mƶ '{yt:_Dو)c|^}7vܨCbsngV0s_"7-)KP.Wqx:DL@CuR7eYFm26GRfwvU?$T&[X#ij1[Epdr'u^c7|B5TC*5Kk;ڒ-c="1E :WF|}as[| Q#:}Hk&{2Guݹ  a+$FgӲ^)FVF./(ȈXFɣHheKz$Tlɇ~#LJ&l3Lf10L^mnf2蠰O`KYvR+EUy Qˎi^ :}xtKM`Sp܆4@bs'-F?jdxNYj_rfX5evb.[$ Spa֏{F@aW7DOCOY8]Tz*ɶYj^?cl:.&^R? 
g~·ld*3E ou/*|{>?ʉ9ov "SDHfxrEF V}w7"1+T8K_5a#Yi4~69M=M1*zCN$c{˚a% dk#LLO9/Dh Emg\?? b/|e::͑>M.xK.$:x X&?ѽYp}%o}uax„E-ĸ)CzX{8] Jx֐ 8&~ub6k L- o ZH>9ؚmp\*KdO" %m_SGrK3[9䝑v {I_f67U+CD/:HS }Q-T{7ė_GY &[vՒo~$|-Sxߝq8oٗ 3*#5ިk>vPM?߄meHOL411٤rS46iť!hnΧ@J4Qo4E;e5u}r(*N@:?x ή_1pwUXCúG{#F_e2qȬʱu:NX6q?`eb }Ⱅ$xO#^dת *>]2\S&KҢ`.s d%1 1QD`r>9f:M* J)C( b,aH_S_-杊?'ΊuvJ@%FwÊ\oUNd;=ZGg,=wxwa6 /&yԥ- Ӊ ix"x3-d-˷%`,ARwZFl gGא%ZQq 梮te 3ǃT\2Ġ}mV5g`}MI &0ȀR8L##|z((,5 f_Gj=䴊Lancut iZ>NS"s? iXIG ݒBB +9t-3iX.tmLt%!_%p"cʮS"/,7g_R4DfBr=ϡClOr`m{66O&rM)1^`?η΍ +ώaX-\\l4'Ji?އ|Q 稀5V IsprF<H,>Wܱe޴@ZYW]4w!0d Bt*An2#)[*Z7Mo^CDӚ >x3.p4|SC {"3p:E9J(fԮnG|oBPQKh∟%G938 #8to>qRkxVQM6n*s~lb )?(J]]F3Z{g&@xa^B\gKB&chg`]H)P T3 :2Ғi^ݔ2e}`STD^6IOv5Ҹ(nBʍx{R j`10 ̘( 0WFሯZ0+>t-~e Gk 4HsMbp<މFu`C^˄Sӗ:"T2|&h Vq}j=A4npB""DU$1yS~.Z#jh8^E7*$9ATf9laD?:dGtVGMQxYbLnu(s1ULHro#h"AHs  )Nj"?/LW# {_i#q5YAv_8R)sDU=J(>s˓ȹCr(ƮqOnM`w{.gLHB?nu9ǜ`Isp@w T4#m #`(O&ؖecPHN7ɗޱ֚]pQwd2 7C}`6H6tzUGX щ.A^@dg;;̃HUYx)e3Yj-zBM`2=pZ .@1et'`_b>4H 05>J7,ʑ{iZFvRO,8މØ"lxZ9 9/~g?]tn#-"\01BTnW 궋Q{3}G *{Ř<,Jv-+!!q7Ɗftl/=]ɟޥ$IĪ yRdoȒL\0ZVgp}ٔbタZiF/6.MLOlUU*@?B7ǬV ݊*ȩ,EDA8'~Ƣ|Ed^ns=Vc'yXA=Yf*[Oyǃ4+1{ ?"fw%~9Ehnf$"Qm{49;Э@Z`okx ^BIЮ}mk'6G)\d8FqAc5seKJ\^g!eυӯ@^{5$unC}),ꜛ%cղ31f@2QaktWQa+%J]P]3a8 -և41b$&J֎>: I`(@'J"E9ں*2hn! ^nk L)tX}|TOm|%S~ -z1Y 8 =(9w\VSB)08< i\o @l>E3Ţ$As`} P5[8"2;&Mī>uW[c&I}2%'.%ըJWjI_i&o àqĝĔh %s %1YX0EeЋq+ dF/pw ,wC)^R5/eW+,7F,AP=uyl{شiyCnG@Aɷ۴j{qЃHvI~0һV jK8ɠt%4F7WkȆonu6cdbLF[@snΫǀ*fVm&2іkf[/ I:KjX pۀ&~\aSⰀR' Uc"(nOR[zJ4Rn9 sSkX e_ueX!d>n0@~>?sky5 #C#kyAVm:qNRNS}2T%zyEtE~^_rv=v6i[ AF ˼芽І::sQ?;@[ N"Z;:~| HiGC5* f)k8y;["_7=eFYSl@XrI!jP|7WsK掇5&D*c!hnL4̙EFX$I5"-ݹvt, W:IcRG>@j U )WlzR>} fB;hs`͎c7T=S}kNm?ᇼr^r*8(_?|.uh=1f. 
nZiwa kW6xJE ѲDm5[őu7KՃh}P0"?vnqiǠ+Qm|à G5Iu0`7A / J>T6B)c$~țUZ}c(I!G)ؾcy@ú}h.'j"#yqK:@1Y:_(jx^IXqo:X^ZP{GQO]-XyN3V)Nh`@zxN9 RJzhzlB/ !->DiG31s0WIosCsNH MBv O}om%ZfOXwʠKS ;JPobd2zPmX?>1opE?e?WE iFͺ4E>R 45}P,&ƽ+۵#3h5-Բ;?;m5j`,fe0_Miħ˷0A?EG?bޓ@m/n3Wb|su}ѪS_Nu[I'?wc$\rl(o3-vؖ չƩ$ؖ^\ Cv sC9Egaqӱ6B?xKh~%LvyChԦpU9Z)D85B|6݋z!]ٞ`6#+:ߢ=}ΛCjF" 0䮉mrw%bxih Նz&X"g֧剈HMQEO'+z9D+٬$&w`# [~.Ǘu<QY^#ҹE1~B% z^ oJCGKVz «zBP揾if \?sYWG9WQ;C }8d\[}ఀ ;JۘΣi_8MÚ7FFW'2eoW;Rs8uڜ)GNbMXe5kнI^EζyڝVsZgٮ'_ͨ$M4 ucN=^vz\d"'_^ix49nܲl6l=<ަD3߼B^'Gjl?&-xKBgFv]ajq7;#G`!O`8iK,Nʰ|ī (\r)̷e1`_/Uzh4w,(T햌Ւ\k;q&՟7l G68qg* з+  "(ub4. f^9?H{Vr£.j:^]<r>ȕdVWÞP"0sŔ7.As١k.ɖ1[_{%\[AǨ ϕgkɕ<䡕pG' .+F;U` ܮ-iLJn'2X&=ZE4*Wx#w|s h&7'VF,"@M hW%AƜPӨ < kh W},T pp01+_KV7F<<ۭl %T!{#`^Uu}=Ȼl>֦krY!b/Y:B_[_ X&ഊȄN9Tpt ^M>?Pd7Y(5,SOME!|a)^:( YI۪vCoBtbh,5}UF:M)5cMÜ>|࿔FН- [ꃐϾZzjB :&cσC>k4/-^pr|6RwK,*@*[rN' |G?$2.u \%V÷diPpxy-MO R%C vsɶ29sA^C߳i+lp)d#zYQ_B95E}vC_%&5DYi#o֘ y3À`7D#'f}*:h$+=ww;?1%@jqBGĥոBYWL!CН U yv2^`ցZy.0mIkV҂Yٲu%On8-VOtF>lo87cP@L/ V$ ~rN'@2iU4o`C腙N\mu"m!`se+ӽÁnΘ7TwHGhe^|%er6c"N JPz'iìaNf 2K)oQ0nBUͤWg”ë1pN~3ɔ V^M.@x]"ޑf*V#_vP]Sa~!v,)Xi7y{Ĩٌ55ggsʧY(^XB\7OIzY.FM! 
˦r(2<ۊHl-Ͼ(ڳ+0kݧB9sD= `(rNو..qdAWGJ]-[9ϻg0h<7KN׻|3^q6^Tt"ֶ(7=_g1UN=) 5NbTrl;pHysjشOOC$M4V\0Yf?ޒljZW1U; INa 3wu SX ̻؆Z@|BSsaZkS s46€TsSIB>-}†dda#= 8?Y&RdJ ғkK'hí_rlSV\ x'S`a!SCF˽8u[8߆#Q Z#߸iJ'и;*/i^aTBá<"ahGPJifXΌ.Hd*>S>pVcgwϋuqQs )i.fM1:|g("TGˇ 37M-\AnBh8-D[fE0C[<,{n:JʞAx$j(Ͻy=[nj&@-AeOw0F2`ёGͬOzB8` ؑ'R?=g^ɿ&}Nx Pq yXG(C[&bqx3*:v8;7T%t雤h꫅ |6ns í_FM2tNajvc FgV+Nmd4Y'K:mY"{&_nX1)K@6{uhRT@'i4L+9nإxzQ^iyu˵{²\(dV- ~]mEI>PaT;[y' Z: O CwW|,̓X-*g&33ݹiy Ot=<6zAajCQPIL!ܟ7_ɺ`R >ǍFE\H5 m+P=עq&Rk?Ivx0Ya/mȒU; r=6W_ÚN"!]y$Opa۴0m.1C&Cfc׼;lVDe'CD+=H^L2ѰoRA"v=F.Oi#H2Bn,)*ԡ-DםA $s0m1zEA" i'ߘ͊|oo?͊8ɕ F,`ϓӁe=^6ܮ5~x\5gpAN:0O[۵Զ(ɫ -Ñp=UZ1r"Xlnou'lVMzb)JP{gרa"6;QoBu3FQ}H:GKA)׸0AE'iw*>YU8`ŖqMY|\Jʮ3Wz];\b]^0H^X5lG ϹBj yiڇaBeMIqfxMVܟB 6RDQ; [r!MpW xSÑt!U naؙ_)g/ؑX m2] dHbez5alcfzN{ )lzyh9>}،+ѕB'QNWDV \TJL4J;pv;lRV?,*ep4YuXN8l0ԊV͙]wg: #1z)vx"oHmu tؤ9g/Uk ;\Bl ŷzxeL{wGSZ4d8s3h*Qqs a+rh@VQQ$-Iďh"uOfSm…5@dmΒ9Z.yWTm"aV3XLiG^7WQR[frcV>c ~K4 ?G"]QJ([vӶыm<m+w0bІ0(?] )!<R"0MW܀yJy~I*)H8w(P}39OWY ^T*ӓW]h=vW 3`.fY5?S&M,\΁iD}a$e|`.mY *Տigϙ@aj(Y 7}i|T vEDH )R7ؘ $-tgk|_:ZH]u_ lr5Lnc !(!@(U.<Qzʀu4}sPCuHG6~WqM\\?OM>/IoBĩޥW}N–U,.~aAzb֡h(y)Ɠ/2vޱ:JD G1`U$|_[ҤKJʫ&nJ km~2qP+tA*^IB0KGp8MP61|ObƏ@g~y YXmZnmh[XQsbQנĚpU2$;Yl8!XC,r)'xZ2Dul_gFPWw];\" ED H?ߧf=1(IWqzV1 vYRM>ys4YN"/[n& ē\v׶T.ajL5$%NF?@4cIB PGAH0l›OU~"v2םRcXm(\لr v$,H)uU{dnl@Br5h" gHZ^<ׄm SQ$ۣfN'8ZAyS]ڨo*-A}$MVcf3όin+S;jW/0=C< 9zm1cuó Q!Hv15ެ.c[w-bl>MIuMGjŲGh8ͪke Ũ$X6AƓ1ima6$FH^mER#R̠"6ay3/[s\xM2tZ{/tH 61ju.9phHLwO#zSX;åAa ~%xH>맰 z>̦f0!p}\8 nK49Wis_( \~|h`JXQ=|vx?44 WbsƯ|\J&GEO@&teضh[@Q1AxXa"B_ĔE@_+`wMnۛO:lke(GHf=!֩!z%\o_<]:IWXZO0Ia91aA}<Vm] ag8F"Ċ iq> >cNaƧ_ H.-~'+V"!{\lP{p [#ZTE|Ȇ_^d sá˺0@X1"&C}/`[B Wlzq/ń==m&j, Un[.cuTlAT9,.^ B/4ܸ*Aj"_z%Si>\ۣ hS8@U2:B\CPM3J,S1Q?o[C%Zv)u/!zպ[犺!Ẏ҉bxKJa^@W!N\6Q;Ҍyy\XZg湷3k[2@^vI{M$(=jϚmꍛq0(,?-գxfAcQ'i-#ƋDx銕#"[c>als ء:{L`ouːqFv8fylH)[QG>y% ̮/B> `W4= JD^pE¶3u.:c@Z:3֟ZxLXj'9W-:~3ֵ<͌L^X v,W$9J,wȢ[<YlÜE%Wv41 > 3s~K;~>:6s[tYrFZA[!%3O"+b0*/o"^y*~n-\2L}'ж* ODBU eF.&¢t;3#up6KL H]MV 5|OlseD.hoÑnY%M4}q n=ݨ l8i(ZC;,P *P)Cf_ gS` 
өjmx?)XC)FC5g)m2 T3?'^J"z@Ho0gImuFin:t5Z;4L[-t^ Þ &y5,3=) } ?OQ}m,R<`H-?O v¸S}A4-/mW$T\ӿlq5v崬3Bc$<V"{q;}zX?7SA:5 es6UA2(mPR1%V̝rIj~]9r°T?y;:ˊI:vޑӭLBؽKoZt8$qW H`qSCheu]Mx뜙Feȝj*_T] D[ThW6ҲovǡptfNV.T-&syvAŪ#⃳^#DW͈a:3\u稦x,}Q4ҥvgʓr@!|Vu@# oB\@3/cQ_TW̎4h$rd;MyN&Le1@ rhcEB&B dLw'-N4[ElgI`fO{9,_5]J\@7.'A7@Xdp#no)sξ:qI.s^1ś2QNj5dE{6]4RYHOH.FuV l Odyᤦ-7lqMb p|?9YWev]>k2 P#4 ؽ2RCJ#\=ԟNTe2yd0!ILuqV(TGA\LҖ`t/&ЉեS x?n&PG2^<9IwOȓDa_?䓂uoﬧ"+(']1٧1(gJҼ]I٬||zTnX?ktojյn2Vm"T,;oc(s^m>Et"N>j( 1sLimm/8.3qCv'Дd䭁*$0%.6oR\4SGL$,cr>esag KE~}3ykNΨ)Me5=ct%b MC;D*qZaᳰ0^#/G1pPK#.. 'KRhA}69DL,fSm2{O~D1G|5S D2C> g20x7waTŞW,6nM )sPDzQg챑Kd=m<7eկzi%'dsq”j ae`aX fuڰ]dv2 x,s;8ƈWnȲX+kOf#\Cqݒ~li zl*oj|h ZD BMzBV :e)B`%YIOʖN?&UEHț,ǻ2;ʶM/gQ..we F?yLaR<,\#y@6  Vƽ[=)Z޵\;\¹7&RQY8tn zhs bܸx_D:Kfl U4JaNo72 zpՍ;~Ydԓk3ͼ-DɆrP0wMtkwfSu.ҵ]{}cy)9 tIq{jxt[\bѾL-cv7Ϋ |B%l֪dWUW\!Ieۣ5s$j =,QPzoaюl! E%TrX2(jic60<0LĽ@4 '9j5-KRhD$Vqzå$feKՕa2J>d&˪iaW=k⁛)mLV{跆P7L!|ijf{ f@RP4XAz3K$XN >U3$GJȤOU|8#x4*^)0oW%-ǯj[&D6xh&1rgx8(O:>Sfjqy ֵ껗0cyS(ZHIpsq3\>]gVZCP܏ <0qEK/821rKIWBsJX4VL 2M۩:;nXK\,Hû͙=<4r/\7#8~ pf*#DŽY|tkXs1x{K&n:܌qY@pB26q%=;y6XgqqRn0fGr}bY7؇"DK㭚lq  h@s%S6V;F~5kI*Z;BSmxnz^v̙SwVA~8I >}蚦XŷUWEQpX1 H4AIߒt}|§U"!3emI" :{kG=?mum˻cGC,vڗFnb]ɝL{U7 r<[GŠb|2?Z0k"z+I6 rR)ɧO*\(OKCti{R wS.SƓGߚ2uyve!bWYe0ωPsAA6wZ˺ST{6Ok SGZRB&W[1^ ϼ?9vV%2_ApXʼ07?]y!Ą˹(A)-N2$A١)u6ҭ7"z< ᚔW} Pк whl0HQߜ`sCu>+[|"vエz[C:й. 
Rbb_<Ү^-i=Rdj:ϋj_37  q['5 Y΂}(ȖcwjFxLJ3F#YbrmG4ʰ@:_^V[E~S攻O!ËH1˷?~( ׹Ҧ$.;LODwF+xgtB^^3A1}(J9Nal&۠YQ O(Vrxz\m*KD=9WJϻ@L/ ~~?w)FQTF{,!F(X>ʨr TE:f;ԉ=*y(Ԭe3:] vVX>Ne,뽻i&YCtʗ{ G784‹#o ۀcsG^BYC)91W=?pǖM'JqЩU!Z ?d/00\ +,^BNk!q,f=-͆Q<8l3`V%ѤHb4e/0d!T/!Y:k HT;S{keqlS\XS::-1|odz"9j|Yexla 3v%ۘR/Ed-w.B6JTac5\\xρ4}ot6zR1hHlo<> ^>f |.8g~2 3zA,ن2mҔ$\1G?hѨmO'XʉdATNip(`!tvܿyx 2QnjhQJUEOr)*4hJ$aFݰ6^E.bʗA+|CHTdgl73Z2Ȱ"FS}'blۙcNr7Ė$Ѧxϧ%rcMt=:`: :O_`5b,$ yP+mlUV$j30 oTqh 8386Xw{ q;V6N2{"C 8W Ljd 8P_TL}5;1ܼ4Ll(<ҧUdxf|;O@'Da(R7뫴IAoy?Mn"\Rؕh\ުE-OשxXna&VvAzefJnyw_]2A#~c"D%ۉx lk/]I_s^e+3* j1w>>pDz![<`hC6T3~Qe54n ֶ5G*[2z#q,@Sj?q-!t4T} r(1 >r;=RXwSu#m7vm% l^͉rYTC[oQWM#Hly=kdu!Ĉzpz|T; etCC/uu}aızN;\J h ױ;Z29\Y\ʱ["j[aڏqՓ~Q'm& a=d)JH H`.,T!MhѱPD}pYPEAh"fkZc^sOT3wD\.>%"_b%ܥsTD|~ Dt[+@fxzEY@" ޳KF0SA^TVE'D`!7oՓrEM /ɐ }\:S7`U:K/<쫲vbz/d߾&vx:JSsS:KҐpRB~!8(!" F,`33a{F6 6Qzi ٍ|]1 M^no[:L&g,tQ&&"X2l-B F6f@SJ94_l2BWΊ) 'JXD%g?SX~?jw%xxaE3ZE5ɭ{MoDLԷn-}r_v9b;Hp 7Vvnz.KnĂNRYj/# έX`chNr4 Q{<ϱ%-G;X4ܚINѢ}}:+6 5m$J֌"'Ҟq<\1hXs* v6ٿЯa㣦ٱ7qCu@ώwR w~ քoHK2O3%}rF@5!K6X|jŵQtCx/!;j*sY u Q6AGݸBYrqqdZu!tض-6~"pC5\Jo l 4tmC)q`"O)wΆ*y#ztqk^MdQ=l](Wkp 'V Yw|JvŒl{?r=p=9EӬ`YnR,tfqZ+HT劫Fsc:/Űx7s%@)U苗CIPY4 P ` \k!r j|ʆ+Tu}iՑ+%ی~!sUʼNg=ɋhgzu +7ݘs촵 Dd')Tlʼn9;@Tn6H_Y ͘(iBw+Iv*L/!}CN5fϢZ{ṙ<^阁3nPp!}u/04O _͎N<흚Uq+_+WBUsk1դ j1ʰ2I3GA"mCtfNۗ4B=Ԗ7LUzBOw&E9܂Sbɦ+u4J{%nRSXB@Rqo|b#-!h ;&owut̵L:j~kgiSv紻tA.Hr ڋRS:;8.12^p1VF?w5˞a@u<7\TdẂ1┎|l?MEz퉲FA|c*;Q\9TbaeRf7@[n!)cx)S^;ة1Q-*Ct8P4zc'}Xxc&5"c֝^6V[5 s.T *As.#7>`AFIܓ".""`by7% ' s <@rNy)_uQ9ReG1RwHnmäC??w;GdM0+氨op(6U@j0xVvzeT i">4 >%!fF!䬓͘Y`7-Bc!ԯJJ!r|y-O'bwŽ! 
XuK^rr7v,~l-~r8-wcTF:Fg:T+t3Rh>*B7J#vb !Ǩ_rH`^Վ:2FP{yDI ܺf@и`N?_{"Pظw)qVin%: :U8`‡}{l,f4߅3k0f ] ?A ֶQDtaSJGe&:FW#K`κ˜zՔ zE+{<>Q!J/~9+M/pfє8oSNv )Ϥ؜mp,KyPZXV_#K2Ff^dP?6!$%lmXϰѓD%Of-ӜE2{yq1.D3n]Zњ_(ћQzvYf S+ÔIA' UξR82hi_oҁg!KRыJx89N6bWu~~P6Ғd7yvFTF1.4g|N `m_vC$)D證55a.4:΋kܹ~s9VP^(:ɥadDk[ ~ᦀj8d *(|]$@%q'{rQ4@.ޭDIGL[8VCrzMI*!t$ ?mَŪL!>SM|S}Sx&eq*c%B1'6zAA'gB>*f}a;1sH*bY DTwIsこuo#OޤomׇΕѝ+ }Jbdza~ T5Jh]&7qy8ұ/(۲"KD X<2ĬE'3XT`/C XcH00l9&Ytܡ/f6MیS\teRڧQNTFpI+6+^OKxzY" &vym Plŭ1iT+l<<38yŰ;aFN Kf*]oE;M!&# W-~d|I:O hh?@CqQvEr$"..Տ0l[37Uj \}-ɷHu ]q܊gT$!əQJ#$z27!DO0 }יBr"}}0Y?tox ^sl@ wEdWs1Mн¼67%0)\纡s-bB Hm]fg?Oz*= )!Hhd!4wLa y 'ݥQ0xDV)mUa'zUsYo\ޚl$~cy)&q5>Fm t/#fk2JSBҰ?d*r, qi{ȔUʴ=;i8r$x`f$bPke{54ХH:x ju tr5v̧,PLFo}n0K힩j.=נ[/Q=^-/)51a[' 7q-!39`S&rV{13!5 V׳~rظnprș<"9/Hbtm9ђ}Zm"?=y>I(}(kmqK(5OMԄn<&N vt[whA$ʶBVBdϞlGHJ.@_@J {-ڔ,4i:RRpe J x0d- Cfh8]e a`%d7+ ~al(cR؋*'37YU1& }(N7NR1]xPЕ JŪe0F\>w[V"SuQ1-KEc*+7\c㠛hn.b͵!L&5DC!8)]O(gM:k2$)x'^obPC58H_7;N7y\E{z]LP<|d!$I'Q%i}e7P Hphn?~4X7vo?.ٳy a`2sM2ғǡe"!ZF@&ɭD+1G]B(o,W i;= +㝥r[UAY_d!ضv/j]wt g_')ITga}_fU$;}cmSuJ\ 6H.O½gm&ժlv23_y$*ϼn`U6ھ.p!YDʱc6R7ۍex]+)ƝyA%u 7ogyz{X)S!}V=pGGP=A \.ev G:/}>\! ݏ#-\f+Hfy|CI s>L,VH9XݒDvrd/F[Gp|Q,JOX?|ρ8/zL2a[@w6Oݲ VQ Pv+Rn^'* *^T!FׁEu!cׁkF3鱃˥Y.1WI6,Uq#lAx%xT/1dS'3s75Y1#tC)aNѬqa-PL! HkJm5#4XU Гo'Kebز6^Cʎ$nA7 /SeAo^vFXZZޘ h'3ӄY+ 4ަK ZvDbMrvӠXF:~Ҫp8`^JIKt}׎b様^ d&|yD6Oq2H"~XвջZ\ʿΊ~oH܋Pkke ՝M5kiCf@SUP%xrϴ7K+|C47Ӛ&-e.Hd\2S=qUPE@z :^Er^$sU?|?|am 6}L. 
BI<҇hå=1Kh3ߊ:c}~E{sdhtP wOQ)C.Jd br̈q0ߺ;@tC=Fak)#ĴxQS%[) yJ+kF[y/?gVcSQ ɡrjl9\s*BbZi;ɛqV Ogz*M( Nu!Ӿ{s./o&z5M Vחs .SRy$ADuT>%BcD* Hit?Po"hLZpyُXlK[ .#D6TgY s^|~ qIIgϡG<ܗm;= *pֱ3M?uA=h-tSgݻeT*=Sjfte#IRm,-8$5aC,ŵ¾e2_ L.`SQo T8zjWޮXYv3B3eQ(ˊ7kqbܢvNLPfn"dZ^##`LOVclΡKjiLR3z$V?Q]Ϧ8ȓ:75#p[9FZm7"i^0B/1uDU4=W9>ɣPחUeV^T74,^q; `'UK&#!Rhٜ.vh"z4Zh] d^oGr6UGZj= ަE8ޢzw,ur¨FeEcgJR5 MWؙUYV_T)#~ڶ: <rغ]ir &"{.J$[P:U0(`pyJWL:L:Ž(+Z әr.B5C'OxTi·Uڄ DI-4^$n2S EFy3X5)ᆮ264~ZN7U=&G2p.EͲyE,:cP^([Ts俷*zagd_#dAbsTkD&Eqx9#V݂ h,;T.NB- *$a4p)`k2.(:}S,cqP{pCdqStlsrf(*z7Mp$O],;z,by[0Q+P~[ .3}otCɐsj'X?uއQnCڰ|'%O~wvzœnX9(xŝxxoFPYO+"K,v8S̎H]] <'0ܦQPߨ[,${|sq * eV#."m27CV:/0TiJS9FAMU׍O-J*6(awgyDr)^lb cU1ML#x 5 $,ʪ!$Vp$ 34f%xTpm?x[tXBxs|^Z 0Huʃ\6?O(D@{$iĆUn*r9-BfJl*FGAvI6CcQ¾d!ԹJ-, B{^6+M7+KVO-KMƊqtMdxq&Kº\ZÐIHp8o2+βȊ6z߼6Om VF.w&^/N=N )R;m!`fߛR΄)Px3mj3VafzEvr*Gv/ VY Iϯ-U K(OUj:IiiAPߛ,\P$k\Lɏ V=8{ed22eWϱoi @ëubÏ,T, k}l5;I#F^ej3[R槢88/P[0eX6Tm}ƙ_(#Խ1d"\̖BKD& otQN 2T9.iD4?XMǤ,Ay&w@moxoɖKD6m`טACqw3{(~dKpZi^YT49IB]YAo/f5Qyn2F[: rB3(ˠ b JR\! [Cʫ~mxч?t>Ĭ`ZnEDDHRVCi|zpc,yLJ#CwJ1yzA'ۣ~ʢw>3I!A+Dr(DŽq]Pİl gޕuc0c&z-\U!u&0F6L6,+=AlX %+3߼X<TVҝF;ӉG@:osgN${1 ^d{&-ڼJ jaV )EwRxI e.[YkJ uZf ,F=:ըOD5,"c]H+UӠAԃ ivy &i 0wǚ>IHr)‚fz jZt.fHF_`O#X5z?a=wb"SJ+>NW~g4z )?cٓqKFN@#CM[1/+p !nүr-/8G/ ɤƗ`tOv*58dv u=]jwWh[ڸnvnnv%L/G\e5eAÐ<65ZKj&#BȚp! vx0ԗ//v;jƋ5j>2(AP@i.S\[IJEXs9;ѹQv*]M6BbSwR ]l6[zojl}0,~e!UN#6мiFK0t\WF# onn;dR.bVwܡw?h6Xj.J{ATAlG|4uK`εnfr{H6,eY̼du}&W]x #kumbWspvD>R`+瑳+c1,j+M[]20f9!=;f-4 \"1C_a(cX) :?fh$i^HyO yuQ/i ceʤDYpRVg_ |"S-z$Ӽ̠oO!"h!x? C== !,iEhVب牕@j6=l)+ߤu<gl8@[9X/jY6B#XZX_SLLHKxX.. TN"x ՇXuY}IG̚#b+݋Zt::o_-aG_|N%ߟOЁ`[m]Ө#U:#:4K˲B1y/D&_~an奜r0 *+ i\Pc4bnمօDyH2L 6YݑktfQݡ p@s_M@,(vyXzY(l#?ѣ;sbmBr=bTYcnaeG3 p+򌼷cZTʾ5%#KO2s|I73j-jFP']Wz"&gZm(8<\hj$_ j~͝`hBq`?}vTDaKo'[ Rr~t C'Oo!@LS_m0aS)}qi랿"l KwWԫ%[펕,\Ahi݉Am~>3,˼o,[oaqcKT 3~%]N 36]69\#opL:ԟׂh&, PGM;y299z>I*wr|da? 
y<ڟ&K i6(R(^$?vN2+nOgQ }qHhcbd9`0(p,U6a"G0V’12'-T~Q>L֪{6!"n .tɱV{vp6-FAmK#zVhnKd5Ik1X*\RVxu/44M6zi9fBV,Q"H=bD`Q5՟#:sJUYQf,M,vayQ2hdʘ㹌Vu }yD )_ $oOBޡ_-wV>;X6o <7sòA$)kdDB$F|6ӱzA&^7׼4 ٘LYOxGI[+}^>t/S!%{v] "hw-i.:QV1>4)-4a#e1iI- sp8w[uq:P.ğ2BJ<jy*mm@)TZgOd- -ߥ!S/(]K)?;7]ғq'f66q@DǦ9TV2֌K_B3 }ǃx3z;/j4޷?H(˝Syves7gՀv}m4gkהl?}\Kmlؤ^gXd; :Km1WQ*jt h84C dK\92^8=&F?6ypm_   $ʃϻ{8)s("'AWh~sޟzL*]:QUzc>J *b+'2rsϣ]"_KzĴߨg'*br?=&'E鋗.F\1B@:_VOE"LlicH'r@/Dx+IsL|ON^XZ6&flr+.c8-\aJKAkL$4@ pAI\`G*aBͭ8+ 7j 2" BcD#Cއc{W"B`+'˯0j@˞Ƚk t㋇YfNY ݅;"ǰw,s}4gHVJKHeVT% oJ`2Qǡ m5C*bV}M͡_5ӕQTof]ԏpZ4m~W~OZ[>rӗbQ݅IW55nI&gb\VYHe:NPfm%-Y 8%;De-R1i.)i LďYQI,N KX1Ee!(''lET? l]Xl/ȽF _aHSسDvgECjƳv9m926R(kxDzGf5n|2aLpւ ,'{+ߛ)o!X7bT~Tgm/_n|tW8Z/!1.ܽ+ vx(vV5KtdC!գ({忳Jᣝ-DkC92]#X[{)ÚVvNz~ʳ9EGl@]ˤ~K^1d#_i}%9e2$@鍒T,^ *LЕ>kĢJ VrF5bcO[WP!yvؠ@81|m_5e h&GU,X)U[DQdie1yZ=[&L/O0"f"mq y1 7 r0BqC+W:pJ#dNK~'nOʾu4鴵['QuRj|sD {N_LF& >دBi7"6hCJy| ȑC"ssWlcxĨn\2ץFj>jw5JWa|aX};NI1dsTaQT0#wJQ̷A6ة"!l4Jƌ(Z/%L} sfUd=2c̆\WnIH:*?(D$AlxֳzEa+r dCP]d]65wB'SIIˬPv 4{s}bXt-7@e<> jʅ, Oq9VHR+t'T0>rAeWvuk<`*MT1[sŕCe1`,#!&K0v;2HXP ${a4&FI-yjITb=084 mOt:p-j/ `RƵN 3UgfBzhGSiGf_8 3ޕC dˉ_9,I;*2mRJLUy2ADZ_ spSC̉S#Õ1Gw5)q͵ɜ¥LpX84TX(I^,7R$ Ⱥ uߏ8>S88@2 QWܭ;,U{ico?N礥J@d_c]$@/X}C߶܀=ᕵsAvkO@wrup㔄+mhRʾAe}3 [~~Kl[MJ\@h\Lr?Ƥ .(dZ?vAix| *SVy}:rb\ꬽ"hb~x5;t%5toʖ%M` *܏#jb[,DRGoO |ndb].WhEk B}:r3 <q^'r1o܊vSj#̋{Ix y[= uDx_}5 )]ջc0 R^Io 8F].R;1,kc]B]O zKnF9CvtjTJemG{Nn}C_NgAmxP(.󔐲m !,s c9mtS?~+H(&9:$oAsZt8<^:$,'dw[yTE?bGNM!F$t#TqU?WG1KO1,#1NUcyT]6:Z˚/Ϡ2:dyz"~?V2tb.b(;fu7&nR\*wKb5$ 1:s.IkAchQnZ[{u]Zju| T oѥgc{.IM(Y|{gਯvEB.XIb ɅA3N#毜%ȝWN^k-ē ,l= ݈,]||h+:σ*5xUrgFq-PŏGR\J0_(c&-Cn|3] t9ܝ"mKd7(פCSE3KY dM3ɶ6Bz6eV# ,؏X]A"l)M/}45{AF )c\),=J0iJ@7g|-];VnhknH[F/kz9)ԸN:8uQ`xS@ ۞QÌ=|s"3Ձ@ =Q188/"6;Ps"; ~)e_1[sHtz!) 
Bz._e1(;k>FQpGBBuJ|,Ju7Ij>m=|l.X^G!\XEU3FZ5zZǃX\N=Ҫ[!UoKZâCB̅fp٨P=K0G2lߥ+n:ve+t, 3Vub{փ?#h_*teFaZSc)id-sږӲa2[tm9zh ҷ u!Mzj~܎C63zuG)VoݝZ83dDzTv]qM}R;(wF'TSdqE)!`ovv6qX]A6O#ȓm(HkwBXu~2]><*"AH3Cs;E*y;(EKRa`G"(t'6NC<`S:\v%n*: &}5A$0CWPXk8uY5|^ބ i9ϻG {ai- pJx9Y&)>RmKD;4eaLUO8R;D-&H 谁Zd")ę|3+"alMeF~ -ىIn)аnNx? ԙ2ފRvV%+.F<AT˛X>$v>U^c,7.`wި!+_뵉 s}`NcddT5=G+񁁐z(9 a(pl/Zսё"vg? +<aT!]FGvGXMq]/pPRo@q b .$LTK;K^bFG|_l? au{یU}(Q'N 黰8>2& &᥈ 7.)P7 i.Gϖzn 21+kß}!&qYA@.P K.`v&"@ ̈@|ۈYa&Cх ۴S<]3Ep՘bxQ4Or<#6_pRZ4by] 8OVEKTgayܭ Z&Sڟ)FvQ[205&cV&HwosNb%4*1o( M/,Ss qkQhAXxgڲZRR65Q,L[Ļ$'e5 *_ lX%r9ظ#5Ɉ SER$%T+]iB'T8ڌPƏ'6UWVbav#I$o,Pj$l&nbZq-H<ϼ"n;Ƞs\t- 7h_Lx8\Zܴ̼5D&a~1\zGb0t)>"y)ףo$/ ЮM\PLV{NPOr8 40dGW~?o*T:uxدNa -['@a-ꮐ2@Ov>SM2jÎ 21[dhR⎿$P |\k)FP-^PE1T,-*O5 9F;dJъhon1n. N^B]A N)Qbu{eMI4!YL/Uxrd .?VێSxe$T۞^TO>L#A)#M (3MGߧ4f߈-Wxcㆇpf  _s@>%OȂq'g$ٕ1Vvw7iّsަ(/p P@hA_~hU- CL.15@%c]8ݿB?.'zYjѩ%~4!Daz_9$I^ i{,R\gmk-E0fC5mKF,꺵4ߦR9 Ez3a4hpDm}VPإg|cI|"nD0}N.) zO_֢bܫ) E#{R{NEVQZX(PV]_kIj/N rjLOG؀`Xqϡ Zoapvf*)YkUB6J{)7c,5徽J7e3|ezGzAb9Xcw yŹ67ӭ=Ag_ 3:T5e6虸Ii!ku(T(rB9v'OmXɃUche<=*kPeiU )x隻G!-"8&*cR"` W ڧh/m[]ɂhe7haՅxz;K/;y/i.q4˪ d ry fAŞ @I5'B$UBd 6?"]aMQ}ΞSׇZߝ,Ygj7@`N20Xù!_WhHNO^A:S٢ Oa,iͬCW|3.[7iWj*b[E:Q?OpM1ϸuo.ilk& da ecj eMTܺI_v;?Y$ 37DŽ \upg1G2B?yjƠc%O"-:0?t]S@BeDV_`N?NjJ%0$1 ͶqJh.1%v+`A|4k"VfS)^9bCmm<0haov?vq;0&fֶqEIo@p~ɚ{=zAeǤ &tDbXYF:ßq@8LE:u㵝gɛ$Ҿ _>1:@֒QN+\HImP_id CBrUh1-9zV?"TM|$N<\(}憛Q/ꬶ})Pr"`"@ʅA17bM;W6X"}_*llFw"IEu 'HՀA30C($m70퀭7z"QBkH0{6wfoK'|Z[a+x `*NW|*nb/mjENiޜt툐4AK84fXr]V rnLNg$bt_p84'H7(Dg;F(9HϢt& RR.ִ5(6W|hUB]mO3ï#pbw^8ShiW59[9]- BXWƥ|޼(CA>nR,[F6% „ \KlV]$հ֕1w@#jW#ň&6Luj܊BR\9{7:%MsXtUD$agEfw(XZëhJ?=?_e u ]tM1r=К~c:DON`ʛQ^ͶOhwR-$C{f} ;oJl57g#jt!ݔzhʜ5b fCU0J}\cF{uD}0>d +h6'B'8Uv2yD?߉_Zp2@֣Fe%"jc(tUGR>Rr 8Ͻt r ՚ F"3 u|ERw=**\= 3=+5lBZ{ qD5j~*&mxF1?ew{xzvK#riͪJKR݈t֤t`Hc+dp+g^:5GHgdO UL4FfTo\]h 4 R(Sݞi{)[R' 4&pޭ lٔbt qGwDt(1-gm@VNI,-2l{-kY,v7F 9AhO|cČUr6  xT9żA 8$3[gJ2wWQ lٴSc^&5Kc 5e"WN1>ܦ7)&CX]JK,%+WfސQ=7/v`9PU?@U7!f[6Fx 镝yI'.ݾK4ibbnbv떀 Xq pM_ OQ']>)H5T!['Q?eVJόNP:{{-tBW 
uFPE0SdxMOu*Qs P8LY'Uۄ7577 N t8(f al,gWƀg,ҥRAᆅ4R{}} QYd=j)Ȍmmw{tsթ ~]SnҪ_To'ea̰*;>ӛ]+Q΄ @s?^஍ ٫r__Qc8"\j}j PC#{˦ +,;]ba71t} b>6\S0̗.b./%t? /Gj؍ʧa9ؠ&JK,[b^_>:I }.(V›v|KvaIi;H*wsx Nfi E/QZ^c/@%MSdӷЩvK۲>z@aWR"mJLj-;8xl1G{ܒO V2;0{Gi:n2@πnɌ7sCg_+9B!l4Gf󰥌&bBo6܊~n` i 8kjB/{%Oы17w2ը0K}hJBmgLxUXH.@(%WлQ}0$e2MD1 (e'ӈ}u;:`ϐQRKB, Dۮ8z뾑cƄf΢Tau+ Ǫ.YeH1 %Lxi%Q*xb_xe^H4z]Xo2AFoQ,a'dDC1->HPLrlKmbfҒaِg mp:tPeK{]<齃SY/(I5br_H Rx;^6HVSΙi * iá25/&fc^~UpȌIY*y=,ti%=FH ^X.po?U%9D]ڗz坖S^2<\duûA(F\fZ_Ɩ'o__֌nt`L#yA/16 8x-zerH:YQ6Kr3n`71%]p^y{PyC"mA|:EeS6&pQUV?]zgBNCQ "k6LJsx2C4Ģ]od,~R­B{3OYUeޫZvhޤ^GѺ8mę=t[v,*D6'Ib;˷5L ޞ'+ISN  /d3eF"W3?D}8iD"Գ󿳐ꍽ\|4i4V*оAq` 1beX3V-Iɫ>ݸC梼#,kEn'&37&莣.?+rRyk(ʌ( Z`C;-aϣխW: L!KגœEjS=y+"KQm*N0QI84Dk| GD'/@p e 7kO, ;肟=weh696AYxu($SrXoPWi.{R:\vf=,f'ԥ2'1D|ifn -p!P 4#!sy$1^5:IG5d~Ho?lg_v+Z1$8m=oL%SKE"hU XUTI!nꜪq,u ѪK^y2)Ce䂐yX(y!}LbPd. Xlk%yf5ۊ}$oNfj=={};W}O3NxH : !!_v 'M6%} o5+V=^&#+E,h #I r :5WM<׽K"ꔃ!]o~NC};fR}KG6qϗr.F'/᠚vDv *"m1HkU,ӇXR3ȨZؤ^;A,xo դ2GAmwlbqht+u82!] "&k_E\~au"`5fk=F 8N62Ų.!em\`FG /M$޾ZxM,c6?T)щ`^cڜ9S:2[fF#>XhpB}#/4Uhj*\y"۴|pbӓ5iV% >/0a?hjt6t0h90)F:,` =Iᕳ !K2 m3,P!@=ϼ^jQc*P!/?a,siEnNP0Vd}CN 2]3U z@>!CkkiN:0e4,ث8`cEڅ19|9YtT)$RA/wVm=<# oT ‚klѐ80BЏc$cDʎɷ 7ɘ4lݮ)5qj]1Vuz!/z@:YZsvy-o>W"w`1)#">v>+6Y4 ±|wQ>mX 9Uy?Ԯ$.&KMH4WW^,V/h gȞ+_Z(y(B' !f*873_9=Gd,T.%Ƅ(j)~l8-`ra(FIf6mо?/&I =$j#'uz!ZZDC7 QAsGSJ M;oʴ6!هԃxXޱnHc|ήIP*ݕP.T`o&Je*r?i" ؟(0Z%Knȃ na#,`W|D\sBEf]ӍԆ I,]"Gv=({ڶszpk&W,gZ$ wnW [T6R"b/|85]`̧ɟX~?UP옺l%P[uEv:GO82b3p )pDUM-O06; )%`ݢA@æء:сg;ߔE(1%Śa)% z[Fcct(IG $l,A4o?9Uqc SU`%n~AOQ,28hNA:G{jj;KxM.y;BEsC8mX625,ֳIf1Kl=Ш OP>η8$XYLidJϢ]\ ?%X .0L,Jmi1ccO &mtn5cIj =O}G/k4Imh鱚swMdiޯp"ǤJɆB/睫%MWUl7vjz5YUҧSSl( ~v*+*wh=|OW-y u_%1$PgXnр1m*c>)#rҗdfXcmGG=dnl1o+{hÆvS #®|.O:!#mG1Gw4R6q43m,pF?gK4-H>|e`xM;ݜ-BI@pƍXJvWѐ=ظT~3M$țFV9N}dIg!9WldH9{—k1<,klг?ןE%D/o~0 CsJMDi}щ"E;>eq a(VJTsOgQ-']i"Pq84,ahd40*N5cn': jkzV+3q_㵮ʿ@^F+~k7tZV _k5q5uPE7'do5< kB 4ku+ ֳlKMj JY1 QU!&1T1†|<Ԡ e[pPtbdc)F9Yԝ(zB8//38/?[FS)Bxn{`6?}?P۟x3د5c(l^t1]qAuQt*4A? 
6Y/$ՁzgӕS93/Ic}Dî{e쳃4M<"dsbHfaTjTX!:{ z{gs YyB X7d#mҟ`[a Ќ|? *Y?>jmIB1K*WIx"qHB7NAp{67y#I5V|֬ # +ɧ,YZzgvΓ[[o>o'>~Ð:oI\{J#Tb|t:PBIJ9ućQ;Ԯ&ga:3xgv|fzhqWA񈲐UZ`Q⼄_d< OsWv#NiχjZQ _a{sFd4́) ?JLH(W8,onk.hK5߰\\<bO2|oq3N"~˵fHھ* mB.X$Ah%(pIj˯u{8EkӜsk: nD XXGvY;b (c')oJ]W*:cFm< A0Vdu=K]r_(>/e7]P 3O!~O (歞=y$mޒ{{gQ֫gClvxNhj."J 2,G0,50erPcn, q`fjm QhπNtdUZiZ;EJJ|ꭣBmĽR4HPiJv0a_i_wZE"vC^ˈּ}Gmxu,UUqG\7V pZ *I8]/RBA7yAX^XG*>]R}A8/k_dY11Bş)] .ޤ'/se[*hȠv Td&2 -; h2{)FHL"0 xUB8/$4Q9 WԈoSܳ&7arul:/+\^mAGP@CĘ)Xcj2G2*3 Lud ۓ{/ÑVI;Tٶ P3>)n7Waj /``d^鳣z0UwM^1u/bZs XP<&5 D\N?A_TB[3z!PB$ϫJsI^qILDb1^;RQ \.v>V;17ғ~ $/P0^ q2+|0pK)l evAA乭ztRsP=\s=Sv&feЂZ V[5aOe8nA'1ߓJA!3+1f4wy8++̜\F^{>IzkYUz)`xo㮛#YBSoj` LۧɛӬ7 2=8I#fVo`7_YI]V]S?j/lI<s 8Dbɓ NA\XR/?1(2g1q,PkfH1Ct3Pf) PD(.7*1%l/'n31^> EH}}}aAxyj󁻝lĈei{7=@@hĔR{5JRlv1J[h{`@:.]u}nqO}Ycv'qOk\8{V_и.!I96l`ibeЃ a rXp%",XR?+v@ >vѤG:EyfG?{6vo pKtwinRӣJ\ęE%s5j 4]vBs] >6f@!,_ TwJFk.O4%vM4p:ZÇujIW>־t8FwUAzY᱙͛/ sƗ 0C/D:V)dO)Ed[ac%뿯2(+NgaoK:0C].gRi눟kVcH|PNvzExx $Ṽ{ bO5b(ŋ|3j2<T0;}1[ŋWӣ/ [_,lZgFP+uޏLa«0Ic`G}p \1/ $A*OMY5*z`1:„YR1҆$?쀗Z=\uk߻"Kɉr2qރ;/~J|ϭսBq z#F\e;C_KX w&{ق)ZΥ١zmJ,ނէOtBRyЂ+Y8]-昲b5a%%3xX7"4v G~5N$ǂnwh¾#4SC-Er23wẃ/-B2M Sqڑ;\.YNqEQX7<;@lJlE5Fm}"[G z#k|q/," > I|3'DG/EFH53:͇%QxG]u"@.3 CJ8:j &h+#m1 fS2/-aGxʫ#`]97<辖{l|'Q$f>I0Ge3[i T3 v}'&ih69Y`:ݷ|+;=kP<OĜvvNo|:bI]I۪e뱎範>@I`Qf3 @5["-ԜL JjIɕF21][gYpw!y8^f.я_'}PY)s ȋfS{Ӣ 6UQ%;gQ7I;-,E."an/}kcy3GB58tD#})8! 3u}|ƈk.۪{ڶ%Wٍ}$5o_;a ^nbP%jXS3o{[pl+l}H94<=[UFWt0ß0B{-&޿S"b lQ3lGSA{?J3o@c~y 0/%VQSwl=S]h{<%~%mA#w=L pꈜ,gɚsZAj::ڳefvN_c4>WK& JH8h0 nKϨ`0-Yӟ$d Q`4_PS˴rxjC|\0U_ 7'|Ѻi\x)xa5WJ9㯗ITS/|Ib$&ݲ̈O;Di?XWv(q. ttzASj0DŀW8kavEn6p 0fh;e)JI BgXCLJ7&xI? EPXhk?O`HN3;6PK$4e}(|ZQ֦0-/XI߆JSE] Ȏ.HJn %gHNܼh ֒&1-7PH̄6ڶwzהԘIS1hWqV/n 7ہM17w-AƑ [gVӗCb Q?Yb] 9*.I 9MJ+{3&!S R4:u9~oMO%~:~G[v Q:x`BZ`Y,Cxik)dVzM#v`HE:^_Fs0 R37 ]#\mF$׏$} [X:]C z3W!5U+,A El/:!GUxA|A` Dٖ,HVMRh[gC>^HSYDڪ# ̙Z_@p+g z Mb{۸Ӷ_í z„H! 
ea%󤘄e.a2 X29^G1Iy R>xW 0LeE a[ ]IpųZ: Met{ ) KD߶{/Q ?8rz^| u;0ctIo:C JAd$S篡CGq%llzN:RWSIΝO$Z/2uysD$8axjϝM%#Lg Q_hXKSNif3<}jòZ/k`[19bSNyqJ|)ȐWG"wzc> vJb eSY1v<P4 ҈9:Q(˅6;sfw?R̻ս5M ӖQ5Mj-?.˴V 3?^I5QDʵ]'%+q]#p{h9*^Za{*-uxJ1B9%Ց}F~8oIPTׯWaR-(<*s9n43BsY7}d ?p8,h?}|u"5Umb̟['Wݽ0gì݃<V2AN@{˿TbhƐT?T>ÍrJG<Hwwz22/3z6pť$A;v1V|²\K5n,wf|̿^w$s+5[-5軶14 }3&V̊!IwtO+4N'9Oe?[6KrKg Q<|(\WV-Qgd),˜se;b-B ):: sT}w wJHx<ss,)r ĝ 4)y3yD"Zf8׀j7Nj{~5L ʺ:} -_UH+P 2v9/90s7躵o7nSEk/㓪3G%Rx .rB[uysa)6)4MH￙ΈzJ E::(5[ !N ArXΘS 6֚/_׫}ˢAP"|_6TEԕkl^6snzҎN7E:(I]haHmϯgFL*8QyNOg pnKc^1NJP7 3hB X2ēsUSBL,ĨpY{dRp-3łRӼCmʭՕܧ}}wf SmC,U hiߢ&@:wɷӊ'߽{Aٖ Qِ<~R"03y4Ŝ0W@")0ݴ&ݦQO-˗^0hG˗_"J%{g# S bX՗9_U&2J\]iWN"зsʅfd5X"?@!WiSL?o?nX'&Y*9Wi~H;(wJWU(x[bi`3$LDP["!X@RfyyQ&ҭ.TK5Fq8ꆴ B:cܗSՃ$+ӾՄ,7RD^~Jt bE51>E,rgߞMqaeX0_^ _:DŲIq~b=eYz]?Ԕ[v0 \ މ$tCf[͙1?ˇBQ R"'7hqW~:fgfȯVt&nU4e<γw֢5 oA@V'X\D YYn4+N Hd8)!k`g̊lc2{/0/[l8lW㜯?rЛ^0LPlnД["𾭯lqZh0QKˌ)>7عRgvsߓiS;gX/v;9ZYU,Ԫ/o֓ pd3UH E}XϛVWxw:dQQ"w~|$*4$9 ;U|HQ/l l̯(35E8+]4or[ 6+-3%/,Tɻ[5r -g+:{LM; ?"gq?O] Q @ʼr8 1шbB1_̄u1m4څV"xiNH oZM]dBwG>EU\< BN  Ϭ [mH͝-I[2S-Efu%l\%0)>w1=KjSǢ"VvNRkC~񾈿CLtelNLƶo6Mu !O(C=*Z jYL7EsE'+ߡ16 ߗ^f4fӡ YGփpNN>O\aBv!}9xgΘ !~Eg+a{H!2#+Fl(:jo% ?NY_.T"8!>8k,Yʕ_k9g@䖎ɴYh)y5,9^Yd)]1֖OdhWb._vA?(~hasnDvoaEIN8s@OwV^uVZ?\2KZqa"bZ&;umSQ!Ϟ/\S2ˣ 8A$?k轨7G1+egvjrJʁ ?L0vKa]J^?:Jޱ|DRzfVxpYHu#N&*DqRXfe{J_pNթ1 gZ7P{ۊ7XP\Ϻ'3qXRڰɐ3vr E8y#A2d",=,6(v=TR9k4wg.]OQ&=$#]͐sk3qXieagkBI-Kq>b,d)<"ʽSv5-5o#C ϥW>5ڳRc@JNsh8H~O&iuvǞWƋs4Haf%z6.I@Qr(doȘa} ܚ*`;^´JWu+چgٗ%_"dy$Z ]%)a߯ 'W.0ėX:̬,2W c SඥCclT]fj,p ^Zͭ;56*N' //X`xF1b}DX^ISvO_8j !>yx0UiPKۋq<^[)U˾YFHi#}7cd݅hie3ZYFߙbpx½HSjW wYc*ZQxkZ$ DՔ7USNR7Ҭ>%p?S'Ixndͨ\| 1,ԛ."ۙod\|tyBܻ-+r)gQW::ιn^vZeQ<7Z/)IIiԪGU&Mk0V4DwD ܺ%-ĖuGJ\ L*ߋܞX_夠{huBit{IrCQDz]-.(+i4"_%9J YvvXv& K(۷v$tg4ѩ3ѿZ,`veтDGg~"kY7TYGBMI"?Mɓ&T FPI 88&2됒]n@ZÌ۸;I ȗXj/04.h]&S5垾3_,k7&j9"= ?=0GD_2iͩ1k]S60"!]oO!󧋈x^·.qڡ'",Y> R8xR6@L#`5pe'?Z$ FcKoxxbze /ħ;Z'Y1=U?5pϞal*E @#ヌT<)e& &ncU%p}֒zM(d,c|!DAD, LB {BF]rybDXA2[Tc̰bCtZ+]Y'$.@,ytpA;0¬#LFP '4D~Ih~a^0C"24=*>.*;${o/A[\vǼ`:Gڥ*ȑmb(d7l }u֩I 
5hjd7\PƁ~עo0NV@)YK"%jbŗN[b7SfN$bXWJdW&.F\~8DP-wHX.Hw7` Y@`Y}1hy\}Hs S`+@|dܰeNg*^@\,j@,1¯ a{G!/sZ43~O5Gx'e^ gF-P[A FVEc?%}ҳvNJ|:1E CSl󹂳a| Ӯ eo-ԙնpUrCR>#TLrUgotTk?'6,`^'^gJ37U̾<^# ~9N 9WLG@tXYX{3.i u?a+lŏ@iAP2 lKPri~/3^.:r  S9u IE/6(2&Aem&Wbݻ|cAȜx Pz!r|S ӁVfbh7[frKg* X_.<^Vff M%O YRN_~ip*^>bɎ[Q|ᯂ *K٠n\d/B ~D7ԣ&z@#SVvcM MU_䋡BKYُŀ:b9\ (ao*J70@SzZZ(CIh2b^>jr$QlDC`t휡;M%P6|d xt6CGxK%,Ч\åNxXET*\:jKya4RqC}ON/hFyOJsg[3SE,fa kA /}1$FF`jh|y ζ  ٦{vf0)y7;)Cd"]$-|J4%Ab9 -l-w*N'OOlS8=$OגwBs>t}σ̿*("(ٳIU0 7&e}7K^xh}g?fM aKF.Ι^ݛᔄsԣ+D~} f\_+s=_8{T>J*A$-YO=?]*4?v55!t}v:F3ٕ KH@ajį"AZtcnH:>3;seXw2Ju-j[P|bz($} {N,Vb4& ' ArmZ6;ZTI) .W=#Ez OsS59T8@B?(fo\%j;s _/hS!y\?X4.g.M>ƔXSئ z:r78|MP3̀iFAvgخ gߧBco}wŶnʑ0҇ NV4JP ω+r3s+Иe1*Gj2B92kh[Gs8&-DJرeD|$3q\ {t=/4/3d-̆b:!Z8&iU֭):0uJ\O\TpZ ؁ނBpRw3m VLu.n佮[ƀZ䮿sڙp&Fz3|>QogIT KJrq{=RL# F/{U*Qj&*d^~C5ӊqRRC7jHLBC_Wߊ4%1 IGc ENxvbӷ1er~_.B ai%t)nFm΋{ [B WϾ^YirO%?IjEҵLkϵ21)RRĐFݱ&s'"}9:ATe%/5hvUfR]O>Jf&H5tp 3ǁC]Fhutct[%11myle$1^H\:@@V$%A2<Ћl9j6y_iXXHBpF_$V6r!A4z Zʭr">9^Ys TkpZXb3H &˽bf]+!Uc 2I<9 eY-ưg:\zաvRv9aIP|Ϯ; %NʼnS>%<"Mcn'Xu=^( M!:'H^̸ +evc$Za>cQ/cn8#zҚ0 $&Hv䂬KgAC&-2 l:Ϊl|keɂ(91Cco74Ў:ϙ ,o,קNSj`tGOUߥ0Š¬9G=1FpbMp3`өa(xb7b$qMWL 4 l%Xg96MTM˦ J,Lڵ!\{ 7^:TE}%qFea@er~ @Zˉ[Q?$Ѳ‹PH5Qxń,%dKLIr[{YYdw?B`Pިkɡ(Qql! 5Q+[&1^d]QrF +~xr>KrG)Tw0dW \K|@"DێYv۪ezfn:EmA_7 Y` + #LBz'm5#Q#eY .n]O@ u_pHS Vn m݋)u?ʠpƨNS_f -Pve"¢_9}H?Y(8#y#[`eP P0٧dЂ(%OtuʵX<oqUiU4(4XKƤ"9(8H]SFdxZL5T^n!(le-{[.sσtgiVy'f)yT~I"[mG-xT&9B#0bA_PE.uH9Md$lR-4;|{ct@wK] q;! TsCcPFDoheq?m2(-2FX=rC Q6M QAX<Lm{J!#B3v0T|d%}̌4,sv6¯$,*&uPhr-|H'Et6SBf[! AD|:d=Y h±R e(<GN3 er4wLm:eD 6kzenr(iIFQniMMyYg9U{ nRй\BOoSe}JM .qQUtgYչ;S C9yXW+{ٕR's.ū%.e@w{a?n]yLRn%[X.qr42r&8k],0Ū/gs (Z!ޤsdN#9{+4Đ()LZzYxQI(!{ۛ:-qv'qx`%ٻVPM jkP$NOB&\A;:,.=B`{n8)|21Gɷ|,  :^ j˄ $qktAq &4ץYCϵM I܅8@-!/;b#戟  :)AnH) ɓ)*.t/95pH&qhF<\64Lt 71 y\d5(5p^vVTԓ鷖]?e8)&s. i`buu]Q߯~gm\m(\U}V[0UjCOm-薪 Iڲ"_QGZZz7ygy}LO|#Z4`"ȏ:.[%:G׀' l C`s6ؓ v˕%Y[Ž.`[''}+p|}۹6MN%}52$"x9orՠ ñv. 
k[`aq%1@'ThA$鋙Ļo$Cne[t)khY^ʶꑠ(;&~4W}Qв ' 5Z7w5%C[%dyp-aFm5M)C|uls߫]'ʸ2*XY@9HdX ̑FFUtw3A2+($.AEfɿmS).*x{-ڤV2%F .LՃ4 Sw/J ujd,D`˕؂EdBl3əQ;E3.o: sUVAFQ>u@uɦ4KV׹.-jGDqV^ܰteK }˝ǴgQ-9K Xl4>Wo/\qteS Y㤙 ?fh$W]9+K\hLBX=3[7J:򙖮6|}-]8Il .6]wEd0_K/nݾ p:[M'v,o; )&L<Ð>ŏ )ۤܝ$ ZN-~87aݏLHlxoW8z٣zRe@&oZOBp w\?IZg >`,B[݆-Zo}g}]'uֵʗ ɿ<F EVGߣ_2": C̏&Wv,YrmY }>]䵧ߨFRd;%eS1 9?.yY}!-+|@͢FN^tM.r-9yCgJAa *3*eP=,:K4x=.ߜˉ-N ]cYBT\}~h-ΌsH]4.L:Do~)~cYh@,;-:U"p3C]l9V=PXOFyv]D 09ª +S`Pe ,CЇC1;|d\W_{a[(Qɦ>ń!̐KLX* ?g[R T^ #riv9E0 " r#g-}g:?Ji7MxTږ`5c)8? JBϛZ-7`gug\z(r&C\f%Jp!AKA_6!$]F [(D.BK Vn:n PC>(52m!̛2=˓(F8E3 LG#'0DipH]#-üON cG-n3y#rUEG|oUveU_Ḭm4); Gc<€}-Jv߉ס ֡l%.(n!ʝW Kz# J Y) ז-?SԌ:1p.O'̙X 7lJRbN/)=潬x40y~, ~$(rZu-G5快Ph,;;jQVSoddGNߧވ*Tc x ~LLq$s wJooy;gTz03T2Zo۴(,eP|g!LE-/:E 'i}p<|pQ6(Q8D,)J".F(8[7h"_ШNx979*\.R]MOPBצkFk㷔F@i纣M.Ӆ]/ݟTCx>.0L,@`QQV9C!rցf)Q -oZi7(*Ջi5k<&II2a]EIB /կF["4j)3TDk%)skX24OvI&l.d%YOs2)tDw@Q-`K}/ i,~׽$ B&' {SΤ7ɔ JH ~_~_Ȁ b5UMB6"Ҵ1jSmnZK 1aVŤGiER}Ɉe<_Ig튠e1ő0 |X/JJc㦆 NC;ESLDMgc.5'I+.G[!0{YVHg5d9.(*CԵE+4`҅*P'F? lEJLo;lށ":*8ҞNhq)`!瘙7 eWF8mMvcDϼOY4B{^gnc۫0 oRn\WYWO#h}XJÅ5.uϠTg_IFw{= '{@ bsbQܼ`Uo.dͬc $ϝ. ;ȴ׬%Ʈ񥷋08/HkhhcTM.9YIҴBCͧЗ9a-^/3_e8~z92nK_c>ZM'b=k&[Jg=+0v`lUq"*G}zC/B F-JQ gLAbzCSW?dlV,&lgR'R YnO位:[IB1QplѺtRYW2-@l}K./7SU~ehJW!*Mq[WTQ5"σuE=IXFBt ai(rj 6GBeQPBa+g0ĸ$Ok9?0!0RhJv.*g%js\RȽUH4Ȯjb1])Ӹ;7Q qj/SR?*׾s_*ElKdz.xt|u3;x 6==U/x;$v*K3>]Okþyo"ZG(,'Z+>y碌)0R wjv4I"~VSvEnne|&R] ^x~ %j^hvN ,?~Uo%ą˨kL66W!,!A]qSмHQB洕1tC14db0Ug?u:҈Z8 uŧR/flg6'B/F$s`^];]nj+ej0Ȭ~dw#;ap]J]KFJ=Y4J|yDkV>خCJFi͜OKFFEOo mUpİ.X:g|X)Mni;CV3` Q48y&,Ö[ ~X9Zb}FpUa;7]>y)D\SQu?(K|j u ZCRE?cY@d*[.^呣d$ ?Rfzp̅w"V#H`5wju@o db]vHxoo[s;p]w<"Af#|j!lljA\f! ×Q_LFx;}w.*DZ ;8-;OQ$ ./jY98.Q>gd*AY!`𒠔H6m| Fyu[ _V^!Mj2>OY e<Pduv8vH?w=_Qe0'ASu'd[0SH"?Jƛ8 LMZQHLpS/Wn[b ysefNS^lvx{,+n? furAG0EcTB^A.xPH^u TPtd9_&JٝPrue:ܒsEDpL_W=ef]=2A T\,oy03u܊>Nd0e~LjZV?C'\O\d[H89RwnQrUJxMخܹ Z7m? 
ՁN F&9)E]Ko#g]>Œs/DO'kX@XNY2dj%7,w÷enI ໴"m3gM>HfJQNN"̤VjJAHTNA,Wڊ< V  Ae +[;Pl+B8ޭ콯2# M,l%?=Dn2#Ü_m|^VM<kDBgc]#0$59e'z| '|")c,AxI9ػ]}oH/Yn8եBEi[dYl( S&~"LWw'GgRhTR0RWMMӔjz7Bj4j0߇]o2+>`(~d#Z)gӫt.3ɺDsҚѠB^dl%srW(@VN1s,<|=aM u86AfBHE-0Nct񃣶Wq*t{[ܚųnq5\-km)~)~" .oO݆.tG>pSˮ #uoG_RğR]%5 *~&?bB|xqu)RP6ΚH`QuDcNcVwݪϺ`=yzH/ft֧97m5'ٱE 8tm%/c6 9 7^9Ys55f&3~+dwS~qǘqvV4"gmޔƭc|[~Wy2{?ds- *8+3Ut(8vF gIySF801`CXy+XՂ.9; pxt&=3B?-u0bAؽRnH.Ye+u`q4&& =SfwG+dWpY 8sR2GKXBgzuGlz5@ӟ-ԍR7$0xqjL!54d#|8-f)Q;s:ּ|24@Ǣ{wu_[ʤRN~(}#q6VMR-KEȑ]U %k~&  Q@cQ>-@ikQso~Jz;\+8\j> B1ZˁMi_۴ZI a7 KH}9|5Ѥm'+a=^]Fo] 4]{lN|+ _% #h6 4#P=~7XM!wY9^Ev encڕdj5O$x3yh+MKET=`Ջf\Qb>vl7?>v9;@4wW(x݆0{!NObȤ`JxT쫾[x@Z %*9y%) 2}Xy]s]wJ-#X-2a9rY w@ҟu$Pw*( -ϞD25߶llY!NLݲUٷ7Y ׅ*i*ާ iZF;iպNOU:4/FɂMk+pVrKFvC+{}OGJd5ay1Aо 3tfZOG/VqD-ف? EaM B{kQАTwstI",1ww+0"FA1j ]sλ6k| 0_@+vt- >7\Qv?K=8!G<:8#eLcJbBF!a;YsQMeX%P&U1Lx,rCIstgJA seRe(pLoOAtӮ@r f(:^berͻd+9Yu50ʦze*^Nr귦P[ c2=k1ll|BlrM ,o\'fhxq(PKfhÅN[40R=<͜A[y/0*[kP2KAZL(AY6A\-l V fMZh/n'XE+Sne,)Sq%u?vF=2C/ȳuoe}݂{J=9hq o9י[EHNwB{1Mx?*(5k$uZߴ:0o{׺_~fМS0s~dmVLA%$*po1< 5*쨴=엮*o6)mA=U 8BhП}֋.-7T\\4oY*0'>Sl!wU%J)D,\_: T0Hϴj,`^r(N鸸{1w>@_ji 6ed,OM< dp# ʃ7-P?YKf۲}-[F<E%L,Em:]Z$S Ls׾ީPXKP rUVЖSnc<YкRb"}e7i>t-9 ]ʏK6Az`<ٯY.c@JWF~ ~.&yNu SN0([dn/ՅچGkm-8*JIZ.SXw,GäD=XJҲU%ޢx}ğVѢ #c1~Ot(ޖG5P{o~'LFU(.{eϓ=U :NkxnN%8]Low!zh1C lk Tq$u|aDz?MrpB CZl[@3]P|l4K# +sU;8IM݊|'2WtCMiIâbjziXvejjh)uӏědL-feڨxN aE&S1m 2iM_LrkNK(X8 Ľ4g9G?{kFC646L>'rq-㭰apdgu ҤP® p-;'%}zf4.3&A/{B# y$+L1#QT%5r$A, C3 =bsK]o=G~jA%WnZKAb\':/~Ŕ"0z\c| Pt$[K6.y1C&6˴` y+it\Ws?kr2sӑ}Uzx?$zLM^$2SPhԟ,SDMG %S2yHf{?yY7V2ă yXR>a^{k<íS;rW͋:3rm-ΑU5'R|q1w!A}0A^ i ,4xjۦ$aI 9TlJ¯YMzؗs]ū6[3wZܣ YZ